Mallory

Annual threat reports highlight faster intrusions and expanding cloud-focused attacker activity

Tags: threat reports, cloud attacks, identity attacks, ransomware, credential theft, critical infrastructure, breakout time, FBI indictments, hybrid warfare, trusted systems, ATM jackpotting
Updated February 24, 2026 at 10:03 AM (1 source)

CrowdStrike’s 2025 global threat reporting says financially motivated intrusions are accelerating, with average breakout time (the interval between initial access and the first lateral movement) dropping to 29 minutes and the fastest observed breakout time at 27 seconds; the report also describes attackers increasingly using social engineering, living-off-the-land techniques, and abuse of trusted systems to move across cloud, identity, enterprise, and unmanaged-device boundaries, alongside a reported 37% year-over-year increase in cloud-focused attacks and a growing set of tracked adversaries (281 named groups plus additional activity clusters). Check Point Research’s 2025 retrospective similarly emphasizes that many 2025 operations relied on familiar techniques combined in new ways, highlighting themes such as early ToolShell exploitation assessed as Chinese-nexus activity against North American government targets and identity-centric intrusions (including AiTM credential theft) against US think-tank researchers.

Several other items in the set are not about these annual threat-report findings and instead cover separate topics: Romania’s cyber chief warning that ransomware incidents against critical infrastructure may align with Russian hybrid objectives; sector-level reporting that manufacturing remains heavily targeted by ransomware due to IT/OT interconnectivity and downtime pressure; and US law-enforcement/FBI reporting on a surge in ATM jackpotting losses and related indictments. Additional entries are primarily generic commentary, newsletters, or professional/educational content (e.g., quantum-preparedness opinion, Enigma/RSAC history piece, a weekly video briefing, a malware-newsletter link roundup, a recon how-to article, and a governance/career feature page) and do not substantively corroborate the specific annual threat-report story.

Related Stories

2025 Threat Landscape Reports Highlight Identity-Based Intrusions and High-Impact Ransomware Losses

Multiple 2025 retrospective threat reports describe **identity compromise** as the dominant initial access vector, with attackers repeatedly exploiting predictable control gaps such as weak identity security, third-party access paths, and exposed/perimeter systems. Barracuda’s Managed XDR telemetry analysis (spanning trillions of events and hundreds of thousands of alerts) reported that **Microsoft 365 anomalous login** and **“impossible travel”** detections were among the most common signals, consistent with credential theft and account takeover activity; it also noted post-compromise behavior including suspicious privilege manipulation (e.g., adding users to high-risk Windows groups). Dataminr’s 2026 Cyber Threat Landscape Report similarly characterized 2025 as a structural shift toward **accelerated identity-based intrusions**, citing that a significant share of intrusions leveraged **valid credentials**, alongside growth in **infostealer malware** and AI-enabled social engineering, and increased exploitation of third-party weaknesses. The same reporting also emphasizes that while overall ransomware activity may have stabilized in volume, **loss severity increased**, with “mega-loss” incidents exceeding **$100M** and in some cases **$1B**, driven by multi-vector campaigns combining credential theft, data exfiltration, and disruption. Other items in the set are broader commentary rather than incident- or disclosure-driven intelligence: an opinion piece argues that the rapid expansion of AI-driven data center infrastructure raises systemic risk from ransomware, supply-chain compromise, and OT disruption, while a predictions article discusses 2026 security investment themes without tying to a specific campaign. 
A separate news roundup recaps multiple 2025 events (including third-party/SaaS integration compromises and other vulnerabilities) rather than providing new, single-story reporting, making it only loosely aligned with the identity-and-ransomware trend narrative.

3 weeks ago
Ransomware and Extortion Trend Reporting and Threat-Activity Roundups

Multiple sources published **trend-focused reporting** on ransomware/extortion rather than describing a single discrete incident. Analyst1’s 2025 year-in-review reports a record rise in ransomware **data leak site (DLS)** postings (7,819 claims in 2025, up ~49.7% YoY), with the **U.S.** representing roughly half of observed claims and a concentration of activity among a small set of groups (e.g., **Qilin**, **Akira**, **CLOP**, **PLAY**). Ransom-DB similarly promotes ongoing “weekly trends” and group analyses (e.g., Qilin and other crews driving high weekly volumes), reinforcing that extortion ecosystems continue to scale and diversify across geographies and sectors. Several other items in the set are **not about ransomware trend reporting** and should be treated as separate stories: Kaspersky-reported supply-chain compromise of Android tablet firmware with the **Keenadu** backdoor (persistence via Android `Zygote`), Dragos reporting continued PRC-linked **Volt Typhoon/Voltzite** activity in U.S. energy/OT environments, and a Check Point weekly bulletin summarizing multiple unrelated breaches (e.g., Odido, BridgePay, Flickr, ApolloMD) plus AI-misuse research. Additional content is either **generic thought leadership** (cybersecurity predictions; secure-by-design op-ed) or **out-of-timeframe/marketing-leaning reposting** (Arete summarizing a 2020 TrickBot healthcare alert; identity-attack discussion based on an IR report), and does not materially contribute to a single cohesive event narrative.

3 weeks ago
Mixed threat reporting: APT campaigns, malware delivery via compromised web assets, and ransomware exploitation

The provided items do not describe a single cohesive cybersecurity event; they span multiple unrelated threat reports and opinion pieces. Notable incident-level reporting includes **APT28** activity in Western/Central Europe (“Operation MacroMaze”) using spear-phishing lures with Office macros that beacon via `INCLUDEPICTURE` to `webhook[.]site` and then execute VBScript/CMD/batch stages for persistence and follow-on payload delivery. Separately, **MuddyWater** (Iran/MOIS-linked) was reported running “Operation Olalampo” against organizations in the Middle East and Africa, delivering new custom malware (including a **Char** backdoor using a **Telegram bot** for C2) and, in some cases, attempting exploitation of public-facing servers in addition to phishing. Criminal activity and initial-access tradecraft were also covered across distinct stories: a DFIR case study described exploitation of **Apache ActiveMQ** `CVE-2023-46604` to gain RCE, conduct post-exploitation (Metasploit/Meterpreter, privilege escalation, LSASS access, lateral movement), and ultimately deploy **LockBit**-branded ransomware via RDP using previously stolen credentials (with indications the payload was built using the leaked builder and used *Session* for communications). Multiple reports described malware delivery via compromised web assets and social engineering, including **GrayCharlie** injecting malicious JavaScript into WordPress sites to push **NetSupport RAT**, **Stealc**, and **SectopRAT** via fake updates/ClickFix-style CAPTCHAs, and a separate **ClickFix** campaign delivering a custom C++ RAT (**MIMICRAT**) through fake Cloudflare verification prompts that trick users into running PowerShell. 
Additional, unrelated threat reporting included a **NuGet** supply-chain attack (typosquatted `NCryptYo` plus companion packages) targeting ASP.NET Identity data and enabling backdoored authorization rules, and malicious Chrome extensions using a “**Promise Bomb**” browser-crash technique to drive users to run fake “CrashFix” PowerShell steps. Several other items were generic commentary/roundups (data breach trends, quantum preparedness, Enigma history, NATO public opinion polling, recon how-to, and a malware-newsletter link list) and do not add event-specific intelligence.

3 weeks ago