The Stealth Intrusion: Hackers Bypass Detection by Logging In with Stolen Credentials
FortiGuard’s mid-year report for 2025 reveals that financially motivated attackers are increasingly eschewing complex exploits and bespoke malware. Rather than deploying heavy toolsets, they rely on legitimate accounts and authorized remote-access applications to slip quietly into corporate networks. This approach has proven not only cheaper and simpler, but markedly more effective — attacks that leverage stolen credentials are increasingly evading detection.
Analysts report that, in the first six months of the year, they investigated dozens of incidents across sectors — from manufacturing to finance and telecommunications. Their case reviews uncovered a recurring pattern: adversaries gain entry using stolen or purchased credentials, connect via VPN, and then traverse networks with remote administration tools such as AnyDesk, Atera, Splashtop and ScreenConnect. This tactic allows them to cloak their activity as routine administrator work and avoid arousing suspicion.
FortiGuard’s findings align with open-source trends: leaked password patterns observed publicly mirror those uncovered in corporate investigations. In essence, attackers no longer need to “break” systems in the traditional sense — they simply log in as legitimate users, using credentials that are typically harvested through phishing or sold by info-stealer services on underground marketplaces.
In one analyzed intrusion, the attackers used valid credentials to access the corporate VPN in the absence of multi-factor authentication, then extracted saved hypervisor passwords from the compromised user’s browser and encrypted virtual machines. In another case, the operator leveraged a stolen domain-administrator account to mass-deploy AnyDesk across the environment via RDP and Group Policy, enabling lateral movement and prolonged stealth. There were also episodes where adversaries exploited an old vulnerability on an external server, installed multiple remote-management tools, and created fake service accounts to move covertly and exfiltrate documents.
The analysis shows that credential theft remains among the cheapest and most accessible strategies. The price of access scales with company size and geography: for organizations with revenues exceeding one billion dollars in developed regions, access can command up to $20,000, whereas for small firms in developing markets it may cost only a few hundred dollars. Large-scale info-stealer campaigns supply a steady stream of fresh data, and the low barrier to entry makes such attacks attractive even to poorly resourced groups.
The principal advantage of this scheme is stealth. Adversary behavior is often indistinguishable from that of legitimate employees, especially when connections occur at customary hours and target familiar systems. Defenses that focus on malicious files and suspicious processes frequently fail to notice anomalies when the attack reduces to ordinary login operations and routine network activity. Moreover, when data is manually harvested via RDP interfaces or built-in RMM capabilities, it becomes difficult to trace which files were transferred — these actions often leave few overt network artifacts.
FortiGuard observes that these campaigns still commonly employ Mimikatz and its variants to extract credentials from memory, and that Zerologon continues to be used for privilege escalation. Occasionally, attackers resort to manual utilities such as GMER — often renamed to resemble system tools — to obscure traces of their presence.
FortiGuard stresses that defending against these threats requires a rethink of traditional practices. Relying solely on legacy EDRs that hunt for malicious code no longer ensures robust protection. A more effective posture centers on account security and behavioral analytics. Organizations should build baselines of normal activity and swiftly respond to deviations — for example, logins from unusual geolocations, concurrent connections to multiple servers, or activity outside normal working hours.
Special attention should be paid to multi-factor authentication — not only at the external perimeter but within the internal network. Even if an attacker acquires a password, requiring an additional verification step will slow their progress and create more opportunities for detection. It is also crucial to limit administrator privileges, prohibit the use of privileged accounts via VPN, and monitor administrative movement across infrastructure.
FortiGuard advises strict control over remote-administration tools. If such software is not required for business purposes, it should be blocked; any new installations or network connections associated with these tools must be monitored. Additionally, organizations should disable SSH, RDP and WinRM on systems where they are unnecessary and configure alerts for any reactivation of these services. Analysts believe these measures can unmask even covert attempts at lateral movement within a network.
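One way to turn the baseline-and-deviation approach and the remote-tool monitoring described above into concrete detection logic, as an added example that is not part of the report or any Fortinet product: it learns each user's usual login countries from a baseline period, then flags logins from a new country, logins outside working hours, bursts of RDP logins to several servers, and process starts of the RMM tools named in the text. The event schema, the working-hours range and the fan-out thresholds are assumptions, and the event sample is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of normalised login and process events (not from the report).
# Fields: ISO timestamp, user, event type, source country, target host, detail.
EVENTS = [
    ("2025-03-03T09:12:00", "jdoe", "vpn_login", "DE", "vpn-gw", ""),
    ("2025-03-03T10:04:00", "jdoe", "rdp_login", "DE", "fs01", ""),
    ("2025-03-05T02:41:00", "jdoe", "vpn_login", "BR", "vpn-gw", ""),
    ("2025-03-05T02:45:00", "jdoe", "rdp_login", "BR", "fs01", ""),
    ("2025-03-05T02:46:00", "jdoe", "rdp_login", "BR", "db02", ""),
    ("2025-03-05T02:47:00", "jdoe", "rdp_login", "BR", "hv01", ""),
    ("2025-03-05T02:50:00", "jdoe", "process_start", "BR", "fs01", "AnyDesk.exe"),
]
RMM_TOOLS = ("anydesk", "atera", "splashtop", "screenconnect")  # tools named in the report
WORK_HOURS = range(7, 20)                                       # assumed: 07:00-19:59
FAN_OUT_HOSTS, FAN_OUT_WINDOW = 3, timedelta(minutes=10)       # assumed thresholds

def build_baseline(events, cutoff):
    """Per-user set of source countries seen in logins before the cutoff datetime."""
    countries = defaultdict(set)
    for ts, user, kind, country, _host, _detail in events:
        if kind.endswith("_login") and datetime.fromisoformat(ts) < cutoff:
            countries[user].add(country)
    return countries

def detect(events, cutoff_iso):
    """Return (rule, user, timestamp, detail) alerts for events at or after the cutoff."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    baseline = build_baseline(events, cutoff)
    alerts, recent = [], defaultdict(list)      # recent: user -> [(time, host)] RDP logins
    for ts, user, kind, country, host, detail in events:
        when = datetime.fromisoformat(ts)
        if when < cutoff:
            continue
        if kind.endswith("_login"):
            if country not in baseline[user]:   # unknown user -> empty baseline -> alert
                alerts.append(("new_country", user, ts, country))
            if when.hour not in WORK_HOURS:
                alerts.append(("off_hours", user, ts, host))
        if kind == "rdp_login":                 # several servers reached in a short window
            recent[user] = [(t, h) for t, h in recent[user] if when - t <= FAN_OUT_WINDOW]
            recent[user].append((when, host))
            hosts = {h for _, h in recent[user]}
            if len(hosts) >= FAN_OUT_HOSTS:
                alerts.append(("server_fan_out", user, ts, ",".join(sorted(hosts))))
                recent[user] = []               # one alert per burst
        elif kind == "process_start" and any(t in detail.lower() for t in RMM_TOOLS):
            alerts.append(("rmm_tool_started", user, ts, detail))
    return alerts
```

Run against the constructed sample with a cutoff of 2025-03-05, the baseline holds only DE for jdoe, so the overnight logins from BR, the three-server RDP burst and the AnyDesk start are each reported.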
Report authors note a persistent defensive gap: attackers do not always “hack” — they often simply log in with legitimate user accounts. Consequently, authentication, access control and user-behavior analysis should become the cornerstones of defensive evolution. FortiGuard recommends solutions for continuous perimeter monitoring, event correlation in hybrid environments, and anomalous-activity detection. These tools enable organizations to surface subtle incidents, reduce attacker dwell time, and avert large-scale damage.
Researchers conclude that today’s most dangerous intrusions do not require novel malware. Attackers exploit existing technologies and trusted credentials, turning invisibility into their primary weapon. Companies that strengthen identity controls, remote-access governance and behavioral analytics will be far better positioned to reduce risk and detect such intrusions at an early stage.
Fortinet underscores that the semiannual analysis reaffirms a trend identified in 2024: the rise of incidents leveraging legitimate accounts and sanctioned administration tools continues. Despite heightened attention to artificial intelligence and new forms of cyberattack, these seemingly simple methods remain the criminals’ most reliable route into corporate networks.