Identity and the Shift from Malware

Manage identity security and compliance with a trusted partner in Lazarus Alliance.

Cyber threats evolve quickly, and while the broad direction is easy to see, it is important to understand the changes concretely. The 2025 CrowdStrike Global Threat Report shows how the landscape of our industry is shifting.

We’re digging into this report to discuss a challenging trend: attackers are forgoing malware and traditional exploits in favor of abusing weaknesses in identity management.

This change calls for a fundamental rethinking of how modern cybercrime operates and of how that affects compliance.


Malware as an Attack Vector Keeps Falling Behind

For decades, defenders focused their efforts on detecting malicious binaries, reverse-engineering payloads, and building antivirus signatures. That model no longer fits: malware is a much smaller part of the picture than it was 20-30 years ago.

According to CrowdStrike, 79% of detections in 2024 were malware-free, up from 40% in 2019. In five years, malicious code went from appearing in most detections to appearing in a minority of them. Attackers now rely on legitimate tools and stolen credentials to move across networks, blending into normal user activity.

This shift reflects the growing sophistication of both attackers and defenders. Endpoint detection and response (EDR) systems have made it much harder for malware to succeed: modern EDR platforms identify suspicious binaries, detect abnormal process behavior, and block execution before a payload runs.


The Rise Of Hands-On Intrusions

CrowdStrike calls this category “interactive intrusions”: operations in which a human operator, rather than automated malware, works through the environment using legitimate tools and stolen credentials. Interactive intrusion campaigns rose 35% year over year in 2024, the seventh consecutive year of growth.

The most targeted industries were:

  • Technology
  • Consulting
  • Manufacturing
  • Retail

Attackers gain their initial foothold through social engineering, vishing, and help desk manipulation rather than technical exploits. Because the activity that follows looks like routine administration, defenders struggle to identify it quickly. CrowdStrike observed that the average breakout time (the interval between initial access and lateral movement to another host) fell to 48 minutes, with the fastest observed lateral movement occurring in just 51 seconds.


Identity As The New Perimeter

Identity attacks target the credentials and trust relationships that define access across corporate environments. The report notes that valid account abuse accounted for 35% of all cloud-related incidents in 2024. 

The move toward identity-based attacks also reflects the growing importance of the cloud. The report highlights that new cloud intrusions increased 26% compared to 2023. Attackers increasingly target cloud management tools, misconfigured permissions, and connected services rather than physical infrastructure.


Why Attackers Have Abandoned Malware


CrowdStrike attributes the shift away from malware to two main factors: the success of modern security controls and the evolution of adversary business models.

  • First, endpoint security has matured. Behavioral analytics, machine learning, and cloud-based telemetry have made traditional malware delivery unreliable, and attackers have found that custom malware offers diminishing returns compared with simpler, credential-focused attacks.
  • Second, attackers now operate like businesses. The report repeatedly uses the term “enterprising adversary” to capture how threat groups optimize their operations for profit and scale. Access brokers, for instance, specialize in obtaining and selling credentials and footholds.

The report observed that advertisements from access brokers increased 50% year over year.


Social Engineering And The Human Factor

Identity attacks often start with social engineering. In 2024, CrowdStrike saw an explosion in phone-based social engineering, particularly voice phishing (vishing), which rose 442% between the first and second half of the year. Attackers impersonated IT staff or help desk personnel and persuaded employees to install remote monitoring and management (RMM) tools.

CrowdStrike highlights several attackers that used social engineering as their main intrusion method, including:

  • CURLY SPIDER: Combined spam bombing with vishing. Attackers flooded a victim’s inbox with junk messages, then called pretending to be IT support offering to fix the problem. They guided victims to install remote access tools, gained control within 4 minutes, and established persistence. CURLY SPIDER often partnered with WANDERING SPIDER to deploy Black Basta ransomware.
  • CHATTY SPIDER: Used callback phishing. Attackers sent fake billing or payment emails that tricked victims into calling a phone number. Once on the call, they installed tools such as WinSCP or Rclone to steal data. CHATTY SPIDER primarily targeted the legal and insurance sectors, demanding ransoms of up to $8 million.
  • PLUMP SPIDER: Focused on Brazil-based organizations. Attackers called victims, posing as IT support, and directed them to set up remote access such as RDP or Supremo. After gaining access, they manipulated payment systems to conduct wire fraud and sometimes recruited insiders for help.
  • SCATTERED SPIDER: Exploited help desk procedures. Attackers called IT support lines, pretending to be employees, and requested password resets or MFA resets, often outside business hours. They used publicly available personal data to pass verification checks and registered their own devices for MFA to maintain long-term access.

These examples show how modern attackers have turned social engineering into a professional operation. 


The Challenges of Security in the Cloud

Identity attacks and cloud exploitation now go hand in hand. The CrowdStrike report notes that 52% of vulnerabilities observed in 2024 were related to initial access, reflecting the growing market for access-as-a-service. Cloud environments, with their reliance on single sign-on and federated identity, are attractive targets: once an attacker holds a valid account, they can often pivot between on-premises systems and multiple cloud services without triggering conventional alerts.

Attackers also adapt their tactics to evade detection. Many no longer change the password on a compromised account, since a reset would alert the legitimate user. Instead, they register their own devices for multifactor authentication or manipulate the help desk into doing it for them. CrowdStrike documented a surge in help desk social engineering, where attackers call IT staff to request password or MFA resets while posing as employees. Because the real user’s credentials keep working, the only trace of the takeover is often a new MFA factor, an unfamiliar device, or a help desk ticket.


Defensive Implications

Defenders must adapt to this new reality. Malware-based detection alone is no longer sufficient. Organizations need to shift their focus to identity protection, behavioral analytics, and real-time monitoring of user activity.

CrowdStrike recommends several proactive measures:

  • Strengthen identity verification and monitor credential use continuously.
  • Implement risk-based patching, especially for initial access vulnerabilities.
  • Detect and respond to credential abuse early to prevent lateral movement.
  • Use AI-driven threat hunting to uncover anomalies in user behavior.

Defenders must also rethink how they train employees. Awareness programs should prioritize social engineering threats, particularly phone-based attacks, and help desk verification. Attackers now exploit trust rather than code.
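The evasion pattern described above (a help desk reset followed by the attacker enrolling their own MFA device and signing in from an unfamiliar address) and the recommendation to monitor credential use continuously both come down to correlating identity audit events. The following is an added example written for this page, not code from CrowdStrike or Lazarus Alliance: it runs three detection rules over a constructed set of help desk, sign-in, and MFA enrollment events. The event schema, field names, user names, IP addresses, and the 30-minute correlation window are assumptions; a real identity provider’s audit log will use different names but carries the same information.

```python
"""Identity-abuse detection over constructed help-desk and MFA audit events.

Rules implemented:
  1. off_hours_helpdesk_reset: a help-desk password or MFA reset outside business hours.
  2. new_ip_login_after_helpdesk_reset: a successful sign-in from an address the
     account has never used, shortly after a help-desk reset.
  3. mfa_enroll_after_helpdesk_reset: a new MFA device enrolled shortly after a
     help-desk reset (the attacker's own device, not the employee's).
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events, not real telemetry. Field names are assumptions.
# j.doe shows the takeover pattern; a.smith is a legitimate weekday reset.
EVENTS = [
    {"ts": "2024-09-14T02:10:00Z", "type": "helpdesk.password_reset", "user": "j.doe", "actor": "helpdesk.agent7", "src_ip": "10.0.5.12"},
    {"ts": "2024-09-14T02:12:30Z", "type": "helpdesk.mfa_reset", "user": "j.doe", "actor": "helpdesk.agent7", "src_ip": "10.0.5.12"},
    {"ts": "2024-09-14T02:18:00Z", "type": "auth.success", "user": "j.doe", "actor": "j.doe", "src_ip": "198.51.100.23"},
    {"ts": "2024-09-14T02:19:10Z", "type": "mfa.device_registered", "user": "j.doe", "actor": "j.doe", "src_ip": "198.51.100.23"},
    {"ts": "2024-09-16T10:05:00Z", "type": "helpdesk.password_reset", "user": "a.smith", "actor": "helpdesk.agent2", "src_ip": "10.0.5.14"},
    {"ts": "2024-09-16T10:40:00Z", "type": "auth.success", "user": "a.smith", "actor": "a.smith", "src_ip": "10.0.7.88"},
    {"ts": "2024-09-17T11:00:00Z", "type": "mfa.device_registered", "user": "a.smith", "actor": "a.smith", "src_ip": "10.0.7.88"},
]

# Constructed baseline: addresses each account has used before.
KNOWN_IPS = {"j.doe": {"10.0.7.41"}, "a.smith": {"10.0.7.88"}}

BUSINESS_HOURS = (8, 18)            # 08:00-18:00, Monday-Friday, UTC for this example
RESET_WINDOW = timedelta(minutes=30)  # assumed correlation window after a reset
RESET_TYPES = {"helpdesk.password_reset", "helpdesk.mfa_reset"}


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_off_hours(ts):
    """True on weekends or outside the configured business hours."""
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def detect(events, known_ips, window=RESET_WINDOW):
    """Return (rule, user, timestamp) findings in chronological order."""
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    last_reset = {}  # user -> time of the most recent help-desk reset
    seen_ips = defaultdict(set, {u: set(ips) for u, ips in known_ips.items()})
    findings = []
    for e in events:
        ts, user, etype = parse_ts(e["ts"]), e["user"], e["type"]
        recently_reset = user in last_reset and ts - last_reset[user] <= window
        if etype in RESET_TYPES:
            last_reset[user] = ts
            if is_off_hours(ts):
                findings.append(("off_hours_helpdesk_reset", user, e["ts"]))
        elif etype == "mfa.device_registered" and recently_reset:
            findings.append(("mfa_enroll_after_helpdesk_reset", user, e["ts"]))
        elif etype == "auth.success":
            if e["src_ip"] not in seen_ips[user]:
                if recently_reset:
                    findings.append(("new_ip_login_after_helpdesk_reset", user, e["ts"]))
                seen_ips[user].add(e["src_ip"])  # learn the address after alerting once
    return findings


if __name__ == "__main__":
    for rule, user, ts in detect(EVENTS, KNOWN_IPS):
        print(f"{ts} {user:8} {rule}")
```

Run on the sample data, the rules fire only for j.doe: two off-hours resets on a Saturday night, a sign-in from a never-seen address six minutes later, and a new MFA device enrolled right after. The weekday reset for a.smith, with a sign-in from a known address and an enrollment a day later, produces nothing. In practice the reset window and business hours belong in configuration, and the “known IP” baseline should come from the identity provider’s sign-in history rather than a static table.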


The Future Of Identity-Based Threats

Looking ahead, identity-based attacks will continue to expand because they scale efficiently. They require minimal technical overhead and exploit fundamental human and procedural weaknesses. Breakout times measured in minutes, and sometimes seconds, make clear how urgently defenses must adapt to the new pace and methods of intrusion.

Generative AI will likely amplify this trend. Attackers already use AI models to craft convincing phishing content and voice clones, automate reconnaissance, and even develop scripts. When AI-generated communications become indistinguishable from authentic ones, verifying identity will be both more critical and more complex.


Shore Up Security and Compliance with Lazarus Alliance

CrowdStrike’s report provides clear data to support this conclusion: malware-free attacks now dominate, valid account abuse is a leading cause of cloud incidents, and social engineering is the primary path to compromise. It’s critical that you have your controls in place, and properly documented, to meet this challenge (and the compliance standards that address it).

To learn more about how Lazarus Alliance can help, contact us.

Download our company brochure.


Lazarus Alliance
