Threat actors favored stealthy persistence and evasion over other techniques, in order to silently exfiltrate data for extortion, according to Picus Security.
The security vendor analyzed over 1.1 million malicious files and more than 15.5 million actions in 2025 to compile its latest study: The Red Report 2026.
It revealed the increasingly sophisticated methods that threat actors are using to stay hidden from network defenders – by blending in with legitimate traffic and operating through trusted processes.
To that end, process injection (30%) was the top malicious technique for the third consecutive year. It enables attackers to hide malicious code inside legitimate, trusted applications.
Picus Security warned that threat actors are also routing command-and-control (C2) traffic through high-reputation services like OpenAI and AWS to stay hidden. In a quarter of attacks, they used passwords stolen from browsers to masquerade as legitimate users.
Picus Security co-founder Süleyman Özarslan likened this activity to that of a digital parasite.
“Attackers have realized it is more profitable to inhabit the host than to destroy it. They are embedding themselves inside environments, using trusted identities and even physical hardware to feed on access while staying operationally invisible,” he said.
“If your security relies on spotting a 'break-in,' you’ve already lost, because they are already logged in.”
These TTPs are helping to support an evolution in the digital extortion landscape, whereby groups are keener to silently exfiltrate data which they can hold to ransom, rather than set off any alarms by deploying encryption.
The use of “data encrypted for impact” dropped by 38% annually, according to the report.
Under the Radar
The report uncovered other examples of sophisticated evasion techniques used in attacks today, including LummaC2 infostealer malware that applies trigonometry to cursor movement to distinguish a real user moving the mouse from an automated security sandbox.
If the latter, the malware knows it is being observed and will not detonate, the report claimed.
Virtualization/sandbox evasion is now the fourth most prevalent MITRE ATT&CK technique observed, with malware designed to go dormant if it suspects it is being analyzed.
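The report describes the cursor-geometry check only at a high level. The Python below is an added example, not code from Picus Security or from the report, written from the sandbox operator's side: it scores a recorded trace of cursor positions for human-like changes of direction, which lets a sandbox team test whether their emulated mouse input would pass this kind of check before a sample is expected to detonate. The sample traces and the thresholds (at least three movement vectors, at least 5 degrees of turning somewhere in the trace) are constructed assumptions, not values taken from the report.

```python
import math
from typing import List, Tuple

Point = Tuple[float, float]

# Constructed sample traces (assumptions, not data from the report).
# A person's cursor path wanders and changes direction; a scripted
# SetCursorPos-style emulator often moves in a perfectly straight line,
# and an idle sandbox does not move the cursor at all.
HUMAN_TRACE: List[Point] = [(100, 100), (130, 112), (152, 140),
                            (165, 170), (160, 200), (140, 215)]
STRAIGHT_TRACE: List[Point] = [(100, 100), (120, 120), (140, 140),
                               (160, 160), (180, 180), (200, 200)]
IDLE_TRACE: List[Point] = [(100, 100)] * 6


def movement_vectors(points: List[Point]) -> List[Point]:
    """Displacement between consecutive samples, dropping zero-length moves."""
    vectors = []
    for (x0, y0), (x1, y1) in zip(points, points[1:]):
        dx, dy = x1 - x0, y1 - y0
        if dx or dy:
            vectors.append((dx, dy))
    return vectors


def turning_angles(points: List[Point]) -> List[float]:
    """Angle in degrees between each pair of consecutive movement vectors.

    atan2 gives each vector's heading; the absolute difference of headings,
    folded into [0, 180], is how sharply the cursor turned at that step.
    """
    vectors = movement_vectors(points)
    angles = []
    for (ax, ay), (bx, by) in zip(vectors, vectors[1:]):
        heading_a = math.atan2(ay, ax)
        heading_b = math.atan2(by, bx)
        diff = abs(math.degrees(heading_b - heading_a)) % 360
        angles.append(min(diff, 360 - diff))
    return angles


def trace_looks_human(points: List[Point],
                      min_moves: int = 3,
                      min_turn_deg: float = 5.0) -> bool:
    """Heuristic: enough real movement, and the path is not a straight line.

    Thresholds are assumed values for illustration. An idle cursor fails on
    the movement count; a ruler-straight scripted path fails on turning.
    """
    vectors = movement_vectors(points)
    if len(vectors) < min_moves:
        return False
    angles = turning_angles(points)
    return bool(angles) and max(angles) >= min_turn_deg


def report(name: str, points: List[Point]) -> str:
    verdict = "human-like" if trace_looks_human(points) else "looks automated"
    return f"{name}: {verdict} (max turn {max(turning_angles(points), default=0.0):.1f} deg)"


if __name__ == "__main__":
    for name, trace in [("human", HUMAN_TRACE),
                        ("straight", STRAIGHT_TRACE),
                        ("idle", IDLE_TRACE)]:
        print(report(name, trace))
```

A sandbox whose emulated input produces the "looks automated" verdict is the kind of environment in which a sample using this check would stay dormant; feeding the emulator's own recorded trace through `trace_looks_human` before analysis is a cheap regression test for that.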
Malware now carries out an average of 14 malicious actions and 12 ATT&CK techniques per sample, the report noted. This rise in sophistication increases the complexity of detection and defense, Picus Security claimed.