Infostealer malware is on the rise, according to Mandiant's 2025 M-Trends report. Unsecured data repositories and risky cloud migrations were also security weak points in 2024 for the organizations whose incidents Mandiant investigated for its 16th annual M-Trends report.
How attackers breached organizations in 2024
Most common attack methods
The most common methods attackers used to breach organizations in 2024 were:
- Exploits (33%).
- Stolen credentials (16%).
- Email phishing (14%).
- Web compromise (9%).
- Prior compromise (8%).
Exploits declined slightly from 2023, when they were the initial vector for 38% of intrusions. Mandiant noted that attackers who might otherwise start with email phishing can obtain the same credentials elsewhere, such as from mass leaks or cybercrime forums, which helps explain why stolen credentials now outrank phishing. The relatively high rate of prior compromise also suggests that threat actors work together: Mandiant said some groups specialize in selling initial access to others.
Web compromise rose from 5% to 9%, with attackers using malicious advertisements, search engine optimization (SEO) poisoning, and compromised websites. Mandiant's recommended mitigations are endpoint script blocking, web content filtering that blocks malicious redirects and downloads, policies that prevent browsers from storing credentials, and consistent patching of all systems.
Most commonly targeted industries
The industries targeted most often were:
- Finance.
- Business and professional services.
- High tech.
- Government.
- Healthcare.
“With ransomware and extortion, we’re seeing threat actors using brute force attacks such as password spraying, and attacks against VPN devices using default credentials, indicating a less targeted approach,” said Jurgen Kutscher, vice president of Mandiant Consulting at Google Cloud, in a prepared statement. “This highlights the importance of auditing and securing Internet exposed systems and infrastructure and underscores the universal risk faced by organizations around the world. As in prior years, this report aims to provide timely insights to help our readers with preparedness.”
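One way to catch the spraying pattern Kutscher describes in VPN authentication logs, as an added example that is not code from the M-Trends report or from Mandiant. The log format, the sample lines, the thresholds and the list of default account names are all constructed for this illustration; the regex would need adapting to a real gateway's log format.

```python
"""
Password-spraying detector for VPN authentication logs.

Added example, not code from the M-Trends report or from Mandiant. The log
format, the sample lines and the thresholds are constructed for this
illustration; adapt the regex to your gateway's real log format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (syslog-style VPN auth events, not real data):
# one source sprays one guess across many accounts and lands on "frank",
# a second source brute-forces a single account, a third is a normal login,
# and a fourth logs in to a built-in "admin" account that should not be exposed.
SAMPLE_LOG = """\
2024-06-03T08:00:01Z vpn-gw auth user=alice src=198.51.100.7 result=FAIL
2024-06-03T08:00:04Z vpn-gw auth user=bob src=198.51.100.7 result=FAIL
2024-06-03T08:00:07Z vpn-gw auth user=carol src=198.51.100.7 result=FAIL
2024-06-03T08:00:10Z vpn-gw auth user=dave src=198.51.100.7 result=FAIL
2024-06-03T08:00:13Z vpn-gw auth user=erin src=198.51.100.7 result=FAIL
2024-06-03T08:00:16Z vpn-gw auth user=frank src=198.51.100.7 result=FAIL
2024-06-03T08:01:02Z vpn-gw auth user=frank src=198.51.100.7 result=OK
2024-06-03T08:02:00Z vpn-gw auth user=alice src=203.0.113.5 result=FAIL
2024-06-03T08:02:05Z vpn-gw auth user=alice src=203.0.113.5 result=FAIL
2024-06-03T08:02:09Z vpn-gw auth user=alice src=203.0.113.5 result=FAIL
2024-06-03T08:02:14Z vpn-gw auth user=alice src=203.0.113.5 result=FAIL
2024-06-03T08:05:00Z vpn-gw auth user=grace src=192.0.2.10 result=OK
2024-06-03T08:06:00Z vpn-gw auth user=admin src=203.0.113.9 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)

# Account names that ship with many appliances; any external attempt against
# them is worth an alert regardless of volume (constructed list for the example).
DEFAULT_ACCOUNTS = frozenset({"admin", "administrator", "root", "guest"})


def parse(log_text):
    """Turn raw log lines into event dicts; lines that don't match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect_spraying(events, window_minutes=10, min_users=5, max_per_user=2):
    """
    Flag a source that fails against at least `min_users` distinct accounts
    within `window_minutes`, with at most `max_per_user` failures per account.
    The low per-account count is what separates spraying from a brute force
    against one account, which lockout policies already catch.
    """
    alerts = []
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            end = start["ts"] + timedelta(minutes=window_minutes)
            window = [e for e in evs[i:] if e["ts"] <= end]
            fails = defaultdict(int)
            for e in window:
                if e["result"] == "FAIL":
                    fails[e["user"]] += 1
            sprayed = [u for u, n in fails.items() if n <= max_per_user]
            if len(sprayed) >= min_users:
                successes = sorted({e["user"] for e in window if e["result"] == "OK"})
                alerts.append({
                    "src": src,
                    "first_seen": start["ts"],
                    "users_tried": len(fails),
                    "successes": successes,  # accounts the spray actually opened
                })
                break  # one alert per source is enough
    return alerts


def default_account_attempts(events, default_accounts=DEFAULT_ACCOUNTS):
    """Return every attempt against a built-in account, successful or not."""
    return [e for e in events if e["user"].lower() in default_accounts]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for a in detect_spraying(evs):
        print(f"SPRAY from {a['src']}: {a['users_tried']} accounts, "
              f"compromised={a['successes'] or 'none'}")
    for e in default_account_attempts(evs):
        print(f"DEFAULT ACCOUNT {e['user']} from {e['src']}: {e['result']}")
```

The thresholds (five accounts in ten minutes, at most two failures each) are deliberately loose so the pattern shows in a handful of lines; on a real gateway they should be tuned against a baseline, and a success that follows a spray from the same source is the event to escalate first.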
Most commonly exploited vulnerabilities
The most commonly exploited vulnerabilities were:
- CVE-2024-3400, a command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS.
- CVE-2023-46805 and CVE-2024-21887, an authentication bypass and a command injection vulnerability, respectively, in Ivanti Connect Secure VPN; chained together, they give an unauthenticated attacker command execution on the appliance.
- CVE-2023-48788, a SQL injection vulnerability in the FortiClient Endpoint Management Server (EMS).
All four sit in internet-facing edge devices (VPN gateways and a management server), the class of exposed infrastructure the report singles out for auditing and patching.
Most common malware types
Mandiant observed a variety of malware types in 2024. Backdoors were the largest category, at 35% of all detected instances. The rest fell into the following categories:
- Ransomware (14%).
- Droppers (8%).
- Downloaders (7%).
- Tunnelers (6%).
- Credential stealers (5%).
Attackers’ main motivations
What do the threat actors want?
- Most (55%) are financially motivated.
- The next greatest share (35%) have unknown motivations.
- Following that, 8% are committed to espionage.
- Mandiant classified 2% as “other.”
Unrest in Ukraine and the Middle East drives cybersecurity hotspots
Russia- and China-affiliated threat groups were highly active in 2024, Mandiant found. Data theft by such groups increased, with attackers targeting key individuals and their emails and documents.
Four of the politically affiliated groups Mandiant tracked were advanced persistent threat (APT) groups from China, Russia, and Iran.
Russian cyber espionage clusters remain active against Ukraine, in particular targeting mobile messaging applications for intelligence collection.
In the Middle East, Iran-based threat actor groups use social engineering and other techniques to spread malware and perform phishing attacks.
North Korean state-affiliated actors infiltrated tech companies
Mandiant specifically tracked the North Korean IT worker scheme, in which operatives using fake identities take high-paying remote jobs and funnel their salaries to the North Korean government. Some of these fraudulent workers also engaged in extortion, stealing proprietary information and threatening to release it. The threat group Mandiant associates with the scheme was its most frequently observed attacker in the Americas.
Tips for spotting job seekers affiliated with the North Korean government
Mandiant’s research has revealed tips for identifying job seekers affiliated with the North Korean government.
- Some fraudulent workers claim to live in the US but have studied only at international universities. That can be true of legitimate applicants, so treat it as a signal only in combination with other red flags, such as inconsistencies between what a candidate says in an interview and what the resume states.
- Use of Voice over Internet Protocol (VoIP) phone numbers is not a red flag by itself, but it is a known practice among these scammers.
- Watch for resumes that still contain template or default wording.
- Endpoint and network monitoring can surface discrepancies between where and how a person claims to work and their actual setup, for example logins from unexpected locations or remote-access tools controlling the issued device.
- Organizations should be aware that deepfake video can be used to mask a person during an interview. An AI-generated avatar, for example, may be unable to hold a hand in front of its face or perform other basic movements.