For the fourth consecutive year, Elastic Security Labs presents its 2025 Global Threat Report, distilling real-world user telemetry to offer critical insights into the evolving threat landscape. This year's report delves into how AI is redefining threats, highlights areas where adversaries are intensifying their efforts, and provides actionable strategies for enterprises to proactively counter these emerging risks.
Key highlights
-
Adversary priorities on Windows are changing. The tactic category of Execution now accounts for nearly double its previous share and surpasses Defense Evasion as the top tactic.
-
The cloud attack surface is highly concentrated. Over 60% of all cloud security events boil down to just three adversary goals: Initial Access, Persistence, and Credential Access.
-
Adversaries are weaponizing AI to lower the barrier to entry for cybercrime. We saw an increase in Generic threats, a trend likely influenced by adversaries using large language models (LLMs) to quickly generate simple but effective malicious loaders and tools.
-
The theft of browser credentials has industrialized. Our analysis of over 150,000 malware samples revealed that more than one in eight are designed to steal browser data. This isn't for isolated use; these credentials are the raw material fueling the access broker economy, providing a steady supply of keys for other attackers to compromise corporate cloud accounts.
What we learned from the report
The security landscape is undergoing a rapid transformation. Adversaries’ AI-driven threat innovation is evolving at an accelerated pace via streamlined information synthesis and automated workflows. This is resulting in more diverse adversary capabilities and new, indirect avenues of access. AI’s role on both sides of the cyber battle is anticipated to shift significantly as these technologies become more widespread.
This report uncovers real-world threat activities, revealing a fundamental shift in how adversaries achieve success today. It also includes a new section describing our visibility from non-telemetry sources, highlighting which malware families and threat behaviors were seen externally.
Access brokers are increasingly using information stealers to maintain a distance from collective defense efforts, significantly escalating the risks of credential exposure through cloud storage and other services. Trojanized software, which represented about 61% of all malware samples observed, was a major contributor; the ClickFix methodology is one of the most common techniques used to deliver trojans and infostealers. More than 24% of malware samples on Windows represented named infostealer code families.
Defense Evasion techniques have held the top spot for several years. This is attributed to improvements in detection and response capabilities that drive adversaries toward edge devices with a powerful capacity for exploit development. Execution rose to more than 32% of techniques followed by defense evasion at 23% and initial access around 19%. Together, these larger patterns reveal that attackers are investing in gaining a cheap foothold with minimum exposure and quickly running other malicious code. Scripts and browser-based techniques as well as SaaS compromise attempts show us another aspect of these threat trends and highlight areas where many enterprises could improve their defenses.
Threat profiles for BANSHEE, EDDIESTEALER, and ARECHCLIENT2 demonstrate how some of the most popular novel discoveries from the Elastic Security Labs team used infostealers. REF7707, a threat campaign involving the FINALDRAFT, PATHLOADER, and GUIDLOADER malware families, provides details about how an espionage-motivated threat evaded defenses using Microsoft’s GraphAPI for C2. Without the visibility shared by our customers, these threats may have made a much bigger impact before being revealed.
Navigate the AI-era threat landscape with Elastic
Elastic Security Labs is dedicated to providing crucial, timely security research to the intelligence community. This report reveals a shift in the threat landscape — one in which AI is continuing to surface as a tool for both adversaries and defenders. With Elastic as your partner, this 2025 Elastic Global Threat Report empowers you to make informed decisions on how best to address these evolving threats.
O lançamento e o tempo de amadurecimento de todos os recursos ou funcionalidades descritos neste artigo permanecem a exclusivo critério da Elastic. Os recursos ou funcionalidades não disponíveis no momento poderão não ser entregues ou não chegarem no prazo previsto.
Nesta postagem do blog, podemos ter usado ou feito referência a ferramentas de IA generativa de terceiros, que são de propriedade e operadas por seus respectivos proprietários. A Elastic não tem nenhum controle sobre as ferramentas de terceiros e não temos nenhuma responsabilidade ou obrigação por seu conteúdo, operação ou uso, nem por qualquer perda ou dano que possa surgir do uso de tais ferramentas. Tenha cuidado ao usar ferramentas de IA com informações pessoais, sigilosas ou confidenciais. Todos os dados que você enviar podem ser usados para treinamento de IA ou outros propósitos. Não há garantia de que as informações fornecidas serão mantidas seguras ou confidenciais. Você deve se familiarizar com as práticas de privacidade e os termos de uso de quaisquer ferramentas de IA generativa antes de usá-las.
Elastic, Elasticsearch, and associated marks are trademarks, logos or registered trademarks of Elasticsearch N.V. in the United States and other countries. All other company and product names are trademarks, logos or registered trademarks of their respective owners.