
Malware is increasingly going after browser-stored credentials, password managers

Malware now performs an average of 14 malicious actions.

Analysis of over a million unique malware samples throughout 2024 showed a sharp rise in malware that explicitly targets stored credentials.

Picus Security analysed 1,094,744 pieces of malware and mapped them to the MITRE ATT&CK framework for the fifth edition of its “Red Report”.

Its researchers found that the “T1555 Credentials from Password Stores” sub-technique appeared in 25% of malware samples – a threefold increase from 2023 that reflects the popularity of “infostealer” malware.

“A growing trend in credential theft targets password managers, browser-stored credentials, and cached login data to gain lateral movement and afford attackers elevated privileges to sensitive systems.

“Those stolen credentials are later used for lateral movement and privilege escalation, allowing attackers to broaden their reach within the environments they’ve compromised,” the 2025 Red Report said.

“Threat actors are [using] memory scraping, registry harvesting and compromising local and cloud-based password stores, to obtain credentials that give attackers the keys to the kingdom,” said Picus Security co-founder, Dr Suleyman Ozarslan. “Password managers [must be used] in tandem with multi-factor authentication, and employees [should] never reuse a password, especially for their password manager.”

Snowflake customers, Cisco staff hit by...

Attackers have also improved their command-and-control (C2) communications, using the likes of DNS over HTTPS (DoH) to exfiltrate data or talk to C2 servers.

“In this way, these ‘whispering channels’ allow attackers to mask malicious traffic within legitimate network traffic patterns that bypass traditional monitoring tools,” the Red Report highlights.
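Because DoH rides inside ordinary HTTPS, DNS-layer monitoring never sees those queries; the place to look is the web proxy. As an added illustration (not code from the Red Report or Picus Security), the snippet below runs over a constructed set of proxy log lines and flags clients talking to well-known public DoH resolvers, the standard `/dns-query` path, or the `application/dns-message` media type. The log format and the hypothetical `flag_doh` function are assumptions.

```python
import re
from collections import Counter

# Constructed sample of web-proxy log lines (not taken from the report):
# timestamp, client IP, method, host, path, response content-type.
SAMPLE_PROXY_LOG = """\
2025-02-10T09:14:02Z 10.0.4.17 GET www.example.com /index.html text/html
2025-02-10T09:14:05Z 10.0.4.17 POST cloudflare-dns.com /dns-query application/dns-message
2025-02-10T09:14:06Z 10.0.4.17 POST cloudflare-dns.com /dns-query application/dns-message
2025-02-10T09:14:09Z 10.0.4.22 GET dns.google /dns-query?dns=AAABAAAB application/dns-message
2025-02-10T09:15:30Z 10.0.4.31 GET static.example.net /logo.png image/png
"""

# Public DoH resolvers; a host without a sanctioned DoH policy has no reason to reach them.
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net", "doh.opendns.com"}
DOH_CONTENT_TYPE = "application/dns-message"  # media type defined by RFC 8484
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+) (\S+)$")


def flag_doh(log_text: str) -> dict:
    """Return {client_ip: number of DoH-looking requests} for the given log text.

    A request is flagged when it targets a known DoH resolver, uses the
    standard /dns-query path, or carries the DoH media type. These requests
    are invisible to port-53 DNS monitoring because they are HTTPS traffic."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        _ts, client, _method, host, path, ctype = m.groups()
        if (host in KNOWN_DOH_HOSTS
                or path.split("?", 1)[0] == "/dns-query"
                or ctype == DOH_CONTENT_TYPE):
            hits[client] += 1
    return dict(hits)


if __name__ == "__main__":
    for client, n in sorted(flag_doh(SAMPLE_PROXY_LOG).items()):
        print(f"{client}: {n} DoH request(s) - review against resolver policy")
```

Browsers with DoH switched on will trip the same rule, so the output is a triage list to compare against the organisation's sanctioned resolver policy, not a verdict on its own.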

Companies hit over the years as a result of employees storing enterprise credentials in a browser and then getting hacked include Cisco, in a “pre-ransomware” incident in 2022. More recently, swathes of Snowflake customers saw their data breached in a campaign again tied to “infostealer” malware, after an investigation by Mandiant.

Many of these attacks would have been thwarted, or at least slowed, by the use of MFA. Security awareness and hygiene, however, remain far from ubiquitous; recent reports suggested that British Prime Minister Keir Starmer, for example, did not have MFA set up on his private email.

Picus Security meanwhile said it had observed that attackers are prioritising “complex, prolonged, multi-stage attacks that require a new generation of malware to succeed” and noted that the malware it analysed now contains “an average of 14 malicious actions.

“This means each individual piece of malware is more complex and can perform more actions in the cyber kill chain,” its report said.
