
Cybercriminals don’t really need malware to sow chaos on computer systems, a new report claims. Instead, they’re shifting to a stealthier approach known as Living Off the Land (LOTL).
Indeed, malware – or malicious software – has long been and remains the primary vector for attacks on computer systems. Cyber defenders have reacted accordingly and mostly work on identifying and blocking hostile code before it can cause trouble.
However, cybercriminals are now increasingly using a stealthier approach, LOTL. This method involves using legitimate tools and software to carry out malicious activities, allowing crooks to blend in and avoid detection.
According to the 2025 State of Malware report, prepared by ThreatDown by Malwarebytes, a cybersecurity platform, our own software is now the new malware.
“The most pressing security challenge has shifted from stopping malicious software to stopping malicious people using legitimate software,” the report states.
Essentially, threat actors who use LOTL techniques to gain access to your systems will try to disguise themselves as legitimate users and use commercial tools that don’t look out of place on your network.
That’s why detecting LOTL techniques and defending against them requires careful work and monitoring of Endpoint Detection and Response (EDR) alerts to identify out-of-place behavior, ThreatDown said.
“Understanding the environment is paramount. With this baseline, security analysts can identify anomalies that might not seem malicious but aren’t common for the environment,” said Hiep Hinh, an analyst at ThreatDown.
The report claims that LOTL techniques have become indispensable to ransomware groups’ attack chains. They especially favor the Windows Remote Desktop Protocol (RDP) – 58% of ransomware attacks dealt with by ThreatDown began with an RDP intrusion.
“Although we tend to think of RDP as a method of initial access, it is also a LOTL tactic. A ransomware group that correctly guesses an RDP password hasn’t broken into a network using malware or a vulnerability – it has logged in and authenticated itself and is operating as a legitimate user on the network,” ThreatDown said.
However they gain access to a target, attackers often establish persistence with another kind of remote desktop software – remote monitoring and management (RMM) software such as AnyDesk and ConnectWise.
According to the cybersecurity platform, RMM tools afford the same convenient access as RDP and also don’t look out of place on a company network.
This is why defenders should look for suspicious behavior and anomalies, such as software being used in unexpected ways, files being modified, activity at strange times, or accounts that shouldn’t be there.
The most popular LOTL techniques detected by ThreatDown in 2024 were network service scanning, suspicious PowerShell executions, and unauthorized local account creations.
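The baseline-driven detection the report describes can be sketched as a small rule set over logon and account-creation events. This is an added example, not code from the report or from ThreatDown; the events and the baseline values are constructed for illustration and loosely follow Windows Security log fields (event 4624 with logon type 10 for RDP sessions, event 4720 for a local account being created).

```python
import ipaddress
from datetime import datetime

# Constructed sample events (not real data), loosely modelled on Windows Security log fields.
# 4624 = successful logon (LogonType 10 = RemoteInteractive, i.e. RDP); 4720 = local account created.
EVENTS = [
    {"id": 4624, "time": "2024-03-04T09:12:00", "user": "jsmith", "logon_type": 10, "src": "10.0.0.5"},
    {"id": 4624, "time": "2024-03-04T02:47:00", "user": "jsmith", "logon_type": 10, "src": "198.51.100.7"},
    {"id": 4624, "time": "2024-03-04T02:49:00", "user": "svc_backup", "logon_type": 10, "src": "10.0.0.9"},
    {"id": 4720, "time": "2024-03-04T02:55:00", "user": "svc_backup", "target": "support1"},
    {"id": 4720, "time": "2024-03-04T10:30:00", "user": "it-admin", "target": "newhire"},
]

# Environment baseline (assumed for this example): what "normal" looks like on this network.
BASELINE = {
    "rdp_users": {"jsmith", "it-admin"},   # accounts that routinely use RDP
    "rdp_sources": ["10.0.0.0/8"],          # networks RDP sessions normally come from
    "business_hours": (7, 20),              # inclusive start hour, exclusive end hour
    "account_creators": {"it-admin"},       # accounts allowed to create local accounts
}


def _in_hours(ts, hours):
    start, end = hours
    return start <= datetime.fromisoformat(ts).hour < end


def _from_known_network(src, networks):
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def detect_anomalies(events, baseline):
    """Return (event, reason) pairs for activity that deviates from the baseline."""
    findings = []
    for ev in events:
        if ev["id"] == 4624 and ev.get("logon_type") == 10:
            # Legitimate tool (RDP) used by an unusual account, from an unusual place, or at an odd time
            if ev["user"] not in baseline["rdp_users"]:
                findings.append((ev, "rdp_by_unusual_account"))
            if not _from_known_network(ev["src"], baseline["rdp_sources"]):
                findings.append((ev, "rdp_from_unknown_network"))
            if not _in_hours(ev["time"], baseline["business_hours"]):
                findings.append((ev, "rdp_outside_business_hours"))
        elif ev["id"] == 4720 and ev["user"] not in baseline["account_creators"]:
            # An account that shouldn't be there, created by someone who shouldn't be creating accounts
            findings.append((ev, "account_created_by_unauthorized_user"))
    return findings
```

Each finding is only a deviation from the baseline, not proof of compromise; as the analyst quoted above notes, the value lies in knowing the environment well enough to tell routine from rare.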