More than anything, Mandiant’s M-Trends 2025 report demonstrates how attackers rapidly evolve their methods to counter improved defenses. There’s no let-up.
The annual M-Trends report from Mandiant is a key source of threat intelligence for industry, packed with statistics from Mandiant’s own incident investigations and enriched with Google Threat Intelligence Group (GTIG) research. But it is important to understand how the report is compiled to maximize its value.
Firstly, while Mandiant is a major player in incident investigations, the telemetry involved is limited in comparison to other major security vendors’ telemetry (such as EDR providers). This doesn’t limit the value of Mandiant’s numbers but does mean they cannot be interpreted as global statistics. A good example is seen in the Targeted Industries section, which is dominated by attacks against the finance sector (17.4%). The healthcare sector comes fifth at only 9.3%.
This should not be viewed as indicative of global industry targets. There is an unquantified bias toward Mandiant’s direct clientele – and the finance sector is better able to afford Mandiant’s services than the healthcare sector is. The bias cannot be quantified because the firm withholds the precise number of incidents (or clients) from which the statistics are compiled, preferring to quote only the total number of hours spent on investigations (“more than 450k+ hours of incident response engagements globally”).
This is an impressive amount of time spent, effectively, on research for the report – but it gives no indication of the number of incidents or investigations included (which could be small if the investigations were lengthy, or large if the investigations were quick).
Stuart McKenzie, MD at Mandiant Consulting EMEA, explains Mandiant’s reasoning: the nature of incidents could muddy the waters. “We could investigate an incident and find a second threat actor in there – so is that a separate incident or still the primary incident? We could start one investigation and find three or four different incidents – so, we focus on hours spent because I think it provides the clearest measurement of exactly how much we’ve done.”
Nothing here reduces the value of Mandiant’s statistics, so long as the reader is aware that they are Mandiant client statistics and not global attack statistics. At the same time, the overall value of the report is enriched by the combined threat intelligence of Mandiant’s own researchers and those from Google – now known as the Google Threat Intelligence Group.
Initial infection vector
For the fifth year in a row, exploits (33%) are the most frequently seen initial infection vector (although less so than last year’s 38%). Intriguingly, this year stolen credentials (16%) have overtaken email phishing (14%) for the number two spot. The reasons are complex.
“People are more resistant to phishing, operating systems are more resistant, and security controls are more effective,” explains McKenzie. But attackers don’t just sit on their laurels. “As defenders get more proficient at patching vulnerabilities, exploits become less effective. As phishing resistance grows, phishing becomes less attractive.” The attackers move on to alternative approaches, and this currently seems to be the use of stolen credentials.
Partly, this is due to the widespread and effective use of infostealers. “Examples of prominent infostealers include Vidar, Raccoon, and RedLine Stealer,” warns the report. The volume of infostealer logs containing stolen credentials for sale on the dark web is increasing, and buying and using those credentials is easier than using phishing emails to deliver malware as the initial infection method.
“The reduction in phishing incidents likely stems from improved security tools and technologies such as Mark of the Web (MotW), which hinder malware deployment,” explains McKenzie. MotW is a Windows mechanism that tags files downloaded from an untrusted source (the browser writes an NTFS alternate data stream named Zone.Identifier alongside the file) so that SmartScreen, Office Protected View and similar controls can warn on, sandbox or block them. It is not airtight: attackers have responded by delivering payloads inside container formats such as ISO and VHD images, which historically did not propagate the mark to the files inside, and Microsoft has had to close those gaps over time.
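To make the mechanism concrete, here is an added Python example (not code from Mandiant or the M-Trends report) that parses, serialises, reads and re-applies the Zone.Identifier record. The record layout ([ZoneTransfer] with ZoneId, ReferrerUrl and HostUrl) is what Windows writes; SAMPLE_STREAM is a constructed sample, and the read/write helpers only do anything on Windows because alternate data streams exist only on NTFS.

```python
"""Inspect and apply the Mark of the Web (MotW).

On NTFS a downloaded file carries an alternate data stream named
"Zone.Identifier" holding a small INI-style [ZoneTransfer] record.  Windows
reads its ZoneId to decide whether SmartScreen warns, Office opens the file
in Protected View, or macros are blocked.  Added example; not code from
Mandiant or the M-Trends report.  SAMPLE_STREAM below is constructed.
"""
import os
from dataclasses import dataclass
from typing import Optional

STREAM_SUFFIX = ":Zone.Identifier"

# Windows URL security zones (URLZONE_* values).  Zones 3 and 4 are the
# ones that make a file "untrusted" for MotW purposes.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


@dataclass
class ZoneTransfer:
    zone_id: int
    referrer_url: Optional[str] = None   # page the download was clicked on
    host_url: Optional[str] = None       # URL the bytes actually came from

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"unknown ({self.zone_id})")

    @property
    def untrusted(self) -> bool:
        return self.zone_id >= 3


def parse_zone_identifier(text: str) -> Optional[ZoneTransfer]:
    """Parse stream contents.  Returns None when there is no usable
    [ZoneTransfer] section with a numeric ZoneId, which is also how Windows
    treats a file whose mark is absent or malformed (i.e. no warning)."""
    section = None
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip().lower()] = value.strip()
    if not fields.get("zoneid", "").isdigit():
        return None
    return ZoneTransfer(
        zone_id=int(fields["zoneid"]),
        referrer_url=fields.get("referrerurl"),
        host_url=fields.get("hosturl"),
    )


def format_zone_identifier(mark: ZoneTransfer) -> str:
    """Serialise a mark in the layout Windows writes (CRLF line ends)."""
    lines = ["[ZoneTransfer]", f"ZoneId={mark.zone_id}"]
    if mark.referrer_url:
        lines.append(f"ReferrerUrl={mark.referrer_url}")
    if mark.host_url:
        lines.append(f"HostUrl={mark.host_url}")
    return "\r\n".join(lines) + "\r\n"


def read_motw(path: str) -> Optional[ZoneTransfer]:
    """Read a file's mark from its NTFS stream.  None if the stream is
    absent or we are not on Windows."""
    if os.name != "nt":
        return None
    try:
        with open(path + STREAM_SUFFIX, "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


def write_motw(path: str, mark: ZoneTransfer) -> bool:
    """Tag a file as downloaded, e.g. to re-apply a mark that an archive or
    imaging tool dropped.  Windows/NTFS only; returns False elsewhere."""
    if os.name != "nt":
        return False
    with open(path + STREAM_SUFFIX, "w", encoding="utf-8", newline="") as f:
        f.write(format_zone_identifier(mark))
    return True


# Constructed sample of what a browser writes next to a downloaded file.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.com/\r\n"
    "HostUrl=https://example.com/files/invoice.zip\r\n"
)

if __name__ == "__main__":
    mark = parse_zone_identifier(SAMPLE_STREAM)
    print(mark.zone_name, "untrusted" if mark.untrusted else "trusted", mark.host_url)
```

The ReferrerUrl and HostUrl fields are also a forensic artifact: on a compromised host they record where a dropped file was actually fetched from, which is often more reliable than browser history.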
Interestingly, he doesn’t believe that the arrival of AI-assisted phishing will change this. “While AI could enable more sophisticated phishing lures, phishing’s primary use will most likely be for credential theft as part of broader attacks, rather than direct malware distribution. Consequently, phishing is evolving from a malware delivery mechanism to an element within a more elaborate attack chain, facilitating other methods.”
This does not mean the role of phishing becomes less dangerous; it means phishing is changing from an initial infection vector into a facilitator of other infection vectors. Defenders will therefore need to concentrate more on password hygiene and rotation, and on more effective use of MFA (ideally phishing-resistant methods, so that a stolen password alone is not enough), to counter credential-based attacks.
DPRK IT workers
One new development is Mandiant’s decision to classify DPRK IT workers as a distinct threat group: UNC5267. This makes sense even if the sense is not immediately obvious.
The DPRK workers can be considered a group for two reasons. Firstly, they make use of ‘facilitators’, implying some form of external organization. Secondly, and more importantly, since internet access in the DPRK is strictly state controlled, they could not gain foreign employment without the connivance of the government.
If Mandiant’s logic is correct, there is the further implication that state-backed DPRK IT workers may eventually be elevated to the status of one or more APT groups. In the meantime, however, McKenzie comments, “I think the trend we are seeing with remote workers is analogous to the early days of ransomware. Groups like SamSam were very active in the US. In EMEA we’d watch this and think, ‘We don’t really have that problem’.”
But over time, perhaps with increasing pressure from US LEAs, these groups started looking for new and perhaps easier targets. The ransomware surge spread outwards from the US across the globe.
“I think the heavy targeting of North Korean remote workers in the US should be instructive to organizations outside of the US. We are already seeing their expansion into Europe and other parts of the world.” The early assumed motivation was to earn foreign exchange to fund the DPRK’s weapons program – and while this was and will remain true, the threat is unlikely to stop there. Once these ‘foreign agents’ are entrenched in western industry, they are also able to steal IP and deploy malware.
The message from Mandiant here, especially to Europe, is don’t relegate UNC5267 to the status of a mere annoyance. Prepare for better detection of DPRK workers, because they are likely to become a serious threat even before the UNC becomes an APT. Law enforcement cannot dismantle this group by arresting a few of the actors, and it has no infrastructure that can be taken down: this group’s persistence is of a different kind.