Rapid7 Threat Landscape Report Q3 2025

The Q3 2025 Rapid7 Threat Landscape Report documents accelerating zero-day and mass-exploitation activity, consolidation and innovation among ransomware groups (notably Qilin), increasing supply-chain and nation‑state espionage, and the operationalization of AI for social engineering and evasive malware. Major metrics include 53 newly observed exploited CVEs, 88 active ransomware leak-site groups, and U.S. victims accounting for 67% of ransom posts; high-impact incidents targeted Microsoft SharePoint, CrushFTP, GoAnywhere MFT, and multiple Cisco products. #Qilin #LAMEHUG #SharePoint #GoAnywhere #CrushFTP #PathWiper

Keypoints

  • Typical report structure: an Introduction summarizing quarterly context and objectives; a Ransomware Landscape section covering actors, leak-site activity, victimology, and tactical shifts; a Nation‑State Activity section with APT case studies, espionage campaigns, and strategic targeting; an Incidents & MITRE ATT&CK section that maps observed incidents to techniques and initial access vectors; a Vulnerability Intelligence section detailing exploited CVEs, CWE trends, and Emergent Threat Response cases; an AI‑Supported Threats section describing AI-driven social engineering and evasive malware; a Recommendations section with prioritized defensive controls; and an About section describing the vendor and services.
  • Contents of each main section: the Introduction sets the scene and key themes; Ransomware Landscape quantifies leak‑site activity, top groups, victim sectors, and alliance/affiliate trends; Nation‑State Activity provides telemetry-backed APT profiles (e.g., APT29, Volt Typhoon, Brickstorm) and notable toolsets; Incidents detail common TTPs, impacted industries, and incident-response observations; Vulnerability Intelligence highlights zero‑day incidents, timelines from disclosure to exploitation, and dominant CWEs; AI threats explore operationalized generative techniques for phishing, deepfakes, and malware generation; Recommendations prescribe concrete mitigations (MFA, EDR, VM, backups, segmentation).
  • Ransomware landscape snapshot: 88 groups posting to leak sites in Q3 (up from 65 in Q2), with 28 newly active groups; Qilin retained the top leak‑site position and formed operational coalitions with LockBit and DragonForce; observed rise of collectives and non-RaaS actors like SafePay and WorldLeaks.
  • Victimology and regional distribution: business services (18%), manufacturing (15%), and healthcare (13%) were the top-targeted industries; U.S. victims represented 67% of leak-site posts, followed by Germany (6%), and UK/Canada (5% each).
  • Ransomware tactics and evolution: growth in double- and triple-extortion (data theft, leaks, harassment); fileless/extortion‑first approaches by some groups; increased operational secrecy (stripping identifiers from posts) to frustrate researchers and law enforcement.
  • Nation‑state activity highlights: APT29 refined credential‑theft via OAuth and Azure app abuse; Sandworm deployed PathWiper (destructive wiper using standard Windows APIs); Brickstorm/UNC5221 exploited network‑edge appliances and long dwell times to harvest source code (F5 incident attribution); Volt Typhoon focused on maritime logistics and telecom pre‑positioning.
  • DPRK operations: Lazarus and Kimsuky continued financial and espionage campaigns, adopting AI‑generated deepfakes and signed Python loaders; supply‑chain targeting via developer compromise (Void Dokkaebi/Contagious Interview) was emphasized.
  • Zero-day and emergent vulnerabilities: five high‑impact zero-days in Q3 included CrushFTP (CVE-2025-54309), the Microsoft SharePoint exploit chain and its bypasses (CVE-2025-53770/53771), Citrix NetScaler (CVE-2025-7775), GoAnywhere MFT (CVE-2025-10035), and multiple Cisco ASA/FTD CVEs (CVE-2025-20333/20362).
  • Vulnerability intelligence metrics: AttackerKB tracked 53 vulnerabilities first reported as exploited in the wild in Q3; the overall quarterly count has trended down year‑over‑year, but exploitation timelines remain compressed with many zero‑day and near‑zero‑day attacks.
  • Old vulnerabilities resurfacing: several exploited CVEs were years old (e.g., CVE-2007-0671), underscoring the risk of historical CVEs and the limits of relying solely on curated “known exploited” lists for remediation prioritization.
  • Top CWEs observed: CWE-502 (unsafe deserialization) led the root‑cause list, followed by the command‑injection classes (CWE-78, CWE-77), indicating a preference for logic‑level vulnerabilities that yield reliable code execution.
  • Common initial access vectors: exploitation of remote access services (SonicWall SSLVPN, Cisco ASA, FortiGate VPN), RDP, compromised credentials, social engineering (service‑desk MFA bypasses), and web shell deployment.
  • Top MITRE ATT&CK techniques for Q3: T1078 Valid Accounts and T1133 External Remote Services dominated initial access; T1059 command interpreters, T1003 credential dumping, and T1021 remote services were frequent in post‑compromise activity; T1566 phishing and social engineering remained influential.
  • Instrumentation and tools observed: widespread abuse of legitimate tools (Impacket, TruffleHog, Rclone, WinRAR, AnyDesk, Cloudflared) and common reconnaissance utilities (Advanced IP Scanner, ADExplorer) to evade detection and facilitate lateral movement.
  • AI‑driven threat trends: operationalized generative AI produced highly convincing phishing lures, deepfake vishing, and dynamically generated malware (e.g., LAMEHUG) that defeats signature‑based detection—driving a shift toward behavioral and telemetry‑based detection.
  • Supply‑chain risk and vendor trust erosion: incidents like the Salesloft breach and F5 source‑code exfiltration highlight attacker focus on SaaS ecosystems, developer accounts, and code repositories as scalable vectors for downstream compromise.
  • Defensive priorities and recommendations: enforce phishing‑resistant MFA (FIDO2), maintain immutable and isolated backups with recovery testing, deploy and tune EDR/behavioral detections, implement robust VM with patching of both recent and historical CVEs, remove unnecessary internet‑exposed services, segment networks, and conduct continuous threat hunting and incident‑response exercises.
  • Operational takeaways for security teams: prioritize edge and remote‑access hardening, assume adversaries will weaponize newly disclosed bugs quickly, shift detection to behavioral/telemetry signals to counter AI‑enabled and polymorphic threats, and integrate supply‑chain and identity risk into remediation and third‑party assessments.
  • Recurring themes and long‑term shifts: consolidation among prolific ransomware groups, a move from noisy disruption to stealthy persistence by nation‑state actors, compressed weaponization timelines for vulnerabilities, and the mainstreaming of AI as a force multiplier for both social engineering and malware evasion.
Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)
