H1 2025 saw a 16% rise in disclosed CVEs with 161 actively exploited vulnerabilities, many targeting Microsoft and edge/gateway appliances and frequently used to deploy backdoors, RATs, and ransomware. Legacy malware like Sality and Tofsee resurfaced while RATs (AsyncRAT, XWorm, Remcos) and mobile threats (SuperCard X, GodFather) grew prominent, and ransomware groups evolved affiliate models and novel evasion techniques. #Sality #AsyncRAT
Key points
- Total CVEs rose 16% in H1 2025 (23,667 disclosed); 161 vulnerabilities were exploited in the wild, 42% with public PoCs, 69% requiring no authentication, and 30% enabling RCE.
- Microsoft and edge/gateway security appliances (SSL-VPNs, next-gen firewalls) were the top exploited targets (each ~17%), with many attacks enabling privileged network access and lateral movement.
- Command and Control (TA0011) dominated malware telemetry (over 194,000 detections); commonly observed techniques included data encryption for impact (T1486), valid accounts (T1078), and data from local system (T1005).
- Legacy malware resurgence (Sality, Tofsee) and increased RAT activity (AsyncRAT, XWorm, Remcos) signaled a shift from infostealer dominance to more persistent, hands-on tools for data theft and post-compromise operations.
- Mobile malware expanded with at least eleven new strains and innovations like virtualization-based overlays (GodFather) and NFC relay fraud platforms (SuperCard X) targeting contactless payments.
- Ransomware actors refined affiliate models (DragonForce "cartel", Anubis tiered offerings) and adopted new TTPs including ClickFix social engineering, BYOI EDR evasion, JIT hooking/memory injection, and use of dual-use legitimate tools (AnyDesk, Syteca, GC2).
- Magecart skimming remained prevalent with modular, stealthy chains abusing GTM, obscure HTML/CSS techniques, and WebSocket exfiltration to evade CSPs and target multiple e-commerce platforms.
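The WebSocket exfiltration noted above works when a storefront's Content-Security-Policy never constrains connections: `connect-src` (falling back to `default-src`) is the directive that governs WebSocket, fetch and XHR destinations, and a policy that only sets `script-src`/`img-src` says nothing about them. The checker below is an added example, not code from the Recorded Future report; it parses a CSP header value and reports whether a given `wss://` destination would be permitted on a given page. The policies, the shop host and the collector host are constructed for the demo, and the source matching is a simplified subset of the CSP3 rules (no port or path matching).

```javascript
// Added example (not from the report): a small CSP checker that tells a defender
// whether a page's Content-Security-Policy would block a skimmer opening a
// WebSocket to an unlisted host. Policies and host names are constructed.

// Parse a CSP header value into a Map of directive name -> array of source expressions.
function parseCsp(header) {
  const directives = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per spec, only the first occurrence of a directive is honoured.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Does one source expression permit a connection to `target` from `pageOrigin`?
// Handles 'none', 'self', '*', scheme-only sources (wss:, https:) and host
// sources with an optional leading wildcard (*.example.com). Ports and paths are
// ignored, so this is an approximation of CSP3 matching, not a full implementation.
function sourceMatches(expr, target, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === '*') return true;
  // CSP3: 'self' also matches ws:/wss: on the page's own host.
  if (e === "'self'") return target.hostname === pageOrigin.hostname;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) {
    // scheme-source: "wss:" matches wss; CSP3 also lets "https:" match wss.
    if (e === target.protocol) return true;
    if (e === 'https:' && target.protocol === 'wss:') return true;
    return false;
  }
  // host-source, e.g. cdn.example.com, https://cdn.example.com, *.example.com
  const hostPart = e.includes('://') ? e.split('://')[1] : e;
  const host = hostPart.split('/')[0].split(':')[0];
  if (host.startsWith('*.')) {
    const suffix = host.slice(1); // ".example.com"
    return target.hostname.endsWith(suffix) && target.hostname.length > suffix.length;
  }
  return host === target.hostname;
}

// Would a WebSocket to `targetUrl` be allowed on a page served from `pageUrl`
// under `cspHeader`? Returns which directive decided, or null if none applies.
function webSocketAllowed(cspHeader, pageUrl, targetUrl) {
  const directives = parseCsp(cspHeader);
  const target = new URL(targetUrl);
  const pageOrigin = new URL(pageUrl);
  // connect-src governs WebSocket/fetch/XHR and falls back to default-src.
  let governing = 'connect-src';
  let sources = directives.get('connect-src');
  if (sources === undefined) {
    governing = 'default-src';
    sources = directives.get('default-src');
  }
  if (sources === undefined) {
    // Neither directive present: the policy places no limit on connections.
    return { allowed: true, directive: null };
  }
  const allowed = sources.some((s) => sourceMatches(s, target, pageOrigin));
  return { allowed, directive: governing };
}

// Constructed policies: a "scripts-only" CSP of the kind many storefronts ship,
// and a tightened one that enumerates every legitimate connection endpoint.
const WEAK_CSP = "script-src 'self' https://www.googletagmanager.com; img-src 'self' data:";
const HARDENED_CSP =
  "default-src 'self'; script-src 'self' https://www.googletagmanager.com; " +
  "img-src 'self' data:; connect-src 'self' https://api.shop.example";

const PAGE = 'https://shop.example/checkout';          // constructed page URL
const EXFIL = 'wss://collector.attacker.example/ws';   // constructed placeholder host

if (typeof require !== 'undefined' && require.main === module) {
  console.log('weak CSP:', webSocketAllowed(WEAK_CSP, PAGE, EXFIL));
  console.log('hardened CSP:', webSocketAllowed(HARDENED_CSP, PAGE, EXFIL));
  console.log('hardened CSP, own API:', webSocketAllowed(HARDENED_CSP, PAGE, 'wss://api.shop.example/live'));
}
```

Run it against the CSP header your storefront actually returns (for example, the value of `Content-Security-Policy` from a response captured in the browser's network panel). The useful signal is `directive: null` or `default-src *`/`connect-src *`: that is a policy which would not stop a skimmer from streaming card data over a WebSocket, whatever it says about scripts.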
MITRE Techniques
- [TA0011] Command and Control - Identified as the most frequently observed malware tactic with "over 194,000 detections", illustrating heavy use of C2 for post-compromise operations.
- [T1486] Data Encrypted for Impact - Used by ransomware actors; the report notes "data encrypted for impact (T1486)", highlighting widespread ransomware deployments.
- [T1078] Valid Accounts - Employed as an Initial Access and persistence vector; the report references "Valid Accounts (T1078)", indicating credential theft and reuse for access.
- [T1005] Data from Local System - Observed as a common technique for data theft; the report lists "data from local systems (T1005)" among top techniques.
- [T1190] Exploit Public-Facing Application - Most frequent technique for exploited CVEs: "Exploit Public-Facing Application (T1190), observed in 73% of actively exploited vulnerabilities."
- [T1203] Exploitation for Client Execution - Noted as a top technique: "Exploitation for Client Execution (T1203)", indicating attacks requiring user interaction or client-side exploits.
- [T1068] Exploitation for Privilege Escalation - Listed among top techniques: "Exploitation for Privilege Escalation (T1068)", used to gain higher system privileges post-exploit.
- [T1586] Compromise Accounts - Observed in malware TTPs; the report references "Compromise Accounts (T1586)", showing account takeover activity supporting persistence and access.
- [T1133] External Remote Services - Highlighted as an Initial Access and persistence technique: "External Remote Services (T1133)", used to leverage stolen credentials and remote access portals.
- [T1021] Remote Services - Mapped to lateral movement/persistence; the report mentions "Remote Services (T1021)" as supporting lateral activities across networks.
Indicators of Compromise
- [File names / Malware families] context - examples include Sality, LummaC2, and Remcos (malware families referenced in C2 detections and post-exploitation telemetry).
- [CVE identifiers] context - examples include CVE-2025-0282 (Ivanti Connect Secure), CVE-2025-22457 (Ivanti Policy Secure), CVE-2025-4428 (Ivanti EPMM), and CVE-2025-24813 (Apache Tomcat).
- [Domains / Hosting providers] context - example: LummaC2 infrastructure with "over 2,300 domains" seized and later reconstituted using Cloudflare-backed C2 domains (Cloudflare IPs observed).
- [Tool names] context - examples include Cobalt Strike and GC2 (used as post-exploitation C2 frameworks or cloud-based C2 channels), and NETXLOADER (custom .NET loader used by Qilin ransomware).
- [Mobile app identifiers / APKs] context - examples include GodFather and SuperCard X (mobile malware and MaaS platform used for virtualization overlays and NFC relay fraud), and Android.Spy.1292.origin (targeted APK lure).
Read more: https://www.recordedfuture.com/research/h1-2025-malware-and-vulnerability-trends