
M-Trends 2025: TLCTC Analysis

A cause-based analysis of Mandiant's M-Trends 2025 Report, reframed through the 10 TLCTC clusters to reveal root causes rather than just outcomes.

Bernhard Kreinz
TLCTC v2.0 FRAMEWORK ANALYSIS

M-Trends 2025

Cause-based threat classification analysis of Mandiant's 2024 incident response investigations. The title "M-Trends" implies Data Risk Events (outcomes) at its center—this analysis identifies the cyber component (causal threat clusters).

- 33%: Exploiting Server (#2), 5th consecutive year as top vector
- 16%: Use of Stolen Credentials (#4), up from 10% (2023)
- 632: New Malware Families (#7), 5,500+ total tracked
- 11d: Median Dwell Time, first increase since 2010

[Chart: TLCTC Cluster Threat Intensity (score based on mention frequency and operational significance in M-Trends 2025)]

[Chart: Cluster Prevalence Ranking]

[Chart: Cluster Evidence from M-Trends Report]

[Chart: Threat Actor Motivation Distribution: Financial 55%, Esp (label truncated, value not captured), Unknown 35%. Based on 302 threat groups observed in investigations (737 newly tracked)]

[Chart: Top 5 Targeted Industries]

[Chart: TLCTC Attack Velocity Classes]

[Chart: Initial Infection Vectors (TLCTC Mapped)]

[Chart: Detection Sources]

Ransomware Operations (#7)

- 21%: Ransomware-Related Intrusions, down from 23% (2023)
- 37%: Data Theft Observed, in all investigations
- 6%: Multifaceted Extortion, data theft + encryption
- 5d: Ransomware Dwell Time, adversary notification median

[Chart: Top MITRE ATT&CK Techniques]

Detailed Strategic Analysis

This section provides a deconstructed analysis of attack scenarios and methodologies derived from M-Trends 2025, mapped to TLCTC cause-based classification.

1. Executive Summary: The Data Risk Event Lens

M-Trends 2025 reports on outcomes (Ransomware Trends, Data Breaches, Dwell Times). Following TLCTC Axiom III ("Threats are on the cause side; outcomes and events are not threats"), we reframe these findings to focus on root causes—the specific generic vulnerabilities leveraged.

Critical Finding: Three clusters dominate 2024's threat landscape: #2 Exploiting Server (33% of initial infections), #4 Identity Theft (16%, overtaking phishing), and #7 Malware (632 new families). The shift from #9 Social Engineering to #4 Identity Theft signals a maturation of credential-based attacks.

2. Expanded Attack Path Analysis

Below are the precise sequences of clusters forming the complex threats described in M-Trends 2025.

A. Edge Device Exploitation Chain

The dominant initial vector (33%) exploiting perimeter security devices—VPNs, firewalls, and security appliances.

TLCTC Notation: #2 →[Δt=VC-4] #7 →[Δt=VC-3] #4 →[Δt=VC-2] #1

```mermaid
graph LR
    A["#2 Exploiting Server<br/>CVE-2024-3400 PAN-OS"] -->|VC-4| B["#7 Malware<br/>Backdoor/Web Shell"]
    B -->|VC-3| C["#4 Identity Theft<br/>Credential Harvesting"]
    C -->|VC-2| D["#1 Abuse of Functions<br/>Lateral Movement"]
    style A fill:#f97316,stroke:#ea580c,color:white
    style B fill:#3b82f6,stroke:#2563eb,color:white
    style C fill:#84cc16,stroke:#65a30d,color:white
    style D fill:#ef4444,stroke:#dc2626,color:white
```

B. Infostealer-to-Cloud Attack

Long-dwell credential attacks exploiting infostealer-harvested credentials, exemplified by UNC5537's Snowflake campaign.

TLCTC Notation: #7 →[Δt=VC-1] #4 →[Δt=VC-2] #1

```mermaid
graph LR
    A["#7 Malware<br/>Infostealer (VIDAR, RACCOON)"] -->|VC-1 Weeks/Months| B["#4 Identity Theft<br/>Credential Reuse"]
    B -->|VC-2| C["#1 Abuse of Functions<br/>Cloud Data Exfiltration"]
    style A fill:#3b82f6,stroke:#2563eb,color:white
    style B fill:#84cc16,stroke:#65a30d,color:white
    style C fill:#ef4444,stroke:#dc2626,color:white
```

C. DPRK IT Worker Infiltration

A novel attack combining social engineering with physical access—false identity employment as an attack vector.

TLCTC Notation: #9 →[Δt=VC-1] #8 →[Δt=VC-1] #4 →[Δt=VC-2] #1

```mermaid
graph LR
    A["#9 Social Engineering<br/>False Identity/Resume"] -->|VC-1| B["#8 Physical Attack<br/>Laptop Farm Access"]
    B -->|VC-1| C["#4 Identity Theft<br/>Legitimate Credentials"]
    C -->|VC-2| D["#1 Abuse of Functions<br/>Data Theft/Extortion"]
    style A fill:#a855f7,stroke:#9333ea,color:white
    style B fill:#6366f1,stroke:#4f46e5,color:white
    style C fill:#84cc16,stroke:#65a30d,color:white
    style D fill:#ef4444,stroke:#dc2626,color:white
```

D. Ransomware Ecosystem Path

The complete ransomware attack chain from initial access to impact, featuring parallel data theft and encryption.

TLCTC Notation: #9 →[Δt=VC-3] #4 →[Δt=VC-3] #7 →[Δt=VC-2] (#1 + #7)

```mermaid
graph LR
    A["#9 Social Engineering<br/>Phishing/Vishing"] -->|VC-3| B["#4 Identity Theft<br/>Credential Theft"]
    B -->|VC-3| C["#7 Malware<br/>Loader Deployment"]
    C -->|VC-2| D["#1 + #7<br/>Exfil + Ransomware"]
    style A fill:#a855f7,stroke:#9333ea,color:white
    style B fill:#84cc16,stroke:#65a30d,color:white
    style C fill:#3b82f6,stroke:#2563eb,color:white
    style D fill:#dc2626,stroke:#b91c1c,color:white
```

3. Key Threat Actor TLCTC Profiles

| Actor / Group | Primary Objective | TLCTC Attack Pattern | Key Insight |
|---|---|---|---|
| UNC5267 (DPRK IT Workers) | Regime Funding | #9 → #8 → #4 → #1 | $6.8M+ from 300+ US companies; 72% use Astrill VPN |
| UNC5537 (Snowflake) | Financial (Data Theft) | #7 → #4 → #1 | Credentials from infostealers dating to Nov 2020 |
| UNC5221 (Ivanti) | Espionage (China) | #2 → #7 → #4 | Chained CVE-2023-46805 + CVE-2024-21887 |
| APT44 (Sandworm) | Disruption (Russia) | #10 → #7 → #1 | Trojanized installers via torrents |
| UNC3944 (Scattered Spider) | Financial (Ransomware) | #9 → #4 → #7 | SMS/voice phishing to ALPHV deployment |

4. Strategic TLCTC Insights

Cluster Concentration: Three clusters (#2, #4, #7) account for the majority of threat activity, suggesting focused control investment opportunities.
Identity as Pivot Point: #4 Identity Theft increasingly serves as the critical transition point between initial access and impact phases.
Velocity Patterns: Edge exploitation (#2) operates at VC-4 (real-time), while infostealer campaigns (#7→#4) demonstrate VC-1 (extended) timelines.
Underrepresented Clusters: #5 MITM and #6 Flooding show minimal activity, indicating current threat actor preferences favor discrete access over disruption.