The cybersecurity landscape is undergoing a fundamental transformation. According to Picus Labs' comprehensive Red Report 2026, which analyzed over 1.1 million malicious files and mapped 15.5 million adversarial actions throughout 2025, attackers are no longer optimizing for disruption—they're optimizing for invisibility.
The Ransomware Signal Is Fading
For the past decade, ransomware encryption served as the clearest indicator of a cyberattack. When systems locked up and operations froze, the compromise was undeniable. That signal is now losing relevance.
Year-over-year data shows a sharp decline in Data Encrypted for Impact (T1486): the technique appeared in 21.00% of observed samples in 2024 and in 12.94% in 2025, a 38% relative drop. This decline does not reflect reduced attacker capability; it represents a deliberate strategic shift.
Rather than locking data to force immediate payment, threat actors are pivoting toward data extortion as their primary monetization model. By avoiding encryption, attackers keep systems operational while they:
- Quietly exfiltrate sensitive data
- Harvest credentials and authentication tokens
- Remain embedded in environments for extended periods
- Apply pressure later through extortion rather than disruption
The implication is profound: cyber impact is no longer defined by locked systems, but by how long attackers can maintain undetected access within an organization's infrastructure.
Credential Theft: The New Control Plane
As attackers shift toward prolonged, stealthy persistence, identity has become the most reliable path to system control. The Red Report 2026 reveals that credential theft from password stores now appears in nearly one out of every four attacks (23.49%), making it one of the most prevalent attack behaviors observed.
Modern attackers are increasingly extracting saved credentials directly from browsers, keychains, and password managers. Once they possess valid credentials, privilege escalation and lateral movement become trivial—often requiring nothing more than native administrative tooling.
This approach creates what security researchers are now calling "digital parasite" behavior: no alarms, no crashes, no obvious indicators. Just an eerie quiet as attackers maintain persistent, invisible access to critical systems.
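The credential-store access described above is one of the few points in this chain that leaves a concrete, checkable trace: a process that is not the browser opening the browser's saved-login database. The script below is an added example for this article, not code from the Red Report or The Hacker News. It runs a simple allowlist check over constructed, Sysmon-like file-access events (the field names Computer, Image, ProcessId and TargetFilename are assumptions) and reports every non-browser process that touched a known credential store.

```python
"""Flag non-browser processes that open browser credential stores.

Added example for this article; it is not code from the Red Report or
The Hacker News. Event shape is Sysmon-like JSON with assumed field
names (Computer, Image, ProcessId, TargetFilename).
"""
import json
import ntpath

# Credential-store file names and the browser images that legitimately open
# them. Illustrative allowlist: Chromium-family browsers keep saved logins in
# "Login Data"; Firefox keeps them in logins.json with the key in key4.db.
STORE_OWNERS = {
    "login data": {"chrome.exe", "msedge.exe", "brave.exe"},
    "logins.json": {"firefox.exe"},
    "key4.db": {"firefox.exe"},
}


def store_for(path):
    """Return the store key if `path` ends in a known credential-store file."""
    name = ntpath.basename(path).lower()
    return name if name in STORE_OWNERS else None


def classify(event):
    """Return a finding for a suspicious access, or None if benign/irrelevant."""
    store = store_for(event.get("TargetFilename", ""))
    if store is None:
        return None
    image = ntpath.basename(event.get("Image", "")).lower()
    if image in STORE_OWNERS[store]:
        return None  # the browser touching its own store
    return {
        "host": event.get("Computer"),
        "process": image,
        "pid": event.get("ProcessId"),
        "store": store,
        "path": event["TargetFilename"],
    }


def detect(lines):
    """Run classify() over newline-delimited JSON events; return the findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if line:
            finding = classify(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed sample events (made up for this example, not real telemetry).
SAMPLE_EVENTS = r"""
{"Computer":"WS01","Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","ProcessId":4120,"TargetFilename":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"Computer":"WS01","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ProcessId":5208,"TargetFilename":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"Computer":"WS01","Image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","ProcessId":6011,"TargetFilename":"C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\k3x9q.default-release\\logins.json"}
{"Computer":"WS01","Image":"C:\\Windows\\System32\\rundll32.exe","ProcessId":6344,"TargetFilename":"C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\k3x9q.default-release\\key4.db"}
{"Computer":"WS01","Image":"C:\\Windows\\explorer.exe","ProcessId":1180,"TargetFilename":"C:\\Users\\alice\\Documents\\budget.xlsx"}
"""

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS.splitlines()):
        print(f"[{f['host']}] {f['process']} (pid {f['pid']}) opened {f['store']}: {f['path']}")
```

On the constructed events this flags the PowerShell and rundll32 accesses and ignores the browsers reading their own stores. A basename allowlist is the weakest form of this check: a renamed binary passes it, so a production rule should key the allowlist on the image's code-signing publisher and tune for legitimate backup or sync software that also touches these files.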
80% of Top Attack Techniques Now Favor Stealth
Despite the breadth of the MITRE ATT&CK framework, real-world malware activity continues to concentrate around a small set of techniques that increasingly prioritize evasion and persistence.
The Red Report 2026 reveals a stark imbalance: eight of the top ten MITRE ATT&CK techniques are now primarily dedicated to evasion, persistence, or stealthy command-and-control. This represents the highest concentration of stealth-focused tradecraft ever recorded, signaling a fundamental shift in how attackers measure success.
The most commonly observed stealth behaviors include:
Process Injection (T1055)
Allows malware to run inside trusted system processes, making malicious activity nearly impossible to distinguish from legitimate execution.
Boot or Logon Autostart Execution (T1547)
Ensures persistence by surviving system reboots and user logins, maintaining long-term access even after system maintenance.
Application Layer Protocol (T1071)
Provides "whisper channels" for command-and-control communications, blending attacker traffic into normal web and cloud communications.
Virtualization/Sandbox Evasion (T1497)
Enables malware to detect analysis environments and refuse to execute when it suspects it is being observed, blindsiding security tools.
The combined effect is powerful: legitimate-looking processes use legitimate tools to operate quietly over widely trusted channels. Signature-based detection struggles in this environment, making behavioral analysis increasingly critical for identifying deliberately normal-looking malicious activity.
Self-Aware Malware Refuses Analysis
When stealth becomes the primary measure of success, evading detection alone isn't enough—attackers must also avoid the tools defenders use to observe malicious behavior in the first place.
Modern malware increasingly evaluates its execution environment before deciding whether to act. In one sophisticated example highlighted in the report, the LummaC2 infostealer analyzed mouse movement patterns using geometric calculations—measuring Euclidean distance and cursor angles to distinguish human interaction from the linear motion typical of automated sandbox environments. When conditions appeared artificial, it simply remained dormant.
This behavior reflects a deeper shift in attacker logic. Malware can no longer be relied upon to reveal itself in controlled analysis environments. It withholds activity by design, remaining dormant until it reaches a real production system where it can operate undetected.
In an ecosystem dominated by stealth and persistence, inaction itself has become a core evasion technique.
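The mouse-movement check described above is worth seeing in numbers, because it is exactly the kind of test a sandbox operator needs to pass to get such samples to detonate. The script below is an added example for this article, reconstructed from the description (Euclidean distance between cursor samples plus the turn angle between successive movement vectors); it is not LummaC2's own code, which the report does not reproduce, and the thresholds, sample traces and (x, y) input format are assumptions.

```python
"""Cursor-motion heuristic of the kind the article attributes to LummaC2.

Added example for this article; a reconstruction from the description
(Euclidean step distance plus turn angle between successive cursor vectors),
not the malware's own code. Thresholds, sample paths and the (x, y) sample
format are assumptions. Intended use: checking whether a sandbox's simulated
input would read as "human" to such a check.
"""
import math


def step_vectors(points):
    """Displacement (dx, dy) between consecutive cursor samples."""
    return [(x2 - x1, y2 - y1) for (x1, y1), (x2, y2) in zip(points, points[1:])]


def euclidean(v):
    """Length of a displacement vector."""
    return math.hypot(v[0], v[1])


def turn_angle_deg(v1, v2):
    """Unsigned angle between two consecutive movement vectors, in degrees."""
    n1, n2 = euclidean(v1), euclidean(v2)
    if n1 == 0.0 or n2 == 0.0:
        return 0.0
    cos = (v1[0] * v2[0] + v1[1] * v2[1]) / (n1 * n2)
    return math.degrees(math.acos(max(-1.0, min(1.0, cos))))


def motion_profile(points):
    """Summarise a cursor trace: distance covered and mean change of direction."""
    vecs = [v for v in step_vectors(points) if euclidean(v) > 0.0]
    turns = [turn_angle_deg(a, b) for a, b in zip(vecs, vecs[1:])]
    return {
        "samples": len(points),
        "total_distance_px": sum(euclidean(v) for v in vecs),
        "mean_turn_deg": sum(turns) / len(turns) if turns else 0.0,
    }


def verdict(points, min_distance_px=50.0, min_mean_turn_deg=5.0):
    """Decide whether a trace looks automated. Thresholds are illustrative."""
    p = motion_profile(points)
    if p["total_distance_px"] < min_distance_px:
        return {"automated": True, "reason": "cursor idle", **p}
    if p["mean_turn_deg"] < min_mean_turn_deg:
        return {"automated": True, "reason": "straight-line motion", **p}
    return {"automated": False, "reason": "curved, variable motion", **p}


# Constructed traces (not recorded data).
IDLE = [(500, 400)] * 10                                   # sandbox with no input at all
LINEAR = [(i * 40, 300) for i in range(10)]                # scripted straight sweep
SEGMENTED = [(i * 40, 0) for i in range(16)] + [(600, i * 30) for i in range(1, 16)]  # two straight legs
HUMAN = [(100 + i * 30, 300 + 40 * math.sin(0.5 * i)) for i in range(12)]  # smooth arc

if __name__ == "__main__":
    for name, trace in [("idle", IDLE), ("linear", LINEAR), ("segmented", SEGMENTED), ("human-like", HUMAN)]:
        v = verdict(trace)
        print(f"{name:11s} automated={v['automated']!s:5s} mean_turn={v['mean_turn_deg']:.1f} reason={v['reason']}")
```

The idle and straight-line traces are classified as automated, and so is the two-leg path, because one right-angle corner spread over thirty samples barely moves the mean turn angle; only the arc, whose direction changes every step, reads as human. The practical lesson for analysis environments is that point-to-point cursor scripting is not enough; simulated input needs continuous, slightly irregular curvature to pass this class of check.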
AI Hype Versus Reality: Evolution, Not Revolution
Despite widespread speculation about artificial intelligence reshaping the malware landscape, the Red Report 2026 data suggests a more measured reality. Picus Labs observed no meaningful increase in AI-driven malware techniques across the 2025 dataset.
The most prevalent attack behaviors remain familiar. Longstanding techniques such as Process Injection and Command and Scripting Interpreter continue to dominate real-world intrusions, reinforcing that attackers don't require advanced AI to bypass modern defenses.
Some malware families have begun experimenting with large language model APIs, but their use remains limited in scope. In observed cases, LLM services were primarily used to retrieve predefined commands or act as convenient communication layers. These implementations improve efficiency but aren't fundamentally altering attacker decision-making or execution logic.
The data shows that AI is being absorbed into existing tradecraft rather than redefining it. The mechanics of the digital parasite remain unchanged: credential theft, stealthy persistence, abuse of trusted processes, and progressively longer dwell times.
Defending Against the Digital Parasite
The fundamental shift from disruptive to stealthy attacks requires a corresponding evolution in defensive strategies. Modern attacks prioritize:
- Remaining invisible through legitimate-looking processes and tools
- Abusing trusted identities rather than exploiting technical vulnerabilities
- Disabling defenses quietly to avoid triggering security alerts
- Maintaining access over time rather than achieving immediate impact
Organizations must shift focus from dramatic attack scenarios to the threats that are actually succeeding today. This requires:
Enhanced Behavioral Detection
Signature-based tools struggle against attacks designed to appear normal. Behavioral analysis and anomaly detection become essential for identifying subtle deviations from legitimate activity patterns.
Rigorous Credential Hygiene
With credential theft appearing in nearly one in four attacks, robust credential management, multi-factor authentication, and privileged access management are critical.
Continuous Adversarial Exposure Validation
Regular testing against the specific techniques attackers are actively using, not just theoretical threats, helps organizations identify defensive gaps before adversaries exploit them.
Extended Detection and Response
Longer dwell times mean attackers have more opportunity to achieve their objectives. Extended detection and response capabilities that maintain visibility over time become increasingly valuable.
TL;DR
- Ransomware encryption declined 38% as attackers shift to silent data exfiltration and extortion
- Credential theft from password stores now appears in nearly one in four attacks (23.49%), making identity the primary attack vector
- 80% of top attack techniques focus on stealth, with attackers optimizing for invisibility over immediate impact
- Modern malware actively evades analysis by detecting sandbox environments and remaining dormant until reaching production systems
- AI hasn't revolutionized attacks yet—traditional techniques remain dominant, with AI being absorbed into existing tradecraft rather than replacing it
Sources
The Hacker News: From Ransomware to Residency: Inside the Rise of the Digital Parasite