Bridewell Cyber Threat Intelligence Report 2025

The 2025 Cyber Threat Intelligence Report provides a detailed analysis of global malicious infrastructure, highlighting increased use of Sliver and Brute Ratel frameworks and ongoing dominance of Cobalt Strike. It also covers significant trends in information stealers and ransomware ecosystems, emphasizing evolving adversary tactics and geographic hosting distributions. #CobaltStrike #Sliver #BruteRatel #LummaStealer #RedlineStealer #FogRansomware

Key points

  • The report structure includes Foreword, Executive Summary (covering Malicious Infrastructure, Information Stealers, Research), detailed Adversary Infrastructure Tracking, Information Stealer Landscape, Research sections, and an Outlook for 2025.
  • Executive Summary reveals a 10% increase in tracked threat groups, with 40% of malicious infrastructure hosted in the US and China.
  • Notable trends include a rise in Sliver and Brute Ratel C2 infrastructure, contrasted with a decline in Cobalt Strike servers.
  • Top tracked threats comprise various C2 frameworks and RATs, notably Cobalt Strike, Sliver, Brute Ratel, PlugX, ShadowPad, and Supershell.
  • Hosting distribution shows 24% of infrastructure in the US and 18% in China, with leading providers like Amazon, Tencent, and Alibaba.
  • Information stealers such as Lumma Stealer, Redline Stealer, StealC, and Meduza remain primary tools for initial access and ransomware operations.
  • Law enforcement actions reduced Qakbot and Raccoon Stealer activity but compromises still peak seasonally.
  • EDR killer tools such as EDRKillShifter have seen increased adoption, employing techniques such as Bring-Your-Own-Vulnerable-Driver (BYOVD).
  • Research highlights include the emergence of Fog ransomware, which shares tactics with Akira ransomware, targeting mainly the US and Germany.
  • Phishing kits like ClickFix have evolved and are in widespread use by cybercrime and nation-state actors, with a notable increase in late 2024.
  • Adversary Infrastructure Tracking monitors over 28,000 servers linked to financially motivated actors and nation-state groups, covering C2 servers, phishing, and RATs.
  • Shift observed from Cobalt Strike to alternative frameworks such as Sliver and Brute Ratel, driven by threat actor innovation and law enforcement pressure.
  • Sliver shows diverse global distribution with significant deployment in the US, Netherlands, Germany, and China, used by APT groups and ransomware actors.
  • Specific campaigns include North Korean Andariel’s use of Sliver and exploitation of vulnerable RMM tools for initial access.
  • The report emphasizes challenges in detecting obfuscated C2 infrastructure and focuses primarily on UK, US, and EU threat landscapes.
  • The Outlook for 2025 discusses emerging trends including edge device vulnerabilities, operational relay box networks, generative AI, geopolitical impacts, cloud-native attacks, and the evolution of the ransomware ecosystem.
Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)