Cybercriminals prefer remote tools over malware, says CrowdStrike


February 27, 2025



Remote takeover tools have overtaken controlled malware as the preferred method for cybercriminals, according to CrowdStrike, which says that threat actors are now eschewing installed malware payloads and opting for remote control tools that offer an instant payout.

“During 2024, adversaries matured faster than ever, innovating techniques and tools as well as finding creative solutions to circumvent modern defenses, all while staying laser-focused on their targets,” said the cybersecurity firm.

“Adversaries are streamlining their tactics, refining and scaling successful strategies, and learning from both their own and their colleagues’ mistakes and successes to conduct attacks with a business-oriented approach.”

A big factor in the pivot amongst cybercrooks was turnaround time. Rather than wait on the installation and execution of a malware payload, threat actors are opting to go with real-time monitoring tools such as remote administration programs.

This is particularly beneficial to hacking groups that seek to gather trade secrets and intelligence data rather than extort a ransomware payout. By getting a foothold via remote administration tools, the hackers are able to exfiltrate data quickly without leaving a footprint or recognizable malware payload.

“These shifting initial access methods are consistent with a larger trend identified in the CrowdStrike 2024 Threat Hunting Report: Rather than delivering malware, eCrime adversaries are increasingly leveraging legitimate remote management and monitoring (RMM) tools to access a victim’s system — and therefore making malware non-essential for successful operations,” CrowdStrike said in its report.

“Throughout 2024, eCrime actors frequently leveraged RMM tools in their campaigns.”

The CrowdStrike team noted that China has picked up its activity against Western organizations, focusing special attention toward companies in the U.S. and Europe that hold industrial and technical interest to Chinese manufacturers.

“Decades of government investment into China’s cyber workforce and programs have yielded matured capabilities and efficiencies as well as an increasing number of new, specialized China-nexus adversaries,” CrowdStrike said.

“In 2024, CrowdStrike graduated seven new China-nexus adversaries and observed a 150% increase in China-nexus activity across all sectors on average compared to 2023. Additionally, China-nexus adversaries increasingly prioritized operations security (OPSEC) and at-scale.”

The CrowdStrike team also noted the efforts of North Korean hacking crews. The security firm noted that North Korean intelligence teams continue to extort IT professionals for cryptocurrency transfers as a way to circumvent sanctions on conventional bank transfers.

“While DPRK adversaries have skillfully shifted their operations to support large-scale currency generation over the years, the specific tactics deployed in their 2024 operations — such as leveraging virtual interviews, allocating significant resources and staffing, and using laptop farms at scale — highlight the DPRK’s enterprising approach to computer network operations,” the researchers noted.


