The 2025 Threat Detection Report is here, arming you and your team with actionable insights into the year’s most prevalent security trends, threats, and MITRE ATT&CK® techniques. Our seventh annual retrospective presents an in-depth analysis of nearly 93,000 threats detected across over 4 million identities, endpoints, and cloud assets over the past year. This report provides you with a comprehensive view of this threat landscape, along with practical guidance on detection, testing, prevention, and mitigation.
Key findings
As the technology that we rely on to conduct business continues to evolve, so do the threats that we face. Here are some of our key findings:
- More data: Red Canary detected nearly 93,000 threats in 2024, increasing last year’s total by more than a third. This is the result of not only more customers, but also our expanded visibility into cloud and identity infrastructure.
- Expanded attack surface: Three of the top 5 MITRE ATT&CK® techniques we detected this year were cloud-native and enabled by identity, including number one Cloud Accounts.
- On the rise: Along with 4x as many identity attacks as last year, we observed notable increases in infostealers, macOS threats, and business email compromise.
- Trickier browser lures: The use of fake CAPTCHA lures, a technique known as “paste and run,” likely explains how LummaC2, NetSupport Manager, and HijackLoader made their way into our top 10 threats, as well as Mshta’s return to the top 10 technique list after a four-year absence.
- Proxies are a common thread: VPN abuse is both rampant and hard to detect, and we observed these popular products leveraged in incidents ranging from ransomware to insider threats.
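The "paste and run" lure mentioned above ends with the victim launching a living-off-the-land binary such as mshta.exe against attacker-controlled content, which is why its footprint shows up in process-creation telemetry. The following detection sketch is an added example, not code from the report or from Red Canary: it scans a handful of constructed process-creation events for mshta.exe invocations that load a remote URL or an inline script protocol handler, and notes when the parent is an interactive shell, which is consistent with a user pasting a command into the Run dialog. The event field names and sample command lines are assumptions, and the inline-protocol check goes slightly beyond the page by covering the broader mshta abuse pattern rather than only the CAPTCHA lure.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events for illustration only; the field
# names ("parent", "image", "cmdline") are an assumption, not a real
# vendor schema. The hostnames are placeholders.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta https://example.invalid/verify/captcha.hta"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\setup.hta"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta vbscript:Execute("msgbox 1")'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe"},
]

# Remote content fetched over HTTP(S) is the paste-and-run hallmark.
URL_RE = re.compile(r"\bhttps?://", re.IGNORECASE)
# mshta will also execute script handed to it via a protocol handler.
PROTO_RE = re.compile(r"\b(javascript|vbscript):", re.IGNORECASE)


@dataclass
class Finding:
    reason: str
    cmdline: str


def classify(event):
    """Return a Finding for a suspicious mshta launch, or None."""
    image = event["image"].lower()
    if not image.endswith("\\mshta.exe"):
        return None
    cmd = event["cmdline"]
    parent = event["parent"].lower()
    if URL_RE.search(cmd):
        reason = "mshta fetching remote content"
        # explorer.exe as parent matches a user launching the command
        # from the Run dialog, as the fake-CAPTCHA instructions direct.
        if parent.endswith("\\explorer.exe"):
            reason += " from an interactive shell (consistent with Run-dialog paste)"
        return Finding(reason, cmd)
    if PROTO_RE.search(cmd):
        return Finding("mshta executing inline script via protocol handler", cmd)
    # A local .hta opened without a URL or inline script is left for
    # baselining; it is common in legitimate software.
    return None


def scan(events):
    """Run the classifier over a batch of events and keep the hits."""
    return [f for f in (classify(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.reason}: {finding.cmdline}")
```

In a real pipeline the same logic applies to the command line and parent fields of whatever EDR or Sysmon event feed you have; the explorer.exe parent is a useful enrichment rather than a hard requirement, since the lure may instruct the user to paste into a terminal instead.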
We also check back on the timeless threats and techniques that are prevalent year after year, explore emerging ones that are worth keeping an eye on, and introduce the Field Guide to Color Bird Threats, a collection of Red Canary-named threats that are worth tracking.
Trends
Since its inception seven years ago, The Threat Detection Report has been anchored by data-driven insights into the most prevalent adversary behaviors we witness on a daily basis. The Trends section allows us to zoom out from our top 10 lists to highlight developments in adversary tradecraft and other patterns that we anticipate making waves in the coming year.
Along with our usual updates on ransomware, initial access tradecraft, and vulnerabilities, this year we took a look at Mac malware, insider threats, and VPN abuse.
Threats
Half of our top 10 threats are new to the rankings this year, with LummaC2 and HijackLoader both cracking through with last-minute pushes at the end of the year. SocGholish takes the number one spot, leveraging fake browser updates in a manner similar to the Red Canary-named Scarlet Goldfinch activity cluster.
Techniques
For the first time in seven years of collection, our number one technique does not fall under Command and Scripting Interpreter. The reason Cloud Accounts outranked stalwarts like PowerShell and Windows Command Shell is two-pronged: cloud attacks are certainly increasing, but we're also getting better at detecting them.
Our continuing cloud research inspired us to highlight Cloud Service Hijacking as an additional featured technique. Read our analysis to learn how adversaries can abuse AI services after compromising a cloud service provider account.
Get started
The Threat Detection Report is both a timely read and an evergreen resource that practitioners refer to throughout the year. The web version of the report includes even more technical detail on visibility, collection, detection, and testing, with actionable guidance should you run into this behavior in your environment.
If you're intimidated by the PDF's page count, don't fret: the Executive Summary provides high-level takeaways for security leaders and anyone else who's short on time. To kick things off, we encourage you to flip through the report, share it with your team, and start a discussion about which threats and techniques should be prioritized in your organization's threat model.