From Ransomware to Residency: Inside the Rise of the Digital Parasite

Are ransomware and encryption still the defining signals of modern cyberattacks, or has the industry been too fixated on noise while missing a more dangerous shift happening quietly all around them?

According to Picus Labs’ new Red Report 2026, which analyzed over 1.1 million malicious files and mapped 15.5 million adversarial actions observed across 2025, attackers are no longer optimizing for disruption. Instead, their goal is now long-term, invisible access.

To be clear, ransomware isn’t going anywhere, and adversaries continue to innovate. But the data shows a clear strategic pivot away from loud, destructive attacks toward techniques designed to evade detection, persist inside environments, and quietly exploit identity and trusted infrastructure. Rather than breaking in and burning systems down, today’s attackers increasingly behave like Digital Parasites. They live inside the host, feed on credentials and services, and remain undetected for as long as possible.

Public attention often gravitates toward dramatic outages and visible impact. The data in this year’s Red Report tells a quieter story, one that reveals where defenders are actually losing visibility.

The Ransomware Signal Is Fading

For the past decade, ransomware encryption served as the clearest signal of cyber risk. When your systems locked up and your operations froze, compromise was undeniable.

That signal is now losing relevance. Year over year, Data Encrypted for Impact (T1486) dropped by 38%, declining from 21.00% in 2024 to 12.94% in 2025. This decline doesn’t show reduced attacker capability. It reflects a deliberate shift in strategy instead.

Rather than locking data to force payment, threat actors are shifting toward data extortion as their primary monetization model. By avoiding encryption, attackers keep systems operational while they:

  • Quietly exfiltrate sensitive data
  • Harvest credentials and tokens
  • Remain embedded in environments for extended periods
  • Apply pressure later through extortion rather than disruption

The implication is clear: impact is no longer defined by locked systems, but by how long attackers can maintain access within a host’s systems without being detected.

“The adversary’s business model has shifted from immediate disruption to long-lived access.” – Picus Red Report 2026

Credential Theft Becomes the Control Plane (A Quarter of Attacks)

As attackers shift toward prolonged, stealthy persistence, identity becomes the most reliable path to control.

The Red Report 2026 shows that Credentials from Password Stores (T1555) appear in nearly one out of every four attacks (23.49%), making credential theft one of the most prevalent behaviors observed over the last year.

Rather than relying on noisy credential dumping or complex exploit chains, attackers are increasingly extracting saved credentials directly from browsers, keychains, and password managers. Once they have valid credentials, privilege escalation and lateral movement are usually just a little native administrative tooling away.
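A defender's counterpart to the behaviour described above is to watch which processes touch saved-credential stores. The following is an added example, not code from the report or from Picus: a small detection routine run over constructed file-access events. It assumes two common store artifacts (the Chromium-family "Login Data" database and Firefox's "logins.json") and a fixed set of browser executables that legitimately own them; both are assumptions for illustration, and real telemetry would come from an EDR or Sysmon file-access event stream.

```python
"""Flag non-browser processes reading browser credential stores.

Added example: the marker paths and owning browsers below are assumed,
and the events are constructed rather than captured from a real host.
"""
from dataclasses import dataclass
from typing import Iterable, List

# (substring of the store path, executables expected to open it)
CREDENTIAL_STORE_MARKERS = (
    ("login data", {"chrome.exe", "msedge.exe", "brave.exe"}),   # assumed Chromium-family store
    ("logins.json", {"firefox.exe"}),                            # assumed Firefox store
)


@dataclass(frozen=True)
class FileAccessEvent:
    """One file-read event: which process read which path, and its parent."""
    process: str
    parent: str
    path: str


def is_credential_store_theft(event: FileAccessEvent) -> bool:
    """True when a process that is not the owning browser reads a credential store."""
    path = event.path.replace("\\", "/").lower()
    proc = event.process.lower()
    for marker, owners in CREDENTIAL_STORE_MARKERS:
        if marker in path and proc not in owners:
            return True
    return False


def flag_events(events: Iterable[FileAccessEvent]) -> List[FileAccessEvent]:
    """Return only the events that match the credential-store-theft heuristic."""
    return [ev for ev in events if is_credential_store_theft(ev)]


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    # Benign: the browser opening its own store.
    FileAccessEvent("chrome.exe", "explorer.exe",
                    r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    # Suspicious: a scripting host reading the same database.
    FileAccessEvent("powershell.exe", "winword.exe",
                    r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    # Suspicious: an unknown binary reading the Firefox store.
    FileAccessEvent("updater.exe", "cmd.exe",
                    r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\logins.json"),
    # Benign: Firefox reading its own store.
    FileAccessEvent("firefox.exe", "explorer.exe",
                    r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\logins.json"),
    # Benign: unrelated file.
    FileAccessEvent("notepad.exe", "explorer.exe", r"C:\Users\alice\Documents\notes.txt"),
]


if __name__ == "__main__":
    for ev in flag_events(SAMPLE_EVENTS):
        print(f"ALERT credential store read: {ev.process} (parent {ev.parent}) -> {ev.path}")
```

The heuristic is deliberately narrow: it keys on the store path and the reader's identity, which is exactly the signal a signature on the malware binary would miss. In production the owner set would be tuned per fleet, and the parent process (an Office application spawning PowerShell in the sample) adds a second behavioural signal worth correlating.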

More and more modern malware campaigns are behaving like digital parasites. There are no alarms, no crashes, and no obvious indicators. Just an eerie quiet.

This same logic now shapes attacker tradecraft more broadly.

80% of Top ATT&CK Techniques Now Favor Stealth

Despite the breadth of the MITRE ATT&CK® framework, real-world malware activity continues to concentrate around a small set of techniques that are increasingly prioritizing evasion and persistence.

The Red Report 2026 reveals a stark imbalance: Eight of the Top Ten MITRE ATT&CK techniques are now primarily dedicated to evasion, persistence, or stealthy command-and-control. This represents the highest concentration of stealth-focused tradecraft Picus Labs has ever recorded, signaling a fundamental shift in attacker success metrics.

Rather than prioritizing immediate impact, modern adversaries are optimizing for maximum dwell time. Techniques that enable attackers to hide, blend in, and remain operational for extended periods now outweigh those designed for disruption.

Here are some of the most commonly observed behaviors from this year’s report:

  • T1055 – Process Injection allows malware to run inside trusted system processes, making malicious activity difficult to distinguish from legitimate execution.
  • T1547 – Boot or Logon Autostart Execution ensures persistence by surviving reboots and user logins.
  • T1071 – Application Layer Protocols provide “whisper channels” for command-and-control, blending attacker traffic into normal web and cloud communications.
  • T1497 – Virtualization and Sandbox Evasion enables malware to detect analysis environments and refuse to execute when it suspects it is being observed.

The combined effect is powerful. Legitimate-looking processes use legitimate tools to quietly operate over widely trusted channels. Signature-based detection struggles in this environment, while behavioral analysis becomes increasingly important for identifying illicit activity deliberately designed to appear normal.

Where encryption once defined the attack, stealth now defines its success.

Self-Aware Malware Refuses to Be Analyzed

When stealth becomes the primary measure of success, evading detection alone is no longer enough. Attackers must also avoid triggering the tools defenders rely on to observe their malicious behavior in the first place. The Red Report 2026 shows this clearly in the rise of Virtualization and Sandbox Evasion (T1497), which moved into the top tier of attacker tradecraft in 2025.

Modern malware increasingly evaluates where it is before deciding whether to act. Instead of relying on simple artifact checks, some samples assess execution context and user interaction to determine if they’re actually operating in a real environment. 

In one example highlighted in the report, LummaC2 analyzed mouse movement patterns using geometry, calculating Euclidean distance and cursor angles to distinguish human interaction from the linear motion typical of automated sandbox environments. When conditions appeared artificial, it deliberately suppressed any execution and just sat there, quietly biding its time.
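For sandbox operators, the practical question raised by this example is whether their environment's emulated user input would pass a geometry check of the kind described. The block below is an added illustration, not LummaC2's code or anything from the report: it scores a cursor trajectory by total Euclidean distance travelled and by how much the direction of travel changes between steps, then compares three constructed paths (an idle cursor, a perfectly linear sweep, and a wandering path). The thresholds (50 px and a 5-degree mean turn) are assumed values chosen for the demonstration.

```python
"""Sandbox fidelity check: does emulated cursor movement look human?

Added example with constructed trajectories. Thresholds are assumed.
"""
import math
from typing import List, Tuple

Point = Tuple[float, float]


def path_metrics(points: List[Point]) -> Tuple[float, float]:
    """Return (total Euclidean distance, mean absolute turn angle in degrees)."""
    distances, headings = [], []
    for (x0, y0), (x1, y1) in zip(points, points[1:]):
        dx, dy = x1 - x0, y1 - y0
        distances.append(math.hypot(dx, dy))
        headings.append(math.atan2(dy, dx))
    turns = []
    for h0, h1 in zip(headings, headings[1:]):
        delta = abs(h1 - h0)
        turns.append(math.degrees(min(delta, 2 * math.pi - delta)))  # shortest angular change
    total = sum(distances)
    mean_turn = sum(turns) / len(turns) if turns else 0.0
    return total, mean_turn


def looks_synthetic(points: List[Point],
                    min_distance: float = 50.0,
                    min_mean_turn_deg: float = 5.0) -> bool:
    """True when the path is too short or too straight to resemble a human hand."""
    total, mean_turn = path_metrics(points)
    return total < min_distance or mean_turn < min_mean_turn_deg


# Constructed trajectories (not recorded from real systems).
IDLE_PATH: List[Point] = [(100.0, 100.0)] * 5                    # cursor never moves
LINEAR_PATH: List[Point] = [(i * 10.0, i * 5.0) for i in range(10)]  # scripted straight sweep
HUMAN_LIKE_PATH: List[Point] = [                                  # wandering, varying heading
    (i * 10.0, 100.0 + 15.0 * math.sin(0.9 * i)) for i in range(20)
]


if __name__ == "__main__":
    for name, path in (("idle", IDLE_PATH), ("linear", LINEAR_PATH), ("human-like", HUMAN_LIKE_PATH)):
        total, turn = path_metrics(path)
        print(f"{name:10s} distance={total:7.1f}px mean_turn={turn:5.1f}deg synthetic={looks_synthetic(path)}")
```

The lesson for an analysis environment is the inverse of the malware's: if your injected input is idle or perfectly linear, a sample applying even this crude test can stay dormant and the detonation produces nothing to detect, so emulated interaction needs varied headings and realistic travel, and detonation results should be read with that limitation in mind.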

This behavior reflects a deeper shift in attacker logic. Malware can no longer be relied on to reveal itself in sandbox environments. It withholds activity by design, remaining dormant until it reaches a real production system. 

In an ecosystem dominated by stealth and persistence, inaction itself has become a core evasion technique.

AI Hype vs. Reality: Evolution, Not Revolution

With attackers demonstrating increasingly adaptive behavior, it’s natural to ask where artificial intelligence fits into this picture.

The Red Report 2026 data suggests a measured answer. Despite widespread speculation, almost anticipation, about AI reshaping the malware landscape, Picus Labs observed no meaningful increase in AI-driven malware techniques across the 2025 dataset.

Instead, the most prevalent behaviors remain familiar. Longstanding techniques such as Process Injection and Command and Scripting Interpreter continue to dominate real-world intrusions, reinforcing that attackers do not require advanced AI to bypass modern defenses.

Some malware families have begun experimenting with large language model APIs, but so far their use has remained limited in scope. In observed cases, LLM services were primarily used to retrieve predefined commands or act as a convenient communication layer. These implementations improve efficiency, but they’re not fundamentally altering attacker decision-making or execution logic.

So far, the data shows that AI is being absorbed into existing tradecraft rather than redefining it. The mechanics of the Digital Parasite remain unchanged: credential theft, stealthy persistence, abuse of trusted processes, and longer and longer dwell times. 

Attackers are not winning by inventing radically new techniques. They’re winning by becoming quieter, more patient, and increasingly hard to distinguish from legitimate activity.

Back to Basics for a Different Threat Model

Having run these reports annually for some time now, we see a continuing trend with many of the same tactics appearing year after year. What has fundamentally changed is the objective.

Modern attacks prioritize:

  • remaining invisible
  • abusing trusted identities and tools
  • disabling defenses quietly
  • maintaining access over time

By doubling down on modern security fundamentals (behavior-based detection, credential hygiene, and continuous Adversarial Exposure Validation), organizations can focus less on dramatic attack scenarios and more on the threats that are actually succeeding today.

Ready to Validate Against the Digital Parasite?

While ransomware headlines still dominate the news cycle, the Red Report 2026 shows that, more and more, the real risk lies in silent, persistent compromise. Picus Security focuses on validating defenses against the specific techniques attackers are using right now, not just the ones making the most noise.

Ready to see the full data behind the Digital Parasite model? 

Download the Picus Red Report 2026 to explore this year’s findings and understand how modern adversaries are staying inside networks longer than ever before.

Note: This article was written by Sıla Özeren Hacıoğlu, Security Research Engineer at Picus Security.

Original Source: TheHackerNews
Author: info@thehackernews.com (The Hacker News)
