> analysis: Picus Red Report 2026 —— dataset: 1.1M malicious files / 15.5M adversarial actions —— finding: stealth > destruction —— implication: your SOC is being tested
For the better part of a decade, ransomware encryption was the defining signal of cyber compromise. Systems locked. Operations froze. The attacker's presence was undeniable. Every security vendor, every board presentation, every news cycle reinforced the same message: the threat is loud, destructive, and visible.
That signal is now fading. The Picus Labs Red Report 2026, which analysed over 1.1 million malicious files and mapped 15.5 million adversarial actions observed across 2025, documents a fundamental strategic pivot in attacker behaviour. Data Encrypted for Impact (T1486) — the MITRE ATT&CK technique that defines ransomware — dropped 38% year-over-year, declining from 21.00% prevalence in 2024 to 12.94% in 2025. Ransomware is not disappearing. But the data shows that the most successful threat actors are no longer optimising for disruption. They are optimising for residency.
Picus calls them Digital Parasites: adversaries that live inside the host, feed on credentials and trusted services, and remain undetected for as long as possible. Rather than breaking in and burning systems down, they move in, blend in, and quietly exploit the trust that organisations place in their own infrastructure. Eight of the top ten MITRE ATT&CK techniques observed in 2025 are now primarily dedicated to evasion, persistence, or stealthy command-and-control — the highest concentration of stealth-focused tradecraft Picus Labs has ever recorded.
This matches what we have seen in the field: over the last twelve months our own red team operators have been using exactly the same tradecraft, and the results have been sobering for our clients, for their Security Operations Centres, and for the automated detection platforms they rely on.
The Red Report 2026 is not a vendor marketing exercise dressed up as research. Picus Labs analysed 1,153,683 unique files between January and December 2025, of which 1,084,718 (94.02%) were malicious. Those files were sourced from commercial threat intelligence feeds, malware sandboxes, and underground forums — a dataset that represents the operational reality of what threat actors are actually deploying, not what security vendors are selling protection against.
From that dataset, Picus mapped over 15.5 million individual adversarial actions to the MITRE ATT&CK framework. The resulting picture is clear: the techniques that define modern attacks are not the ones making headlines. They are the ones that ensure attackers can stay hidden long enough to achieve their objectives — whether those objectives are data exfiltration, credential harvesting, or simply maintaining access for future exploitation.
| Rank | ATT&CK Technique | Prevalence | Primary Purpose |
|---|---|---|---|
| 1 | T1055 — Process Injection | Highest observed | Defence Evasion. Execute malicious code inside trusted system processes. If your malware runs inside svchost.exe or explorer.exe, the activity looks legitimate to any endpoint tool that judges by process reputation alone; the injection itself (cross-process memory writes, remote thread creation) is the thing to detect, not the host process. |
| 2 | T1059 — Command and Scripting Interpreter | Very high | Execution. PowerShell, cmd.exe, Python, bash — the same tools administrators use every day. The attacker does not need to bring their own tooling when the operating system provides everything they need. |
| 3 | T1555 — Credentials from Password Stores | 23.49% (1 in 4 attacks) | Credential Access. Extract saved credentials directly from browsers, keychains, and password managers. Once the attacker has valid credentials, they do not need to hack anything — they log in. |
| 4 | T1497 — Virtualisation/Sandbox Evasion | Top tier (new entry) | Defence Evasion. Malware evaluates its execution environment before deciding whether to act. If it detects a sandbox, it suppresses all malicious behaviour. LummaC2 analysed cursor distances and angles to distinguish human users from automated analysis. |
| 5 | T1071 — Application Layer Protocol | High | Command-and-Control. C2 traffic over HTTPS, DNS, cloud APIs — 'whisper channels' that blend with normal business traffic. Attackers are increasingly using legitimate cloud services (including LLM APIs) as C2 relays. |
| 6 | T1036 — Masquerading | High | Defence Evasion. Rename malicious files to mimic legitimate system processes. The attacker turns your trusted environment into their own camouflage. |
| 7 | T1547 — Boot or Logon Autostart Execution | High | Persistence. Survive reboots, patching cycles, and user logins. Ensures the attacker's foothold survives even when the victim thinks they have 'cleaned up'. |
| 8 | T1562 — Impair Defences | High | Defence Evasion. Disable or tamper with security controls — EDR agents, logging services, Windows Defender. If the attacker can silence the alarm before it triggers, no alert is ever generated, which is why the tampering itself (a stopped agent, a lost heartbeat, a cleared log) must raise an alert of its own. |
| 9 | T1219 — Remote Access Tools | High | Command-and-Control. Deploy legitimate RMM tools (as we documented in our MuddyWater profile) for persistent remote access that blends with IT operations. |
| 10 | T1486 — Data Encrypted for Impact | 12.94% (↓38% YoY) | Impact. Traditional ransomware encryption — now the only 'loud' technique in the top 10. Its decline does not signal reduced capability. It signals that disruption is no longer the primary business model. |
Read that list again. Nine of the ten techniques are about executing with the operating system's own tools, staying hidden, maintaining access, stealing credentials, or controlling systems quietly; eight of them are primarily evasion, persistence, or stealthy command-and-control. Only one, T1486, now in last place and declining rapidly, is about visible destruction. This is not a subtle shift. It is a fundamental inversion of the threat model that most organisations' security architectures were built to defend against.
The single most operationally significant finding in the Red Report 2026 is the prevalence of T1555 — Credentials from Password Stores. Appearing in 23.49% of all analysed malware samples, credential theft from password stores is now one of the most common behaviours in the entire threat landscape. Nearly one in every four attacks targets the credentials your users have saved in their browsers, operating system keychains, and password managers.
The logic is straightforward: why exploit a vulnerability, deploy a zero-day, or brute-force an authentication system when you can simply extract the saved credentials from a compromised workstation and log in as a legitimate user? Once an attacker has valid domain credentials, every subsequent action, from privilege escalation through lateral movement to data access, uses native administrative tooling: no malware alert fires and no signature matches. The evidence that does exist is ordinary authentication and file-access telemetry that looks like routine administration, which only helps a defender who is baselining and reading it.
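What the detection side of T1555 looks like in practice, as an added example written for this article (it is not Picus code and not tooling from one of our engagements): the script below reads constructed Windows Security event 4663 file-access records and flags any process other than the owning browser that opens a saved-credential store. The store paths, the allowed executable paths, the sample events and the verdict labels are assumptions for illustration; the field names follow the real 4663 event.

```python
import json
import re

# Browser credential stores that T1555 tooling goes after, mapped to the only
# executables that should open them. Paths are Windows defaults (assumption:
# adjust for your deployment). Matching on the full executable path, not the
# basename, is deliberate: a masqueraded "chrome.exe" in %TEMP% must not pass.
CREDENTIAL_STORES = [
    (re.compile(r"\\google\\chrome\\user data\\(.*\\login data|local state)$"),
     {r"c:\program files\google\chrome\application\chrome.exe",
      r"c:\program files (x86)\google\chrome\application\chrome.exe"}),
    (re.compile(r"\\microsoft\\edge\\user data\\(.*\\login data|local state)$"),
     {r"c:\program files (x86)\microsoft\edge\application\msedge.exe"}),
    (re.compile(r"\\mozilla\\firefox\\profiles\\.*\\(logins\.json|key4\.db)$"),
     {r"c:\program files\mozilla firefox\firefox.exe"}),
]


def classify(event):
    """'expected' if the owning browser opened its own store, 'suspect' if any
    other process did, None if the event is not a credential-store access."""
    if event.get("EventID") != 4663:
        return None
    obj = event["ObjectName"].lower()
    proc = event["ProcessName"].lower()
    for store, owners in CREDENTIAL_STORES:
        if store.search(obj):
            return "expected" if proc in owners else "suspect"
    return None


def find_credential_store_access(log_lines):
    """Parse JSON-lines 4663 records and return (user, process, object) for
    every suspect access, in log order."""
    hits = []
    for line in log_lines:
        ev = json.loads(line)
        if classify(ev) == "suspect":
            hits.append((ev["SubjectUserName"], ev["ProcessName"], ev["ObjectName"]))
    return hits


# Constructed sample telemetry in the shape of Windows Security event 4663
# (4663 only fires with "Audit File System" enabled and a SACL on the files;
# EDR file-open telemetry carries the same information under other names).
SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectUserName": "alice", "AccessMask": "0x1",
     "ProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ObjectName": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"EventID": 4663, "SubjectUserName": "alice", "AccessMask": "0x1",
     "ProcessName": r"C:\Users\alice\AppData\Local\Temp\update.exe",      # unknown dropper
     "ObjectName": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"EventID": 4663, "SubjectUserName": "alice", "AccessMask": "0x1",
     "ProcessName": r"C:\Users\alice\AppData\Local\Temp\chrome.exe",      # T1036 masquerade
     "ObjectName": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"EventID": 4663, "SubjectUserName": "bob", "AccessMask": "0x1",
     "ProcessName": r"C:\Windows\System32\svchost.exe",                   # injected host?
     "ObjectName": r"C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default-release\key4.db"},
    {"EventID": 4663, "SubjectUserName": "bob", "AccessMask": "0x1",
     "ProcessName": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ObjectName": r"C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default-release\logins.json"},
    {"EventID": 4663, "SubjectUserName": "bob", "AccessMask": "0x2",
     "ProcessName": r"C:\Windows\System32\notepad.exe",
     "ObjectName": r"C:\Users\bob\Documents\notes.txt"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]


def sample_verdicts():
    """Verdict per constructed event, in order."""
    return [classify(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for user, proc, obj in find_credential_store_access(SAMPLE_LOG):
        print(f"T1555 suspect: {user} via {proc} -> {obj}")
```

Two design points matter. The allowlist is keyed on the full executable path, so the masquerading case in the sample (a chrome.exe dropped in %TEMP%) is still flagged, and svchost.exe reading a Firefox key4.db is what process injection into a trusted host looks like from the file-system side. In production you will need to extend the owner sets for backup agents and browser-migration tools that legitimately read these files, and remember that a stealer can also copy the store file or read the disk directly, so this check is one signal among several, not a complete control.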
One of the more concerning findings in the Red Report 2026 is the rise of T1497 — Virtualisation and Sandbox Evasion — into the top tier of observed techniques. Modern malware increasingly evaluates where it is before deciding whether to act. If it detects an analysis environment, it suppresses all malicious behaviour and sits dormant — waiting for a real production system.
The sophistication of this detection is advancing rapidly. In one example highlighted in the report, the LummaC2 infostealer analysed mouse movement patterns using Euclidean distance calculations and cursor angle geometry to distinguish human interaction from the linear, predictable motion typical of automated sandbox environments. When conditions appeared artificial, it deliberately withheld execution. No detonation. No indicators. No alerts. Just silence — which is, itself, the evasion technique.
This has direct implications for organisations that rely on sandbox-based email security gateways and automated malware analysis platforms. If the malware refuses to execute in the sandbox, the sandbox reports it as clean. The file is delivered to the end user. The malware executes on the real endpoint, where the mouse moves naturally, the display runs at a realistic resolution, and the system has the registry artefacts of a genuine Windows installation.
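To make the geometry concrete, here is an added illustration of the kind of check described above, written for this article rather than taken from LummaC2 or from the report: it sums the Euclidean distance travelled and computes the angle between consecutive cursor movements over a trace of sampled positions, and calls the environment automated when the cursor is parked, moves in a straight line, or repeats a fixed pattern. The thresholds and the four traces are constructed assumptions.

```python
import math

# Tunables (assumptions for this illustration, not values from the report)
MIN_SAMPLES = 8            # fewer cursor samples than this = no real interaction
MIN_PATH_LENGTH = 50.0     # total pixels travelled below this = cursor parked
MIN_ANGLE_STDDEV = 5.0     # degrees; below this the path is a line or a fixed pattern


def path_length(points):
    """Sum of Euclidean distances between consecutive cursor samples."""
    return sum(math.dist(a, b) for a, b in zip(points, points[1:]))


def turn_angles(points):
    """Angle in degrees between each pair of consecutive movement vectors."""
    angles = []
    for p0, p1, p2 in zip(points, points[1:], points[2:]):
        v1 = (p1[0] - p0[0], p1[1] - p0[1])
        v2 = (p2[0] - p1[0], p2[1] - p1[1])
        n1, n2 = math.hypot(*v1), math.hypot(*v2)
        if n1 == 0 or n2 == 0:          # cursor did not move: no direction to compare
            continue
        cos_theta = (v1[0] * v2[0] + v1[1] * v2[1]) / (n1 * n2)
        cos_theta = max(-1.0, min(1.0, cos_theta))   # guard against float drift
        angles.append(math.degrees(math.acos(cos_theta)))
    return angles


def stddev(values):
    mean = sum(values) / len(values)
    return math.sqrt(sum((v - mean) ** 2 for v in values) / len(values))


def looks_automated(points):
    """True when the cursor trace is what a scripted sandbox produces:
    absent, parked, or moving in straight lines / a repeating pattern.
    A human trace has varied step lengths and turn angles."""
    if len(points) < MIN_SAMPLES:
        return True
    if path_length(points) < MIN_PATH_LENGTH:
        return True
    angles = turn_angles(points)
    if len(angles) < 2:
        return True
    return stddev(angles) < MIN_ANGLE_STDDEV


# Constructed traces (x, y in pixels), sampled at a fixed interval.
STATIC = [(400, 300)] * 10                                   # cursor never moves
STRAIGHT_LINE = [(i * 12, 300) for i in range(12)]           # scripted sweep
ZIGZAG = [(i * 10, 10 if i % 2 else 0) for i in range(10)]   # fixed 90-degree pattern
HUMAN_LIKE = [(100, 100), (112, 108), (119, 121), (135, 126), (140, 140),
              (158, 143), (161, 160), (180, 165), (192, 181), (199, 199)]

if __name__ == "__main__":
    for name, trace in [("static", STATIC), ("straight", STRAIGHT_LINE),
                        ("zigzag", ZIGZAG), ("human-like", HUMAN_LIKE)]:
        print(f"{name:10s} automated={looks_automated(trace)}")
```

The same function is useful on the defending side: run it against the cursor trace your sandbox actually generates. A scripted sweep from corner to corner scores as automated just as a parked cursor does; what passes is replayed human movement with varied step lengths and turn angles, and a sandbox that cannot pass its own check should not be trusted to detonate evasive samples.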
The Picus data validates what we have observed directly through our own engagements. Over the last twelve months, our penetration testers and red team operators have made a deliberate, sustained effort to replicate the 'Digital Parasite' model during client engagements — not just breaching the perimeter, but establishing persistent, long-term access inside networks and operating undetected for as long as possible.
The objective was not to prove that networks can be breached. That is a given. The objective was to measure how long an attacker can remain resident inside a defended environment, and to test whether the client's Security Operations Centre — including their automated detection platforms — would identify the intrusion before we chose to reveal ourselves.
The results were consistent and, for many clients, uncomfortable.
This requires a direct, honest discussion — because it affects real security investment decisions that our clients make.
Platforms like Darktrace use machine learning to establish baselines of 'normal' network behaviour and alert on anomalies. The technology works. Darktrace and similar platforms do detect anomalous activity. During our engagements, we observed Darktrace-protected environments generating alerts on activity we generated — unusual internal connections, atypical data transfer patterns, authentication anomalies. The problem was never the detection. The problem was always the response.
In every engagement where we maintained prolonged undetected access inside a Darktrace-monitored environment, the failure was the same: the alerts existed in the queue, but no analyst investigated them with the expertise and context required to identify our activity as a threat rather than a false positive. The reasons varied — alert fatigue from high volumes of low-fidelity anomaly detections, insufficient analyst training to distinguish genuine lateral movement from legitimate administrative activity, over-reliance on the platform's autonomous response capabilities, or simply not enough staff to investigate the volume of alerts the platform generates.
The lesson is not that Darktrace is ineffective. The lesson is that no automated detection platform — regardless of how sophisticated its machine learning models are — replaces the need for skilled human analysts who can investigate alerts, apply contextual judgement, and escalate genuine threats. Organisations that deploy these platforms as a substitute for human expertise, rather than as a force multiplier for existing capability, are investing in an alarm system while leaving the monitoring station unstaffed.
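As an added example of why those alerts need context rather than a bare threshold (written for this article; it is not Darktrace's logic and not Picus code): the script below learns which (source, destination) pairs each account has used from constructed Windows Security 4624 network and RDP logon records, then scores every new pair, adding weight when the source is not an approved jump host, the account is privileged, the session is interactive, or one source fans out to several hosts at once. Field names follow the real 4624 event; the jump-host list, privileged-account list, weights and sample data are assumptions.

```python
import json
from collections import defaultdict

NETWORK_LOGON_TYPES = {3, 10}   # 3 = network (SMB, WinRM, WMI); 10 = RemoteInteractive (RDP)


def _logons(lines):
    """Yield (account, source IP, destination host, logon type) for remote logons."""
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") == 4624 and ev.get("LogonType") in NETWORK_LOGON_TYPES:
            yield (ev["TargetUserName"].lower(), ev["IpAddress"],
                   ev["Computer"].lower(), ev["LogonType"])


def build_baseline(history_lines):
    """account -> set of (source IP, destination host) pairs seen in the learning period."""
    seen = defaultdict(set)
    for user, src, dst, _ in _logons(history_lines):
        seen[user].add((src, dst))
    return seen


def score_logons(window_lines, baseline, jump_hosts, privileged_accounts, fan_out_threshold=3):
    """Score every remote logon outside the baseline. The score orders the queue;
    it does not decide. Reasons are kept so the analyst can see why it ranked."""
    new = [rec for rec in _logons(window_lines)
           if (rec[1], rec[2]) not in baseline.get(rec[0], set())]
    fan_out = defaultdict(set)                 # (account, source) -> new destinations
    for user, src, dst, _ in new:
        fan_out[(user, src)].add(dst)
    alerts = []
    for user, src, dst, logon_type in new:
        score, reasons = 1, ["first (source, destination) pair for this account"]
        if src not in jump_hosts:
            score += 2
            reasons.append("source is not an approved admin jump host")
        if user in privileged_accounts:
            score += 2
            reasons.append("privileged account")
        if logon_type == 10:
            score += 1
            reasons.append("interactive RDP session")
        n = len(fan_out[(user, src)])
        if n >= fan_out_threshold:
            score += 2
            reasons.append(f"fan-out: {n} new destinations from one source")
        alerts.append({"user": user, "src": src, "dst": dst, "score": score, "reasons": reasons})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


def _ev(user, src, dst, logon_type=3):
    """Constructed 4624 record as a JSON line (only the fields used above)."""
    return json.dumps({"EventID": 4624, "TargetUserName": user, "IpAddress": src,
                       "Computer": dst, "LogonType": logon_type})


# Constructed sample: a learning period, then a window in which svc_backup's
# credentials have been stolen from a workstation.
HISTORY = [_ev("svc_backup", "10.0.0.5", "fs01"), _ev("svc_backup", "10.0.0.5", "fs02"),
           _ev("alice", "10.0.1.20", "fs01"), _ev("da-admin", "10.0.0.9", "dc01", 10)]
WINDOW = [_ev("alice", "10.0.1.20", "fs01"),            # in baseline: suppressed
          _ev("alice", "10.0.1.20", "ws-bob"),          # new, workstation to workstation
          _ev("da-admin", "10.0.0.9", "srv01", 10),     # new, but from the jump host
          _ev("svc_backup", "10.0.1.44", "fs01"),       # service account from a workstation IP...
          _ev("svc_backup", "10.0.1.44", "fs02"),
          _ev("svc_backup", "10.0.1.44", "dc01"),
          _ev("svc_backup", "10.0.1.44", "srv01")]      # ...fanning out to four hosts
JUMP_HOSTS = {"10.0.0.9"}
PRIVILEGED = {"da-admin"}


def run_sample():
    return score_logons(WINDOW, build_baseline(HISTORY), JUMP_HOSTS, PRIVILEGED)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['score']}  {a['user']}  {a['src']} -> {a['dst']}  ({'; '.join(a['reasons'])})")
```

Run on the sample, the ranking puts the four svc_backup logons first: a service account that always authenticated from 10.0.0.5 is suddenly coming from a workstation address to the file servers and the domain controller, which is what stolen credentials look like. The domain admin's new RDP session from the jump host ranks below it despite the privileged account, because the source is expected. Neither score is a verdict; the second one is probably a change ticket, and only an analyst who checks can say so. Note also that a baseline learned while an attacker is already resident will contain their activity, which is one reason long dwell times are self-reinforcing.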
The Red Report 2026 provides a welcome counterweight to the relentless hype around AI-powered attacks. Despite widespread speculation that artificial intelligence would fundamentally reshape the malware landscape, Picus Labs observed no meaningful increase in AI-driven malware techniques across the entire 2025 dataset.
The most prevalent adversarial behaviours remain familiar: process injection, command-and-scripting interpreters, credential theft, application layer C2, and masquerading. Attackers do not require advanced AI to bypass modern defences — they require patience, operational discipline, and an understanding of how defenders think. Some malware families have begun experimenting with large language model APIs, but so far their use has been limited to retrieving predefined commands or acting as a convenient communication layer. These implementations improve efficiency, but they are not fundamentally altering attacker decision-making or execution logic.
AI is being absorbed into existing tradecraft rather than redefining it. The mechanics of the Digital Parasite remain unchanged: credential theft, stealthy persistence, abuse of trusted processes, and ever-longer dwell times. The threat is not that attackers have discovered a revolutionary new capability. The threat is that they have become quieter, more patient, and increasingly difficult to distinguish from legitimate activity — and that requires better human analysts, not better algorithms.
The combined picture from the Red Report data and our own engagement experience over the last twelve months points to a fundamental misalignment between how most organisations defend their networks and how attackers are actually operating.
| What Most Organisations Defend Against | What Attackers Are Actually Doing |
|---|---|
| Malware delivery and detonation — perimeter-focused defences designed to block known-bad files. | Delivering malware that evaluates its environment before executing, deliberately evading sandbox analysis, and only detonating on real production endpoints. |
| Ransomware encryption — incident response plans built around system lockout and recovery. | Silent data exfiltration and credential theft without encryption. Systems remain operational while the attacker extracts everything of value. No recovery is needed because nothing is visibly damaged. |
| Signature-based detection — blocking known malicious hashes, domains, and patterns. | Process injection into trusted processes, C2 over legitimate cloud APIs, and lateral movement using native Windows tools. No malicious signatures to detect because every tool used is legitimate. |
| Automated anomaly detection — deploying ML-based platforms to identify unusual behaviour. | Generating activity that looks like normal administrative work. When anomalies are detected, relying on the fact that overwhelmed SOC teams lack the capacity or expertise to investigate every alert. |
| Perimeter security — heavy investment in firewalls, email gateways, and web proxies. | Using stolen valid credentials to log in through legitimate access channels — VPN, RDP, cloud SSO — that perimeter controls are designed to permit. |
The Picus Red Report 2026 confirms what our own red team engagements have demonstrated throughout the last twelve months: the most dangerous attackers are no longer the ones who make the most noise. They are the ones who make no noise at all. Ransomware encryption is declining not because attackers lack capability, but because silent residency is more profitable, more sustainable, and harder to detect. Eight of the top ten MITRE ATT&CK techniques now prioritise stealth. Credential theft appears in nearly one in four attacks. Malware deliberately evades the sandbox environments defenders rely on for analysis.
The defensive implication is uncomfortable but clear: the security architectures that most organisations built to defend against loud, visible, destructive attacks are poorly suited to detecting quiet, patient, credential-wielding adversaries who operate inside trusted processes and communicate over legitimate protocols. Automated detection platforms generate the alerts. But if no skilled analyst investigates those alerts with sufficient expertise and context, the attacker remains resident indefinitely.
Our experience this year — deliberately living inside client networks without detection, using precisely the techniques the Red Report documents, and forcing SOC teams to confront the gap between their detection capability and their response capability — has consistently delivered one lesson above all others. The technology is not the problem. The problem is that organisations treat detection platforms as solutions rather than tools, invest in automation as a substitute for expertise rather than a force multiplier, and test their perimeters without testing whether anyone is watching what happens after the perimeter is breached.
The Digital Parasite does not need to be sophisticated. It needs to be patient. And patience only works when the host is not paying attention.
Our red team engagements measure dwell time — not just whether we can get in, but how long we can stay in without your SOC detecting us. We replicate the techniques documented in the Red Report 2026 against your actual environment, then work with your team through a purple team debrief to close the gaps.