The IT Nerd

Red Canary today unveiled its seventh annual Threat Detection Report, examining the trends, cyber threats, and adversary techniques that organizations should prioritize in the coming months and years. The report tracks the MITRE ATT&CK® techniques that adversaries abuse most frequently, and this year noted four times as many identity attacks compared to the 2024 edition. After debuting in the top 10 in 2024, cloud-native and identity-enabled techniques surged in this year’s report, with Cloud Accounts, Email Forwarding Rule, and Email Hiding Rules ranking among the top five.

Research highlights major shifts in the threat landscape

The data that powers Red Canary and this report are not mere software signals—this data set is the result of hundreds of thousands of investigations across millions of protected systems and identities. Each of the threats Red Canary detected in 2024 were not prevented by the customers’ expansive security controls. They are the result of a breadth and depth that Red Canary leverages to detect the threats that would otherwise go undetected.

Red Canary’s 2025 report provides in-depth analysis of nearly 93,000 threats detected within more than 308 petabytes of security telemetry from customers’ endpoints, networks, cloud infrastructure, identities, and SaaS applications over the past year. The total number of threats detected increased by more than a third compared to 2024’s report as a result of not only more customers, but also Red Canary’s expanded visibility into cloud and identity infrastructure. 

The analysis shows that while the threat landscape continues to shift and evolve, adversaries’ motivations do not. The tools and techniques they deploy remain consistent, with some notable exceptions. Key findings include:

• Click, paste, compromised – One of the most successful new initial access techniques observed this year was paste and run, also known as “ClickFix” and “fakeCAPTCHA.” In this attack, adversaries socially engineer users into executing malicious scripts under the pretense that doing so will fix something, like providing access to a video or document.
• VPN abuse is rampant and difficult to detect – Adversaries constantly use virtual private networks (VPNs) to conceal their location and bypass network controls, but employees also rely on them for legitimate activity. Strikingly, organizations in the educational services sector accounted for 63 percent of all VPN use – a disproportionately high share given their smaller presence among Red Canary’s data. This highlights that environments from organizations in this sector are a potential hotspot for VPN-related security risks.

• RMM exploitation is on the rise – The use of remote monitoring and management (RMM) tools for command and control and lateral movement is growing, enabling adversaries to drop malicious payloads including ransomware. This year, Red Canary saw malicious use of NetSupport Manager break its yearly top 10, highlighting the popularity of RMM tools amongst adversaries.
• The not-so-helpful IT desk – Phishing remains prevalent in many forms. Email, QR code (aka “quishing”), SMS, and voice phishing attacks all increased in 2024. Often adversaries posed as IT personnel, asking victims to download malicious or remote control software. In 2024, Black Basta paired email bombing with social engineering, posing as IT personnel “helping” with the issue to gain access and install RMM tools.

The rise of LLMJacking to attack cloud infrastructure

While cloud attacks rose overall in 2024, the techniques adversaries abused have largely remained the same as in past years. However, adversaries have shifted more of their efforts to attacking and compromising cloud infrastructure and platforms:

• Red Canary observed adversaries attempting to impair defenses inside cloud environments by disabling or modifying firewall rules and logging. Gaining access through compromised cloud accounts or valid credentials, adversaries elevate their privileges by granting the identity additional roles. 
• With the rise of LLM usage, cloud services such as AWS Bedrock, Azure OpenAI, and GCP Vertex AI have become prime targets for adversaries in an attack known as “LLMJacking.” Adversaries have reportedly sold access to these hijacked models as part of their own SaaS “business” and passed all LLM usage costs to the victim.

Info-stealing malware is the ultimate identity threat

In 2024, stealer malware infections were on the rise across Windows and macOS platforms. Adversaries use stealers to gather identity information and other data at scale. In 2024 there were some interesting variations in the use of infostealers, including:

• LummaC2 was the most prevalent stealer detected in 2024, operating under a malware-as-a-service (MaaS), and selling for anywhere from $250 per month to a one-time payment of $20,000. Its growing popularity and expanded scope make it a major threat, exposing user credentials and enabling adversaries to gain initial access to organizations using legitimate accounts.
• Adversaries commonly use LummaC2 to deliver NetSupport Manager, Red Canary’s seventh most detected threat detected in 2024 – giving them a gateway to deploy other malicious payloads as a follow-up to their initial attack.

Mac malware ran rampant

In 2024, macOS experienced the same phenomenon that Windows did: an exponential increase in stealer malware.

• Red Canary detected 400 percent more macOS threats in 2024 than in 2023, including an exponential increase in malware driven by Atomic, Poseidon, Banshee, and Cuckoo stealers. Atomic Stealer was the most prevalent, appearing on Red Canary’s monthly top 10 threat rankings five times.
• In September 2024, detections dropped off sharply after Apple remediated a popular Gatekeeper bypass technique abused by numerous malware families. 95 percent of stealer infections happened before September and just five percent occurred after, highlighting the dramatic and immediate impact that patching can have.

Recommended actions:

• Limit unsanctioned VPN usage. Tighter policies around acceptable use of VPNs will mean that abuse is rare and becomes a potential signal of suspicious logins and other malicious activity when they are present.
• Manage your centralized identity management solution. A central identity solution isn’t an excuse to kick back. Centralized identity solutions make organizations more secure, but they’re also a priority target for adversaries. Organizations should pay special attention to the evolving threat landscape and be careful to manage their identity infrastructure as safely and securely as possible.
• Mitigate risk by making patching a top priority. It remains one of the best ways to protect yourself from risk. Unpatched vulnerabilities are one of the most common entry points for adversaries, making timely updates critical to reducing exposure.
• Balance accessibility to cloud systems with protection. Verify that permissions and configurations are correctly set, and stay informed on how your organization uses cloud infrastructure. Distinguishing between legitimate and suspicious activity requires a deep understanding of what’s normal in your environment.
• Assess and test your defenses. Look at the top threats and techniques and ask: ‘am I confident in my ability to defend each of these?’ Red Canary’s open source test library Atomic Red Team is free and easy to adopt. 

Learn more

• Read the full interactive report or the condensed executive summary
• Register and join the Inside the 2025 Threat Detection Report webinar on March 26 at 2:00pm ET 

About the Threat Detection Report

The full report is intended as a reference library for security practitioners to improve their ability to prevent, mitigate, detect, and emulate cyber threats. It offers detailed guidance on data sources that log relevant evidence of adversary behaviors, tools that collect from those data sources, insight into how security teams can use this visibility to develop detection coverage, and much more deeply actionable information.

The Threat Detection Report sets itself apart from other annual reports by offering unique data and insights, accompanied by recommended actions derived from a combination of expansive visibility and expert, human-led investigation and confirmation of threats.

Each of the nearly 93,000 threats Red Canary detected in 2024 were not prevented by the customers’ expansive security controls. They are the result of a breadth and depth that Red Canary leverages to detect the threats that would otherwise go undetected.