A new global study highlights a growing shift in cyberattack strategies, with threat actors increasingly relying on compromised accounts and legitimate access methods rather than malware to infiltrate organisations and evade detection.
Cybercriminals are increasingly turning to credential-based attacks and legitimate account access to compromise organisations, according to a new report from Kaspersky Security Services. The findings suggest that attackers are moving away from traditional malware-centric tactics in favour of quieter, harder-to-detect techniques that exploit identity and access management weaknesses.
The report, titled Anatomy of a Cyber World, draws on insights gathered from Kaspersky’s Managed Detection and Response (MDR), Incident Response (IR), Compromise Assessment and Security Operations Center (SOC) Consulting services during 2025. It examines attack patterns, adversary behaviours and incident trends observed across organisations worldwide.
According to the analysis, techniques involving user credentials and account manipulation continue to be among the most effective methods used by threat actors to gain and maintain access to corporate environments.

Credential-based attacks lead threat activity
The study found that password guessing remains the most successful attack technique, accounting for 34.8% of monitored incidents that ultimately resulted in confirmed malicious activity. The method involves systematically attempting multiple password combinations until access is gained, highlighting the ongoing risks associated with weak or reused credentials.
Close behind was local account creation, representing 34.7% of incidents. Attackers commonly create new accounts after gaining access to a system, allowing them to maintain persistence even if their original point of entry is discovered and removed.
The report also identified valid account abuse as one of the most prevalent attack methods, accounting for 34.5% of confirmed incidents. In such cases, threat actors use stolen or compromised credentials to access systems and operate under the guise of legitimate users, making detection significantly more difficult.
Account manipulation, which includes actions such as modifying permissions, enabling dormant accounts or escalating privileges, represented 32% of incidents. Meanwhile, network service discovery accounted for 31.2%, underscoring the importance of detecting reconnaissance activities before attackers can move laterally within an environment.
Shift away from traditional malware
Kaspersky noted that modern attackers increasingly prefer using existing tools, legitimate credentials and built-in system capabilities rather than deploying malware that could trigger security alerts.
“Threat actors do not always need sophisticated malware to achieve their objectives. In many cases, legitimate administrative tools and compromised accounts remain the fastest and most effective way to move inside an organization while avoiding detection. The continued popularity of these techniques shows that organizations need deep visibility into attacker behavior and the ability to correlate suspicious activity across different stages of an attack. To address these challenges, companies can enhance their security with our solutions: Kaspersky Managed Detection and Response and Incident Response which cover the entire incident management cycle – from threat detection to continuous protection and remediation,” comments Sergey Soldatov, Head of Security Operations Center at Kaspersky.
The report concludes that organisations must prioritise visibility into user behaviour, strengthen identity security controls and improve threat monitoring capabilities to counter increasingly stealthy attacks that rely on legitimate access rather than malicious software.
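An added example, not taken from the Kaspersky report or this article: a minimal correlation over Windows Security events that links password guessing, the resulting valid-account logon and a follow-on local account creation into one finding. The event IDs (4625, 4624, 4720) are real; the hosts, account names, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs: 4625 failed logon, 4624 successful logon,
# 4720 local user account created.
FAILED, SUCCESS, CREATED = 4625, 4624, 4720

# Constructed sample events: (time, host, event_id, actor, detail).
# detail is the source IP for logon events and the new account name for 4720.
EVENTS = [
    (f"2025-03-01T02:10:{s:02d}", "srv01", FAILED, "admin", "203.0.113.7")
    for s in range(0, 60, 10)
] + [
    ("2025-03-01T02:11:10", "srv01", SUCCESS, "admin", "203.0.113.7"),
    ("2025-03-01T02:15:00", "srv01", CREATED, "admin", "svc_backup2"),
    # Benign noise: a user mistyping a password, and a routine account creation.
    ("2025-03-01T08:30:00", "ws07", FAILED, "jsmith", "10.0.0.15"),
    ("2025-03-01T08:30:20", "ws07", FAILED, "jsmith", "10.0.0.15"),
    ("2025-03-01T08:30:40", "ws07", SUCCESS, "jsmith", "10.0.0.15"),
    ("2025-03-01T09:00:00", "ws07", CREATED, "helpdesk", "newhire"),
]

def correlate(events, min_failures=5, window=timedelta(minutes=30)):
    """Flag logons that follow a burst of failures, plus accounts created afterwards."""
    failures = defaultdict(list)   # (host, account, source) -> failure times
    footholds = []                 # (logon time, finding) for each flagged logon
    findings = []
    for ts, host, event_id, actor, detail in sorted(events):  # ISO times sort in order
        t = datetime.fromisoformat(ts)
        if event_id == FAILED:
            failures[(host, actor, detail)].append(t)
        elif event_id == SUCCESS:
            recent = [f for f in failures[(host, actor, detail)] if t - f <= window]
            if len(recent) >= min_failures:
                finding = {"host": host, "account": actor, "source": detail,
                           "failures": len(recent), "created": []}
                findings.append(finding)
                footholds.append((t, finding))
        elif event_id == CREATED:
            # Attach the new account to a flagged logon by the same actor on the same host.
            for t0, finding in footholds:
                if (finding["host"], finding["account"]) == (host, actor) and t - t0 <= window:
                    finding["created"].append(detail)
    return findings

if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```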




