Stolen Credentials and Valid Account Abuse Fuel the Financially Motivated Attacks

Throughout the first half of 2025, financially motivated threat actors have shifted their approach to intrusions, abandoning traditional implant-heavy methods in favor of a more cost-effective strategy.

Rather than deploying sophisticated malware payloads, attackers are leveraging stolen credentials and valid account access to establish persistence within target networks across multiple industries.

The FortiGuard Incident Response team responded to dozens of engagements, revealing a consistent pattern where adversaries gain initial access through compromised credentials, which are either harvested via phishing campaigns, purchased from Initial Access Brokers, or obtained through password reuse and infostealer malware distribution.

Fortinet analysts identified that attackers exploit three primary initial access techniques to compromise networks.

External remote services, particularly VPN infrastructure, serve as the most prevalent entry point, allowing adversaries to authenticate using stolen credentials and progress laterally through victim environments.

Additionally, threat actors exploit public-facing applications using n-day vulnerabilities to deploy legitimate remote management tools such as AnyDesk, Atera, Splashtop, and ScreenConnect.

Compromised credentials purchased from underground markets range from $100 to $20,000 depending on organizational size and geographic location, making this approach economically attractive for threat actors operating across developed and emerging economies.

Lateral Movement and Persistence Tactics

Fortinet researchers noted that, once inside a network, adversaries employ manual, operator-driven lateral movement using built-in tools including Remote Desktop Protocol (RDP), Server Message Block (SMB), and Windows Remote Management (WinRM).

This manual approach enables attackers to blend with legitimate administrator activity, significantly complicating detection efforts.
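An added detection example, not taken from the Fortinet report or this article: it scans constructed Windows Security 4624 (successful logon) records and flags an account that fans out to many distinct hosts over the RDP and network logon types that RDP, SMB and WinRM produce within a short window, a pattern that hands-on lateral movement with valid accounts leaves behind even when no malware is dropped. The record layout, host names, account names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real telemetry) of 4624 logon events, one per line:
# timestamp,account,destination_host,logon_type,source_ip
SAMPLE_EVENTS = """\
2025-03-10T09:00:05,jsmith,WS-011,10,10.0.5.23
2025-03-10T09:01:10,svc_backup,FS-01,3,10.0.9.7
2025-03-10T09:02:00,jsmith,FS-01,3,10.0.5.23
2025-03-10T09:02:45,jsmith,DC-01,3,10.0.5.23
2025-03-10T09:03:30,jsmith,ESX-MGMT,10,10.0.5.23
2025-03-10T09:04:10,jsmith,HV-02,3,10.0.5.23
2025-03-10T09:04:50,jsmith,APP-07,10,10.0.5.23
2025-03-10T11:30:00,admin_ops,WS-044,10,10.0.2.2
"""

# Logon types the built-in lateral-movement tools generate on the destination:
# 10 = RemoteInteractive (RDP), 3 = Network (SMB shares, WinRM). Interactive,
# service and batch logons are ignored because they are not remote fan-out.
LATERAL_LOGON_TYPES = {"3", "10"}


def parse_events(text):
    """Parse the CSV-style lines into (timestamp, account, host, type, src) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, account, host, logon_type, src = line.split(",")
        events.append((datetime.fromisoformat(ts), account, host, logon_type, src))
    return events


def find_fan_out(events, max_hosts=3, window=timedelta(minutes=10)):
    """Return {account: sorted hosts} for every account that reaches more than
    max_hosts distinct destinations via RDP/SMB/WinRM logons inside any window."""
    by_account = defaultdict(list)
    for ts, account, host, logon_type, _src in sorted(events):
        if logon_type in LATERAL_LOGON_TYPES:
            by_account[account].append((ts, host))
    hits = {}
    for account, logons in by_account.items():
        for i, (start, _host) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                hits[account] = sorted(hosts)
                break
    return hits


if __name__ == "__main__":
    for account, hosts in find_fan_out(parse_events(SAMPLE_EVENTS)).items():
        print(f"{account}: {len(hosts)} hosts in window -> {hosts}")
```

Tune `max_hosts` and `window` against a baseline of known administrator behaviour, since backup and patch-management accounts legitimately touch many hosts and will otherwise dominate the alerts.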

Victim Industries (Source – Fortinet)

Adversaries maintain persistence by installing their own instances of remote access tools and leveraging privileged credentials obtained through Mimikatz execution and Zerologon exploitation for elevated account access.

Data exfiltration occurs through direct file transfers via RDP and RMM interface drag-and-drop capabilities, leaving minimal forensic artifacts compared to conventional web-based exfiltration methods.

In observed cases, attackers configured VPN infrastructure without multi-factor authentication, granting unrestricted network access and enabling rapid encryption of hypervisor infrastructure for ransomware deployment.

This low-complexity, high-return methodology allows financially motivated adversaries to operate undetected for extended periods while avoiding the detection signatures commonly associated with malware-centric intrusions.
