Overview
- Picus Red Report 2026, built from analysis of over 1.1 million malicious files and about 15.5 million adversarial actions, documents a measurable pivot toward long-term, quiet compromise.
- Use of Data Encrypted for Impact (T1486) fell 38% year over year, dropping from 21.00% in 2024 to 12.94% in 2025, indicating a shift away from disruptive encryption toward quieter extortion.
- Process Injection (T1055) remained the top technique, Command and Scripting Interpreter (T1059) ranked next, and Credentials from Password Stores (T1555) appeared in 23.49% of attacks.
- Virtualization/Sandbox Evasion (T1497) surged into fourth place as malware increasingly detects analysis environments and withholds execution, exemplified by LummaC2’s mouse-movement checks.
- Researchers note C2 traffic blending in with traffic to trusted services such as OpenAI and AWS, along with frequent use of stolen browser passwords, prompting guidance that emphasizes behavioral detection, credential hygiene, and immutable, isolated backups.