CyberProof Mid-Year Cyber Threat Landscape 2025

The CyberProof 2025 Mid-Year Cyber Threat Landscape Report highlights escalating AI-assisted ransomware attacks, increased targeting of critical infrastructure, and evolving supply chain infiltration strategies in H1 2025. Notable threat actors such as Akira, DragonForce, and FunkSec demonstrate sophisticated tactics amid geopolitical cyber conflicts affecting sectors worldwide.

Key points

  • The report opens with an Executive Summary outlining key trends and high-profile incidents, followed by detailed sections on Major Threat Trends, Major Cyber Events, Top Attack Indicators, and a comparison of previous predictions against current realities, and concludes with a future outlook and company information.
  • H1 2025 saw a 60% increase in ransomware attacks, with the manufacturing sector and the US as primary targets; AI-powered ransomware groups such as FunkSec emerged, lowering the barrier to entry for cybercriminals.
  • Chinese APT groups Silk Typhoon and Salt Typhoon have shifted focus toward IT supply chains and critical telecommunications infrastructure, exploiting trusted relationships for downstream access.
  • High-impact attacks increasingly target low-resilience organizations such as municipal governments, using data exfiltration to amplify extortion pressures.
  • The adoption of infrastructure-as-a-service tools like TAG-124 by diverse threat actors streamlines malware delivery to high-value targets, exemplifying the commercialization of cybercrime.
  • DragonForce has developed a cartel-style ransomware model, offering affiliates operational autonomy while sharing core infrastructure, enhancing scalability and financial returns.
  • Significant cyber events include geopolitical cyber spillovers from India-Pakistan and US-Iran tensions, targeting government and critical sectors through advanced spear-phishing and hacktivism.
  • The UK retail sector faced coordinated ransomware attacks linked to Scattered Spider and DragonForce, causing widespread service disruptions and data breaches.
  • Widespread exploitation of critical zero-day vulnerabilities such as CVE-2025-31324 in SAP Visual Composer demonstrated persistent attacks by state-aligned APTs and ransomware groups.
  • Top attack vectors identified include email attacks, fake CAPTCHA pages, and vulnerability exploitation; leading malware families include LummaStealer, RedLine, and AgentTesla; commonly abused tools include ScreenConnect and PowerShell.
  • The most abused TLDs are .top, .shop, and .ru, while the most abused third-party platforms include WhatsApp, Telegram, and Discord.
  • 2024 predictions around increased targeting of critical sectors, sophisticated ransomware tactics, and supply chain trust erosion were confirmed or exceeded, while regulatory progress was partial.
  • The blurring of lines between nation-state, cybercriminal, and hacktivist groups highlights hybrid threat motivations and operational models, exemplified by groups such as SideCopy and Moonstone Sleet.
  • Expectations for H2 2025 include maturation of AI-driven threats, continued focus on critical infrastructure, deeper supply chain attacks, increased threat actor collaboration, regulatory tightening, and geographic shifts in targeting.
  • The report concludes that evolving attacker techniques and regulatory landscapes demand adaptive, cooperative defense strategies involving faster detection, improved coordination, and public-private partnership.
Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)

Download the report from GitHub