Picus Red Report 2026 Shows Attackers Favor Stealth Over Disruption

The Picus Red Report 2026 shows attackers shifting from ransomware to stealthy, long-term access techniques.

Written By
Ken Underhill
Feb 10, 2026

Cyber attackers are quietly changing how they operate — and the latest Picus Red Report™ shows that disruption is no longer the goal. 

Rather than encrypting systems or triggering immediate disruption, Picus Security found that adversaries are prioritizing stealth, persistence, and long-term access within enterprise environments. 

“The 2026 Red Report confirms that the era of ‘smash-and-grab’ cybercrime is ending and that the age of the ‘Digital Parasite’ has begun,” said Dr. Süleyman Özarslan, Co-founder of Picus Security and VP of Picus Labs, in an email to eSecurityPlanet. 

He added, “We’re witnessing a strategic pivot, as adversaries have traded immediate destruction for silent persistence.” 

Dr. Özarslan explained, “Ransomware encryption has plummeted by 38%, replaced by a landscape in which 80% of the top tradecraft is dedicated to evasion and maintaining invisible, long-term access.”

He also added, “The modern adversary is no longer breaking down the door; they’re simply logging in.”

Shifts in Attacker Behavior

Picus based their report on an extensive analysis of more than 1.1 million malicious files and 15.5 million adversarial actions observed across enterprise environments throughout 2025. 

The data points to a clear shift in attacker priorities: ransomware encryption activity declined by 38%, while techniques designed for stealth, persistence, and long-term access increased significantly. 

According to Picus Labs, approximately 80% of the most frequently observed attacker techniques are now focused on evasion, persistence, and identity abuse rather than immediate disruption.

Rather than introducing new exploit classes, adversaries are refining well-established techniques to blend seamlessly into normal enterprise operations. 

For the third consecutive year, Process Injection (T1055) ranked as the most prevalent technique, appearing in 30% of analyzed malware samples. 

By injecting malicious code into legitimate and trusted processes, attackers can operate under the guise of normal system activity, reducing the likelihood of detection by traditional endpoint controls.

Evasion techniques have also evolved to directly challenge automated security pipelines. 

Virtualization and Sandbox Evasion (T1497) rose sharply to become the fourth most common technique observed in 2025. 

Modern malware increasingly checks whether it is running in an analysis environment and will suppress execution if it detects telltale indicators. 

Picus Labs highlighted malware families such as LummaC2, which analyze mouse movement patterns using geometric calculations to distinguish human interaction from automated sandboxes. 

When behavior appears too precise or artificial, the malware remains dormant, creating a false sense of security.

Identity abuse represents another foundational element of this persistence-focused strategy. 

Credentials from Password Stores (T1555) appeared in nearly one-quarter of all attacks analyzed, reinforcing the idea that identity — not the traditional network perimeter — has become the primary target. 

Once attackers obtain valid credentials, they can authenticate as legitimate users, move laterally across systems, and maintain access with minimal resistance, often blending into routine user activity for extended periods.


How Organizations Can Reduce Risk

As attacker tactics increasingly emphasize stealth and persistence, organizations need to adjust their defenses to detect activity that blends into normal operations. 

Traditional security controls alone may not reliably surface threats that abuse legitimate tools, credentials, and trusted infrastructure. 

The following measures outline practical steps security teams can take to improve visibility, reduce dwell time, and strengthen response capabilities.

  • Continuously validate security controls against real adversary behaviors, including stealth techniques such as process injection and sandbox evasion.
  • Monitor for abnormal use of credentials, identities, and legitimate tools to detect attackers operating as valid users.
  • Strengthen identity security through least privilege access, credential hygiene, and identity threat detection and response capabilities.
  • Establish behavioral baselines on endpoints and systems to identify subtle deviations associated with persistence and masquerading.
  • Improve visibility across cloud, network, and hardware layers to detect command-and-control activity routed through trusted services or devices.
  • Restrict and monitor administrative tooling, scripting environments, and remote access mechanisms to limit abuse of legitimate capabilities.
  • Regularly test and update incident response plans to ensure teams can identify, contain, and recover from low-noise, persistence-focused intrusions.

Together, these measures help organizations detect subtle attacker behavior earlier, limit long-term persistence, and respond more effectively to threats designed to blend into normal operations. 
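As an added illustration of the credential-monitoring and behavioral-baseline items above (example code written for this article, not from Picus or the Red Report), the Python below builds a per-user baseline from constructed logon records and flags valid-credential use that departs from it, including the small-hours fan-out to hosts the user has never touched that marks lateral movement with stolen credentials. Host names, user names and timestamps are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon records ("timestamp user source_host target_host"), not real telemetry.
BASELINE_EVENTS = """\
2025-11-03T08:55:00 jdoe WS-0412 FS-01
2025-11-03T09:10:00 jdoe WS-0412 MAIL-01
2025-11-04T14:02:00 jdoe WS-0412 MAIL-01
2025-11-04T07:30:00 svc-backup BK-01 FS-01
"""
NEW_EVENTS = """\
2025-11-05T08:58:00 jdoe WS-0412 FS-01
2025-11-05T02:14:00 jdoe WS-0412 DC-01
2025-11-05T02:16:00 jdoe WS-0412 SQL-02
2025-11-05T02:19:00 jdoe WS-0412 HR-APP
2025-11-05T07:30:00 svc-backup BK-01 FS-01
"""

def parse(text):
    events = []
    for line in text.splitlines():
        ts, user, src, dst = line.split()
        events.append((datetime.fromisoformat(ts), user, src, dst))
    return events

def build_baseline(events):
    """Per-user target hosts and logon hours observed during the baseline period."""
    hosts, hours = defaultdict(set), defaultdict(set)
    for ts, user, _src, dst in events:
        hosts[user].add(dst)
        hours[user].add(ts.hour)
    return hosts, hours

def score_events(events, baseline, window=timedelta(minutes=10), fanout=3):
    """Alert on valid-credential use that departs from the baseline: a never-seen target host,
    a never-seen logon hour, and `fanout`+ distinct new hosts inside `window` (lateral movement)."""
    hosts, hours = baseline
    alerts, recent = [], defaultdict(list)  # recent: user -> [(ts, new_host)]
    for ts, user, _src, dst in sorted(events):
        reasons = []
        if dst not in hosts[user]:
            reasons.append(f"new target host {dst}")
            recent[user] = [(t, h) for t, h in recent[user] if ts - t <= window] + [(ts, dst)]
            if len({h for _, h in recent[user]}) >= fanout:
                reasons.append(f"{fanout}+ new hosts within {window}")
        if ts.hour not in hours[user]:
            reasons.append(f"unusual hour {ts.hour:02d}")
        if reasons:
            alerts.append((ts.isoformat(), user, dst, reasons))
    return alerts
```

The routine alerts only on the three overnight logons by jdoe; the account's usual morning file-server access and the service account's scheduled run stay silent, which is the distinction a baseline must make to surface "logging in" attackers without drowning analysts in noise.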


When Attackers Blend In

The report shows that many attackers are prioritizing quiet, long-term access rather than immediate disruption. 

By relying on trusted tools, valid credentials, and familiar infrastructure, adversaries are able to blend into normal operations and extend dwell time. 

To address this shift, security teams need to focus on sustained behavioral visibility, continuous validation of defenses, and stronger identity controls to improve detection and response to low-noise activity.

This shift toward identity and trust-based abuse is driving organizations to evaluate zero-trust solutions that reduce implicit trust across users, devices, and services.

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
