
According to Google’s latest Mandiant M-Trends 2025 Report, BEACON remains the most frequently observed malware family worldwide for the fifth year running. The report also credits Operation MORPHEUS with an 80% reduction in unauthorized copies of Cobalt Strike over the past two years.
Additional findings indicate that the majority of organizations learned they were compromised from an external source, that one-third of all intrusions began with an exploit, and that unsecured data repositories present a “largely overlooked” risk.
Operation MORPHEUS, BEACON, and Cobalt Strike
What happens when you create a tool that’s just too good? Since its release in 2012, Cobalt Strike has been one of the offensive security tools most heavily abused by adversaries around the world. Because of its post-exploitation capabilities, such as PowerShell tasking, Malleable C2 profiles that reshape how its traffic looks on the wire, and the ability to stage additional payloads beyond its flagship BEACON implant, the red teaming tool is widely leveraged by nation-state actors looking to gain persistence and run long-term “low and slow” operations.
Its heavy use by APT groups and ransomware actors alike was alarming enough that international law enforcement agencies, from Interpol and Europol to the UK’s NCA and the FBI, combined forces to combat it in 2021.
Fortra announced that since it joined the operation in 2023 (alongside Microsoft’s Digital Crimes Unit and the Health Information Sharing and Analysis Center), unauthorized copies of Cobalt Strike found in the wild have decreased by 80%. And although BEACON remains the most frequently sighted malware family (at over 5% of all cases worldwide), that is still a significant drop from its 2021 peak of 28%.
“The dramatic decrease in observations versus prior years in Mandiant’s M-Trends report validates the public/private partnership model that has been undertaken to disrupt the unauthorized usage of Cobalt Strike,” notes Bob Erdman, Associate VP, Research and Development at Fortra. “Fortra, in conjunction with Microsoft, H-ISAC, and our law enforcement partners continue to pursue these threat actors across the globe to combat the illicit usage of Cobalt Strike and other cybersecurity tools.”
As noted in the report, BEACON is a backdoor written in C/C++ that supports file transfer, file execution, keystroke capture, screenshots, port scanning, credential harvesting, and more.
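The “low and slow” behaviour described above has a simple defensive consequence worth showing: an implant that sleeps and calls home on a fixed interval with a little jitter leaves a near-constant inter-connection cadence in outbound proxy or firewall logs, and that cadence is one of the cheapest hunting signals a SOC has. The script below is an added example written for this page; it is not from the M-Trends report, from Fortra, or from Cobalt Strike itself. The log lines, their field layout (`<ISO timestamp> <src> -> <dst>`), and the thresholds are all constructed for the demonstration.

```python
"""Periodicity ("beaconing") triage over outbound connection logs.

Added example: score each (source, destination) pair by how regular its
inter-connection intervals are.  A near-constant interval across many
samples is what a sleeping implant looks like from the network side.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real traffic).  The layout is an assumption
# for the demo: "<ISO-8601 timestamp> <src> -> <dst>".
#   cdn-updates.example : ~60 s sleep with ~10% jitter (implant-like)
#   news.example        : bursty, human-driven browsing
#   mail.example        : perfectly periodic but too few samples to score
SAMPLE_LOG = """\
2025-04-23T10:00:00 10.0.0.5 -> cdn-updates.example
2025-04-23T10:00:58 10.0.0.5 -> cdn-updates.example
2025-04-23T10:02:02 10.0.0.5 -> cdn-updates.example
2025-04-23T10:02:59 10.0.0.5 -> cdn-updates.example
2025-04-23T10:04:01 10.0.0.5 -> cdn-updates.example
2025-04-23T10:04:58 10.0.0.5 -> cdn-updates.example
2025-04-23T10:06:02 10.0.0.5 -> cdn-updates.example
2025-04-23T10:06:58 10.0.0.5 -> cdn-updates.example
2025-04-23T10:07:59 10.0.0.5 -> cdn-updates.example
2025-04-23T10:00:05 10.0.0.5 -> news.example
2025-04-23T10:00:06 10.0.0.5 -> news.example
2025-04-23T10:00:08 10.0.0.5 -> news.example
2025-04-23T10:00:50 10.0.0.5 -> news.example
2025-04-23T10:03:20 10.0.0.5 -> news.example
2025-04-23T10:03:21 10.0.0.5 -> news.example
2025-04-23T10:09:00 10.0.0.5 -> news.example
2025-04-23T10:09:02 10.0.0.5 -> news.example
2025-04-23T10:15:40 10.0.0.5 -> news.example
2025-04-23T10:00:00 10.0.0.7 -> mail.example
2025-04-23T10:01:00 10.0.0.7 -> mail.example
2025-04-23T10:02:00 10.0.0.7 -> mail.example
2025-04-23T10:03:00 10.0.0.7 -> mail.example
"""


def parse_log(text):
    """Group connection timestamps by (src, dst), each list sorted in time."""
    conns = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, _arrow, dst = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    return {key: sorted(times) for key, times in conns.items()}


def interval_stats(times):
    """Mean gap between consecutive connections (seconds) and its
    coefficient of variation (stdev / mean).  CV near 0 means a fixed
    sleep; jitter raises it; human activity pushes it well above 1."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    if m <= 0:
        return None
    return {"samples": len(gaps), "interval": m, "cv": pstdev(gaps) / m}


def find_beacons(text, min_samples=6, max_cv=0.2):
    """Return (src, dst, stats) for pairs with a near-constant callback
    cadence.  Thresholds are assumptions: a CV of 0.2 roughly admits a
    sleep with up to ~30% jitter, and min_samples guards against scoring
    a handful of coincidental connections."""
    hits = []
    for (src, dst), times in parse_log(text).items():
        stats = interval_stats(times)
        if stats and stats["samples"] >= min_samples and stats["cv"] <= max_cv:
            hits.append((src, dst, stats))
    return hits


if __name__ == "__main__":
    for src, dst, st in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: every {st['interval']:.1f}s "
              f"(cv={st['cv']:.3f}, n={st['samples']})")
```

Run as-is and only the `cdn-updates.example` pair is reported; `mail.example` is just as periodic but is held back by `min_samples`, which is the knob to relax when hunting over a longer window. Treat a hit as a triage lead, not a verdict: update checkers, telemetry agents and mail clients beacon too, and an operator who configures a long sleep or a large jitter in a Malleable C2 profile will starve the sample count or inflate the CV. Pair the cadence with the other indicators the report lists for BEACON (the destination’s reputation, the process making the connection, response sizes) before escalating.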
Other Key Findings
57% Learned of Internal Compromise Externally
The report revealed that, of all the organizations that fell prey to attack, most (57%) had to be told by an external party, and in 14% of cases that party was the adversary itself (a ransom note, for instance). Legitimate sources such as law enforcement and partners accounted for the remaining 43 percentage points. Last year the split was only slightly closer to even (54% external, 46% internal). Still, the share of organizations able to discover their own breaches is shrinking, and that is alarming.
This further emphasizes the need not only for detection and response tooling, but for offensive security techniques like red teaming that keep SOC teams sharp, so that when tell-tale indicators of compromise (IOCs) appear, someone in-house recognizes them first.
Exploits Are Gateway for 33% of All Attacks
The need for vulnerability management is underscored by the finding that exploits were the initial infection vector in a third (33%) of all intrusions in 2024. Next came stolen credentials at 16% and email phishing at 14%. The sad fact is that exploitation of a vulnerability was not only the top initial access vector this year but has been every year for the past five years. With over 40,000 CVEs published last year alone, a robust vulnerability management program that scans, prioritizes, patches and repeats on a regular cadence is essential.
Unsecured Databases Are an “Overlooked” Risk
Another point in the column of offensive security testing is that this year’s Mandiant report cites unsecured data repositories as a risk that doesn’t get the attention it deserves. The authors note that, in the effort to defend against sophisticated attacks, many organizations neglect security basics such as ensuring internal data repositories are encrypted and not left openly accessible.
Such an oversight happened at a staff management firm earlier this year and resulted in another “external notification,” fortunately from an ethical hacker. Again, proper defensive measures on the front end and an additional layer of offensive security on the back end help ensure that mistakes like these get caught internally before news of them gets published, or worse.
Conclusion
This latest Mandiant report draws attention to one overarching principle: threat actors are bringing their best to attack us, so we need to bring our best to defend. Cobalt Strike, in both its legitimate use and its misuse, is a prime example. The number of BEACON instances still out in the wild underscores the need for organizations to learn to defend against it in a safe environment, that is, a red team operation. The more familiar SOCs are with its capabilities and behaviour, the better they will be at repelling real-world attacks when the time comes.
Want to improve your offensive security stance?
Explore Fortra’s Offensive Security Product Bundles today.