
10 Emerging Cyber Threat Trends and Attack Techniques

Author: AIVON, February 03, 2026


The cyber threat landscape showed several new developments. Attack types became more diverse: for example, the MOVEit incidents illustrated a shift from encryption-based ransomware to data theft for extortion. Attackers also reduced reliance on traditional malware and increasingly abused legitimate tools such as remote monitoring and management (RMM). In addition, identity-based attacks continued to surge as adversaries sought to evade endpoint detection and response (EDR) controls.

Industry analysts and security researchers from firms including Huntress, CrowdStrike, Zscaler, Mandiant, Microsoft, and Cisco identified 10 emerging threat trends and attacker techniques worth attention, covering phishing and social engineering, data theft and extortion, and software supply chain attacks.


01 Minimal-destructive attacks

Researchers observed that many attackers prioritize data theft and profit over causing widespread disruption. As a result, attacks that inflict minimal operational damage have become more common, replacing broad data-encrypting approaches. Some attackers even attempt to portray themselves as "security advisors" after an attack, offering paid post-incident audit reports that outline how organizations could better protect their environments.


02 New ransomware variants and tactics

Access to leaked source code and build tools has enabled ransomware groups to continuously refine their tools and tactics, producing more complex and targeted campaigns. Organizations often find these next-generation ransomware attacks difficult to defend against. The FBI warned of two notable trends: first, threat actors conducting multiple ransomware attacks against the same victim in quick succession, often deploying different ransomware variants; second, the use of destructive tools such as wipers during attacks to increase pressure on victims.


03 Increased pressure on victims

Attackers believe that applying greater pressure increases the chance of receiving ransom payments. For example, the Clop group, responsible for one of the largest MOVEit-related extortion campaigns, experimented with different disclosure methods. Traditional public leak sites are easy to detect and block, so attackers moved to publishing stolen data via torrent files and decentralized distribution systems, which are harder to take down and faster for others to access.


04 Alliances for profit

Investigations into attacks against casino operators such as MGM and Caesars revealed several worrying trends. Attackers used social engineering against IT service desks to obtain unauthorized access. More concerning was evidence of collaboration among multiple criminal groups, including English-speaking groups such as Scattered Spider partnering with Russian-speaking ransomware groups like Alphv. Scattered Spider reportedly used BlackCat ransomware provided by Alphv, whose members have links to earlier groups such as DarkSide, the actor behind the Colonial Pipeline attack. Such cross-language partnerships could push threat activity in new, more dangerous directions.


05 RaaS targeting virtual environments

Ransomware-as-a-service has increasingly targeted VMware ESXi hypervisors. A group using the name MichaelKors offered ransomware binaries targeting both Windows and ESXi/Linux systems. ESXi environments are attractive because they often lack security tooling, suffer from insufficient network segmentation for management interfaces, and contain many exploitable vulnerabilities.


06 Generative AI-enabled threats

Generative AI introduced new risks by lowering the bar for producing convincing malicious content, such as more realistic phishing messages. Specialized generative AI tools marketed to criminal users, including WormGPT, FraudGPT, and DarkGPT, have emerged. Even general-purpose models can help attackers, for example by improving grammar for non-native speakers. Effective defenses against AI-enabled attacks remain limited.


07 Deepfake tools

Deepfakes continue to pose threats by deceiving victims. A notable development was the appearance of deepfake video creation tools explicitly advertised for phishing campaigns on underground forums. These tools aim to make social engineering attempts appear more personalized. Audio deepfakes also grew in use for fraud and transfer scams, with voice cloning software becoming more accessible. The prospect of real-time voice cloning poses an escalating risk due to its potential for near-instantaneous impersonation.


08 Phishing via collaboration platforms

Researchers identified attacks leveraging Microsoft Teams. Adversaries used compromised Microsoft 365 accounts to send phishing lures via Teams messages, triggering multi-factor authentication prompts and harvesting credentials. A group tracked as Midnight Blizzard likely achieved its objectives using Teams-based social engineering. Other incidents used Teams-based lures to distribute payloads such as the DarkGate loader, which can facilitate further malicious activity including ransomware deployment. Separate campaigns, including those attributed to Storm-0324, used Teams chats to deliver phishing lures and gain initial access for subsequent malicious actions.


09 Dual-layer supply chain attacks

The widely used communications software vendor 3CX was hit by a SolarWinds-style supply chain compromise. Investigators described it as a double supply chain attack because the incident stemmed from an earlier supply chain compromise: attackers tampered with software distributed by financial software firm Trading Technologies, which then enabled the subsequent 3CX compromise. The 3CX incident was discovered within weeks rather than months, which appears to have limited its overall impact on 3CX and its customers.


10 Upgraded accounts payable fraud

Accounts payable fraud, where attackers impersonate suppliers and send invoices tied to attacker-controlled accounts, is not new. A more covert variant has emerged: attackers gain access to corporate mailboxes via social engineering, modify mail rules to forward incoming invoices to themselves and delete originals to prevent detection, then alter the invoices to include their own banking information before submitting them to the target organization.
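The forward-and-delete mail rule described above leaves a recognizable footprint in a mailbox's inbox rules. The following audit script is an added example, not code from the article or from AIVON: it runs over constructed rule records whose field names mirror Exchange Online inbox rule properties (ForwardTo, RedirectTo, DeleteMessage, SubjectContainsWords), and assumes example.com is the organization's own domain and a constructed list of invoice-related keywords.

```python
"""Audit inbox rules for the forward-and-delete invoice diversion pattern.
Added example, not code from the original article. Records are constructed;
field names mirror Exchange Online inbox rule properties."""

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organization's own domains
INVOICE_TERMS = ("invoice", "payment", "remittance")  # constructed keyword list


def is_external(address: str) -> bool:
    """True when the address is outside the organization's domains."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def rule_findings(rule: dict) -> list[str]:
    """Reasons a single rule looks like invoice diversion (empty if benign)."""
    reasons = []
    targets = rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
    external = sorted(t for t in targets if is_external(t))
    if external:
        reasons.append("forwards to external " + ", ".join(external))
    if rule.get("DeleteMessage"):
        reasons.append("deletes the original message")
    words = [w.lower() for w in rule.get("SubjectContainsWords", [])]
    if any(term in w for term in INVOICE_TERMS for w in words):
        reasons.append("matches invoice-related subjects")
    return reasons


def audit_rules(rules: list[dict]) -> list[tuple[str, str, list[str]]]:
    """Flag rules that send mail outside the org and either delete the
    original or target invoice subjects. Returns (mailbox, name, reasons)."""
    flagged = []
    for rule in rules:
        reasons = rule_findings(rule)
        diverts = any(r.startswith("forwards") for r in reasons)
        hides = any(r.startswith(("deletes", "matches")) for r in reasons)
        if diverts and hides:
            flagged.append((rule["Mailbox"], rule["Name"], reasons))
    return flagged


# Constructed samples: one diversion rule, one benign rule, one internal forward.
SAMPLE_RULES = [
    {"Mailbox": "ap@example.com", "Name": ".", "SubjectContainsWords": ["Invoice"],
     "ForwardTo": ["collections@invoice-portal.example.net"], "DeleteMessage": True},
    {"Mailbox": "ap@example.com", "Name": "Newsletters",
     "SubjectContainsWords": ["Newsletter"], "MoveToFolder": "Archive"},
    {"Mailbox": "cfo@example.com", "Name": "Copy to assistant",
     "ForwardTo": ["assistant@example.com"], "DeleteMessage": False},
]
```

Calling audit_rules(SAMPLE_RULES) reports only the first record; the near-empty rule name "." is itself a common sign of a rule created to avoid notice, so reviewing flagged rules by name is worthwhile.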

