We’re excited to press play on Threat sounds vol. 5, a playlist to accompany the 2025 Threat Detection Report. For the fifth year in a row, we picked a song for each of the most prevalent threats, trends, and ATT&CK® techniques Red Canary observed this past year. Read our liner notes below, and listen to the full playlist on Spotify!
Also known as “FakeUpdates,” our number one threat of the year uses drive-by downloads to trick users into planting all sorts of plastic trees on their systems.
Do you want to know a secret? More than half of the Impacket events we detect are filtered out as confirmed customer testing. However, adversaries continue to abuse this collection of Python classes, including secretsdump.py.
Mimikatz is still pawing its way through victim systems, dumping credentials just like Tom DeLonge dumped Blink-182 back in 2005.
If birds of a feather flock together, Scarlet Goldfinch flies with fellow top 10 threat NetSupport Manager, its most common payload.
Search engine optimization (SEO) is as much of a boon for adversaries as it is for corporate marketing teams. Beware of poisoned page one results from malware like Gootloader.
Amber is the color of this threat’s energy, and shades of gold display naturally when it’s dropped by potentially unwanted programs like PC App Store and Let’s Compress.
Delivered via USB, Gamarue wiggles its way through victim environments like they’re the sand dunes of Arrakis. We’ve reached out to Timothée and Zendaya for worm-mounting tips.
While it’s freely available online as a legitimate remote monitoring and management (RMM) tool, NetSupport Manager often smells like a RAT.
LummaC2 was the most popular infostealer we detected in 2024, and just like the twee folk revival, we’re hoping it goes out of style soon.
Just like how Rihanna helped SZA launch her career by dropping a duet, HijackLoader contributed to LummaC2’s rise by dropping it as a payload.
“Stacey” might be the username for the stolen credentials an attacker is using to log into a cloud environment, but that’s not their real name.
cmd.exe might be the Taylor Swift of commands, with the power to call on virtually any executable to get a good look inside people’s Windows.
Adele asks her ex to forward her love to his new girlfriend–which sounds like mature behavior but might end up being part of an elaborate business email compromise scheme.
Though it’s no longer the most prevalent technique of the year, PowerShell continues to enable all sorts of trippy activity on Windows.
It’s a good thing that when Conor Oberst asked Phoebe Bridgers to make an album with him, the email didn’t end up buried in the RSS Subscriptions folder!
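The joke above is about a real hiding trick: after compromising a mailbox, an adversary creates an inbox rule that quietly moves or deletes replies (often on subjects like "invoice" or "suspicious") into a folder nobody opens, such as RSS Subscriptions. The following is an added example, not Red Canary’s code, of detection logic that scores inbox rules for that pattern. The folder list, keyword list, sample rules, and the audit-record shape it parses are all constructed for illustration and are assumptions, not a documented schema.

```python
"""Flag inbox rules that hide mail the way a mailbox intruder would.

Added example (not from the original post). Field names, the list of
rarely viewed folders, and the sample records are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Folders users rarely look at; adversaries route incriminating replies here.
# Assumption: illustrative list, tune for your tenant.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "deleted items"}

# Subject words that show up in rules created after a business email compromise.
# Assumption: illustrative list.
SUSPICIOUS_KEYWORDS = {"invoice", "payment", "wire", "password", "hacked", "phish", "suspicious", "fraud"}


@dataclass
class InboxRule:
    name: str
    move_to_folder: Optional[str] = None
    delete_message: bool = False
    mark_as_read: bool = False
    subject_contains: List[str] = field(default_factory=list)


def score_rule(rule: InboxRule) -> List[str]:
    """Return the reasons a rule looks like a hiding rule (empty list = benign)."""
    reasons: List[str] = []
    hides = False
    if rule.move_to_folder and rule.move_to_folder.lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to rarely viewed folder '{rule.move_to_folder}'")
        hides = True
    if rule.delete_message:
        reasons.append("deletes matching mail")
        hides = True
    # Keywords alone are not enough: a rule must actually hide something to be flagged.
    if not hides:
        return []
    if rule.mark_as_read:
        reasons.append("marks mail as read before hiding it")
    hits = sorted(
        s for s in (w.lower() for w in rule.subject_contains)
        if any(k in s for k in SUSPICIOUS_KEYWORDS)
    )
    if hits:
        reasons.append("matches fraud/security-themed subjects: " + ", ".join(hits))
    return reasons


def find_hiding_rules(rules: List[InboxRule]) -> Dict[str, List[str]]:
    """Map rule name -> reasons for every rule that scores as a hiding rule."""
    findings = {}
    for rule in rules:
        reasons = score_rule(rule)
        if reasons:
            findings[rule.name] = reasons
    return findings


def rule_from_audit_record(record: dict) -> InboxRule:
    """Build an InboxRule from a New-InboxRule style audit record.

    Assumption: the record carries a 'Parameters' list of {'Name', 'Value'}
    pairs with string values ('True'/'False', ';'-separated word lists).
    """
    params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
    words = params.get("SubjectContainsWords", "")
    return InboxRule(
        name=params.get("Name", "<unnamed>"),
        move_to_folder=params.get("MoveToFolder"),
        delete_message=params.get("DeleteMessage", "False") == "True",
        mark_as_read=params.get("MarkAsRead", "False") == "True",
        subject_contains=[w.strip() for w in words.split(";") if w.strip()],
    )


# Constructed sample data: two benign rules and two rules shaped like BEC hiding rules.
SAMPLE_RULES = [
    InboxRule(name="Newsletters", move_to_folder="Reading", subject_contains=["digest"]),
    InboxRule(name="Archive old", move_to_folder="Archive"),
    InboxRule(name=".", move_to_folder="RSS Subscriptions", mark_as_read=True,
              subject_contains=["invoice", "wire transfer"]),
    InboxRule(name="..", delete_message=True, subject_contains=["hacked", "suspicious"]),
]

# Constructed sample audit record in the assumed Parameters shape.
SAMPLE_AUDIT_RECORD = {
    "Operation": "New-InboxRule",
    "Parameters": [
        {"Name": "Name", "Value": "."},
        {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
        {"Name": "MarkAsRead", "Value": "True"},
        {"Name": "SubjectContainsWords", "Value": "invoice;wire transfer"},
    ],
}

if __name__ == "__main__":
    for name, reasons in find_hiding_rules(SAMPLE_RULES).items():
        print(f"rule {name!r}: " + "; ".join(reasons))
```

Run as-is it reports only the two short-named rules; the "Archive old" rule is left alone because Archive is not on the hiding list, and keyword matches never fire on their own. Pipe real rule-creation audit events through rule_from_audit_record to score them the same way.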
Adversaries escalate privileges by configuring services to execute at boot, running down your dream of an incident-free workday.
The glove compartment is inaccurately named… maybe because someone modified its entry in the registry.
We picked a post-punk band to represent a post-execution technique–WMI helps adversaries move laterally after they’ve gained access to a Windows system.
This Windows-native binary that executes script code is back in the top 10 after a four-year hiatus, a triumphant return we couldn’t have scripted if we tried.
A tool doesn’t have to be the sharpest in the shed to be useful in a cyber attack.
If an adversary compromises your cloud environment, you might lose control of the LLM services in there as well. Defenders, get yo’ backs off the wall!
Remember who came before: Woody Guthrie begat Pete Seeger who begat Bruce Springsteen who begat Jack Antonoff. Six of our top 10 threats are known ransomware precursors.
Just like America’s longest-serving jam band, phishing operators have incredible improvisational skills, switching up their web lures and social engineering techniques without any sense of melody.
Adopting an identity and access management (IAM) solution without enabling MFA is like buying a sofa without a plastic cover. It might feel more comfortable, but stains are guaranteed.
Unpatched software enabled Moonlight Maze, the largest data breach of the 1990s, and nearly 30 years later, vulnerabilities in products like ScreenConnect and Fortinet are giving throwback vibes.
Stealer activity spiked in the last few months of 2024, right around the time Dead & Co announced another run of shows at the Vegas Sphere. Coincidence? (Almost certainly.)
While the North Koreans caught posing as IT workers last year appear to have been driven by profit, APTs have been infiltrating companies through employees for decades.
Brat summer was also infostealer summer, that is, until Apple disabled an oft-abused Gatekeeper bypass in macOS Sequoia in September. Attackers then had to remix, launching malware that’s completely different but also still malware.
Run and tell all of the angels: We’ve all had to learn to fly as adversaries move their operations to the cloud.
VPNs have become even more popular in the wake of some states passing stricter internet regulations, making it all the more difficult to distinguish malicious VPN use from legitimate use.