Hackers are logging in, not breaking in: IBM warns of AI-fueled identity attacks dominating 2025 cyber landscape
Find out how IBM’s 2025 Threat Index reveals a dramatic rise in credential theft, phishing, and AI-driven cyberattacks across critical sectors.
How are cybercriminals changing tactics in 2025?
IBM's 2025 X-Force Threat Intelligence Index paints a sobering picture of how cybercriminals have evolved their tactics. The report highlights a major pivot toward stealth-driven attacks, notably credential theft, identity abuse, and phishing-based intrusions, rather than brute-force or ransomware-centric incidents. In 2024, credential theft was involved in nearly one-third of all incidents IBM responded to, a trend expected to intensify through 2025. The report noted an 84% year-over-year increase in infostealers delivered via phishing emails, with early 2025 data pointing to a 180% rise over 2023 levels. These tactics, made increasingly scalable through generative AI, allow threat actors to enter systems quietly: harvested login credentials let them authenticate as legitimate users instead of tripping the defenses that watch for malware.
While ransomware remained the most common malware type observed, accounting for 28% of malware-based incidents, overall ransomware activity declined. Instead, cybercriminals are using infostealers and credential phishing to gain unauthorized access, then monetizing that access through extortion, lateral movement, or resale of the stolen credentials. IBM's findings indicate that "breaking in without breaking anything" is now the dominant cybercriminal paradigm, enabled by weak identity protection in complex hybrid cloud environments.

Why is credential theft replacing ransomware as a preferred tactic?
Credential theft has emerged as the preferred tactic among threat actors because it is faster, stealthier, and more scalable than deploying malware. Infostealers, often distributed through phishing emails or links to cloud-hosted malware, extract user credentials, authentication tokens (including session cookies, which let an attacker skip the login entirely), and system information in seconds. Those credentials are then sold on dark web marketplaces or used for follow-on intrusions that can go undetected for long periods because the activity looks like a legitimate login. IBM X-Force reported that threat actors increasingly favor "living off the land" techniques, using valid accounts and built-in tools rather than deploying traditional malware.
The appeal of credential-based attacks is bolstered by the wide availability of adversary-in-the-middle (AITM) phishing kits and infostealer-as-a-service tools. AITM kits proxy the victim's session to the real login page in real time, so one-time codes and push approvals are captured and relayed within their validity window; only phishing-resistant factors that bind the authentication to the site's origin, such as FIDO2/WebAuthn passkeys, hold up against this. In 2024, IBM noted more than eight million infostealer listings on the dark web, each potentially containing hundreds of compromised credentials. Demand for unauthorized access continues to grow, indicating that the cybercriminal marketplace now values identity compromise over outright encryption.
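To make the distinction concrete, here is an added Python model of an AITM relay, written for this article and not part of IBM's report or any real phishing kit. It assumes two origins (an invented login.example.com for the real site and a lookalike for the proxy), a constructed TOTP secret, and an HMAC in place of a real authenticator's private-key signature; the only thing it borrows from WebAuthn is the idea that the signed assertion covers the origin the browser observed.

```python
"""
Adversary-in-the-middle (AITM) relay, modelled in miniature.

Added illustration, not IBM's or any kit's code. The "passkey" part only
mimics WebAuthn's origin binding: the authenticator signs over the origin the
*browser* reports, and the relying party rejects any other origin. A real
authenticator uses a per-credential private key; an HMAC over the same fields
stands in for it here so the example runs offline.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import struct

REAL_ORIGIN = "https://login.example.com"        # assumed legitimate site
PHISH_ORIGIN = "https://login.example-com.net"   # assumed attacker proxy
TOTP_SECRET = b"constructed-shared-secret"       # constructed, not a real seed


def totp(secret: bytes, step: int) -> str:
    """RFC 6238-style 6-digit code for one 30-second time step (HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


class Authenticator:
    """Stand-in for a FIDO2/passkey authenticator holding one credential."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)

    def registered_public_part(self) -> bytes:
        # In reality the RP stores a public key; here it stores the HMAC key.
        return self.key

    def get_assertion(self, challenge: bytes, browser_origin: str) -> dict:
        # The browser fills in the origin. The user never types it, so a
        # lookalike page cannot obtain an assertion that claims REAL_ORIGIN.
        client_data = challenge + b"|" + browser_origin.encode()
        return {
            "challenge": challenge,
            "origin": browser_origin,
            "sig": hmac.new(self.key, client_data, hashlib.sha256).digest(),
        }


class RelyingParty:
    """The real login service, accepting either a TOTP code or a passkey."""

    def __init__(self, credential_key: bytes = b"") -> None:
        self.credential_key = credential_key
        self.pending: set[bytes] = set()

    def verify_totp(self, code: str, step: int) -> bool:
        return hmac.compare_digest(code, totp(TOTP_SECRET, step))

    def new_challenge(self) -> bytes:
        c = secrets.token_bytes(16)
        self.pending.add(c)
        return c

    def verify_assertion(self, a: dict) -> bool:
        if a["challenge"] not in self.pending:
            return False                      # replay or unknown challenge
        self.pending.discard(a["challenge"])
        if a["origin"] != REAL_ORIGIN:
            return False                      # origin check: this stops AITM
        expected = hmac.new(self.credential_key,
                            a["challenge"] + b"|" + a["origin"].encode(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, a["sig"])


def aitm_against_totp(step: int = 56_666_666) -> bool:
    """Victim reads a code off their app and types it into the proxy page;
    the proxy forwards it to the real site inside the validity window."""
    rp = RelyingParty()
    code_typed_into_phish_page = totp(TOTP_SECRET, step)
    return rp.verify_totp(code_typed_into_phish_page, step)   # True: relay works


def aitm_against_passkey(rewrite_origin: bool = False) -> bool:
    """Proxy fetches a real challenge, has the victim's browser (sitting on
    PHISH_ORIGIN) sign it, then forwards the assertion. Optionally it also
    patches the origin field to look legitimate before forwarding."""
    auth = Authenticator()
    rp = RelyingParty(auth.registered_public_part())
    challenge = rp.new_challenge()
    assertion = auth.get_assertion(challenge, PHISH_ORIGIN)
    if rewrite_origin:
        assertion["origin"] = REAL_ORIGIN    # signature no longer covers this
    return rp.verify_assertion(assertion)    # False either way


def legitimate_passkey_login() -> bool:
    auth = Authenticator()
    rp = RelyingParty(auth.registered_public_part())
    assertion = auth.get_assertion(rp.new_challenge(), REAL_ORIGIN)
    return rp.verify_assertion(assertion)    # True


if __name__ == "__main__":
    print("AITM vs TOTP                      :", "bypassed" if aitm_against_totp() else "blocked")
    print("AITM vs passkey                   :", "bypassed" if aitm_against_passkey() else "blocked")
    print("AITM vs passkey (origin rewritten):", "bypassed" if aitm_against_passkey(True) else "blocked")
    print("Legitimate passkey login          :", "ok" if legitimate_passkey_login() else "fail")
```

The TOTP path succeeds because the code is valid on its own: nothing in it says which site the user thought they were logging into. The passkey path fails twice over, first because the signed origin is the proxy's, and again if the proxy rewrites the origin, because the signature then no longer matches. That is the property to look for when choosing an MFA method against the kits IBM describes.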
Which sectors and regions are most affected?
Critical infrastructure remains a primary target for cyberattacks. IBM's data shows that 70% of incidents it responded to in 2024 involved critical infrastructure organizations. These sectors are particularly exposed because of legacy technology and slow patch cycles; more than a quarter of those attacks resulted from vulnerability exploitation. Manufacturing stood out as the most attacked industry for the fourth consecutive year, driven largely by its low tolerance for downtime and its reliance on unpatched systems.
Geographically, the Asia-Pacific region accounted for the highest share of attacks at 34%, followed by North America at 24%. The APAC region saw a 13% year-on-year increase in attack volume, reflecting its central role in global supply chains and its attractiveness as a target given rapid digital transformation and a dense industrial base.
How is AI changing the cyber threat landscape?
Generative AI has become both a weapon and a defense mechanism in modern cybersecurity. Threat actors are using AI to craft sophisticated phishing emails, write obfuscated malware code, generate deepfake content, and automate attack execution. IBM X-Force highlighted that although large-scale AI-specific attacks haven’t yet materialized, vulnerabilities in AI frameworks are increasingly being discovered and exploited. One notable example includes a remote code execution flaw identified by IBM researchers in an AI agent development framework, suggesting future attack surfaces are already being mapped.
Despite these risks, organizations are accelerating AI integration across business functions. In 2024, 72% of companies were using AI in at least one function, up from 55% the previous year. However, only 24% of generative AI projects were deemed secure, exposing a significant cybersecurity gap. IBM warns that attackers will increasingly develop dedicated toolkits for targeting AI models and infrastructure, particularly as the market consolidates around a few dominant platforms.
What are the main access vectors attackers use?
The leading initial access vectors observed in 2024 were the use of valid credentials and exploitation of public-facing applications, each accounting for 30% of IBM’s incident response engagements. This shift reinforces the broader trend that attackers prefer logging in through stolen credentials rather than relying on malware deployment to breach networks. Infostealers play a central role in enabling this, extracting credentials from user devices and funneling them into black markets where they are bought and sold at scale.
Phishing continues to play a vital supporting role. While it now accounts for a smaller share of initial compromises—down to 25% in 2024 from 46% in 2022—it remains instrumental in delivering infostealer payloads and initiating the credential harvesting cycle. Most infostealer campaigns now rely on malicious URLs embedded in PDF attachments or hosted on cloud platforms that provide attackers with trusted domains and infrastructure.
How is cloud infrastructure being exploited?
IBM's report emphasizes the increased use of cloud hosting services by threat actors to distribute malware and conduct phishing campaigns. Services such as Microsoft Azure Blob Storage and Brazil-based Locaweb were repeatedly abused to host phishing pages and malware payloads; no vulnerability in those platforms is involved, only their willingness to serve whatever a customer uploads. By using legitimate infrastructure, attackers gain the advantage of trust: users are less likely to suspect a URL associated with a well-known cloud provider, and reputation-based filters are less likely to block it.
Phishing attacks in Latin America were particularly prevalent in this format. Campaigns often used malicious PDF attachments containing obfuscated URLs to deliver banking trojans like Grandoreiro. These tactics are harder to detect and disrupt, especially given the widespread use of PDFs and URLs in normal business workflows.
Are malware trends shifting to new platforms?
IBM's threat intelligence shows that ransomware groups are increasingly targeting Linux environments, a shift that widens the attack surface as more organizations move to containerized and cloud-native platforms. Ransomware families such as Akira, Clop, and LockBit have begun shipping cross-platform payloads, enabling them to encrypt both Windows and Linux systems.
Malware distribution tactics also evolved. Traditional delivery formats such as ZIP archives and macro-laced Word documents are in decline, with attackers pivoting to PDF-based delivery mechanisms that are harder for email filters to classify. In 2024, PDFs emerged as the top malicious file format in phishing emails. Many hid their URLs behind obfuscation or encryption, for instance inside encoded strings or compressed object streams, so that simple pattern matching on the raw file misses them.
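The PDF tricks just described, together with the cloud-hosted links discussed under initial access and cloud abuse, are easier to triage once the URI actions are pulled out of the file. The scanner below is an added Python example, not code from IBM or from any product named in the report. It runs over a constructed, deliberately skeletal PDF (valid object syntax, no xref table) and finds /URI actions in raw objects and inside Flate-compressed streams, decoding hex-encoded and backslash-escaped strings along the way; it then flags hosts that match an assumed list of cloud-storage suffixes. Encrypted PDFs would have to be decrypted first, which is out of scope here.

```python
"""
Pull /URI actions out of a PDF, including hex-encoded and escaped strings and
objects hidden in Flate-compressed streams, then flag cloud-storage hosts.

Added example for this article; not IBM's tooling. The sample PDF and the
suffix list are constructed for the demonstration.
"""
from __future__ import annotations

import re
import zlib
from urllib.parse import urlparse

# Assumed list of cloud-storage hostname suffixes worth a second look.
CLOUD_STORAGE_SUFFIXES = (
    ".blob.core.windows.net",
    ".s3.amazonaws.com",
    ".storage.googleapis.com",
)

# /URI followed by a literal string (...) or a hex string <...>.
_URI_RE = re.compile(rb"/URI\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)", re.DOTALL)
# Body of a stream object; only Flate-compressed ones are inflated below.
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _unescape_literal(body: bytes) -> bytes:
    """Apply PDF literal-string escapes: \\n \\r \\t \\b \\f \\( \\) \\\\ and \\ddd octal."""
    simple = {0x6E: 10, 0x72: 13, 0x74: 9, 0x62: 8, 0x66: 12, 0x28: 40, 0x29: 41, 0x5C: 92}
    out = bytearray()
    i = 0
    while i < len(body):
        c = body[i]
        if c != 0x5C:                       # not a backslash
            out.append(c)
            i += 1
            continue
        i += 1
        if i >= len(body):
            break
        c = body[i]
        if 0x30 <= c <= 0x37:               # up to three octal digits
            j = i
            while j < len(body) and j < i + 3 and 0x30 <= body[j] <= 0x37:
                j += 1
            out.append(int(body[i:j], 8) & 0xFF)
            i = j
        elif c in simple:
            out.append(simple[c])
            i += 1
        elif c in (0x0A, 0x0D):             # backslash-newline: line continuation
            i += 1
            if c == 0x0D and i < len(body) and body[i] == 0x0A:
                i += 1
        else:                               # unknown escape: drop the backslash
            out.append(c)
            i += 1
    return bytes(out)


def decode_pdf_string(tok: bytes) -> bytes:
    """Decode one PDF string token, either (literal) or <hex>."""
    if tok.startswith(b"<"):
        hexdigits = re.sub(rb"\s", b"", tok[1:-1])
        if len(hexdigits) % 2:
            hexdigits += b"0"               # spec: odd final digit is padded with 0
        return bytes.fromhex(hexdigits.decode("ascii"))
    return _unescape_literal(tok[1:-1])


def extract_uris(pdf: bytes) -> list[str]:
    """Every /URI target found in raw objects and in inflatable streams, in file order."""
    buffers = [pdf]
    for m in _STREAM_RE.finditer(pdf):
        try:
            buffers.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass                            # not Flate-encoded (or encrypted): skipped
    return [decode_pdf_string(m.group(1)).decode("latin-1")
            for buf in buffers for m in _URI_RE.finditer(buf)]


def triage(pdf: bytes) -> list[tuple[str, str]]:
    """Pair each URI with a tag: 'cloud-storage-host' or 'other'."""
    results = []
    for uri in extract_uris(pdf):
        host = (urlparse(uri).hostname or "").lower()
        tag = "cloud-storage-host" if any(host.endswith(s) for s in CLOUD_STORAGE_SUFFIXES) else "other"
        results.append((uri, tag))
    return results


# Constructed sample: one plain link on a cloud-storage host, one hex-encoded
# link with whitespace inside the hex string, and one octal-escaped link
# hidden in a Flate-compressed stream. Not a complete PDF (no xref/trailer).
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (https://example.blob.core.windows.net/c/invoice.html) >> >> endobj\n"
    b"2 0 obj << /S /URI /URI <6874 7470 733a 2f2f 7068 6973 682e 6578 616d 706c 652f 6c6f 6769 6e> >> endobj\n"
    b"3 0 obj << /Filter /FlateDecode >> stream\n"
    + zlib.compress(b"<< /S /URI /URI (https://cdn.example\\057pay) >>")
    + b"\nendstream endobj\n"
)

if __name__ == "__main__":
    for uri, tag in triage(SAMPLE_PDF):
        print(f"{tag:20} {uri}")
```

Run as-is it prints three URLs, only the first tagged as a cloud-storage host; a naive `grep http` over the same bytes would have found just that one, since the second is hex-encoded and the third sits inside compressed data. For real triage feed the tags into whatever sandbox or URL-reputation step you already have; the point here is the extraction, not the verdict.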
Why is patch management still a major vulnerability?
A persistent theme in IBM’s findings is the exploitation of known vulnerabilities that remain unpatched for extended periods. Of the vulnerabilities most discussed on dark web forums, four out of ten were linked to sophisticated threat actor groups, including those backed by nation-states. Exploit code for these vulnerabilities was often made public within days of disclosure, creating a narrow window for defenders to respond.
IBM’s analysis also revealed that over half of Red Hat Enterprise Linux customers had failed to patch at least one critical CVE in their environment, with nearly one in five failing to patch five or more. This gap in patch hygiene is particularly alarming given that 30% of cyberattacks exploited public-facing applications in 2024. Once inside, threat actors used automated scanners to identify additional vulnerabilities and escalate privileges, often staying undetected for weeks or even months.
What are the top impacts of these attacks?
Credential harvesting was the most frequent impact recorded in IBM’s 2024 incident response engagements, involved in 28% of cases. Data theft followed at 18%, with attackers leveraging stolen credentials to exfiltrate sensitive data over extended dwell times. Extortion, including both ransomware and data-leak-based shakedowns, was the fourth most common outcome, seen in 12% of incidents.
The impact of these breaches extends beyond financial loss. The global average cost of a data breach hit $4.88 million in 2024, according to IBM. Moreover, once credentials are compromised, they can be used in future attacks, recycled across different sectors, or sold multiple times on the dark web. The cumulative effect makes these breaches particularly damaging.
How can organizations adapt to this evolving threat landscape?
IBM urges organizations to prioritize identity security, adopt AI-driven threat detection, and secure their AI development pipelines. Credential protection strategies should include comprehensive multi-factor authentication (ideally phishing-resistant methods), an identity fabric architecture, and consolidation of identity management systems. AI workloads must be secured from data ingestion through deployment; IBM notes that only 24% of generative AI projects currently meet basic security benchmarks.
Beyond technical measures, IBM stresses the need for operational resilience, including dark web monitoring, updated incident response playbooks, and cross-ecosystem collaboration. Organizations should adopt proactive, layered defenses to minimize exposure to stealthy, AI-driven threats and evolve with the shifting cyber risk landscape.
Discover more from Business-News-Today.com