Stealth-first attacker tradecraft shifts toward covert exfiltration for extortion in 2025
Target Trend
Summary
Attackers are increasingly using stealthy persistence and evasion to silently exfiltrate data for extortion, making detection harder across monitored environments. A 2025 telemetry analysis of over 1.1 million malicious files and 15.5 million actions found process injection at 30% for the third year in a row. The same analysis showed C2 traffic routed through high-reputation services such as OpenAI and AWS, while browser-stolen passwords were used in a quarter of attacks. The shift away from encryption-for-impact is also notable, with that technique dropping 38% annually.
Related Happenings
Low-severity enterprise alerts hiding confirmed incidents
Target Trend
First: 08.05.2026 13:30
Last: 08.05.2026 13:30
Sources 1
About this happening:
A recent enterprise telemetry analysis found that **low-severity** and **informational alerts** are hiding real compromises across live environments, creating a measurable missed-...
Underground AI services emerge with jailbroken APIs and MCP servers
Threat Actor Meta
First: 12.02.2026 14:45
Last: 12.02.2026 14:45
Sources 1
About this happening:
**Underground AI services** are emerging on **marketplaces** with a model that hides **jailbroken commercial APIs** and **open-source MCP servers**, expanding access to **malware*...
Publicly exposed training and demo apps in cloud environments are being abused at scale
Target Trend
First: 11.02.2026 13:30
Last: 11.02.2026 13:30
Sources 1
About this happening:
Publicly exposed **training and demo applications** are showing up at scale in **AWS, Azure, and GCP**, turning lab systems into real cloud footholds. Researchers verified **nearl...
BlueNoroff spear-phishing campaign uses typosquatted Zoom, Teams, and Calendly lures against crypto firms
Campaign
First: 11.02.2026 00:17
Last: 11.02.2026 00:17
Sources 1
About this happening:
**BlueNoroff**, a **North Korea-linked Lazarus Group** subgroup, ran a **large-scale spear-phishing campaign** against **100+ cryptocurrency organizations** in **20+ countries** b...
Picus Labs quantified 2025 shift toward stealth, persistence, and credential theft
Target Trend
First: 10.02.2026 15:59
Last: 10.02.2026 15:59
Sources 1
About this happening:
**Picus Labs** quantified a broad shift in **2025 attacker tradecraft** toward **stealth**, **persistence**, and **credential theft**, reducing the role of overt encryption and ra...
Timeline
- 10.02.2026 16:00 · 2 articles · 3mo ago
  Stealth-first attacker tradecraft shifts toward covert exfiltration for extortion in 2025
  Initial Disclosure: The 2025 telemetry baseline already shows a durable shift toward **stealth**, **trusted-process abuse**, and **covert exfiltration** as the preferred path for extortion-oriented attacks.
- “Digital Parasite” Warning as Attackers Favor Stealth for Extortion — www.infosecurity-magazine.com — 10.02.2026 16:00