Source: securityboulevard.com – Author: Nathan Eddy
Cybercrime-as-a-Service (CaaS) now accounts for 57% of all cyberthreats, marking a 17% increase from the first half of 2024, according to Darktrace’s Annual Threat Report.
The report highlighted how offensive AI, automation, and CaaS are accelerating the scale and sophistication of cyberattacks, making even basic phishing schemes highly effective and enabling advanced threat actors to launch novel attacks with minimal effort.
The research also identified a sharp rise in malware and Malware-as-a-Service (MaaS) threats, fueled by the growing cybercrime industry, which is now generating an estimated $8 trillion annually.
Attackers are increasingly focusing on evasion tactics, exploiting edge device vulnerabilities and leveraging compromised Software-as-a-Service (SaaS) credentials, emphasizing the persistent security challenges tied to identity management.
Email phishing remains one of the most widely used attack vectors, with AI-powered automation increasing both the volume and sophistication of phishing campaigns.
The report also cautioned that traditional security measures are struggling to keep pace, leaving organizations vulnerable to increasingly deceptive tactics.
A significant concern highlighted in the study is the surge in threat actors prioritizing evasion over disruption.
Attackers are abusing legitimate tools and services, such as Dropbox, and frequently exploiting security flaws in widely deployed firewalls and edge devices to remain undetected within networks.
This poses a growing challenge for critical national infrastructure (CNI) organizations, which are facing a record number of software vulnerabilities.
According to MITRE, the number of identified vulnerabilities in 2024 has surpassed 29,000, a significant increase from 18,000 in 2020.
RATs, Ransomware Surge in 2024
The use of Remote Access Trojans (RATs), which allow attackers to take full control of infected devices, facilitating data exfiltration, credential theft, and surveillance, surged in the latter half of 2024, accounting for 46% of campaign activity, up from just 12% in the first half of the year.
Ransomware threats also remained prominent, with new and re-emerging strains like Lynx, Akira, RansomHub, Black Basta, Fog and Qilin targeting enterprises.
While phishing remains a common entry point, attackers increasingly rely on legitimate remote management tools like AnyDesk and Atera to mask command and control (C2) operations.
The report also noted that threat actors leveraged Living-off-the-Land (LOTL) techniques, cloud storage for data exfiltration and file-transfer technology for double extortion schemes.
Phishing attacks remained a dominant tactic, with 30.4 million phishing emails detected across Darktrace’s customer network between December 2023 and December 2024.
Attackers have refined their tactics to increase success rates, with 38% of phishing emails launched as spear-phishing attacks targeting high-value individuals, while a third leveraged novel social engineering techniques, such as QR codes and AI-generated text.
An Evolving Threat Landscape
Jason Soroko, senior fellow at Sectigo, explained that MaaS and CaaS are no longer niche tools but have become core enablers of an evolving threat landscape.
“Malware now drives over half of all attacks, and threat actors don’t just breach defenses, they live off them, using trusted platforms and overlooked vulnerabilities to evade detection,” he said. “The numbers leave no room for complacency because identity remains an expensive, unresolved liability.”
He noted email phishing, once a simple tactic, now leverages sophisticated, automated techniques that outsmart conventional security.
Attackers exploit edge devices and SaaS credentials with precision, blending malicious activity into normal operations.
“The bad guys have taught us that identity is at the center of their success, and we have largely failed to put stronger locks on the doors with better forms of authentication,” Soroko said.
Kris Bondi, CEO and co-founder of Mimoto, explained that identifying and responding to deepfakes is a continual battle and something that will continue to be a trend this year.
“While attackers continue to evolve their methods, companies are building adaptive methods to combat these,” she said. “Cybersecurity strategists with hacking expertise are skilled at staying in step with the most innovative attack methods.”
She added that if organizations focus solely on keeping attackers out, they will fail.
“To feel comfortable, they need to have a security posture that also addresses bad actors that have already gotten into their systems,” Bondi said.
Original Post URL: https://securityboulevard.com/2025/02/caas-surges-in-2025-along-with-rats-ransomware/