Is AI really reshaping the landscape of network threats? Or is the endless hype concealing more realistic threats in reality? According to the analysis of over 1 million malware samples by Picus Labs in the 2025 Red Report, AI-driven attacks have not shown significant growth so far. Although attackers are indeed innovating, the role of AI will become increasingly important, but the latest data shows that a series of known strategies, techniques, and procedures (TTPs) are still the dominant force in network attacks.
While media headlines are filled with hype about AI, real data paints a more complex picture, revealing which malware threats are most active and the reasons behind them. Here are some key findings and trends about the most common attack activities this year, as well as the measures that security teams need to take.
Why has the AI hype fallen flat? At least for now
Although the media hyped AI as a new universal weapon for cybercrime, the statistics tell a completely different story... Picus Labs found through careful analysis of the data that attack strategies based on AI did not show significant growth in 2024.
Admittedly, attackers are beginning to use AI to improve efficiency, such as creating more deceptive phishing emails, or writing and debugging malicious code. However, in the vast majority of attacks, the transformative potential of AI has not been fully utilized.
The data from the 2025 Red Report indicates that most attacks can still be mitigated by focusing on validated TTPs (tactics, techniques, and procedures). This clearly shows that although AI has渗透 into the field of network attacks, it is far from the disruptive change in the network threat landscape as portrayed by the media.
“Security teams should prioritize identifying and plugging key vulnerabilities in their defenses rather than overfocusing on the potential impact of AI.”——《2025 Red Report》
The theft of credentials has increased threefold (8% → 25%)
Now, the targets of attackers are becoming more explicit, focusing on password storage, credentials saved by browsers, and cached login information. Once they successfully steal these key information, they can use the obtained keys to elevate privileges and then move laterally in the network at will, expanding the scope of the attack.
The data shows that there has been a threefold increase in such attack behaviors, which intuitively reflects that strengthening credential management and proactive threat detection is urgent and has become an urgent task to ensure network security.
Modern information theft malware has 'evolved' into an extremely covert and efficient attack mode, implementing multi-stage attacks by perfectly combining stealthiness, automation, and persistence. It can cunningly use legitimate processes to cover up malicious operations, making security monitoring difficult to detect; at the same time, it uses daily network traffic as cover to sneakily upload data obtained illegally, as if wearing a 'cloak of invisibility'.
The entire attack process is carried out silently under the eyes of the security team, without the need for the grandiose 'raiding' seen in Hollywood movies, yet it can achieve the goal of data theft. This is like a meticulously planned burglary, where the criminal is no longer in a hurry to drive away after a successful heist, but patiently hides, waiting for the target to make another mistake or expose a new vulnerability, so as to launch the next round of attacks.
93% of malware uses at least one of the top ten MITRE ATT&CK technologies
Although the MITRE ATT&CK® framework is comprehensive and detailed, most attackers still rely on a set of core TTPs. Among the top ten ATT&CK technologies listed in the 'Red Report', the following exfiltration and covert techniques are most commonly used:
- T1055 (Process Injection): Allows attackers to inject malicious code into trusted system processes, increasing the difficulty of detection.
- T1059 (Command and Script Interpreter): Allows attackers to run malicious commands or scripts on target machines.
- T1071 (Application Layer Protocols): Providing attackers with a covert channel for command and control and data exfiltration through common protocols (such as HTTPS or DNS-over-HTTPS).
The combination of these technologies allows seemingly legitimate processes to collect data through legitimate tools and transmit it through widely used network channels. Relying solely on signature-based detection methods is difficult to discover such attacks, but through behavioral analysis, especially when monitoring and correlating multiple technologies, it is easier to detect anomalies. Security teams need to focus on malicious activities that are almost identical to normal network traffic.
Return to the basics and strengthen defense
In the current cybersecurity field, the threat situation presents an extremely complex appearance. Attack methods at multiple stages are often meticulously connected, with the purpose of achieving network penetration, long-term concealment, and data theft. When an attack step is detected, the attacker is likely to have silently entered the next stage.
Although the threat environment is constantly changing, the glimmer of hope revealed by the '2025 Red Report' is quite simple: the vast majority of malicious activities are actually centered around a small number of attack techniques.
By strengthening modern cybersecurity foundations, such as strict credential protection, advanced threat detection, and continuous security verification, enterprises can temporarily ignore the AI hype wave and focus their efforts on dealing with the actual threats they face.
Reference Source:
Debunking the AI Hype: Inside Real Hacker Tactics
