> **Source: [研报客](https://pc.yanbaoke.cn)**

# 2025 Elastic Global Threat Report Summary

## Core Content

The 2025 Elastic Global Threat Report highlights the evolving nature of cyber threats, emphasizing a shift toward high-velocity attacks that prioritize speed and efficiency over traditional stealth. Attackers now leverage trusted enterprise tools, such as cloud accounts, developer platforms, and browsers, to execute their strategies, making it increasingly difficult to distinguish malicious activity from normal operations.

The report underscores the importance of AI-driven analysis to connect real-time events with historical patterns, enabling faster and more informed decision-making. It also promotes an open, community-based approach to security, where shared intelligence and collaborative efforts enhance overall defense capabilities.

## Main Trends and Correlations

### 1. Adversary Priorities on Windows

- **Execution** has become the top tactic, accounting for **32.05%** of malicious behavior, double the previous year's **~16%**.
- This indicates a strategic shift toward immediate payload deployment rather than prolonged stealth.
- **Defense Evasion** and **Initial Access** follow closely, at **23.08%** and **19.23%** respectively.
- **Implication**: Organizations must focus on runtime memory protection and initial access prevention.

### 2. Cloud Attack Surface

- Over **60%** of cloud security events relate to **Initial Access**, **Persistence**, and **Credential Access**.
- **Implication**: Hardening authentication flows and monitoring for anomalous privileged access are critical for cloud defense.

### 3. AI-Generated Threats

- **Generic threats** rose by **15.5%**, likely due to the use of large language models (LLMs) to generate malicious loaders and tools.
- **Implication**: Static signatures alone are less effective; behavioral analytics and AI-driven detection are essential for identifying novel threats at scale.
### 4. Browser Credential Theft

- More than **1 in 8** malware samples are designed to steal browser credentials.
- These credentials feed the **access broker economy**, giving attackers the keys to compromise corporate cloud accounts.
- **Implication**: Traditional identity controls are insufficient; organizations must secure browser data and monitor for credential exfiltration.

### 5. Source Code Leaks

- A single accidental commit to a platform like GitHub can create **permanent exposure**, because it becomes part of an immutable, distributed history.
- **Implication**: Continuous monitoring must extend to developer workflows to secure the entire supply chain.

## Malware Category Breakdown

### 1. Trojan

- Made up **64.49%** of all identified malware.
- These threats often masquerade as legitimate software to exfiltrate data and deploy additional payloads.
- **ClickFix** was a notable Trojan campaign.

### 2. Generic Threats

- Account for **23.53%** of all threats, a **15.5% increase** from the previous year.
- Driven by the ease of generating small, effective tools with LLMs, and by economic factors.

### 3. Rootkits

- Increased to **5.01%**, particularly on **Linux**.
- Used for **stealthy persistence** and for hiding processes, files, and network artifacts.
- Notable rootkit: **ABYSSWORKER (POORTRY)**.

### 4. Cryptominers

- Account for **2.77%** of the share, primarily mining **Monero** with **XMRIG**.
- Also observed on **macOS**, where crypto miners make up **22%** of malware.

### 5. Remote Monitoring and Management (RMM) Tools

- Represent **1.91%** of observed instances.
- Abused by threat actors for **remote access**, **persistence**, and **lateral movement**.
- Examples: **Remcos**, **AsyncRAT**, and **RedLine**.

## Endpoint Behavior and MITRE ATT&CK Alignment

Elastic Security aligns its analysis with **MITRE ATT&CK** tactics and techniques, providing detailed behavioral analysis to detect and prevent threats.
### Windows

- **Top Techniques**:
  - **Command and Scripting Interpreter** (21.62%)
  - **User Execution** (12.61%)
  - **Phishing** (11.71%)
- **Sub-techniques**:
  - **PowerShell**, **Windows Command Shell**, **JavaScript**, and **Visual Basic** are the most prevalent.
  - **Malicious LNK files**, **fake CAPTCHA lures**, and **WebDAV** are common vectors for execution.

### Linux

- **Top Techniques**:
  - **Living-off-the-land (LOTL)** methods for execution, including **bash**, **socat**, **netcat**, **curl**, and **wget**.
  - **Process name masquerading**, **timestomping**, and **Telegram** for C2 communication.
- **Notable Threats**:
  - **Gsocket** for encrypted C2.
  - **Rootkits** using **LD_PRELOAD** and **LKM**.

## Key Recommendations

- **Adopt AI and behavioral analytics** to detect and respond to high-speed threats.
- **Secure cloud environments** by hardening authentication and monitoring privileged access.
- **Enhance browser security** to prevent credential theft and its use in access broker networks.
- **Monitor developer workflows** to prevent source code leaks and secure the supply chain.
- **Implement layered telemetry and cross-signal analytics** to improve visibility into attacker playbooks.

## Conclusion

The 2025 report outlines a more dynamic and complex threat landscape, in which traditional security measures are no longer sufficient. The integration of AI and behavioral analysis, along with continuous monitoring and community collaboration, is essential for modern threat defense. Elastic Security provides the tools and intelligence needed to adapt and respond effectively to these evolving threats.
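As an added illustration of the Linux findings above (not code from the report or from Elastic), a small host check that surfaces the two persistence and evasion signals the Linux section names: LD_PRELOAD-based rootkit hooks and process name masquerading. The sample snapshot is constructed; on a live host the same fields come from `/proc/<pid>/comm`, `/proc/<pid>/exe`, `/proc/<pid>/environ` and `/etc/ld.so.preload`.

```python
import os
from dataclasses import dataclass, field

@dataclass
class ProcInfo:
    pid: int
    comm: str                      # /proc/<pid>/comm, the name ps and top display
    exe: str                       # readlink of /proc/<pid>/exe ("" for kernel threads)
    environ: dict = field(default_factory=dict)

def preload_findings(ld_so_preload: str, procs):
    """System-wide (/etc/ld.so.preload) and per-process LD_PRELOAD injection."""
    out = []
    for line in ld_so_preload.splitlines():
        lib = line.strip()
        if lib and not lib.startswith("#"):
            out.append(f"/etc/ld.so.preload forces {lib} into every dynamic binary")
    for p in procs:
        if p.environ.get("LD_PRELOAD"):
            out.append(f"pid {p.pid} ({p.comm}): LD_PRELOAD={p.environ['LD_PRELOAD']}")
    return out

def masquerade_findings(procs):
    """Name shown to ps disagrees with the binary on disk, or the binary is deleted
    or lives in a world-writable scratch dir. Symlinked binaries (sh -> dash) and
    prctl(PR_SET_NAME) users are expected false positives: triage input, not a verdict."""
    out = []
    for p in procs:
        if not p.exe:              # no exe link at all: a genuine kernel thread
            continue
        path = p.exe.replace(" (deleted)", "")
        # the kernel truncates comm to 15 characters, so match on that prefix
        if not os.path.basename(path).startswith(p.comm[:15]):
            out.append(f"pid {p.pid}: shows as '{p.comm}' but runs {p.exe}")
        if p.exe.endswith("(deleted)") or path.startswith(("/tmp/", "/dev/shm/", "/var/tmp/")):
            out.append(f"pid {p.pid}: executable {p.exe} is deleted or in a scratch dir")
    return out

# Constructed sample snapshot (not real telemetry): a hidden library preloaded
# system-wide and into sshd, a real kernel thread, and a miner posing as one.
SAMPLE_PRELOAD = "/usr/local/lib/libhide.so\n"
SAMPLE_PROCS = [
    ProcInfo(1, "systemd", "/usr/lib/systemd/systemd"),
    ProcInfo(812, "kworker/0:2", ""),
    ProcInfo(4242, "kworker/1:0", "/dev/shm/.x/xmrig"),
    ProcInfo(4300, "sshd", "/usr/sbin/sshd", {"LD_PRELOAD": "/usr/local/lib/libhide.so"}),
]
if __name__ == "__main__":
    for f in preload_findings(SAMPLE_PRELOAD, SAMPLE_PROCS) + masquerade_findings(SAMPLE_PROCS):
        print("ALERT:", f)
```

Reading other users' `/proc/<pid>/environ` requires root, and a kernel-module (LKM) rootkit can hide entries from `/proc` entirely, so pair this with an agent that collects the same fields from outside the host's own view.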