
Attackers are increasingly abandoning noisy, direct attacks in favor of more subtle, stealthy tactics. They are flying under the radar and achieving long dwell times with the aid of more modular strategies and complex, multi-stage malware.
As a result, defenders must rethink their approach to expose these hidden threats before they strike.
CTO of Threat Analysis at OPSWAT.
Is evasion the new normal?
Cyber attackers will typically take the path of least resistance – if a tactic works, they’ll keep using it. When enough companies are armed with effective defenses, the offensive tools and tactics will adapt to get around them.
We’re seeing such a tipping point now. Traditional detection systems can pick up standard attacks reliably enough so criminal groups are exploring more subtle and complex options. Instead of launching large-scale, brute-force campaigns, threat actors are optimizing for persistence.
They want to stay embedded for weeks or months, quietly collecting data or preparing for more impactful attacks.
This stealth-first mindset is also driven by economics. Cybercrime-as-a-Service has made sophisticated evasion techniques widely available, meaning even low-level operators can buy stealthy, modular tools off the shelf.
OPSWAT’s own telemetry showed a 127% increase in malware complexity in just six months, typically in the form of multi-stage, obfuscated payloads designed to bypass static detection.
What are the most striking trends?
The skyrocketing complexity of malware is definitely one of the most alarming developments.
While there is no shortage of basic malware out there, more groups are deploying multi-stage, obfuscated script chains. They often combine PowerShell, JavaScript, and Batch scripts that disguise each stage of execution. These lightweight, modular loaders make detection more difficult.
The average multi-stage sample we analyzed this year contained 18 behavioral nodes, up from eight six months earlier. That leap demonstrates how attackers are layering more obfuscation and decision logic into each chain.
We’re also seeing attackers weaponize platforms in widespread use by employees to support their evasive tactics, with command-and-control traffic increasingly hiding inside tools such as Google Sheets or Calendar.
Campaigns will also aim to exploit human behavior, such as the ‘ClickFix’ attack, which tricks victims into running malicious commands through the Windows Run prompt. There’s no malware payload or malicious URL involved, so nothing for standard tools to detect.
Why are so many defenders still struggling to detect these threats?
Many organizations are still operating with a “known threats” mindset, relying on static, signature-based tools to flag anything familiar. This has been fairly successful for many years, to the point where attackers have had to switch it up.
But today’s more advanced malware rarely looks the same twice. Obfuscation, encryption, and fileless execution mean there’s often nothing for these systems to match against.
We found that one in 14 files dismissed as benign by public feeds turned out to be malicious when behaviorally analyzed. That’s a huge blind spot for any defensive strategy relying on known threat signatures.
How can organizations cope with these stealth attacks?
Standard detection tools will still be necessary for the myriad lower-level threats making the rounds, but security architects must also adopt a behavior-first strategy.
This focuses on determining what a file does, not just what it looks like. Instead of trusting static indicators, defenders analyze execution in real time to see how a file behaves. This includes assessing what processes it spawns, which registry keys it touches, and how it interacts with the network or system memory.
Adaptive sandboxing and emulation can safely expose hidden behaviors such as memory-only malware or scripts that decrypt and execute only at runtime.
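The contrast between a signature verdict and a behavior-first verdict, as an added example that is not code from the article or from OPSWAT: two variants of one script loader share a runtime trace but not a hash, so only the behavioral rules catch the re-obfuscated one. Sandbox traces, process names, rule names, weights and the threshold are all constructed assumptions.

```python
import hashlib

# Constructed sandbox traces (illustrative, not OPSWAT telemetry). Each event is
# (acting process, action, target), the kind of record a sandbox emits at runtime.
CHAIN_TRACE = [
    ("cmd.exe", "spawn", "powershell.exe"),
    ("powershell.exe", "spawn", "wscript.exe"),
    ("wscript.exe", "registry_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
    ("powershell.exe", "network", "sheets.googleapis.com"),
    ("powershell.exe", "exec_memory", "self"),
]
# A benign installer that only registers itself to start at login and checks for updates.
INSTALLER_TRACE = [
    ("setup.exe", "registry_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
    ("setup.exe", "network", "updates.example.com"),
]

# Two on-disk variants of the same loader: variant B is re-obfuscated, so its hash changes
# while its runtime behaviour (CHAIN_TRACE) does not. The bytes are constructed placeholders.
VARIANT_A = b"powershell -enc <constructed-base64-A>"
VARIANT_B = b"powershell -enc <constructed-base64-B>"
KNOWN_BAD_HASHES = {hashlib.sha256(VARIANT_A).hexdigest()}

SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}
SAAS_C2_SUFFIXES = ("googleapis.com", "google.com")


def signature_verdict(sample_bytes):
    """Static view: malicious only if this exact hash is already known."""
    return hashlib.sha256(sample_bytes).hexdigest() in KNOWN_BAD_HASHES


# Behavioural rules: each checks a runtime capability, not a byte pattern. Weights are assumed.
RULES = {
    "script_host_chain": (2, lambda t: sum(1 for _, a, c in t if a == "spawn" and c in SCRIPT_HOSTS) >= 2),
    "run_key_persistence": (1, lambda t: any(a == "registry_write" and c.endswith("\\Run") for _, a, c in t)),
    "memory_only_stage": (2, lambda t: any(a == "exec_memory" for _, a, _ in t)),
    "c2_over_saas": (2, lambda t: any(a == "network" and c.endswith(SAAS_C2_SUFFIXES) for _, a, c in t)),
}


def behavior_verdict(trace, threshold=3):
    """Dynamic view: score the capabilities observed; a single behaviour alone is not enough."""
    hits = [name for name, (_, rule) in RULES.items() if rule(trace)]
    score = sum(RULES[name][0] for name in hits)
    nodes = len(set(trace))  # distinct behavioural nodes observed in the chain
    return {"malicious": score >= threshold, "score": score, "hits": hits, "nodes": nodes}
```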
At OPSWAT, we’ve seen that combining behavioral analysis with machine learning-powered similarity search achieves 99.97% detection accuracy. This approach accelerates detection as well as precision, revealing new threats up to 24 hours before they appear in public OSINT feeds.
What else can security leaders do to build resilience?
One of the most important factors in building true resilience is to take a multi-layered approach.
So, while a behavior-first approach is crucial, there are other elements to consider. One important capability is the implementation of data diodes. These are hardware units that enforce unidirectional data flow, providing an effective barrier to the more subtle C2 and exfiltration tactics.
Alongside this, deploying a Managed File Transfer (MFT) solution will provide another layer of defense by automatically blocking and sandboxing potential risks.
Finally, another valuable approach is to implement Content Disarm and Reconstruction (CDR). This treats all incoming files as malicious by default and will rebuild and sanitize them to fully remove any hidden threats before they are allowed into the system.
The most important step is to accept that stealth is becoming the default attack mode. Defenders need to evolve accordingly by prioritizing adaptability across people, processes, and technology. Continuous detection and response should replace point-in-time scanning, while threat intelligence must flow freely between tools and teams.
Security leaders should focus on knowing how a threat behaves. Building behavioral context into every stage of the security pipeline helps teams make faster, smarter decisions.
Above all, successful defense demands a continuous approach to security. The organizations that learn from each incident will always stay ahead.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.