Mandiant M-Trends 2025 Cyber Threat Intelligence Report: Key Findings and Defense Strategies

📌 Key Takeaways

  • Exploits dominate for the 5th year: Vulnerability exploitation remains the top initial access vector at 33% of all incidents investigated by Mandiant in 2024.
  • Stolen credentials surge to #2: Credential-based attacks reached 16% for the first time, driven by widespread infostealer malware campaigns.
  • Dwell time edges up to 11 days: Global median dwell time rose slightly from 10 to 11 days, indicating that detection capabilities have stabilized after years of improvement.
  • 55% of threat groups are financially motivated: The steady rise from 48% in 2022 to 55% in 2024 confirms ransomware and extortion as the dominant cyber threat.
  • Cloud and identity attacks accelerate: Attackers are shifting from on-premises targets to cloud-based identity systems, exploiting SSO portals, weak MFA, and insufficient logging.

Understanding the Mandiant M-Trends 2025 Cyber Threat Intelligence Report

The Mandiant M-Trends 2025 report represents one of the most authoritative cyber threat intelligence publications in the security industry. Published annually by Google’s Mandiant team, the report distills findings from hundreds of frontline incident response investigations conducted throughout 2024, offering security professionals an unparalleled view into the evolving threat landscape. This executive edition synthesizes the most critical trends, statistics, and strategic recommendations that every organization needs to understand.

What makes the M-Trends 2025 report particularly valuable is its foundation in real-world incident data rather than theoretical threat modeling. Every statistic, from dwell time metrics to initial infection vector breakdowns, comes directly from Mandiant’s investigation of actual breaches across every major industry sector. For cybersecurity leaders and practitioners, this report serves as both a benchmark for measuring their own security posture and a strategic guide for resource allocation. Organizations looking to understand how AI-powered threat detection is reshaping cybersecurity will find the M-Trends data particularly relevant for validating their security investments.

The 2024 investigation landscape revealed 205 distinct malware families, with backdoors comprising 35% of observed samples, followed by ransomware at 14%, droppers at 8%, and downloaders at 7%. However, the report emphasizes that traditional malware-based attacks are increasingly supplemented by “living off the land” techniques where attackers leverage legitimate system tools to avoid detection, making behavioral analysis and threat hunting more critical than ever before.

Attack Vector Analysis: Exploits and Stolen Credentials Rising

The M-Trends 2025 report confirms that vulnerability exploitation remains the dominant initial access method for the fifth consecutive year, accounting for 33% of all initial infection vectors observed in 2024 investigations. This persistent dominance underscores the ongoing challenge organizations face in maintaining robust patch management programs, particularly as the time between vulnerability disclosure and active exploitation continues to shrink.

Perhaps the most significant shift in the 2024 data is the rise of stolen credentials to the number two position at 16%, marking the first time this attack vector has reached such prominence. This surge is directly correlated with the explosive growth of infostealer malware, which systematically harvests credentials from browsers, password managers, and authentication cookies. The stolen credential marketplace has become a thriving underground economy, with threat actors purchasing ready-made access to corporate environments at scale.

Email phishing remains a substantial threat at 14%, though its relative share has decreased as attackers diversify their initial access strategies. Web compromises account for 9% of initial infections, while prior compromises—situations where attackers leverage access obtained by other threat actors—represent 8%. This last category highlights the interconnected nature of the modern threat ecosystem, where one breach can cascade into multiple compromises through credential reuse and access trading on underground forums.

The diversification of attack vectors means that organizations can no longer rely on a single defensive strategy. A comprehensive security program must address vulnerability management, credential hygiene, email security, and web application protection simultaneously. The data strongly suggests that organizations using CISA’s Known Exploited Vulnerabilities catalog to prioritize patching will see the most significant reduction in their attack surface.

Global Dwell Time Metrics and Cyber Threat Detection Trends

The global median dwell time—the number of days an attacker remains undetected in an environment—stands at 11 days in the M-Trends 2025 report, a slight increase from 10 days in 2023 but still dramatically below the 16-day median recorded in 2022. This stabilization suggests that while organizations have made significant strides in detection capabilities over the past several years, they may be approaching a plateau where further improvements require fundamentally different approaches to threat detection.

The detection source breakdown reveals a concerning dependency on external notifications. In 57% of cases, organizations first learned about malicious activity from an external entity—such as law enforcement agencies, cybersecurity vendors, or the attackers themselves through ransom demands. Only 43% of compromises were identified through internal detection mechanisms. When notifications came from external sources, the median dwell time extended to 26 days, compared to just 10 days for internally detected incidents.

Particularly striking is the adversary notification category, where victims learn about the breach directly from the attackers. These cases, often involving ransom notes or data leak threats, had a median dwell time of only 5 days—reflecting the rapid operational tempo of modern ransomware groups that move quickly from initial access to encryption and extortion. For ransomware-specific incidents, 49% were first identified through adversary notification, 30% through internal detection, and 21% through external entity notification.

These metrics carry profound implications for security operations centers worldwide. The gap between internally detected and externally notified dwell times suggests that investments in advanced detection technologies—including endpoint detection and response, network traffic analysis, and security information and event management platforms with behavioral analytics—can dramatically reduce the window of opportunity for attackers. Every day shaved off dwell time translates directly into reduced breach impact and recovery costs.
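As an added example (not code from the report or this article), the following Python computes the same metrics over a small constructed set of incident records: median dwell time per detection source and the share of incidents first identified by each source, so a SOC can benchmark its own numbers against the 11-day global median and the 57% external notification rate. The `Incident` fields, the three source labels and the sample dates are assumptions.

```python
"""Dwell-time and detection-source metrics over constructed incident records."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import median

# Detection-source labels (assumed naming): "internal" = the organization's own
# tooling; "external_entity" = law enforcement or a vendor; "adversary" = the
# attackers themselves, e.g. a ransom note. The last two together form the
# "externally notified" category behind the report's 57% / 43% split.
SOURCES = ("internal", "external_entity", "adversary")


@dataclass(frozen=True)
class Incident:
    incident_id: str
    first_evidence: date   # earliest attacker activity found by the investigation
    detected: date         # date the organization became aware of the intrusion
    source: str            # one of SOURCES
    ransomware: bool = False


def dwell_days(inc: Incident) -> int:
    """Dwell time = days from first evidence of compromise to detection."""
    if inc.source not in SOURCES:
        raise ValueError(f"{inc.incident_id}: unknown detection source {inc.source!r}")
    if inc.detected < inc.first_evidence:
        raise ValueError(f"{inc.incident_id}: detected before first evidence")
    return (inc.detected - inc.first_evidence).days


def median_dwell_by_source(incidents):
    """Median dwell time per source, plus 'externally_notified' and 'all'."""
    buckets = defaultdict(list)
    for inc in incidents:
        days = dwell_days(inc)
        buckets[inc.source].append(days)
        buckets["all"].append(days)
        if inc.source != "internal":
            buckets["externally_notified"].append(days)
    return {name: median(days) for name, days in buckets.items()}


def detection_source_shares(incidents, ransomware_only=False):
    """Percentage of incidents first identified via each source (1 decimal)."""
    subset = [i for i in incidents if i.ransomware or not ransomware_only]
    if not subset:
        raise ValueError("no incidents to summarise")
    counts = {s: sum(1 for i in subset if i.source == s) for s in SOURCES}
    shares = {s: round(100 * n / len(subset), 1) for s, n in counts.items()}
    external = len(subset) - counts["internal"]
    shares["externally_notified"] = round(100 * external / len(subset), 1)
    return shares


# Constructed sample, not real case data.
SAMPLE_INCIDENTS = [
    Incident("INC-01", date(2024, 3, 1), date(2024, 3, 9), "internal"),
    Incident("INC-02", date(2024, 5, 10), date(2024, 5, 22), "internal"),
    Incident("INC-03", date(2024, 7, 1), date(2024, 7, 11), "internal", ransomware=True),
    Incident("INC-04", date(2024, 1, 15), date(2024, 2, 14), "external_entity"),
    Incident("INC-05", date(2024, 4, 1), date(2024, 4, 23), "external_entity"),
    Incident("INC-06", date(2024, 8, 20), date(2024, 8, 25), "adversary", ransomware=True),
    Incident("INC-07", date(2024, 9, 3), date(2024, 9, 7), "adversary", ransomware=True),
    Incident("INC-08", date(2024, 10, 10), date(2024, 10, 16), "adversary", ransomware=True),
]

if __name__ == "__main__":
    for name, days in median_dwell_by_source(SAMPLE_INCIDENTS).items():
        print(f"median dwell ({name}): {days} days")
    print("share by source, all incidents:", detection_source_shares(SAMPLE_INCIDENTS))
    print("share by source, ransomware only:",
          detection_source_shares(SAMPLE_INCIDENTS, ransomware_only=True))
```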


Ransomware Trends and Financially Motivated Cyber Threat Actors

Financial motivation continues its steady upward trajectory among threat groups, rising from 48% in 2022 to 52% in 2023 and reaching 55% in 2024. This means that more than half of all active threat groups tracked by Mandiant are primarily driven by financial gain—predominantly through ransomware deployment, data theft extortion, and business email compromise schemes. The relentless growth of financially motivated cyber threats reflects both the profitability of these operations and the maturation of the cybercrime ecosystem.

The ransomware economy has evolved into a sophisticated supply chain. Initial access brokers sell entry points into corporate networks, ransomware-as-a-service operators provide the encryption tools, and specialized negotiators handle victim communications. This division of labor means that even relatively unsophisticated threat actors can execute devastating attacks, lowering the barrier to entry and increasing the overall volume of incidents. The M-Trends data shows that ransomware accounts for 14% of all malware families observed, making it the second most common malware category after backdoors.

Meanwhile, espionage-motivated threat groups declined slightly from 10% in 2023 to 8% in 2024. However, this decrease in proportion does not necessarily indicate reduced espionage activity—rather, it reflects the comparatively faster growth of financially motivated operations. State-sponsored espionage campaigns often target fewer organizations with more precision, making them less visible in aggregate statistics while remaining among the most impactful and difficult-to-detect threats that organizations face.

A notable trend in the financial threat landscape is the targeting of unsecured data repositories within organizations. Internal file shares, SharePoint sites, and cloud storage systems often contain credentials, financial records, and intellectual property accessible to any employee with standard privileges. Mandiant observed that both financially motivated actors and espionage groups are increasingly targeting these repositories, which allow attackers to achieve their objectives—including privilege escalation and data exfiltration—without deploying sophisticated malware or zero-day exploits.

Nation-State Cyber Threats: DPRK IT Workers and Iran Operations

The M-Trends 2025 report highlights two particularly concerning nation-state threat campaigns. The first involves North Korean operatives who have developed an innovative approach to generating revenue and gaining access to sensitive systems: deploying citizens as remote IT contractors at Western technology companies. Using stolen or fabricated identities, falsified employment histories, and supporting documentation, DPRK IT workers secure high-paying positions primarily in the United States and increasingly in Europe.

Once hired, these operatives mask their true locations using VPN services—with Astrill VPN being particularly prevalent—and local facilitators who receive corporate equipment and relay network connections. While direct malicious activity from these insider threats has been limited to date, the infrastructure access they gain presents significant risks for espionage, data theft, and extortion. Mandiant has already observed instances where DPRK IT workers attempted extortion after their covers were compromised, suggesting this threat vector will become increasingly aggressive.

The second major nation-state development is the dramatic escalation of Iran-nexus cyber operations. The report documents a 35% increase in custom malware attributed to Iranian threat actors compared to 2023, with over 45 new malware families discovered in 2024 alone. Israeli entities bore the brunt of these campaigns, facing destructive and disruptive operations involving wiper malware—software designed to permanently destroy data rather than encrypt it for ransom. These attacks were frequently accompanied by hack-and-leak operations designed to amplify their psychological impact.

Iranian threat actors demonstrated increasingly sophisticated tradecraft, leveraging legitimate tools such as remote monitoring and management software to evade detection, creating graphical user interfaces to disguise malware as legitimate applications, and crafting social engineering campaigns themed around current events and employment opportunities. Their use of public resources and cloud infrastructure to blend malicious activity with legitimate traffic represents a significant challenge for traditional network-based detection approaches.

Cloud Security Gaps and SaaS Environment Exploitation

One of the most critical findings in the M-Trends 2025 report is the accelerating shift of attacker focus from on-premises infrastructure to cloud-based environments and SaaS platforms. Mandiant identifies three recurring themes in cloud compromises: identity solutions with insufficient security policies, improperly secured on-premises-to-cloud integrations, and poor visibility into the extended cloud attack surface. Together, these gaps create opportunities for attackers to move laterally between hybrid environments with minimal detection.

The identity challenge is particularly acute. Mandiant observed that compromised cloud identities frequently stem from the lack of multi-factor authentication, easily bypassed password reset portals, and inadequate third-party access controls. Social engineering campaigns now specifically target users with privileged access to SaaS environments, bypassing traditional network perimeter controls entirely. Once an attacker compromises a single sign-on portal or a privileged cloud identity, they can rapidly access data and resources across multiple connected services.

The report emphasizes that many organizations still do not fully understand the shared responsibility model for cloud security. While cloud service providers secure the underlying infrastructure, customers remain responsible for identity management, access controls, data classification, and monitoring. Insufficient logging and monitoring in cloud environments create dangerous blind spots—organizations may not even have the telemetry necessary to detect or investigate a compromise. Mandiant recommends enabling comprehensive logging across all cloud services, including network traffic, firewall, storage access, compute monitoring, audit, database, and IAM logs.

The UNC5537 campaign serves as a stark example of these risks. This threat group used stolen credentials obtained from infostealer malware logs to target Snowflake customer database instances, demonstrating how the convergence of credential theft, cloud adoption, and insufficient access controls can lead to massive data breaches.


Infostealer Malware and the Rise of Identity-Based Attacks

The M-Trends 2025 report identifies infostealer malware as one of the most consequential developments in the current threat landscape. These malicious programs systematically harvest credentials, browser data, authentication cookies, and sensitive information from infected systems, feeding a massive underground economy of stolen access. The rise of stolen credentials to the number two initial access vector at 16% is a direct consequence of infostealer proliferation across both personal and corporate environments.

What makes infostealers particularly dangerous is their ability to compromise corporate security through personal devices. When employees use personal computers for work or synchronize browser profiles between personal and corporate devices, an infostealer infection on a personal system can capture corporate credentials, VPN configurations, and session tokens. Similarly, contractor systems with less rigorous security controls can serve as collection points for enterprise credentials, creating supply chain risks that extend well beyond an organization’s direct security perimeter.

The cryptocurrency and Web3 ecosystem has become a significant target for identity-based attacks as well. DPRK-affiliated actors have stolen substantial digital assets using sophisticated social engineering and vulnerability exploitation. A new “drainer-as-a-service” market has emerged, where malicious smart contracts are sold as turnkey tools for cryptocurrency theft. The immutability of blockchain technology, while a feature for legitimate use cases, also means that malicious smart contracts used to host attack infrastructure cannot be easily taken down.

Mandiant’s defensive recommendations against infostealer threats prioritize phishing-resistant multi-factor authentication—specifically FIDO2-compliant hardware security keys and mobile authenticator applications that are resistant to adversary-in-the-middle attacks. Additional measures include deploying endpoint detection and response tools, establishing strict separation between personal and corporate device use, restricting browser autofill and third-party extensions, and implementing enterprise application stores to control software installation. These layered defenses address the full lifecycle of credential theft from initial infection through unauthorized access.

Industry Targeting Data and Sector-Specific Cyber Threat Trends

The M-Trends 2025 report reveals that industry targeting patterns remain largely consistent with prior years, though the specific percentages provide valuable context for risk assessment and security investment decisions. The financial sector continues to lead as the most targeted industry at 17.4% of all investigations, reflecting both the high-value data these organizations hold and the direct monetization opportunities they present to financially motivated attackers.

Business and professional services rank second at 11.1%, a positioning that highlights the supply chain risk these organizations represent. Accounting firms, law offices, consulting companies, and managed service providers often maintain privileged access to their clients’ systems and data, making them attractive targets for attackers seeking to compromise multiple downstream organizations through a single breach. The high technology sector follows closely at 10.6%, targeted for its intellectual property, source code repositories, and the infrastructure access it can provide.

Government entities account for 9.5% of targeted organizations, reflecting both espionage-motivated campaigns and financially driven attacks against government-adjacent systems. Healthcare rounds out the top five at 9.3%, a sector that faces unique challenges due to the critical nature of its operations, the sensitivity of patient data, and often legacy infrastructure that resists rapid security improvements. Understanding these sector-specific cybersecurity risk profiles enables organizations to contextualize their security posture relative to their peers.

Across all sectors, the convergence of financially motivated attacks and nation-state operations creates a complex threat environment where organizations must defend against both opportunistic ransomware campaigns and targeted espionage operations. The fact that 55% of active threat groups are financially motivated does not diminish the impact of the 8% focused on espionage—these campaigns often represent the most sophisticated and persistent threats that an organization will face, with the potential for significant strategic damage far beyond the immediate financial costs of a ransomware incident.

Defensive Strategies and Incident Response Recommendations

The M-Trends 2025 report provides comprehensive defensive recommendations that span technical controls, organizational processes, and strategic investments. At the foundation, Mandiant emphasizes the deployment and optimization of advanced threat detection capabilities including endpoint detection and response, SIEM platforms with advanced behavioral analytics, and network traffic analysis tools. These technologies address the detection gap highlighted by the 57% external notification rate, giving organizations the visibility needed to identify compromises internally rather than learning about them from law enforcement or attackers.

Multi-factor authentication—specifically FIDO2-compliant, phishing-resistant implementations—emerges as the single most frequently recommended control across every threat category in the report. Whether defending against infostealer-driven credential theft, DPRK IT worker infiltration, Iranian social engineering campaigns, or cloud identity exploitation, strong MFA serves as a critical barrier that prevents stolen credentials from translating into unauthorized access. Organizations still relying on SMS-based or basic push notification MFA should prioritize migration to hardware security keys or advanced authenticator applications.

For cloud and hybrid environments, Mandiant recommends a security-first design approach that includes defining security controls before deployment, ensuring visibility across all cloud services, and maintaining data for threat hunting and incident response. Specific measures include strengthening identity security with phishing-resistant MFA, securing password reset processes, tightly controlling third-party access, implementing privileged identity management, and maintaining separate identity stores for extended workforce populations including contractors and partners.

The report also stresses the importance of incident response preparedness. Organizations should develop and regularly test incident response plans with specific playbooks for ransomware scenarios, conduct tabletop exercises and realistic simulations, and engage red teams for adversary emulation that measures detection and response times. These exercises should explicitly account for hybrid environments where attacks may traverse both on-premises and cloud infrastructure, requiring coordinated response across multiple teams and technology stacks.

Finally, Mandiant recommends proactive measures to reduce the attack surface before incidents occur. This includes inventorying and auditing data repositories to remove unnecessary data, implementing role-based access controls with clear read versus write distinctions, encrypting data in transit and at rest, deploying data loss prevention technologies, and conducting regular security assessments. For organizations operating in the Web3 space, combining transaction data analysis with endpoint security telemetry and thoroughly vetting third-party software before deployment addresses the unique risks of that ecosystem.


Frequently Asked Questions

What is the Mandiant M-Trends 2025 report?

The Mandiant M-Trends 2025 report is an annual cyber threat intelligence publication by Google’s Mandiant team that analyzes frontline investigation data to reveal the latest attacker tactics, techniques, and procedures observed across global incident response engagements throughout 2024.

What is the global median dwell time in 2025?

According to the M-Trends 2025 report, the global median dwell time is 11 days in 2024, a slight increase from 10 days in 2023 but still well below the 16-day median recorded in 2022, reflecting improved but stabilizing detection capabilities across organizations.

What are the top initial infection vectors in M-Trends 2025?

The top five initial infection vectors identified in M-Trends 2025 are exploits at 33% (the leading vector for the fifth consecutive year), stolen credentials at 16%, email phishing at 14%, web compromises at 9%, and prior compromises at 8%.

How are stolen credentials changing the threat landscape?

Stolen credentials rose to the number two initial access vector at 16% for the first time, driven by the explosive growth of infostealer malware that harvests credentials from browsers and personal devices. This represents a fundamental shift toward identity-based attacks targeting cloud and SaaS environments.

What industries are most targeted according to M-Trends 2025?

The financial sector leads at 17.4% of targeted industries, followed by business and professional services at 11.1%, high technology at 10.6%, government at 9.5%, and healthcare at 9.3%. These rankings remain largely consistent with prior years.
