Trends driving cyberthreat demand
As digital ecosystems grow and modern adversaries advance, new waves of cybercrime and disruptive tactics have emerged. The first half of 2025 saw notable changes in attacker motivation, technology, and the overall business risk landscape.
Three major drivers underlie this dynamic environment:
- Disruption and resurgence: Major outages among ransomware groups (like RansomHub) led to both temporary reductions in attacks and rapid affiliate migrations, fueling resurgence among groups like Qilin.
- Advanced technology adoption: Threat actors, especially cybercriminals, are harnessing artificial intelligence (AI) for more sophisticated attacks—leveraging deepfake videos, modular toolkits, and Generative AI-powered scams.
- Professionalization and specialization: Organized criminal networks now operate with business-like structures, developing new tactics to maximize extortion, scale operations, and target critical sectors, including government and public services.
To stay resilient amid these threats, organizations should keep pace with rapidly changing tactics, make use of intelligence sharing, and invest in advanced defense. Explore the full Midyear Cyber Threat Trends report for detailed guidance on maximizing protection and readiness in 2025.
Key trends in the cyberthreat landscape
Ransomware acceleration
- Ransomware remains the leading cyberthreat, driven by shifting affiliate loyalty, modular extortion methods, and centralized leak sites for maximum impact.
- Outages in prominent ransomware groups (8Base, RansomHub) forced affiliates to migrate operations, which contributed to spikes in attacks from actors like Qilin and DragonForce.
- Tactics now include multilayered extortion that combines data theft, threat campaigns, and immediate public disclosure, reducing the reliance on file encryption alone.
Artificial intelligence in attack and defense
- AI-powered tools like WormGPT (and successor variants) are used by cybercriminals to lower skill barriers and automate attack processes, including phishing and social engineering.
- Deepfake video and Generative AI pose new risks, making impersonation and fraud harder to detect.
- Agentic AI is expected to reshape both attacker and defender strategies, with broad implications for the threat landscape.
Malware and infostealer proliferation
- Evolving malware strains are released with greater frequency; innovations in infostealer variants (Lumma Stealer, StealC, Vidar) drive credential theft and modular payloads.
- Large-scale law enforcement takedowns have disrupted key infrastructure, but the underlying strains remain persistent and adaptable.
- Infostealer activity is now embedded in hybrid campaigns that maximize extortion by exfiltrating sensitive data before encrypting systems.
Underground market and threat actor trends
- Sale of access, credentials, and confidential information continues in underground forums, supporting global campaigns.
- The underground market increasingly features modular attack kits, ransomware builder tools, and service-for-hire models, reflecting the business-like evolution of cybercrime.
- Emerging and reemerging threat actors are tracked by CTI analysts, with notable shifts in geography and sector targeting—government and public services, financial services, and health care remain primary targets.