Radware Report Reveals Shifting Attack Vectors in Credential Stuffing Campaigns
Radware (NASDAQ: RDWR) has released a comprehensive research report revealing significant changes in credential stuffing attack patterns. The study analyzed 100 advanced credential stuffing configurations from the SilverBullet tool, highlighting a shift from simple password-spraying to sophisticated multi-stage attacks.
Key findings show that 94% of configurations use four or more business logic attack elements, while 83% implement API-targeting techniques. The technology/SaaS sector is the primary target (27%), with AI tools accounting for 44% of all technology targets. Notably, 51% of the analyzed configurations were created by just three advanced threat actors, each with over two years of specialized experience.
- Demonstrates Radware's leadership and expertise in cybersecurity research
- Provides valuable intelligence about emerging cyber threats
- Positions the company as a thought leader in application security
- Reveals increasing sophistication of cyber threats that could challenge Radware's security solutions
- Highlights potential vulnerabilities in current security approaches
Insights
Radware's research reveals sophisticated evolution in credential stuffing attacks, strengthening their position as thought leaders in application security.
Radware's new research report reveals a significant shift in the credential stuffing attack landscape that has profound implications for cybersecurity approaches. 94% of examined attack configurations now implement multiple business logic attack elements, with over half demonstrating advanced orchestration using 13+ distinct techniques. This marks a critical evolution from simple password-spraying to sophisticated multi-stage infiltration techniques.
The research identifies three key attack methodologies: business logic manipulation, API exploitation (present in 83% of configurations), and multi-device spoofing that transitions between different operating systems. These tactics effectively bypass traditional security measures that focus primarily on credential verification.
What makes this research particularly valuable is its identification of high-priority targets. Technology/SaaS emerged as the primary target (27%), with financial services/government (16%) and travel/airline sectors (13%) following. The concentration on AI tools (44% of technology targets) and corporate systems like Microsoft 365 (30%) signals that attackers are strategically pursuing high-value assets with potential for both financial gain and organizational access.
The revelation that 51% of analyzed configurations originated from just three threat actors demonstrates the specialized nature of this threat landscape. Each actor has over two years of operational experience in specific exploitation areas, highlighting the professionalization of the credential stuffing ecosystem.
For Radware, this research positions them as thought leaders in application security, showcasing their deep threat intelligence capabilities while simultaneously highlighting the need for their security solutions that can detect these advanced attack patterns.
MAHWAH, N.J., July 31, 2025 (GLOBE NEWSWIRE) -- Radware® (NASDAQ: RDWR), a global leader in application security and delivery solutions for multi-cloud environments, today released a new research report—The Invisible Breach: Business Logic Manipulation and API Exploitation in Credential Stuffing Attacks. The report reveals a paradigm shift in credential stuffing attacks. It underscores a fundamental transformation from volume-based attacks leveraging a series of repeated password attempts to sophisticated, multi-stage infiltration techniques.
“To bypass traditional defenses, modern credential stuffing attacks are shifting away from traditional password-spraying techniques in favor of business logic manipulation, cross-platform device spoofing, and strategic API exploitation,” said Arik Atar, senior cyber threat intelligence researcher at Radware. “The message for defending organizations is clear. To match this new reality, they must move beyond credential-centric controls to adopt security strategies that validate entire user journeys, correlate cross-request behavior, and detect suspicious patterns in business logic flows.”
Radware’s research examined 100 advanced credential stuffing configurations deployed through a well-known account takeover tool called SilverBullet.
Advanced attack methodologies
- Business logic attacks: 94% of configurations implement four or more business logic attack elements, with 54% demonstrating advanced orchestration, using 13+ distinct techniques.
- API exploitation: 83% of configurations contain explicit API-targeting techniques.
- Multi-device spoofing: 24% of attack scripts alternate between two device types during execution, with 71% employing cross-platform transitions, primarily between iOS and Windows.
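The cross-request correlation the release calls for, applied on the defender side to the multi-device spoofing finding above; this is an added example, not code from Radware's report. It assumes the device type is visible in the User-Agent header and that the requests of one login flow share a journey key (session cookie or flow id); the field names, endpoints and sample events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the report): timestamp, journey key, endpoint, User-Agent.
SAMPLE_EVENTS = [
    ("2025-07-31T10:00:00", "flow-a", "/login", "Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15"),
    ("2025-07-31T10:00:02", "flow-a", "/api/v1/token", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"),
    ("2025-07-31T10:00:03", "flow-a", "/api/v1/profile", "Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15"),
    ("2025-07-31T10:01:00", "flow-b", "/login", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"),
    ("2025-07-31T10:01:04", "flow-b", "/api/v1/token", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"),
    # Same account key seen hours apart on two devices: ordinary behaviour, must not be flagged.
    ("2025-07-31T09:00:00", "flow-c", "/login", "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36"),
    ("2025-07-31T11:30:00", "flow-c", "/login", "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/605.1.15"),
]

# Order matters: Android User-Agents also contain "Linux".
PLATFORM_RULES = [
    ("ios", re.compile(r"iPhone|iPad|iPod")),
    ("android", re.compile(r"Android")),
    ("windows", re.compile(r"Windows NT")),
    ("macos", re.compile(r"Macintosh")),
    ("linux", re.compile(r"Linux")),
]

def platform_of(user_agent):
    """Map a User-Agent string to a coarse platform family."""
    for name, pattern in PLATFORM_RULES:
        if pattern.search(user_agent):
            return name
    return "unknown"

def find_platform_switches(events, window=timedelta(minutes=5)):
    """Return {journey: [(time, from, to, endpoint), ...]} for platform changes inside `window`."""
    by_journey = defaultdict(list)
    for ts, journey, endpoint, ua in events:
        by_journey[journey].append((datetime.fromisoformat(ts), endpoint, platform_of(ua)))
    findings = {}
    for journey, rows in by_journey.items():
        rows.sort()  # chronological order within the journey
        switches = []
        for (t0, _, p0), (t1, ep1, p1) in zip(rows, rows[1:]):
            # A real device does not change OS family between consecutive requests seconds apart.
            if p0 != p1 and "unknown" not in (p0, p1) and t1 - t0 <= window:
                switches.append((t1.isoformat(), p0, p1, ep1))
        if switches:
            findings[journey] = switches
    return findings

if __name__ == "__main__":
    for journey, switches in find_platform_switches(SAMPLE_EVENTS).items():
        print(journey, switches)
```

The time window is what separates a platform flip inside one flow from a user who legitimately signs in from two devices hours apart; tune it to the length of your own login journey.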
Primary targets
- Industries: Technology/SaaS emerged as the primary target sector (27%), followed by financial services/government (16%), and the travel/airline (13%) sectors.
- Online tools: There is a significant shift toward high-value AI tools (44% of all technology targets), potentially exploited by spammers who engage in account cracking to create large-scale phishing content. In addition, corporate tools (30%), including Microsoft 365, OneDrive, and Outlook, are likely targets for ransomware groups pursuing initial access to organizational systems.
Centralized threat landscape
- Concentration: 51% of the analyzed configurations, randomly collected over six months, were written by just three advanced threat actors: SVBCONFIGSMAKER, t.me/mrcombo1services, and @Magic_Ckg.
- Specialization: Each threat actor had over two years of operational experience in distinct areas of specialization, including AI platform authentication bypass, mobile API exploitation, and Microsoft cloud services.
Radware’s complete report—The Invisible Breach: Business Logic Manipulation and API Exploitation in Credential Stuffing Attacks—can be downloaded here.
The research methodology was based on an analysis of 100 SilverBullet credential stuffing attack scripts to identify emerging trends, techniques, and tactics in modern account takeover (ATO) campaigns. The scripts were collected from Telegram channels of threat actors and published between December 2024 and May 2025.
About Radware
Radware® (NASDAQ: RDWR) is a global leader in application security and delivery solutions for multi-cloud environments. The company’s cloud application, infrastructure, and API security solutions use AI-driven algorithms for precise, hands-free, real-time protection from the most sophisticated web, application, and DDoS attacks, API abuse, and bad bots. Enterprises and carriers worldwide rely on Radware’s solutions to address evolving cybersecurity challenges and protect their brands and business operations while reducing costs. For more information, please visit the Radware website.
Radware encourages you to join our community and follow us on: Facebook, LinkedIn, Radware Blog, X, and YouTube.
©2025 Radware Ltd. All rights reserved. Any Radware products and solutions mentioned in this press release are protected by trademarks, patents, and pending patent applications of Radware in the U.S. and other countries. For more details, please see: https://www.radware.com/LegalNotice/. All other trademarks and names are property of their respective owners.
THIS PRESS RELEASE AND RADWARE’S THE INVISIBLE BREACH: BUSINESS LOGIC MANIPULATION AND API EXPLOITATION IN CREDENTIAL STUFFING ATTACKS REPORT ARE PROVIDED FOR INFORMATIONAL PURPOSES ONLY. THESE MATERIALS ARE NOT INTENDED TO BE AN INDICATOR OF RADWARE'S BUSINESS PERFORMANCE OR OPERATING RESULTS FOR ANY PRIOR, CURRENT, OR FUTURE PERIOD.
Radware believes the information in this document is accurate in all material respects as of its publication date. However, the information is provided without any express, statutory, or implied warranties and is subject to change without notice.
The contents of any website or hyperlinks mentioned in this press release are for informational purposes and the contents thereof are not part of this press release.
Safe Harbor Statement
This press release includes “forward-looking statements” within the meaning of the Private Securities Litigation Reform Act of 1995. Any statements made herein that are not statements of historical fact, including statements about Radware’s plans, outlook, beliefs, or opinions, are forward-looking statements. Generally, forward-looking statements may be identified by words such as “believes,” “expects,” “anticipates,” “intends,” “estimates,” “plans,” and similar expressions or future or conditional verbs such as “will,” “should,” “would,” “may,” and “could.” For example, when we say in this press release that to match this new reality, organizations must move beyond credential-centric controls to adopt security strategies that validate entire user journeys, correlate cross-request behavior, and detect suspicious patterns in business logic flows, we are using forward-looking statements. Because such statements deal with future events, they are subject to various risks and uncertainties, and actual results, expressed or implied by such forward-looking statements, could differ materially from Radware’s current forecasts and estimates. 
Factors that could cause or contribute to such differences include, but are not limited to: the impact of global economic conditions, including as a result of the state of war declared in Israel in October 2023 and instability in the Middle East, the war in Ukraine, tensions between China and Taiwan, financial and credit market fluctuations (including elevated interest rates), impacts from tariffs or other trade restrictions, inflation, and the potential for regional or global recessions; our dependence on independent distributors to sell our products; our ability to manage our anticipated growth effectively; our business may be affected by sanctions, export controls, and similar measures, targeting Russia and other countries and territories, as well as other responses to Russia’s military conflict in Ukraine, including indefinite suspension of operations in Russia and dealings with Russian entities by many multi-national businesses across a variety of industries; the ability of vendors to provide our hardware platforms and components for the manufacture of our products; our ability to attract, train, and retain highly qualified personnel; intense competition in the market for cybersecurity and application delivery solutions and in our industry in general, and changes in the competitive landscape; our ability to develop new solutions and enhance existing solutions; the impact to our reputation and business in the event of real or perceived shortcomings, defects, or vulnerabilities in our solutions, if our end-users experience security breaches, or if our information technology systems and data, or those of our service providers and other contractors, are compromised by cyber-attackers or other malicious actors or by a critical system failure; our use of AI technologies that present regulatory, litigation, and reputational risks; risks related to the fact that our products must interoperate with operating systems, software applications and hardware that are 
developed by others; outages, interruptions, or delays in hosting services; the risks associated with our global operations, such as difficulties and costs of staffing and managing foreign operations, compliance costs arising from host country laws or regulations, partial or total expropriation, export duties and quotas, local tax exposure, economic or political instability, including as a result of insurrection, war, natural disasters, and major environmental, climate, or public health concerns; our net losses in the past and the possibility that we may incur losses in the future; a slowdown in the growth of the cybersecurity and application delivery solutions market or in the development of the market for our cloud-based solutions; long sales cycles for our solutions; risks and uncertainties relating to acquisitions or other investments; risks associated with doing business in countries with a history of corruption or with foreign governments; changes in foreign currency exchange rates; risks associated with undetected defects or errors in our products; our ability to protect our proprietary technology; intellectual property infringement claims made by third parties; laws, regulations, and industry standards affecting our business; compliance with open source and third-party licenses; complications with the design or implementation of our new enterprise resource planning (“ERP”) system; our reliance on information technology systems; our ESG disclosures and initiatives; and other factors and risks over which we may have little or no control. This list is intended to identify only certain of the principal factors that could cause actual results to differ. For a more detailed description of the risks and uncertainties affecting Radware, refer to Radware’s Annual Report on Form 20-F, filed with the Securities and Exchange Commission (SEC), and the other risk factors discussed from time to time by Radware in reports filed with, or furnished to, the SEC. 
Forward-looking statements speak only as of the date on which they are made and, except as required by applicable law, Radware undertakes no commitment to revise or update any forward-looking statement in order to reflect events or circumstances after the date any such statement is made. Radware’s public filings are available from the SEC’s website at www.sec.gov or may be obtained on Radware’s website at www.radware.com.
