Mandiant M Trends Over 450,000 Hours of Cyber Threat Report


Mandiant M-Trends 2025: Information, Perspectives, and Suggestions From the Frontlines. Increasing the sophistication of their attacks is one way threat actors stay ahead of the ever-changing cyber defense landscape. This pattern is evident in many of Mandiant's engagements, especially those involving groups with a connection to China.

These actors have proven that they can utilize proxy networks similar to botnets, target edge devices and platforms that typically lack endpoint detection and response, develop custom malware ecosystems, find and exploit zero-day vulnerabilities in security and other appliances, and incorporate custom obfuscators into their malware. These additional actions are taken in an effort to avoid discovery, hinder analysis, and eventually remain on systems for extended periods of time.

But not every successful attack is extremely intricate and technical. When opportunities are presented to them, attackers frequently take advantage of them. This includes gaining initial access with credentials that were taken during infostealer operations. Infostealer use has grown so much that stolen credentials, seen in 16% of Mandiant's investigations, are now the second most common initial infection vector. Attackers are also seizing opportunities by targeting unprotected data repositories to steal credentials and other sensitive information, and by taking advantage of the vulnerabilities and risks inherent in cloud migrations.

The 16th edition of the annual report, Mandiant M-Trends 2025, was issued today to assist organizations in staying ahead of all kinds of threats. To provide defenders with vital information on the most recent cyber threats, the authors delve deeply into a number of patterns and offer data and analysis from the frontlines of incident response engagements.


Data and Trends

Over 450,000 hours of Mandiant Consulting investigations served as the foundation for the M-Trends 2025 data. The measurements are derived from targeted attack activity investigations carried out between January 1, 2024, and December 31, 2024. M-Trends 2025’s main conclusions include:

  • In 2024, 8% of threat groups were driven by espionage, while 55% of threat groups were financially motivated, continuing a steady rise.
  • The most frequent initial infection vector is still exploits (33%), and in 2024, stolen credentials became the second most prevalent for the first time (16%).
  • Financial (17.4%), business and professional services (11.1%), high tech (10.6%), government (9.5%), and healthcare (9.3%) are the main industries targeted.
  • The global median dwell time increased from 10 days in 2023 to 11 days in 2024. Broken down by who discovered the intrusion, the global median dwell time was 10 days when organizations found malicious activity internally, 5 days when the adversary itself gave notification (as is typical in ransomware cases), and 26 days when external entities gave notification.
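The dwell-time figures above are medians computed over incidents, split by who discovered the intrusion. The following added example (not code from the report or from Mandiant) shows how an organization would compute the same metric from its own incident records: dwell time is the number of days between the earliest evidence of compromise and detection, and the median is taken globally and per notification source. The incident records are constructed sample data, not figures from the report.

```python
from datetime import date
from statistics import median

# Constructed sample incident records (not Mandiant data). Each record holds
# the earliest evidence of compromise, the date the intrusion was detected,
# and who detected it: "internal", "external" (e.g. a partner or law
# enforcement) or "adversary" (e.g. a ransom note).
SAMPLE_INCIDENTS = [
    {"id": "inc-1", "compromised": date(2024, 3, 1),  "detected": date(2024, 3, 9),  "source": "internal"},
    {"id": "inc-2", "compromised": date(2024, 5, 10), "detected": date(2024, 5, 22), "source": "internal"},
    {"id": "inc-3", "compromised": date(2024, 6, 2),  "detected": date(2024, 7, 1),  "source": "external"},
    {"id": "inc-4", "compromised": date(2024, 8, 15), "detected": date(2024, 9, 6),  "source": "external"},
    {"id": "inc-5", "compromised": date(2024, 9, 20), "detected": date(2024, 9, 24), "source": "adversary"},
    {"id": "inc-6", "compromised": date(2024, 11, 3), "detected": date(2024, 11, 9), "source": "adversary"},
]


def dwell_days(incident):
    """Dwell time in days: first evidence of compromise to detection."""
    days = (incident["detected"] - incident["compromised"]).days
    if days < 0:
        # A detection date before the compromise date is a data-entry error,
        # not a negative dwell time; refuse it rather than skew the median.
        raise ValueError(f"{incident['id']}: detection precedes compromise")
    return days


def median_dwell(incidents):
    """Median dwell time over a list of incidents; None if the list is empty."""
    if not incidents:
        return None
    return median([dwell_days(inc) for inc in incidents])


def median_dwell_by_source(incidents):
    """Median dwell time keyed by notification source (internal/external/adversary)."""
    groups = {}
    for inc in incidents:
        groups.setdefault(inc["source"], []).append(inc)
    return {source: median_dwell(group) for source, group in groups.items()}


if __name__ == "__main__":
    print("global median dwell:", median_dwell(SAMPLE_INCIDENTS))
    for source, days in sorted(median_dwell_by_source(SAMPLE_INCIDENTS).items()):
        print(f"{source:>9}: {days} days")
```

Because the median is robust to a few very long intrusions, it is the right summary statistic for dwell time; the mean would be dominated by the occasional months-long compromise. Comparing the per-source medians is what makes the report's point visible: intrusions surfaced by an external party or only found once the adversary announces itself say more about detection gaps than about attacker tradecraft.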

In addition to the infostealer, cloud, and unprotected data repository developments mentioned above, M-Trends 2025 delves further into a number of additional subjects, such as:

  • In order to make money and support national goals, the Democratic People's Republic of Korea places its citizens in remote IT worker positions under fraudulent identities.
  • In 2024, threat actors with ties to Iran increased their cyber operations, particularly targeting Israeli organizations and employing a range of techniques to increase the success of intrusions.
  • In order to obtain widespread access, attackers target cloud-based repositories of centralized authority, including single sign-on portals.
  • Increased use of Web3 technologies, such as blockchains and cryptocurrencies, for money laundering, theft, and the financing of illegal activity.

Recommendations for Organizations

Every article in M-Trends 2025 provides important suggestions for improving organizations' cybersecurity posture, many of which are relevant to several trends. The report also suggests that organizations:

  • Put into practice a tiered security strategy that prioritizes good principles like hardening, least privilege, and vulnerability management.
  • Implement multi-factor authentication that complies with FIDO2 for all user accounts, particularly privileged accounts.
  • Invest in cutting-edge detection tools and create solid incident response strategies.
  • Enhance monitoring and logging procedures to spot questionable activities and cut down on dwell time.
  • Consider conducting threat hunting exercises to proactively look for signs of compromise.
  • Put in place robust security measures for cloud deployments and migrations.
  • Examine and audit cloud environments on a regular basis for errors and vulnerabilities.
  • Reduce insider risk by restricting access, monitoring suspicious activity, and thoroughly vetting employees, especially remote workers.
  • Stay current on threat intelligence, adjust security strategies, and frequently review and adapt security policies and processes to manage emerging threats.


Be Ready to Respond

The goal of Mandiant M-Trends has always been to give security experts up-to-date, firsthand knowledge of the most recent, evolving attacks and to offer useful, actionable lessons for improved organizational security.

Mandiant M-Trends 2025 is available now.

Mandiant experts frequently find themselves on the front lines of cyber crises, conducting in-depth analyses and investigations of the latest attacks. By disseminating these findings to the larger security community through the publication of the yearly M-Trends report, Mandiant continues its commitment to giving vital information to those entrusted with protecting organizations.