Bengaluru, April 28, 2025: Mandiant has released M-Trends 2025, its 16th annual report on cyberattack trends, highlighting significant shifts in attacker behaviour and a surge in financially motivated cybercrime.
The report reveals that financially motivated threat groups dominated the landscape in 2024, accounting for 55% of active groups (up from 52% in 2023). The financial services sector remained the most targeted industry, comprising 17.4% of incidents, followed by business services, technology, government, and healthcare.
Mandiant analysts found that exploited vulnerabilities continued to be the leading initial access method, responsible for 33% of breaches. Notably, for the first time, stolen credentials—often harvested through infostealer malware—rose to 16%, surpassing email phishing at 14%. Prolific infostealers such as Vidar, Raccoon, and RedLine have significantly lowered the barrier for credential theft.
“People are more resistant to phishing… as phishing resistance grows, phishing becomes less attractive,” Mandiant researchers noted, explaining the shift toward credential abuse.
Ransomware continued to dominate financially motivated attacks. Ransomware-related incidents accounted for 21% of Mandiant’s cases, while data exfiltration appeared in 37%—including pure extortion without encryption (11%) and dual extortion cases (6%).
Median dwell time—the duration attackers remain undetected—edged up slightly to 11 days in 2024, compared to 10 days in 2023. Breaches discovered through attacker notifications (such as ransom notes) were found much faster (5 days) than those detected via external reports (26 days) or internal detection (10 days).
The report also spotlights several high-profile campaigns:
- UNC3944 used SMS phishing and social engineering to breach major firms, deploying ALPHV ransomware.
- APT28 (Russia) exploited Microsoft Outlook vulnerabilities to harvest credentials.
- APT44 (Russia) leveraged trojanized software installers to infect targets.
Mandiant additionally flagged a growing insider threat: North Korean IT workers (UNC5267) securing remote jobs under false identities to exfiltrate corporate data. This insider risk represented approximately 5% of intrusions.
Cloud environments also faced increased targeting, with email phishing (39%) and stolen credentials (35%) identified as the leading breach vectors. Key groups active in the cloud threat landscape included:
- UNC5537, which compromised Snowflake client data.
- UNC3944, which exploited single sign-on (SSO) vulnerabilities to deepen access across cloud applications.
In the Web3 and cryptocurrency space, DPRK-linked threat actors stole over $500 million in digital assets over three years, frequently leveraging malware, smart-contract exploits, and phishing drainers.
Talking about the report, Jurgen Kutscher, Vice President of Mandiant Consulting, Google Cloud, said: “This year’s M-Trends report once again illuminates interesting trends in attacker behavior. Exploits remain the most frequently used initial infection vector for the fifth year in a row, with stolen credentials taking on the second spot ahead of email phishing. Opportunistic ransomware and multifaceted extortion attacks continue to cause significant impact to organizations across most industries. With ransomware and extortion, we’re seeing threat actors using brute force attacks such as password spraying, and attacks against VPN devices using default credentials, indicating a less targeted approach. This highlights the importance of auditing and securing internet-exposed systems and infrastructure and underscores the universal risk faced by organizations around the world. As in prior years, this report aims to provide timely insights to help our readers with preparedness.”
Key Recommendations from Mandiant
To strengthen cybersecurity defenses, Mandiant recommends organizations:
- Enforce rigorous patch management programs.
- Deploy phishing-resistant multi-factor authentication (e.g., FIDO2 security keys).
- Apply least-privilege principles across user access.
- Boost threat detection and incident response capabilities.
- Regularly audit cloud and SaaS configurations for vulnerabilities.
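Kutscher's remark about password spraying against internet-exposed systems and the recommendation to boost threat detection both point at the same defensive control: spotting one source that tries a few passwords across many accounts. The following is an added illustration of that detection logic, written for this article; it is not code from the M-Trends report or from Mandiant. It runs over a handful of constructed, sshd-style log lines (the hostnames, usernames, and documentation-range IP addresses are invented), and the window and threshold values are assumptions a team would tune to its own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real data): one source fails logins for five
# different accounts in a few seconds and then lands one accepted login
# (a spray); a second source repeatedly targets a single account (brute force).
SAMPLE_LOG = """\
2025-04-28T09:00:01Z vpn-gw sshd: Failed password for alice from 203.0.113.7 port 51001
2025-04-28T09:00:03Z vpn-gw sshd: Failed password for bob from 203.0.113.7 port 51002
2025-04-28T09:00:05Z vpn-gw sshd: Failed password for carol from 203.0.113.7 port 51003
2025-04-28T09:00:07Z vpn-gw sshd: Failed password for dave from 203.0.113.7 port 51004
2025-04-28T09:00:09Z vpn-gw sshd: Failed password for erin from 203.0.113.7 port 51005
2025-04-28T09:00:11Z vpn-gw sshd: Accepted password for frank from 203.0.113.7 port 51006
2025-04-28T09:05:00Z vpn-gw sshd: Failed password for alice from 198.51.100.9 port 40001
2025-04-28T09:05:30Z vpn-gw sshd: Failed password for alice from 198.51.100.9 port 40002
2025-04-28T09:06:00Z vpn-gw sshd: Accepted password for alice from 198.51.100.9 port 40003
"""

# Assumed line format: "<ISO timestamp> <host> sshd: <Failed|Accepted> password for <user> from <ip> port <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse_events(text):
    """Turn raw lines into (time, result, user, src) tuples, oldest first; unmatched lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["result"], m["user"], m["src"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_password_spray(text, window_seconds=300, min_distinct_users=5):
    """
    Flag any source IP whose failed logins cover at least `min_distinct_users`
    different accounts inside a sliding window of `window_seconds`, and record
    accepted logins from that source once the spray has been flagged, since
    those are the accounts most likely to have been guessed.
    """
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)  # src -> [(ts, user), ...] kept within the window
    alerts = {}

    for ts, result, user, src in parse_events(text):
        if result == "Failed":
            fails = failures[src]
            fails.append((ts, user))
            # Evict failures older than the window relative to this event.
            while fails and ts - fails[0][0] > window:
                fails.pop(0)
            distinct = {u for _, u in fails}
            if src in alerts:
                alerts[src]["distinct_users"] = max(alerts[src]["distinct_users"], len(distinct))
            elif len(distinct) >= min_distinct_users:
                alerts[src] = {
                    "first_seen": fails[0][0].isoformat(),
                    "distinct_users": len(distinct),
                    "successes": [],
                }
        elif result == "Accepted" and src in alerts:
            alerts[src]["successes"].append(user)

    return alerts


if __name__ == "__main__":
    for src, info in detect_password_spray(SAMPLE_LOG).items():
        print(f"spray from {src}: {info['distinct_users']} accounts since {info['first_seen']}, "
              f"accepted logins: {info['successes'] or 'none'}")
```

The rule keys on breadth (many accounts, one source) rather than on failure count per account, which is why the second source, hammering a single account, is left to a conventional lockout or brute-force rule. An accepted login from an already-flagged source is the event worth paging on, since the spray has then found a working password and the response moves from blocking the source to resetting that account.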