Analysis of over 1 million malware samples shows just 10 MITRE ATT&CK techniques accounted for 93% of all malicious actions in 2024
SAN FRANCISCO, Feb. 04, 2025: Picus Security, the leading security validation company, today released The Red Report 2025. Based on an in-depth analysis of more than 1 million pieces of malware collected in 2024, the fifth annual report reveals that 25% of malware targets credentials in password stores, a 3X increase from 2023. For the first time ever, stealing credentials from password stores is among the top 10 techniques listed in the MITRE ATT&CK Framework. The report reveals that these top 10 techniques accounted for 93% of all malicious actions in 2024.
"Threat actors are leveraging sophisticated extraction methods, including memory scraping, registry harvesting and compromising local and cloud-based password stores, to obtain credentials that give attackers the keys to the kingdom," said Picus Security co-founder and VP of Picus Labs, Dr. Suleyman Ozarslan. "It's vital that password managers are used in tandem with multi-factor authentication, and that employees never reuse a password, especially for their password manager."
Picus observed that attackers are prioritizing complex, prolonged, multi-stage attacks that require a new generation of malware to succeed. Picus Labs researchers coined the term "SneakThief" to represent the evolution of info-stealing malware, which involves increased stealth, persistence and automation. They liken the increasingly sophisticated approach to "the perfect heist," noting that most malware samples now contain more than a dozen malicious actions designed to help attackers evade defenses, increase permissions and exfiltrate data.
"Focusing on the top 10 MITRE ATT&CK techniques is the most viable way to stop the kill chain of sophisticated malware strains as early as possible," said Volkan Ertürk, CTO and co-founder of Picus. "SneakThief malware is not an exception; enterprise security teams can stop ninety percent of malware by focusing on just 10 of MITRE's entire library of techniques."
Additional key findings from the report include:
- Malware samples now contain an average of 14 malicious actions. This means each individual piece of malware is more complex and can perform more actions in the cyber kill chain.
- Exfiltration and stealth tactics made up 11.3 million actions in 2024. Adversaries are shifting to covert exfiltration methods - "whispering channels" like encrypted communications (HTTPS, DoH) - and living-off-the-land techniques to blend malicious activity into legitimate traffic. It is more common than ever to see tactics like process injection and application layer protocols used as key enablers, allowing attackers to persist in environments and exfiltrate data without triggering an alert.
- No evidence that cybercriminals are using AI-driven malware. Despite the widespread hype surrounding AI and its potential applications in cybersecurity, Picus's analysis revealed no significant increase in the use of AI-driven malware techniques in 2024.
Methodology
Picus Labs processed 1,094,744 pieces of malware collected between January and December 2024. From the identified malicious files, 14,010,853 malicious actions were detected, averaging approximately 14 actions per malware sample. These malicious actions were systematically mapped to the MITRE ATT&CK framework. The Picus Red Report offers a more in-depth description of the research methodology.
To learn more, download the Picus Red Report 2025 and register to explore the report results with the Picus Research team during a, at 1:00 p.m. EST.
Resources
- Download the Picus Red Report 2025 (https://www.picussecurity.com/resource/report/red-report-2025)
- Read the Picus Red Report Blog (https://www.picussecurity.com/resource/press-release/the-rise-of-perfect-heist-attacks)
About Picus Security
Picus Security, the leading security validation company, gives organizations a clear picture of their cyber risk based on business context. Picus transforms security practices by correlating, prioritizing and validating exposures across siloed findings so teams can focus on critical gaps and high-impact fixes. With Picus, security teams can quickly take action with one-click mitigations to stop more threats with less effort.
The pioneer of Breach and Attack Simulation, Picus delivers award-winning, threat-centric technology that allows teams to pinpoint fixes worth pursuing, offering a 95% recommendation in Gartner® Peer Insights Customers' Choice for 2024 in the BAS tools category.*
Contact Info:
Jennifer Tanner
Look Left Marketing
picus@lookleftmarketing.com
Photos accompanying this announcement are available at:
https://www.globenewswire.com/NewsRoom/AttachmentNg/73c8bf25-cd5e-41a8-8b6d-4561fe99df09
https://www.globenewswire.com/NewsRoom/AttachmentNg/009eaa50-d2e3-4bee-aadb-f2140af1864c