Skip to content
.ca
sign in
4 minhigh

2025 Identity Threat Landscape Report

The 2025 Identity Threat Landscape Report highlights a massive surge in credential theft driven by infostealer malware, with LummaC2 leading the ecosystem. A critical finding is the widespread theft of active session cookies, which allows attackers to bypass multi-factor authentication (MFA) and directly access high-value corporate systems, VPNs, and cloud platforms.

Conf:highAnalyzed:2026-03-19reports

Authors: Recorded Future

ActorsLummaC2 / LummaStealerCastleLoaderRedLineMETARhadamanthysVidarStealCAtomic macOS StealerMacSyncAcreedOdyssey Stealer
Credential TheftInfostealerLummaC2Session CookiesMFA Bypass

Source:Recorded Future

IOCs · 3
  • domain
    acme[.]comExample compromised domain surfaced in Recorded Future incident reports demonstrating targeted corporate access.
  • domain
    norsegods[.]onlineExample compromised domain surfaced in Recorded Future incident reports.
  • domain
    quantumsecure[.]ioExample high-security domain surfaced in Recorded Future incident reports.

Key Takeaways

  • Credential theft accelerated significantly in 2025, with a 50% increase in volume during the second half of the year.
  • 31% of malware-sourced credentials (276 million) included active session cookies, allowing attackers to bypass MFA entirely.
  • Attackers specifically target authentication systems, cloud platforms, VPNs, and RMM tools to gain broad organizational access.
  • LummaC2 was the dominant infostealer, utilizing 'ClickFix' social engineering and advanced sandbox evasion techniques.
  • A single compromised device yields an average of 87 stolen credentials, often blending personal and corporate access.

Affected Systems

  • Windows
  • macOS
  • Authentication Systems
  • Virtual Private Networks (VPNs)
  • Remote Monitoring and Management (RMM) Tools
  • Cloud Computing Platforms

Attack Chain

Attackers distribute infostealers like LummaC2 using social engineering tactics such as fake software downloads and 'ClickFix' CAPTCHA challenges. Once executed, the malware uses loaders like CastleLoader to run obfuscated payloads in memory, employing sandbox evasion techniques like mouse movement analysis. The infostealer harvests credentials, session cookies, and crypto wallets from the infected device. The stolen session cookies are then used to bypass MFA and access corporate authentication systems, VPNs, and cloud platforms.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the report.

Detection Engineering Assessment

EDR Visibility: Medium — EDR can detect the initial infostealer execution and memory loading, but often lacks visibility into the subsequent credential abuse if it occurs off-network or via valid session cookies. Network Visibility: Low — Infostealer exfiltration is typically encrypted, and subsequent access using stolen cookies appears as legitimate user traffic. Detection Difficulty: Hard — Stolen session cookies bypass MFA and appear as legitimate user sessions, making behavioral anomaly detection crucial to identify the compromise.

Required Log Sources

  • Identity Provider (IdP) Logs
  • VPN Logs
  • Web Proxy Logs
  • EDR Telemetry

Hunting Hypotheses

HypothesisTelemetryATT&CK StageFP Risk
Attackers are using stolen session cookies to bypass MFA.IdP logs showing session resumption or authentication from novel IP addresses or ASNs without a corresponding MFA challenge.Credential AccessMedium
Infostealers are executing via ClickFix social engineering.EDR logs showing unusual script execution (PowerShell/CMD) originating from web browsers after user interaction.ExecutionLow

Control Gaps

  • MFA bypass via session cookies
  • Lack of visibility into personal devices used for corporate access

Key Behavioral Indicators

  • Authentication from anomalous geolocations
  • Sudden changes in user agent strings for existing sessions
  • Execution of obfuscated payloads in memory

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Invalidate active sessions and force password resets for any user identified in an infostealer log.
  • Automate response workflows to clear sessions immediately upon credential leak detection.

Infrastructure Hardening

  • Enforce shorter session token lifespans for high-risk applications.
  • Monitor third-party and subsidiary domains for credential exposure.

User Protection

  • Extend credential monitoring to personal devices accessing corporate resources.
  • Implement device posture checks before allowing access to corporate applications.

Security Awareness

  • Train employees on the risks of 'ClickFix' CAPTCHA challenges and fake software downloads.
  • Educate users on the dangers of saving corporate credentials in personal browser profiles.

MITRE ATT&CK Mapping

  • T1566.002 - Phishing: Spearphishing Link
  • T1059 - Command and Scripting Interpreter
  • T1539 - Steal Session Cookies
  • T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
  • T1111 - Two-Factor Authentication Interception
  • T1497.001 - Virtualization/Sandbox Evasion: System Checks
  • T1027.002 - Obfuscated Files or Information: Software Packing

Additional IOCs

  • File Hashes:
    • d6bc967b9ae645c092dec2c3fc98312d7e2f3e24 (SHA1) - Example SHA1 password hash from compromised credential logs.
    • 206267c2aeb8c87a8d97f5646de36d9263c9ec5b (SHA1) - Example SHA1 password hash from compromised credential logs.
    • 20a399f8604b65e72e123b00e692868e000e6678 (SHA1) - Example SHA1 password hash from compromised credential logs.
  • Other:
    • admin1407@acme.com - Example compromised administrative email address.
    • aegir.ymirsson@acme.com - Example compromised corporate email address.
    • guest9069@cloud413.net - Example compromised email address.

Related