Attackers shift tactics to hide their activity


A new report from Picus Security analyzing over a million malicious files and 15.5 million actions in 2025 finds that adversaries have shifted 80 percent of their tradecraft toward stealth, evasion, and persistence.

Clever tactics include malware strains like LummaC2 which are now using trigonometry (calculating Euclidean distance of mouse angles) to distinguish between human users and automated security sandboxes. If the mouse moves too ‘perfectly,’ the malware knows it is being watched and refuses to detonate.

Virtualization/Sandbox Evasion has surged to become the fourth most prevalent technique. Modern malware actively checks for analysis environments and goes dormant to create a false sense of safety.

There’s also a shift from encryption to extortion: the use of ‘Data Encrypted for Impact’ (ransomware’s signature move) has dropped by 38 percent, as attackers no longer lock data immediately but instead silently exfiltrate it for extortion.

“What we’re observing is the rise of the digital parasite,” says Dr. Süleyman Özarslan, co-founder and VP of Picus Labs. “Attackers have realized it is more profitable to inhabit the host than to destroy it. They are embedding themselves inside environments, using trusted identities and even physical hardware to feed on access while staying operationally invisible. If your security relies on spotting a ‘break-in,’ you’ve already lost, because they are already logged in.”

Among other findings, for the third consecutive year Process Injection is the top technique, allowing attackers to hide malicious code inside legitimate, trusted applications. State-sponsored actors (specifically DPRK operatives) are now utilizing physical IP-KVM devices to bypass software agents entirely, controlling laptop farms at the hardware level.

Attackers are also routing Command-and-Control (C2) traffic through high-reputation services like OpenAI and AWS to blend in with normal business traffic. In addition, one in four attacks now involves stealing saved passwords from browsers, allowing adversaries to authenticate as valid users.
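When C2 traffic hides behind a trusted destination, reputation-based blocking is of little use, but the timing of the traffic often still gives it away: implants check in on a fixed schedule, while people and ordinary applications do not. The script below is an added example (not from the Picus report or any product) that flags source/destination pairs whose connection intervals are nearly constant. The proxy log format and the sample lines, including the hosts and IP addresses, are constructed for illustration.

```python
"""Beacon detection over proxy logs: flags hosts whose connections to one
destination recur at suspiciously regular intervals, regardless of how
reputable that destination is. Added example with a constructed log format."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines (not real traffic):
# "<ISO timestamp> <src_ip> <dest_host> <bytes_sent>"
# 10.0.0.5 checks in every ~60 s; 10.0.0.7 shows irregular, human-driven use.
SAMPLE_LOG = """\
2025-03-01T09:00:00 10.0.0.5 api.openai.com 512
2025-03-01T09:01:00 10.0.0.5 api.openai.com 518
2025-03-01T09:02:01 10.0.0.5 api.openai.com 509
2025-03-01T09:03:00 10.0.0.5 api.openai.com 514
2025-03-01T09:04:00 10.0.0.5 api.openai.com 511
2025-03-01T09:05:01 10.0.0.5 api.openai.com 516
2025-03-01T09:00:12 10.0.0.7 s3.amazonaws.com 40213
2025-03-01T09:07:45 10.0.0.7 s3.amazonaws.com 8
2025-03-01T09:23:02 10.0.0.7 s3.amazonaws.com 120884
2025-03-01T09:31:19 10.0.0.7 s3.amazonaws.com 75
2025-03-01T10:02:55 10.0.0.7 s3.amazonaws.com 9990
"""


def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _bytes_sent = line.split()
        sessions[(src, dst)].append(datetime.fromisoformat(ts))
    return sessions


def beacon_score(timestamps, min_events=5):
    """Return (mean_interval_s, coefficient_of_variation), or None when there
    are too few events to judge. A coefficient of variation near zero means
    the gaps between connections are almost identical, which is typical of a
    scheduled check-in and atypical of interactive use."""
    if len(timestamps) < min_events:
        return None
    ordered = sorted(timestamps)
    intervals = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    avg = mean(intervals)
    if avg == 0:
        return None
    return avg, pstdev(intervals) / avg


def find_beacons(text, max_cv=0.1, min_events=5):
    """Return [(src, dst, mean_interval_s)] for pairs whose interval
    regularity falls under max_cv; sorted for deterministic output."""
    findings = []
    for (src, dst), stamps in parse_log(text).items():
        score = beacon_score(stamps, min_events)
        if score and score[1] <= max_cv:
            findings.append((src, dst, round(score[0], 1)))
    return sorted(findings)


if __name__ == "__main__":
    for src, dst, interval in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every ~{interval}s")
```

The thresholds are deliberately simple: a real deployment would add jitter tolerance (many implants randomize their sleep by a percentage), look at payload-size consistency, and baseline each destination per host so that legitimate pollers such as update checkers are not flagged every day.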

You can get the Red Report 2026 from the Picus site.

Image credit: Olenasvetlychna/Dreamstime.com