A recent report from Picus Labs has uncovered a chilling evolution in cyber warfare that it calls “the rise of the Digital Parasite.”
The report analyzed more than 1.1 million malicious files and 15.5 million actions last year, and revealed that bad actors have shifted 80% of their resources toward stealth, evasion, and persistence.
The report highlighted distinct, highly sophisticated behaviors that allow malware to inhabit systems for months without detection. These include:
- Malware Doing Math: In a first-of-its-kind finding, malware strains like LummaC2 are now using trigonometry (calculating Euclidean distance of mouse angles) to distinguish between human users and automated security sandboxes. If the mouse moves too “perfectly,” the malware knows it is being watched and refuses to detonate.
- The “Play Dead” Phenomenon: Virtualization/Sandbox Evasion has surged to become the #4 most prevalent technique. Modern malware actively checks for analysis environments and goes dormant to create a false sense of safety.
- The Shift from Encryption to Extortion: The use of “Data Encrypted for Impact” (ransomware’s signature move) dropped by 38%. Attackers are no longer locking data immediately; they are silently exfiltrating it for extortion.
Dr. Süleyman Özarslan, Co-founder and VP of Picus Labs, said: “What we’re observing is the rise of the digital parasite. Attackers have realized it is more profitable to inhabit the host than to destroy it. They are embedding themselves inside environments, using trusted identities and even physical hardware to feed on access while staying operationally invisible. If your security relies on spotting a ‘break-in,’ you’ve already lost, because they are already logged in.”
Stealth and Persistence Dominate
The Red Report 2026 is based on year-long research by Picus Labs. It validates adversarial behaviors through real-world attack simulations and maps them to the MITRE ATT&CK framework. The analysis focuses on the techniques bad actors use most often to maintain access and evade detection once inside a business.
The report showed that for the third year in a row, process injection (30%) is the favoured technique, allowing malefactors to hide malicious code inside legitimate, trusted applications.
When it came to physical insider threats, the report said that state-sponsored actors (specifically DPRK operatives) are now using physical IP-KVM devices to bypass software agents entirely, controlling laptop farms at the hardware level.
The report also says that threat actors are routing Command-and-Control (C2) traffic through high-reputation services like OpenAI and AWS to blend in with normal business traffic.
Picus Labs added that identity is the new perimeter, with one in four attacks now involving the theft of saved passwords from browsers, allowing attackers to authenticate as valid users.
Bad actors are operating through trusted processes and standard network traffic to limit their operational footprint and extend dwell time. They can persist within environments while minimizing signals that would typically trigger alerts or responses, inflicting maximum damage, researchers explained.
Continuous Validation
According to the report, when threats are crafted to be as silent as possible, static assessments and assumption-based coverage leave blind spots in detecting these techniques. Today, protecting enterprises takes continuous validation of security controls against real attacker behavior.
“By validating defenses through ongoing attack simulation, organizations can confirm whether detection and prevention controls are effective against stealth-driven techniques and identify gaps before attackers exploit them,” Picus Labs said.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


