For the fourth consecutive year, Elastic Security Labs presents its 2025 Global Threat Report, distilling real-world user telemetry to offer critical insights into the evolving threat landscape. This year's report delves into how AI is redefining threats, highlights areas where adversaries are intensifying their efforts, and provides actionable strategies for enterprises to proactively counter these emerging risks.
Key highlights
-
Adversary priorities on Windows are changing. The tactic category of Execution now accounts for nearly double its previous share and surpasses Defense Evasion as the top tactic.
-
The cloud attack surface is highly concentrated. Over 60% of all cloud security events boil down to just three adversary goals: Initial Access, Persistence, and Credential Access.
-
Adversaries are weaponizing AI to lower the barrier to entry for cybercrime. We saw an increase in Generic threats, a trend likely influenced by adversaries using large language models (LLMs) to quickly generate simple but effective malicious loaders and tools.
-
The theft of browser credentials has industrialized. Our analysis of over 150,000 malware samples revealed that more than one in eight are designed to steal browser data. This isn't for isolated use; these credentials are the raw material fueling the access broker economy, providing a steady supply of keys for other attackers to compromise corporate cloud accounts.
What we learned from the report
The security landscape is undergoing a rapid transformation. Adversaries’ AI-driven threat innovation is evolving at an accelerated pace via streamlined information synthesis and automated workflows. This is resulting in more diverse adversary capabilities and new, indirect avenues of access. AI’s role on both sides of the cyber battle is anticipated to shift significantly as these technologies become more widespread.
This report uncovers real-world threat activities, revealing a fundamental shift in how adversaries achieve success today. It also includes a new section describing our visibility from non-telemetry sources, highlighting which malware families and threat behaviors were seen externally.
Access brokers are increasingly using information stealers to maintain a distance from collective defense efforts, significantly escalating the risks of credential exposure through cloud storage and other services. Trojanized software, which represented about 61% of all malware samples observed, was a major contributor; the ClickFix methodology is one of the most common techniques used to deliver trojans and infostealers. More than 24% of malware samples on Windows represented named infostealer code families.
Defense Evasion techniques have held the top spot for several years. This is attributed to improvements in detection and response capabilities that drive adversaries toward edge devices with a powerful capacity for exploit development. Execution rose to more than 32% of techniques followed by defense evasion at 23% and initial access around 19%. Together, these larger patterns reveal that attackers are investing in gaining a cheap foothold with minimum exposure and quickly running other malicious code. Scripts and browser-based techniques as well as SaaS compromise attempts show us another aspect of these threat trends and highlight areas where many enterprises could improve their defenses.
Threat profiles for BANSHEE, EDDIESTEALER, and ARECHCLIENT2 demonstrate how some of the most popular novel discoveries from the Elastic Security Labs team used infostealers. REF7707, a threat campaign involving the FINALDRAFT, PATHLOADER, and GUIDLOADER malware families, provides details about how an espionage-motivated threat evaded defenses using Microsoft’s GraphAPI for C2. Without the visibility shared by our customers, these threats may have made a much bigger impact before being revealed.
Navigate the AI-era threat landscape with Elastic
Elastic Security Labs is dedicated to providing crucial, timely security research to the intelligence community. This report reveals a shift in the threat landscape — one in which AI is continuing to surface as a tool for both adversaries and defenders. With Elastic as your partner, this 2025 Elastic Global Threat Report empowers you to make informed decisions on how best to address these evolving threats.
La publication et la date de publication de toute fonctionnalité ou fonction décrite dans le présent article restent à la seule discrétion d'Elastic. Toute fonctionnalité ou fonction qui n'est actuellement pas disponible peut ne pas être livrée à temps ou ne pas être livrée du tout.
Dans cet article de blog, nous pouvons avoir utilisé ou fait référence à des outils d'IA générative de tiers, qui sont détenus et exploités par leurs propriétaires respectifs. Elastic n'a aucun contrôle sur les outils de tiers et nous ne sommes pas responsables de leur contenu, de leur fonctionnement ou de leur utilisation, ni de toute perte ou de tout dommage pouvant résulter de votre utilisation de ces outils. Soyez prudent lorsque vous utilisez des outils d'IA avec des informations personnelles, sensibles ou confidentielles. Les données que vous soumettez peuvent être utilisées pour la formation à l'IA ou à d'autres fins. Il n'y a aucune garantie que les informations que vous fournissez resteront sécurisées ou confidentielles. Vous devez vous familiariser avec les pratiques en matière de protection de la vie privée et les conditions d'utilisation de tout outil d'IA générative avant de l'utiliser.
Elastic, Elasticsearch, and associated marks are trademarks, logos or registered trademarks of Elasticsearch N.V. in the United States and other countries. All other company and product names are trademarks, logos or registered trademarks of their respective owners.