Threat Actors TTPs You Need to Watch in 2025

News headlines are inundated with stories of companies falling victim to another ransomware attack or entire supply chains compromised by sophisticated breaches. And if you’ve ever been part of a vulnerability management program, you’ve likely spent hours combing through endless vulnerability reports.

But what’s really happening behind the scenes? Cybercriminals aren't just relying on outdated techniques. They're deploying constantly evolving tactics, techniques, and procedures (TTPs) to gain access, escalate privileges, and move laterally within networks. From cutting-edge identity-based attacks to stealthy API compromises, the cyber battlefield has grown more complex than ever.

At ApolloSec, we’ve seen it all—whether during penetration tests or through real-time threat intelligence monitoring. Some TTPs have been around for years, while others have surged in prominence recently. Based on our hands-on experience, we’ve highlighted five key TTPs that dominated in 2024 and are likely to persist in 2025.

Let’s dive into these attacks, how they work, and how you can detect and prevent them from wreaking havoc in your environment.

1. Non-Human Identity (NHI) Attacks

Imagine if someone stole your company’s master keys, not to access offices but to manipulate automated systems—like servers, APIs, or bots—without detection. NHI attacks target these "machine identities," granting attackers significant control over internal systems without requiring any human credentials.

NHI attacks focus on compromising non-human identities like service accounts, API tokens, and bots. These identities often have elevated permissions and lack the same level of monitoring as human users. Attackers use them to bypass traditional defenses, gain persistent access, and escalate privileges through lateral movement across interconnected services.

Detection:

  • Monitor machine-to-machine (M2M) communication baselines for unusual patterns.

  • Analyze API calls and service account activities for anomalies, such as access to critical resources not typically accessed.
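
The two detection bullets above amount to one rule: learn what each machine identity normally touches, then alert when it touches something else. The following added example (not ApolloSec's code; the service-account names, resources and audit events are constructed) builds that baseline from one window of API audit events and checks a later window against it, escalating severity when the new resource is an IAM or secrets endpoint:

```python
"""Baseline-deviation check for non-human identities (constructed example).

Each event is one API call made by a service account or token. The baseline
window teaches us which (resource, action) pairs each identity normally
performs; the review window is then checked against that baseline.
"""
from collections import defaultdict

# Constructed audit events: (identity, resource, action). In a real deployment
# these come from the cloud provider's or API gateway's audit log.
BASELINE_EVENTS = [
    ("svc-billing", "db:invoices", "read"),
    ("svc-billing", "db:invoices", "write"),
    ("svc-billing", "queue:payments", "publish"),
    ("ci-runner", "repo:web-app", "read"),
    ("ci-runner", "registry:web-app", "push"),
]

REVIEW_EVENTS = [
    ("svc-billing", "db:invoices", "read"),            # normal
    ("svc-billing", "db:hr-records", "read"),          # never seen before
    ("ci-runner", "registry:web-app", "push"),         # normal
    ("ci-runner", "iam:roles", "list"),                # never seen before, sensitive
    ("ci-runner", "secrets:prod-db-password", "get"),  # never seen before, sensitive
    ("svc-unknown", "db:invoices", "read"),            # identity with no baseline at all
]

# Resource prefixes that are critical in this constructed environment.
CRITICAL_PREFIXES = ("iam:", "secrets:")


def build_baseline(events):
    """Map each identity to the set of (resource, action) pairs it normally performs."""
    baseline = defaultdict(set)
    for identity, resource, action in events:
        baseline[identity].add((resource, action))
    return baseline


def find_nhi_anomalies(baseline_events, review_events, critical_prefixes=CRITICAL_PREFIXES):
    """Return (identity, resource, action, severity, reason) for every review event
    that falls outside the identity's baseline."""
    baseline = build_baseline(baseline_events)
    alerts = []
    for identity, resource, action in review_events:
        if identity not in baseline:
            # An identity with no history is either brand new or newly minted by an
            # attacker; either way a human should look at it.
            alerts.append((identity, resource, action, "high", "identity has no baseline"))
            continue
        if (resource, action) in baseline[identity]:
            continue
        severity = "high" if resource.startswith(critical_prefixes) else "medium"
        alerts.append((identity, resource, action, severity, "outside baseline"))
    return alerts


if __name__ == "__main__":
    for alert in find_nhi_anomalies(BASELINE_EVENTS, REVIEW_EVENTS):
        print(alert)
```

The baseline window should be long enough to cover periodic jobs (month-end billing runs, weekly builds), otherwise the rule fires on every scheduled task the first time it appears.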

Prevention:

  • Implement mutual TLS, token expiration policies, and proper API access controls.

  • Rotate service account credentials regularly and limit permissions to the minimum necessary.

2. Pass-the-Hash (PtH) Attacks

Think of this as a security badge that never expires. Even if attackers can't see your actual password, they can steal the digital version of it (a "hash") and use it to impersonate you without your knowledge. This allows them to move freely between systems in your network.

In a PtH attack, adversaries extract password hashes from compromised machines and use them to authenticate on other systems without cracking the hash. It exploits weaknesses in authentication protocols like NTLM. Attackers can use stolen hashes to perform lateral movement, escalating their privileges across multiple systems.

Detection:

  • Monitor authentication events for unusual patterns, such as repeated logins using the same hash across various machines.

  • Inspect network traffic for suspicious SMB and authentication requests that may indicate hash reuse.
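
No Windows log records the hash itself, so "repeated logins using the same hash" has to be inferred. The observable proxy is one account, from one source address, completing NTLM network logons (event 4624, LogonType 3) to many different hosts within a short window. The added example below (not ApolloSec's code; the hostnames, addresses and timestamps are constructed, and the field names are simplified from the 4624 schema) implements that sliding-window fan-out rule:

```python
"""Sliding-window detector for NTLM network-logon fan-out (constructed example).

A pass-the-hash session never appears as a 'hash' in a log. What is visible is
one account, from one source IP, authenticating with NTLM (event 4624,
LogonType 3) to many distinct hosts in a short time.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, SIEM-normalised Windows Security events. "Computer" is the host
# that wrote the event, i.e. the logon target; "IpAddress" is the logon source.
EVENTS = [
    {"time": "2025-01-14T09:00:05", "EventID": 4624, "LogonType": 3, "AuthPackage": "NTLM",
     "TargetUserName": "jdoe", "IpAddress": "10.0.5.23", "Computer": "FS01"},
    {"time": "2025-01-14T09:00:09", "EventID": 4624, "LogonType": 3, "AuthPackage": "NTLM",
     "TargetUserName": "jdoe", "IpAddress": "10.0.5.23", "Computer": "FS02"},
    {"time": "2025-01-14T09:00:14", "EventID": 4624, "LogonType": 3, "AuthPackage": "NTLM",
     "TargetUserName": "jdoe", "IpAddress": "10.0.5.23", "Computer": "SQL01"},
    {"time": "2025-01-14T09:00:20", "EventID": 4624, "LogonType": 3, "AuthPackage": "NTLM",
     "TargetUserName": "jdoe", "IpAddress": "10.0.5.23", "Computer": "DC01"},
    {"time": "2025-01-14T09:05:00", "EventID": 4624, "LogonType": 3, "AuthPackage": "NTLM",
     "TargetUserName": "jdoe", "IpAddress": "10.0.5.23", "Computer": "FS01"},   # repeat host
    {"time": "2025-01-14T09:30:00", "EventID": 4624, "LogonType": 3, "AuthPackage": "Kerberos",
     "TargetUserName": "asmith", "IpAddress": "10.0.7.40", "Computer": "FS01"},  # Kerberos, ignored
    {"time": "2025-01-14T10:00:00", "EventID": 4624, "LogonType": 2, "AuthPackage": "NTLM",
     "TargetUserName": "jdoe", "IpAddress": "10.0.5.23", "Computer": "WS-JDOE"}, # interactive, ignored
    {"time": "2025-01-14T11:00:00", "EventID": 4624, "LogonType": 3, "AuthPackage": "NTLM",
     "TargetUserName": "backup$", "IpAddress": "10.0.9.9", "Computer": "FS01"},  # machine account
    {"time": "2025-01-14T11:00:30", "EventID": 4624, "LogonType": 3, "AuthPackage": "NTLM",
     "TargetUserName": "backup$", "IpAddress": "10.0.9.9", "Computer": "FS02"},
]


def detect_ntlm_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """Return (user, source_ip, sorted_hosts) for every (user, source) pair that reached
    at least `min_hosts` distinct hosts via NTLM network logon inside `window`."""
    # Only NTLM network logons are relevant to hash reuse. Machine accounts ($) talk
    # to many hosts by design and are skipped here; that is a tuning choice.
    relevant = [
        e for e in events
        if e["EventID"] == 4624 and e["LogonType"] == 3
        and e["AuthPackage"].upper() == "NTLM"
        and not e["TargetUserName"].endswith("$")
    ]
    by_key = defaultdict(list)
    for e in relevant:
        by_key[(e["TargetUserName"], e["IpAddress"])].append(
            (datetime.fromisoformat(e["time"]), e["Computer"]))

    findings = []
    for (user, ip), logons in by_key.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {host for t, host in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                findings.append((user, ip, sorted(hosts)))
                break  # one finding per (user, source) is enough to raise an alert
    return findings


if __name__ == "__main__":
    for finding in detect_ntlm_fanout(EVENTS):
        print(finding)
```

Tune `min_hosts` and `window` against your own environment: helpdesk and scanning accounts legitimately fan out, and those belong on an allow-list rather than in a looser threshold for everyone.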

Prevention:

  • Disable NTLM and enforce Kerberos where possible.

  • Implement tools like Local Administrator Password Solution (LAPS) to manage local passwords dynamically.

3. Supply Chain Attacks

Imagine if your organization installed software updates from a trusted vendor, but those updates contained hidden malware that compromised your entire network. This is the essence of a supply chain attack—threat actors exploit vulnerabilities in third-party vendors to infiltrate their clients.

Supply chain attacks involve compromising a trusted third-party supplier, allowing attackers to deliver malicious code or hardware to their target organizations. This technique gives attackers indirect access, often bypassing perimeter defenses. These attacks are especially dangerous because they exploit inherent trust in vendor products and services.

Detection:

  • Monitor for unexpected system behaviors, such as new processes or changes in network traffic after software updates.

  • Conduct regular security audits of third-party products and services.

Prevention:

  • Implement strict supply chain security policies, including vendor risk assessments.

  • Maintain an inventory of all assets to quickly identify compromised components.

  • Apply security patches promptly and verify the integrity of software updates.
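
"Verify the integrity of software updates" only helps if the expected digests come from a channel the attacker could not alter with the same compromise that planted the update (a signed manifest, a value pinned in your own configuration, a hash published separately from the download). The added example below (not ApolloSec's code or any vendor's tooling; the file names, contents and manifest are constructed) checks a downloaded update directory against such a manifest and reports the four outcomes a reviewer cares about: matching files, tampered files, files the manifest expects but that are missing, and extra files the manifest never mentioned:

```python
"""Verify a downloaded update against an out-of-band manifest (constructed example)."""
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_update_dir(update_dir, manifest):
    """Compare every file in update_dir with the manifest (name -> expected SHA-256 hex).

    Returns a dict with four lists: 'ok', 'mismatch' (present but wrong digest, the
    classic tampered-installer case), 'missing' (in the manifest, not on disk) and
    'unexpected' (on disk, not in the manifest; an extra dropped file is a red flag).
    """
    result = {"ok": [], "mismatch": [], "missing": [], "unexpected": []}
    on_disk = set(os.listdir(update_dir))
    for name, expected in manifest.items():
        if name not in on_disk:
            result["missing"].append(name)
            continue
        actual = sha256_file(os.path.join(update_dir, name))
        # compare_digest keeps the comparison itself constant-time.
        if hmac.compare_digest(actual, expected):
            result["ok"].append(name)
        else:
            result["mismatch"].append(name)
    result["unexpected"] = sorted(on_disk - set(manifest))
    return result


def demo():
    """Build a constructed update directory with one clean file, one tampered file,
    one extra file and one missing file, then verify it against the manifest."""
    clean_agent = b"legitimate agent binary v2.4.1\n"
    clean_updater = b"legitimate updater\n"
    # The manifest stands in for digests obtained from a signed, separate source.
    manifest = {
        "agent.bin": hashlib.sha256(clean_agent).hexdigest(),
        "updater.bin": hashlib.sha256(clean_updater).hexdigest(),
        "README.txt": hashlib.sha256(b"release notes\n").hexdigest(),
    }
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "agent.bin"), "wb") as f:
            f.write(clean_agent)
        with open(os.path.join(d, "updater.bin"), "wb") as f:
            f.write(clean_updater + b"extra bytes appended\n")  # tampered
        with open(os.path.join(d, "helper.dll"), "wb") as f:
            f.write(b"not in manifest\n")  # extra file
        # README.txt is deliberately not written, so it shows up as missing.
        return verify_update_dir(d, manifest)


if __name__ == "__main__":
    print(demo())
```

Anything other than an empty `mismatch`, `missing` and `unexpected` should stop the rollout; a manifest delivered over the same channel as the update, with no signature, only proves the download was not corrupted in transit.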

4. Golden SAML Attack

Imagine an attacker forging a digital "passport" that gives them access to all of your cloud services, even without a username or password. With this attack, adversaries can impersonate any user and maintain access indefinitely.

In a Golden SAML attack, attackers exploit identity and access management systems by creating forged Security Assertion Markup Language (SAML) tokens. After gaining control of the identity provider (IdP), attackers can authenticate to any SAML-based service as any user, bypassing normal security protocols.

Detection:

  • Monitor authentication logs for anomalies, such as multiple logins from geographically dispersed locations using the same token.

  • Analyze token issuance events for discrepancies, such as tokens issued without corresponding login activities.
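
Both detection bullets are correlation rules across two logs: the identity provider's sign-in log and the service provider's record of accepted assertions. The added example below (not ApolloSec's code; users, assertion IDs, timestamps and countries are constructed) implements them, plus one indicator the post does not list but that follows from the same logic: a forged assertion can carry any validity period its author chooses, so a lifetime far beyond the IdP's configured maximum is itself suspicious:

```python
"""Golden SAML indicators from IdP and SP logs (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IdP sign-in log: interactive authentications (password and/or MFA).
IDP_AUTH = [
    {"user": "alice", "time": "2025-01-14T08:00:00"},
    {"user": "bob",   "time": "2025-01-14T08:10:00"},
]

# Constructed service-provider log: every assertion the SP accepted, with the
# assertion's own IssueInstant / NotOnOrAfter values and the client's country.
SP_ASSERTIONS = [
    {"id": "_a1", "user": "alice", "time": "2025-01-14T08:00:05", "country": "DE",
     "issued": "2025-01-14T08:00:01", "expires": "2025-01-14T08:05:01"},
    {"id": "_b1", "user": "bob", "time": "2025-01-14T08:10:03", "country": "DE",
     "issued": "2025-01-14T08:10:01", "expires": "2025-01-14T08:15:01"},
    # 'admin' never authenticated at the IdP, yet the SP accepted an assertion for
    # them, valid for a year and presented from two countries within minutes.
    {"id": "_x9", "user": "admin", "time": "2025-01-14T09:00:00", "country": "DE",
     "issued": "2025-01-14T08:59:00", "expires": "2026-01-14T08:59:00"},
    {"id": "_x9", "user": "admin", "time": "2025-01-14T09:03:00", "country": "BR",
     "issued": "2025-01-14T08:59:00", "expires": "2026-01-14T08:59:00"},
]


def _t(s):
    return datetime.fromisoformat(s)


def find_golden_saml_indicators(idp_auth, sp_assertions,
                                auth_window=timedelta(minutes=15),
                                max_lifetime=timedelta(hours=1)):
    """Return (assertion_id, reason) pairs, at most once per indicator per assertion."""
    auths = defaultdict(list)
    for a in idp_auth:
        auths[a["user"]].append(_t(a["time"]))

    alerts = []
    flagged = set()
    countries = defaultdict(set)

    def raise_once(aid, reason):
        if (aid, reason) not in flagged:
            flagged.add((aid, reason))
            alerts.append((aid, reason))

    for s in sp_assertions:
        issued = _t(s["issued"])
        # 1. No IdP authentication for this user shortly before the assertion's
        #    IssueInstant: the token was not produced by a real sign-in.
        preceded = any(timedelta(0) <= issued - t <= auth_window
                       for t in auths.get(s["user"], []))
        if not preceded:
            raise_once(s["id"], "no IdP authentication preceding assertion")
        # 2. Validity far beyond what the IdP is configured to issue.
        if _t(s["expires"]) - issued > max_lifetime:
            raise_once(s["id"], "assertion lifetime exceeds policy")
        countries[s["id"]].add(s["country"])

    # 3. The same assertion presented from more than one country.
    for aid, cs in countries.items():
        if len(cs) > 1:
            raise_once(aid, "same assertion used from multiple countries")
    return alerts


if __name__ == "__main__":
    for alert in find_golden_saml_indicators(IDP_AUTH, SP_ASSERTIONS):
        print(alert)
```

Legitimate SSO reissues assertions from an existing IdP session without a fresh password prompt, so `auth_window` has to cover the IdP session lifetime, or rule 1 should be fed the IdP's own token-issuance log rather than its interactive sign-in log.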

Prevention:

  • Secure identity providers with strong access controls, regular patching, and security monitoring.

  • Enforce multi-factor authentication (MFA) for all users and critical systems.

  • Implement strict auditing for access to IdP configuration and certificate management.

5. Compromised Remote Work Credentials

In a world where remote work is commonplace, attackers target employees' remote access credentials to infiltrate corporate networks. These credentials may be stolen through phishing, data breaches, or brute-force attacks on weak passwords.

Remote work infrastructures like VPNs, cloud services, and virtual desktops rely heavily on user credentials. Attackers use techniques such as credential stuffing—where stolen credentials from one breach are used to access multiple accounts—or brute force to compromise these remote systems.

Detection:

  • Analyze remote access logs for anomalies, such as access from unusual locations, devices, or time zones.

  • Implement behavioral analysis to detect deviations from normal login patterns.
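
Credential stuffing and an account that has just been taken over look different in the same remote-access log: the first is one source address cycling through many usernames, the second is a success from a country or device the user has never used. The added example below (not ApolloSec's code; the log line format, addresses, users and countries are constructed) parses a small VPN log, raises both kinds of alert, and then cross-references them to show which account succeeded from a source that was stuffing credentials:

```python
"""Remote-access log analysis: credential stuffing and unusual geography (constructed)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN gateway log lines; the key=value layout is made up for the example.
LOG_LINES = """\
2025-01-14T22:00:01 vpn-gw auth user=alice src=203.0.113.10 geo=DE result=FAIL
2025-01-14T22:00:02 vpn-gw auth user=bob src=203.0.113.10 geo=DE result=FAIL
2025-01-14T22:00:02 vpn-gw auth user=carol src=203.0.113.10 geo=DE result=FAIL
2025-01-14T22:00:03 vpn-gw auth user=dave src=203.0.113.10 geo=DE result=FAIL
2025-01-14T22:00:04 vpn-gw auth user=erin src=203.0.113.10 geo=DE result=FAIL
2025-01-14T22:00:05 vpn-gw auth user=frank src=203.0.113.10 geo=DE result=OK
2025-01-14T08:15:00 vpn-gw auth user=alice src=198.51.100.7 geo=DE result=OK
2025-01-14T08:20:00 vpn-gw auth user=alice src=198.51.100.7 geo=DE result=FAIL
2025-01-14T08:20:10 vpn-gw auth user=alice src=198.51.100.7 geo=DE result=OK
2025-01-14T03:40:00 vpn-gw auth user=gina src=192.0.2.200 geo=VN result=OK
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) \S+ auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"geo=(?P<geo>\S+) result=(?P<result>\S+)$"
)

# Constructed per-user baseline of countries seen in the last 90 days.
KNOWN_GEO = {"alice": {"DE"}, "gina": {"DE", "AT"}, "frank": {"DE"}}


def parse(lines):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["time"] = datetime.fromisoformat(d["time"])
            events.append(d)
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """One source failing against many distinct usernames inside `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_src[e["src"]].append((e["time"], e["user"]))
    alerts = []
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(users) >= min_users:
                alerts.append((src, len(users)))
                break
    return alerts


def detect_unusual_geo(events, known_geo):
    """Successful login from a country the user has never logged in from."""
    return [(e["user"], e["geo"], e["src"]) for e in events
            if e["result"] == "OK" and e["geo"] not in known_geo.get(e["user"], set())]


def successes_from_stuffing_sources(events, stuffing_alerts):
    """Accounts that logged in successfully from a source flagged for stuffing:
    these are the accounts most likely to be using a password from a breach dump."""
    flagged = {src for src, _ in stuffing_alerts}
    return [(e["user"], e["src"]) for e in events
            if e["result"] == "OK" and e["src"] in flagged]


if __name__ == "__main__":
    evs = parse(LOG_LINES)
    stuffing = detect_credential_stuffing(evs)
    print("stuffing:", stuffing)
    print("unusual geo:", detect_unusual_geo(evs, KNOWN_GEO))
    print("likely compromised:", successes_from_stuffing_sources(evs, stuffing))
```

The third function is where the response starts: a success from a stuffing source means that password is already in an attacker's list, so the account needs a reset and an MFA check regardless of whether the source is blocked.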

Prevention:

  • Enforce MFA for all remote access points to add an extra security layer.

  • Require strong, unique passwords for each system and prevent password reuse.

Final Thoughts

The TTPs we've explored—whether targeting human identities, machine accounts, or exploiting trusted supply chains—highlight just how creative and relentless attackers will continue to be in 2025. Cybercriminals aren't sticking to a single approach; they're adapting, blending older techniques with emerging vulnerabilities to bypass defenses and maximize damage.

Organizations must take a proactive approach, investing in strategies that don’t just react to threats but anticipate them. This means improving both the basics and the advanced—tightening identity and access controls, continuously monitoring for suspicious behavior, and collaborating with security partners to test and refine defenses.

At ApolloSec, we’ve seen firsthand that businesses with robust detection and prevention measures are far more resilient to evolving threats. By staying ahead of these tactics, improving visibility across your attack surface, and educating your workforce, you can prevent the next headline from being about your company. The key is continuous testing, vigilance, and preparation—because threat actors certainly aren’t slowing down.

Get in touch today for a free quote on how we can help.
