CyberSecurity SEE

The amount of malware targeting credential stores has tripled


According to Picus Security's Red Report 2025, infostealers have surged in popularity in the cybercrime underground: the MITRE ATT&CK technique Credentials from Password Stores (T1555) appeared in nearly a third of the malware samples analyzed. The report, which examined over one million malware samples and catalogued more than 14 million malicious actions and 11 million instances of ATT&CK techniques, describes how the threat landscape is shifting.

The report's most alarming finding is the sharp increase (a threefold rise, per the headline figure) in malware strains that specifically target credential stores. This reflects a growing market for compromised logins: attackers harvest secrets from password managers, browser-stored credentials, and cached login data rather than brute-forcing their way in. Stolen credentials are then used for initial access, lateral movement and privilege escalation, letting an intruder extend their reach inside a compromised environment while looking like a legitimate user.

Credentials stolen by infostealers played a central role in the Snowflake campaign, the large-scale attack last year in which intruders used infostealer-harvested logins to access customer accounts that lacked multi-factor authentication, exposing records on hundreds of millions of individuals. That campaign shows the real-world impact of these tools and the urgency of addressing the threat infostealers pose.

The report also highlights several other trends. Stealth and evasion techniques such as process injection (T1055) and abuse of built-in interpreters like PowerShell and Bash (Command and Scripting Interpreter, T1059, the living-off-the-land pattern) are increasingly used to avoid detection. In addition, attackers route exfiltration and command-and-control traffic over encrypted channels such as HTTPS and DNS over HTTPS (DoH), which blends into ordinary web traffic and defeats monitoring that relies on inspecting plaintext DNS or payloads.

Another notable trend is the acceleration of real-time data theft, with attackers relying on Input Capture (T1056) and System Information Discovery (T1082) to collect data quickly after infection. Infostealers implement this with keyloggers, screen-capture utilities and audio-capture components to obtain sensitive information.

Persistence remains a key focus for malware developers, with Boot or Logon Autostart Execution (T1547), for example Run-key and startup-folder entries, a popular way for malware to survve reboots and removal attempts. Defenders therefore need controls that cover not only the initial infection but also the mechanisms the malware leaves behind to come back.
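The three behaviours the report singles out above (reading browser credential stores, persisting through autostart registry keys, and beaconing to public DoH resolvers) are all visible in ordinary endpoint telemetry. The following is an added example written for this page, not code from Picus or from the report: a toy set of detection rules run over constructed, Sysmon/EDR-style JSON events. The field names (`kind`, `image`, `target`, `key`, `data`, `dest_host`, `dest_port`), the browser allowlist, the trusted-directory list and the DoH resolver list are all assumptions chosen for the demonstration; the telemetry is constructed, not captured from a real host.

```python
"""Toy endpoint-telemetry rules for three behaviours the Red Report calls out.

Added illustration; not from the report or this article. All field names,
allowlists and sample events below are assumptions constructed for the demo.
"""
import json
from collections import defaultdict

# Illustrative allowlists and indicators (assumptions, tune to your estate).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
CRED_STORE_FILES = ("login data", "local state", "logins.json", "key4.db", "cookies.sqlite")
AUTORUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Constructed sample telemetry (not real logs). "kind" is one of
# file_read, registry_set, network; other fields loosely mimic Sysmon/EDR records.
SAMPLE_EVENTS = [
    {"kind": "file_read", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"kind": "file_read", "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"kind": "file_read", "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"kind": "registry_set", "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "Updater",
     "data": r"C:\Users\alice\AppData\Roaming\svc\update.exe"},
    {"kind": "registry_set", "image": r"C:\Windows\System32\msiexec.exe",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "value": "Agent",
     "data": r"C:\Program Files\Vendor\agent.exe"},
    {"kind": "network", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "cloudflare-dns.com", "dest_port": 443},
    {"kind": "network", "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "dest_host": "dns.google", "dest_port": 443},
    {"kind": "network", "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "dest_host": "cdn.example.com", "dest_port": 443},
]
SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def image_name(path):
    """Lower-cased basename of a process image path (either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_cred_store(ev):
    """Non-browser process reading a browser credential/cookie store (T1555.003)."""
    if ev["kind"] != "file_read" or not ev["target"].lower().endswith(CRED_STORE_FILES):
        return None
    if image_name(ev["image"]) in BROWSER_IMAGES:
        return None  # the browser itself reading its own store is normal
    return "T1555.003", f"{image_name(ev['image'])} read {ev['target']}"


def rule_autorun(ev):
    """Run/RunOnce autostart entry pointing outside trusted install dirs (T1547.001)."""
    if ev["kind"] != "registry_set" or not any(k in ev["key"].lower() for k in AUTORUN_KEYS):
        return None
    if ev["data"].lower().strip('"').startswith(TRUSTED_DIRS):
        return None  # installers legitimately register autostarts under Program Files
    return "T1547.001", f"{image_name(ev['image'])} set {ev['key']}\\{ev['value']} -> {ev['data']}"


def rule_doh(ev):
    """Non-browser process talking TLS to a public DoH resolver (T1071, DNS over HTTPS)."""
    if ev["kind"] != "network" or ev["dest_port"] != 443:
        return None
    if ev.get("dest_host", "").lower() not in DOH_RESOLVERS:
        return None
    if image_name(ev["image"]) in BROWSER_IMAGES:
        return None  # browsers use DoH legitimately; an unknown binary doing so is suspect
    return "T1071", f"{image_name(ev['image'])} -> {ev['dest_host']}:443"


RULES = (rule_cred_store, rule_autorun, rule_doh)


def scan(events):
    """Run every rule over every event; return (technique, process, detail) tuples."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append((hit[0], image_name(ev["image"]), hit[1]))
    return alerts


def scan_ndjson(text):
    """Same, over newline-delimited JSON as exported by most log pipelines."""
    return scan(json.loads(line) for line in text.splitlines() if line.strip())


def techniques_by_process(alerts):
    """Group hits per process image. One binary tripping several distinct
    techniques (steal, persist, beacon) is the multi-stage pattern the report
    describes and a far stronger signal than any single rule firing."""
    grouped = defaultdict(set)
    for technique, image, _ in alerts:
        grouped[image].add(technique)
    return dict(grouped)


if __name__ == "__main__":
    hits = scan_ndjson(SAMPLE_NDJSON)
    for technique, image, detail in hits:
        print(f"[{technique}] {detail}")
    for image, techs in techniques_by_process(hits).items():
        print(f"{image}: {len(techs)} distinct techniques {sorted(techs)}")
```

Running it on the constructed events yields four alerts, all attributed to `update.exe`, and `techniques_by_process` shows that single binary covering credential theft, persistence and DoH beaconing. That per-process correlation is the practical point: each rule on its own is noisy (installers write Run keys, browsers read their own stores, browsers use DoH), but the combination in one unsigned binary under a user's Temp directory is exactly the infostealer chain the report describes. Note that reading a credential file is not captured by default Sysmon configuration (Sysmon logs file creation, not reads), so the `file_read` event assumes an EDR or audit policy that records file access.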

The report also underscores the growing sophistication of individual samples: the average sample now performs around 14 malicious actions and exercises 12 ATT&CK techniques. That density reflects a maturing cybercrime market and underpins the multi-stage, structurally complex attacks now being observed.

In response to these evolving threats, Suleyman Ozarslan, co-founder and VP of Picus Labs, emphasizes the importance of using password managers in conjunction with multi-factor authentication and avoiding password reuse. He notes that attackers are employing advanced extraction methods, such as memory scraping and compromising password stores, to obtain valuable credentials.

Overall, the report warns that threat actors are becoming more adept at tailoring their tactics to maximize damage while minimizing their exposure. This shift toward precision-centric campaigns means organizations need to strengthen their defenses, in particular around credential hygiene, persistence monitoring and encrypted-channel visibility, and stay vigilant as these techniques evolve.
