Picus Security, a security validation company, has released the Red Report 2026, highlighting a notable shift in cyber threats: the emergence of the "Digital Parasite". This analysis of over 1.1 million malicious files and 15.5 million actions in 2025 shows a strong emphasis on stealth, evasion, and persistence by cyber adversaries.
Evolving Malware Techniques
The report identifies trends in malware behaviours:
- Malware Doing Math: Strains such as LummaC2 use trigonometry to calculate the Euclidean distance of mouse angles. By detecting perfectly consistent mouse movements, these strains can distinguish between human users and automated sandboxes, avoiding activation when monitored.
- The "Play Dead" Phenomenon: Virtualisation and sandbox evasion are now the fourth most common technique, allowing malware to remain dormant and evade detection by analysis tools.
- Shift From Encryption to Extortion: The use of encryption has dropped by 38%, with attackers increasingly exfiltrating data silently for extortion purposes.
Stealth and Persistence
Research by Picus Labs, validated through real-world attack simulations, shows a trend towards maintaining access and avoiding detection:
- Process Injection: For the third consecutive year, process injection is the most common technique, allowing malicious code to blend with legitimate applications.
- Physical Insider Threats: State actors, including DPRK operatives, are using physical IP-KVM devices to control hardware directly, bypassing software defences.
- Living Off the Cloud: Attackers route command-and-control traffic through trusted services such as OpenAI and AWS, blending with normal network activity.
- Identity is the New Perimeter: One in four attacks involve stolen passwords from browsers, enabling attackers to operate as valid users.
These techniques allow attackers to minimise their operational footprint, reducing signals that would normally trigger security alerts and increasing the potential impact of their activity.
Closing the Gaps in Cyber Defence
The Red Report 2026 highlights the need for continuous protection strategies. Static assessments are insufficient against threats designed to remain undetected. Regular validation of security controls against real adversary behaviours is essential.
By simulating attacks continuously, organisations can assess the effectiveness of detection and prevention controls against stealth-focused techniques and identify gaps before they can be exploited.
