For the fourth consecutive year, Elastic Security Labs presents its 2025 Global Threat Report, distilling real-world user telemetry to offer critical insights into the evolving threat landscape. This year's report delves into how AI is redefining threats, highlights areas where adversaries are intensifying their efforts, and provides actionable strategies for enterprises to proactively counter these emerging risks.
Key highlights
-
Adversary priorities on Windows are changing. The tactic category of Execution now accounts for nearly double its previous share and surpasses Defense Evasion as the top tactic.
-
The cloud attack surface is highly concentrated. Over 60% of all cloud security events boil down to just three adversary goals: Initial Access, Persistence, and Credential Access.
-
Adversaries are weaponizing AI to lower the barrier to entry for cybercrime. We saw an increase in Generic threats, a trend likely influenced by adversaries using large language models (LLMs) to quickly generate simple but effective malicious loaders and tools.
-
The theft of browser credentials has industrialized. Our analysis of over 150,000 malware samples revealed that more than one in eight are designed to steal browser data. This isn't for isolated use; these credentials are the raw material fueling the access broker economy, providing a steady supply of keys for other attackers to compromise corporate cloud accounts.
What we learned from the report
The security landscape is undergoing a rapid transformation. Adversaries’ AI-driven threat innovation is evolving at an accelerated pace via streamlined information synthesis and automated workflows. This is resulting in more diverse adversary capabilities and new, indirect avenues of access. AI’s role on both sides of the cyber battle is anticipated to shift significantly as these technologies become more widespread.
This report uncovers real-world threat activities, revealing a fundamental shift in how adversaries achieve success today. It also includes a new section describing our visibility from non-telemetry sources, highlighting which malware families and threat behaviors were seen externally.
Access brokers are increasingly using information stealers to maintain a distance from collective defense efforts, significantly escalating the risks of credential exposure through cloud storage and other services. Trojanized software, which represented about 61% of all malware samples observed, was a major contributor; the ClickFix methodology is one of the most common techniques used to deliver trojans and infostealers. More than 24% of malware samples on Windows represented named infostealer code families.
Defense Evasion techniques have held the top spot for several years. This is attributed to improvements in detection and response capabilities that drive adversaries toward edge devices with a powerful capacity for exploit development. Execution rose to more than 32% of techniques followed by defense evasion at 23% and initial access around 19%. Together, these larger patterns reveal that attackers are investing in gaining a cheap foothold with minimum exposure and quickly running other malicious code. Scripts and browser-based techniques as well as SaaS compromise attempts show us another aspect of these threat trends and highlight areas where many enterprises could improve their defenses.
Threat profiles for BANSHEE, EDDIESTEALER, and ARECHCLIENT2 demonstrate how some of the most popular novel discoveries from the Elastic Security Labs team used infostealers. REF7707, a threat campaign involving the FINALDRAFT, PATHLOADER, and GUIDLOADER malware families, provides details about how an espionage-motivated threat evaded defenses using Microsoft’s GraphAPI for C2. Without the visibility shared by our customers, these threats may have made a much bigger impact before being revealed.
Navigate the AI-era threat landscape with Elastic
Elastic Security Labs is dedicated to providing crucial, timely security research to the intelligence community. This report reveals a shift in the threat landscape — one in which AI is continuing to surface as a tool for both adversaries and defenders. With Elastic as your partner, this 2025 Elastic Global Threat Report empowers you to make informed decisions on how best to address these evolving threats.
本博文所描述的任何特性或功能的发布及上市时间均由 Elastic 自行决定。当前尚未发布的任何特性或功能可能无法按时提供或根本无法提供。
在这篇博文中,我们可能使用或提及了第三方生成式 AI 工具,这些工具由其各自的所有者拥有和运营。 Elastic 对第三方工具没有任何控制权,我们对其内容、操作或使用不承担任何责任,也不对您使用此类工具可能产生的任何损失或损害承担任何责任。 在将人工智能工具用于个人、敏感或机密信息时请务必谨慎。 您提交的任何数据都可能用于人工智能训练或其他目的。 无法保证您提供的信息一定会安全或保密。 在使用任何生成式 AI 工具之前,您应该熟悉其隐私惯例和使用条款。
Elastic, Elasticsearch, and associated marks are trademarks, logos or registered trademarks of Elasticsearch N.V. in the United States and other countries. All other company and product names are trademarks, logos or registered trademarks of their respective owners.