ACCORDING to Picus Labs’ new Red Report 2026, which analysed over 1.1 million malicious files and mapped 15.5 million adversarial actions observed across 2025, attackers are not optimising for disruption but for long-term, invisible access.
The report notes a strategic pivot away from loud, destructive attacks toward techniques that evade detection, persist inside environments, and quietly exploit identity and trusted infrastructure, with attackers behaving like Digital Parasites that feed on credentials and services while remaining undetected. It also highlights that data extortion is now the primary monetisation model, as the signal from Data Encrypted for Impact (T1486) declined from 21.00% in 2024 to 12.94% in 2025.
A key finding is that credentials from password stores appear in nearly one in four attacks (23.49%), underscoring how credential theft has become the control plane for attacks. The report emphasises that eight of the Top Ten MITRE ATT&CK techniques focus on evasion, persistence, or stealthy C2, signalling a shift toward maximum dwell time rather than immediate impact, and closes with the claim that “the adversary's business model has shifted from immediate disruption to long-lived access.”