The era of the Digital Parasite: Why stealth has replaced ransomware

For years, ransomware encryption functioned as the industry’s alarm bell. When systems locked up, defenders knew an attack had occurred. Not anymore.

New empirical data show that attackers are actively dismantling that signal. According to Picus Security’s Red Report 2026, adversaries are no longer optimizing for disruption; they’re optimizing for residency. Based on a thorough analysis of more than 1.1 million malicious files and 15.5 million adversarial actions from 2025, this year’s report documents a decisive shift in attacker behavior: noticeable impact has become a liability. Stealthy long-term presence is now the objective.

This shift marks the rise of what Picus Labs refers to as the Digital Parasite: an intrusion model designed for quiet persistence rather than immediate, visible damage. It prioritizes identity-based access, low-noise execution, and prolonged operation inside an organization’s “trusted” environments.

Defensive performance gaps documented in the Blue Report 2025 back this assessment, adding strong evidence that this model is succeeding in practice.

Instead of breaking systems, more and more modern intrusions are being carefully engineered to blend in. The most frequently observed techniques now emphasize evasion, persistence, and identity abuse, allowing attackers to weaponize trusted infrastructure while remaining undetected and indistinguishable from legitimate activity.

Today’s breach no longer announces itself. It operates inside normal behavior, where activity is recorded but rarely recognized.

The invisibility gap: When stealth meets blindness

Attackers did not become stealthy by accident. They adapted to what defenders have consistently failed to see.

The Red Report 2026 shows that 80% of the Top 10 MITRE ATT&CK techniques are now dedicated to defense evasion, persistence, or stealthy command and control. Modern adversaries are optimizing for invisibility, not speed, because staying unnoticed has become the most reliable path to success.

Not surprisingly, this shift mirrors a structural weakness on the defensive side.

The Blue Report 2025 revealed a severe visibility breakdown across these same attack phases. While 54% of attacker activity is logged, only 14% of it generates an alert. The report noted that low-noise persistence and evasion techniques are routinely operating below detection thresholds.

As a result, stealth thrives in the liminal space between activity and awareness. Attackers do not need novel tooling or exotic exploits. They exploit a simple reality: when discovery is unreliable, the safest strategy is to stay quiet and wait for an opportunity.

This is the invisibility gap. And it is unfortunately where the Digital Parasite thrives.

The risk is still strong, but the ransomware signal is fading

Encryption is loud. It forces an immediate response and shortens an intrusion’s lifespan. Silent data theft does the opposite.

The Red Report records a 38% year-over-year decline in Data Encrypted for Impact (T1486), dropping from 21.00% in 2024 to 12.94% in 2025. This decline doesn’t indicate weaker attackers or stronger defenses. It reflects a fundamental shift in attacker economics, from locking data to quietly stealing it.

The report also reveals a troubling evolution in attacker behavior. Adversaries are increasingly “living off the cloud.” Covert data theft allows systems to remain operational, reduces detection pressure, and enables attackers to extract value over extended periods. To achieve this, attackers favor trusted channels, including cloud services and legitimate APIs, to move data out without triggering alarms.

Defensive data explains why this approach is so effective.

The Blue Report 2025 shows that data exfiltration prevention collapsed from 9% to just 3%, making it the least prevented attack vector measured.

As encryption fades as a reliable warning signal, its associated risk hasn’t disappeared. It migrated into quieter paths, longer dwell times, and activity that appears legitimate until the damage is irreversible.

One in four attacks start with identity

Stealth and persistence depend on access that doesn’t raise suspicion. Identity provides exactly that.

Attacker-side data from the Red Report 2026 shows that while noisy credential-dumping techniques have fallen out of the Top 10, credential theft remains central to modern intrusion chains. Credentials from Password Stores (T1555) appear in 23.49% of attacks, reflecting a clear move toward quieter, lower-risk entry points.

Defenders struggle the most once attackers cross the identity boundary. The Blue Report 2025 found that Valid Accounts (T1078) succeeded in 98% of tested environments, indicating that credential-based access is rarely stopped after an initial compromise.

At that point, malicious activity blends in, seamlessly hiding within normal operations, making identity the most reliable point for long-lived access.

Self-aware malware is outsmarting sandboxes

Stealth today is not just about evasion. It’s about restraint.

The Red Report 2026 shows Virtualization and Sandbox Evasion (T1497) climbing into the Top 5 attacker techniques, appearing in roughly 20% of observed attacks. Rather than racing past detection, modern malware increasingly avoids it altogether by refusing to execute when it is being analyzed.

Samples such as LummaC2 take this further by using mathematics to decide when execution is safe. By applying Euclidean geometry and trigonometric analysis to mouse movement, these samples distinguish automated, linear input from the irregular behavior of real users. Sandbox-like signals suppress execution. Human behavior permits it.

Defensive data again reveals the consequence.

The Blue Report 2025 shows T1497 is successfully prevented only 13% of the time, placing it among the least-prevented evasion techniques in real-world environments. When malware controls when it runs, detection becomes conditional rather than continuous, and silence can no longer be treated as evidence of safety.

AI hype vs. reality: Evolution, not revolution

Selective execution is often mistaken for intelligence. As malware becomes more deliberate about when and how it runs, artificial intelligence is frequently assumed to be the next driver of attacker advantage. Contrary to popular opinion, the data suggests otherwise.

The Red Report 2026 shows no meaningful increase in genuinely AI-driven attack techniques. Attacker success continues to rely on established tradecraft, with Command and Scripting Interpreter and Process Injection remaining among the most frequently observed techniques.

Where AI does appear, its role is, so far, still somewhat limited. As documented in the report, malware such as LameHug interacts with large language model APIs only to retrieve hardcoded commands. No autonomous reasoning or adaptive decision-making was observed, indicating superficial integration rather than a structural shift in attack mechanics.

AI may improve attacker efficiency, but it hasn’t yet changed the fundamentals of stealth, persistence, or low-noise operation that define the Digital Parasite.

Staying ahead of attackers: Proactive defense and validation

These findings point to a clear conclusion: staying ahead of modern attackers requires a threat-informed defense that is continuously tested against real adversary behavior. Organizations best positioned to reduce risk are those that align their controls to the techniques attackers are actually using.

The Red Report 2026 shows that a relatively small set of techniques accounts for most malicious activity, with heavy emphasis on evasion, persistence, and identity abuse. Given this concentration, security teams must regularly validate that their defenses can detect and block the most prevalent ATT&CK techniques across their environment.

True cyber resilience depends on continuously assessing control effectiveness through adversarial exposure validation. Breach and attack simulation, adversary-aligned testing, and validating response against real attacker behavior are no longer optional; they are table stakes.
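One way to turn validation results into the logged-versus-alerted comparison the article describes, as an added example that is not taken from either Picus report or any Picus tooling. The records, field order, function names and the 0.25 threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: one row per simulated action from a validation run.
# (technique, prevented, logged, alerted) -- not data from either report.
RESULTS = [
    ("T1078", False, True, False), ("T1078", False, True, False),
    ("T1078", False, True, False), ("T1078", False, True, True),
    ("T1497", True, True, True), ("T1497", False, True, False),
    ("T1497", False, False, False), ("T1497", False, False, False),
    ("T1555", True, True, True), ("T1555", False, True, True),
    ("T1486", True, True, True), ("T1486", True, True, True),
]

def coverage_by_technique(results):
    """Per-technique share of simulated actions prevented, logged and alerted."""
    rows_by_tech = defaultdict(list)
    for tech, prevented, logged, alerted in results:
        rows_by_tech[tech].append((prevented, logged, alerted))
    report = {}
    for tech, rows in rows_by_tech.items():
        n = len(rows)
        report[tech] = {
            "prevented": sum(p for p, _, _ in rows) / n,
            "logged": sum(l for _, l, _ in rows) / n,
            "alerted": sum(a for _, _, a in rows) / n,
            # Recorded but never surfaced to an analyst.
            "silent": sum(l and not a for _, l, a in rows) / n,
            # Neither stopped nor recorded: no evidence exists at all.
            "blind": sum(not p and not l for p, l, _ in rows) / n,
        }
    return report

def validation_backlog(report, threshold=0.25):
    """Techniques whose silent + blind share meets the threshold, worst first."""
    gaps = {t: m["silent"] + m["blind"] for t, m in report.items()}
    flagged = [t for t, g in gaps.items() if g >= threshold]
    return sorted(flagged, key=lambda t: (-gaps[t], t))

if __name__ == "__main__":
    report = coverage_by_technique(RESULTS)
    for tech in validation_backlog(report):
        print(tech, report[tech])
```

Separating "silent" from "blind" matters for remediation: the first is a detection-rule problem on telemetry that already exists, the second is a missing log source.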

Don’t wait for the breach signal – prepare for stealth

The Red Report 2026 paints a consistent picture of the current threat landscape: attackers are leaning heavily on silence over disruption, persistence over speed, and identity over exploitation. Encryption events are declining, while low-noise intrusion paths are dominating today’s attacks.

The challenge is not that these threats are unknown. It’s that they don’t announce themselves. As the Blue Report 2025 confirms, much of this activity is logged but never surfaced, allowing intrusions to persist undetected.

The difference now lies in preparation, not awareness. Security leaders must move beyond assuming coverage and actively and continually validate whether their defenses can detect and disrupt the most common stealth techniques, particularly identity abuse, low-noise persistence, and evasive command-and-control activity.

In an environment where attackers are optimizing for invisibility, waiting for a clear signal is no longer a viable strategy. Validation is how defenders can remove uncertainty before silence becomes just an invisible symptom of compromise.

Download the new Picus Red Report for the full findings.