Ransomware containment

Modern Trojan Horse: How Attackers Live Off the Land and How to Stop Them

Odysseus didn’t breach Troy with brute force.

He infiltrated the city from the inside — hidden inside a wooden horse the Trojans thought was a gift. That night, his forces emerged and took the city from within.

It was the perfect deception: use what’s trusted, give no warnings — just strategy, patience, and knowledge of the enemy’s blind spots.

Today’s most advanced cyberattacks follow the same playbook. Attackers exploit the native tools already inside your systems. They move quietly and stay hidden. Like Odysseus, they use what’s trusted to break through undetected.

The Wooden Horse, painted by a Florentine artist, Biagio d’Antonio, in the late 15th century.

Trusted tools, hidden threats

In cybersecurity, living-off-the-land (LOTL) cyberattacks evade detection by using legitimate, built-in system tools like PowerShell or WMI.

These tools download malicious payloads, move laterally, and exfiltrate data — all alongside normal network traffic. No malware is installed, and no suspicious files are dropped, which is why these attacks often go unnoticed for months.

LOTL attacks now account for the majority of modern cyber intrusions. A 2025 analysis of over 700,000 incidents found that 84% of major attacks involved LOTL techniques.

Why are they so effective? Operating systems come preloaded with powerful tools meant for administrators, and attackers are turning them into weapons. Once inside, they use those same tools to blend in, maintain access, and quietly expand their reach.


This makes Living off the Land attacks harder to detect — and much harder to stop.

While many LOTL attacks occur on Windows, the same approach of abusing trusted tools and executing code in memory also applies to macOS and Linux.

On macOS, attackers can abuse native services such as AppleScript and launchd to persist and execute commands. On Linux, they can rely on Bash, SSH, cron jobs, and in-memory execution to operate without writing files to disk, evading traditional detection.

Example of system tools available in Windows

Did the recent SharePoint ToolShell exploit “live off the land?”

In July 2025, Microsoft disclosed active exploitation of two SharePoint zero-day vulnerabilities (CVE-2025-53770 and CVE-2025-53771), collectively known as ToolShell.

The flaws affected internet-facing on-premises servers and were exploited by state-backed actors — Linen Typhoon, Violet Typhoon, and Storm-2603.

These threat groups used the vulnerabilities to execute remote code, steal machine keys, escalate privileges, and deploy ransomware, including Warlock and LockBit variants, across hundreds of vulnerable systems.

Michael Adjei, director of systems engineering at Illumio, shares his perspective on what stands out in the ToolShell exploits: “It isn’t just the use of native tools — it’s how attackers moved from initial access to lateral movement without triggering traditional alarms. This incident reinforces a key reality: if defenders are only watching for malware, they’re already behind.”

Ransomware + Living off the Land: a potent combo

Another powerful example of this stealthy approach is Medusa ransomware.

In February 2024, the FBI and CISA issued a joint advisory (#StopRansomware: Medusa Ransomware) warning of its growing threat to critical infrastructure. More than 300 organizations have already been hit, including hospitals, financial institutions, schools, and government services.

Medusa doesn’t rely on flashy zero-days or obvious malware. Instead, it blends in — using trusted tools like PowerShell, WMI, RDP, SSH, and remote access software like ScreenConnect to move across hybrid environments and avoid detection.

Modern ransomware doesn’t come crashing through the front door — it blends in like a spy.

Why the NSA sounded the alarm on LOTL

In 2024, the NSA, CISA, and international partners released a joint advisory warning of the surge in LOTL intrusions.

This wasn’t triggered by one breach, but by a disturbing trend: advanced threat actors, including state-sponsored groups, were increasingly using native tools to quietly infiltrate critical infrastructure.

The tipping point? Campaigns like Volt Typhoon, where attackers burrowed into U.S. communications, energy, and transportation systems without deploying traditional malware.

The advisory was clear: LOTL techniques had become a go-to strategy for nation-state attackers, and defenders needed to adapt immediately.

SolarWinds: a master class in LOTL

One of the earlier and most damaging examples of LOTL tradecraft happened in 2020, when threat actors quietly inserted malware into a routine Orion update from SolarWinds.

When customers installed it, attackers gained access to some of the most sensitive networks in the world, including U.S. government agencies and Fortune 500 companies.

By using native Windows tools and mimicking normal Orion activity, the attackers evaded detection for months. The malware activated only on high-value targets. Once inside, the attackers exfiltrated data at scale and covered their tracks.

The White House later attributed the attack to Russian intelligence.

Stopping LOTL requires seeing what others miss

These attacks don't rely on malware; they abuse the legitimate tools already inside your network. Security teams need visibility into how systems normally communicate so that they can detect unusual behavior and quarantine threats in real time.

Key defenses include:

  • Lateral movement detection: visibility into system-to-system communication is essential to uncover attackers moving within environments.
  • Behavioral threat detection: analytics that identify abnormal use of native tools help surface activity that blends into normal operations.
  • Alert prioritization: filtering out routine behavior and highlighting suspicious patterns is critical when attackers use trusted processes.
  • Rapid containment: the ability to isolate compromised assets quickly — without waiting for malware signatures — can stop LOTL techniques before they spread.
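The four defenses above, together with the PowerShell and WMI abuse described under "Trusted tools, hidden threats", can be sketched as detection logic. The following is an added example written for this page; it is not Illumio's code or any product's detection logic. The process-creation events (loosely shaped like Sysmon Event ID 1 fields), the parent/child baseline, the hostnames, user names and scoring weights are all constructed for illustration. It scores each event against a baseline of normal parent/child pairs, adds weight when a dual-use native tool is involved, counts how many distinct remote hosts one user reaches in a short window (lateral movement), filters out low-scoring noise (prioritization), and returns the hosts a responder would isolate (containment).

```python
"""Toy behavioural LOTL detector over constructed process-creation events.

Added example for this page, not vendor code. Baseline, weights, hosts and
events below are all constructed; tune them against real telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    user: str
    parent: str                      # parent image name, lower case
    image: str                       # child image name, lower case
    cmdline: str
    remote_host: Optional[str] = None  # target when the tool acts on another host


# Constructed baseline: parent -> children observed during normal operations.
BASELINE = {
    "explorer.exe": {"outlook.exe", "winword.exe", "chrome.exe", "cmd.exe"},
    "services.exe": {"svchost.exe", "spoolsv.exe"},
    "cmd.exe": {"ipconfig.exe", "net.exe"},
    "svchost.exe": {"wmiprvse.exe"},
}

# Dual-use native tools: normal for admins, higher weight when unbaselined.
NATIVE_TOOLS = {"powershell.exe", "wmic.exe", "wmiprvse.exe", "mshta.exe", "rundll32.exe"}


def score_event(ev: ProcEvent):
    """Return (score, reasons); 0 means the event matches the baseline."""
    score, reasons = 0, []
    if ev.image not in BASELINE.get(ev.parent, set()):
        score += 2
        reasons.append(f"unbaselined parent/child {ev.parent}->{ev.image}")
        if ev.image in NATIVE_TOOLS:
            score += 2
            reasons.append("child is a dual-use native tool")
    cl = ev.cmdline.lower()
    if ev.image == "powershell.exe" and "-enc" in cl:   # -enc / -EncodedCommand
        score += 3
        reasons.append("encoded PowerShell command line")
    if ev.image == "wmic.exe" and "/node:" in cl:       # WMI aimed at a remote host
        score += 3
        reasons.append("WMI remote execution")
    return score, reasons


def lateral_fanout(events: List[ProcEvent], window=timedelta(minutes=10), threshold=3):
    """Flag (host, user) pairs that reach >= threshold distinct remote hosts within window."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev.remote_host:
            by_actor[(ev.host, ev.user)].append((ev.ts, ev.remote_host))
    flagged = {}
    for actor, hits in by_actor.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            targets = {h for t, h in hits[i:] if t - t0 <= window}
            if len(targets) >= threshold:
                flagged[actor] = sorted(targets)
                break
    return flagged


def triage(events: List[ProcEvent], alert_threshold=5):
    """Score every event, drop routine behaviour, return alerts sorted by score."""
    alerts = [(s, ev.host, ev.image, why)
              for ev in events for s, why in [score_event(ev)] if s >= alert_threshold]
    alerts.sort(key=lambda a: -a[0])
    return alerts


def containment_candidates(events: List[ProcEvent]):
    """Hosts to isolate: sources of high-score alerts plus lateral fan-out sources."""
    hosts = {a[1] for a in triage(events)}
    hosts |= {host for (host, _user) in lateral_fanout(events)}
    return sorted(hosts)


# Constructed sample telemetry: routine activity on two hosts, then one
# workstation where Word spawns encoded PowerShell and fans out over WMI.
T0 = datetime(2025, 7, 21, 9, 0, 0)
SAMPLE_EVENTS = [
    ProcEvent(T0, "ws-12", "alice", "explorer.exe", "outlook.exe", "outlook.exe"),
    ProcEvent(T0 + timedelta(minutes=1), "ws-12", "alice", "cmd.exe", "ipconfig.exe", "ipconfig /all"),
    ProcEvent(T0 + timedelta(minutes=2), "ws-12", "alice", "winword.exe", "powershell.exe",
              "powershell.exe -nop -w hidden -enc <constructed blob>"),
    ProcEvent(T0 + timedelta(minutes=3), "ws-12", "alice", "powershell.exe", "wmic.exe",
              "wmic.exe /node:srv-01 ...", "srv-01"),
    ProcEvent(T0 + timedelta(minutes=4), "ws-12", "alice", "powershell.exe", "wmic.exe",
              "wmic.exe /node:srv-02 ...", "srv-02"),
    ProcEvent(T0 + timedelta(minutes=5), "ws-12", "alice", "powershell.exe", "wmic.exe",
              "wmic.exe /node:srv-03 ...", "srv-03"),
    ProcEvent(T0, "srv-01", "SYSTEM", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ProcEvent(T0, "srv-01", "SYSTEM", "svchost.exe", "wmiprvse.exe", "wmiprvse.exe"),  # normal WMI host
    ProcEvent(T0, "ws-07", "bob", "explorer.exe", "powershell.exe", "powershell.exe Get-Date"),  # admin, benign
]

if __name__ == "__main__":
    for score, host, image, why in triage(SAMPLE_EVENTS):
        print(score, host, image, "; ".join(why))
    print("lateral fan-out:", lateral_fanout(SAMPLE_EVENTS))
    print("isolate:", containment_candidates(SAMPLE_EVENTS))
```

The design point is that no single indicator decides: an admin's interactive PowerShell on ws-07 scores 4 and stays below the alert threshold, while the Word-to-PowerShell chain with an encoded command and three WMI targets in three minutes scores 7 per event and also trips the fan-out rule, so ws-12 lands on the containment list without any file hash or malware signature being involved.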

In a world where attackers live off the land, defenders need the power to see and control how their environment is being used.

Discover how Illumio Insights stops LOTL threats before they spread. Start your free trial today.
