A new report finds that attackers increasingly rely on compromised credentials, identity abuse, and trusted integrations rather than traditional malware-driven intrusion techniques.
The study from Ontinue draws on investigations conducted by its Advanced Threat Operations (ATO) team and telemetry from the Ontinue ION MXDR platform, it highlights how identity compromise has become the most common pathway into cloud environments.
“Attackers aren’t trying to break through defenses anymore, they’re logging in with stolen credentials,” says Balazs Greksza, director of Advanced Threat Operations at Ontinue. “Infostealers are feeding a growing underground market for corporate access. Once attackers obtain valid identities, they can bypass traditional security controls and move through environments as legitimate users, often without triggering the alarms organizations rely on.”
Identity-based attacks now dominate security investigations. Rather than exploiting software vulnerabilities, attackers increasingly rely on compromised credentials to gain direct access to cloud environments.
Infostealer malware plays a central role in this trend. Malware families such as LummaC2 harvest browser passwords, session cookies, and authentication tokens from infected systems. These stolen credentials are then packaged into ‘logs’ and sold through dark web marketplaces, allowing other threat actors to purchase ready-made access to corporate environments. Listings of stolen credentials linked to LummaC2 have increased by 72 percent on underground marketplaces.
The report also cites more than 7,000 ransomware incidents reported globally in 2025, with over 120 active ransomware groups operating across industries.
In addition there are signs that threat actors are beginning to use generative AI to accelerate the development of malicious tools. Analysis of several recovered webshells and commodity malware samples has revealed coding patterns consistent with LLM-assisted development.
Shane Barney, chief information security officer at Keeper Security, says, “As the Ontinue report notes, identity has become the attacker’s skeleton key. Instead of forcing their way through a firewall, adversaries are logging in with stolen credentials, hijacked tokens and abused permissions, then moving laterally under the cover of legitimacy. When identity controls are fragmented or overly permissive, attackers don’t need novel exploits. They just need access that looks routine. Identity now defines the enterprise perimeter. When every identity is governed with least privilege and continuously validated, a stolen credential becomes a contained event instead of an enterprise-wide incident.”
You can read more and get the full report on the Ontinue blog.
Image credit: Tsingha25/Dreamstime.com
