Geographical distribution of APT activity

As the primary target of APT detections, Türkiye accounted for 38% of total detections from October 2024 to March 2025. While Türkiye's dominance decreased but remained significant in Q1 2025, US share increased substantially, and Qatar emerged as a new target.

Why Türkiye?

Potential interest in Türkiye can be attributed to its strategic position as a crucial crossroads between Europe and Asia, its significant role in regional geopolitics, and its involvement in various international diplomatic initiatives. The country’s strategic geopolitical position and its role as a NATO member make it a valuable target for intelligence gathering about Western military and diplomatic activities.

The top 10 affected countries account for 77% of all APT detections:

Threat actor analysis

During the period observed in this report, APT40 overtook Mustang Panda as the most active threat actor, and APT41 (113%) showed a significant increase in activity in Q1 2025 compared to the previous quarter.

Sectoral impact

Analysis of the top affected sectors excluding unknown reveals the telecom sector as heavily targeted. When breaking down by quarters, there is a significant increase in APT detections targeting telecom (92%) and technology (119%).

Tools and techniques

Analysis of the tactics, techniques, and procedures (TTPs) of APT groups observed during the period reflected in this report finds actors maturing and utilizing more sophisticated and advanced tooling.

• Tool selection patterns: A heavy reliance on legitimate system and native Windows tools is observed, along with the increased use of LOTLbinaries and growing sophistication of post-exploitation tools. 

• Operational trends: Tools are likely chosen to blend with normal activity, while ensuring they have redundant capabilities and the ability to be used for evasion purposes. Custom malware is used less frequently. 

• Security implications: Attackers are selecting tools that provide persistent access mechanisms and advanced lateral movement to aid them in executing sophisticated multi-stage attacks.

• Defense evasion focus: Memory-resident operations, fileless malware, and signed binaries are being used more frequently to support evasion. 

• Future trends: The Trellix Advanced Research Center anticipates further increases in tool sophistication, greater emphasis on evasion, an evolution of post-exploitation frameworks, and more complex attack chains.

Its critical security teams use enhanced PowerShell monitoring to discover misuse and abuse. CISOs should also focus on command-line activity analysis and ensure rigorous credential access monitoring is in place.

Who’s hacking the United States?

The United States was the target of 36% of detected APT activity in the period observed in this report. Notably, there was a 45% increase in detections in Q1 2025, up from Q4 2024. Türkiye precedes and Germany follows the United States as the most targeted by APT groups. 

Detections are primarily attributable to APT groups aligned with China (47%)and Russia(35%), and the activity targeted the telecom (64%) and technology (28%) sectors.

Targeting Edge Devices for Mass Exploitation

Based on recent campaign trends, Chinese APT groups have been evolving their strategies, gradually moving away from traditional methods like spear-phishing and social engineering as the primary means for gaining initial access to their targets. These techniques, which have historically been effective for infiltrating specific individuals or organizations through tailored, deceptive communications, are being increasingly supplemented, or in some cases replaced, by more direct and sophisticated approaches.

One notable shift has been the growing reliance on exploiting zero-day vulnerabilities, as well as leveraging known vulnerabilities in commonly used network edge devices—such as routers, firewalls, and other critical infrastructure components. These vulnerabilities allow the threat actors to bypass traditional security defenses more efficiently and gain unauthorized access to systems on a much larger scale. By targeting network edge devices, which often serve as the entry points to an organization’s broader network, Chinese APT groups are able to compromise systems without the need for targeted social engineering efforts.

To combat threats at the edge, organizations should ensure they’re taking action outside of regular patching and firmware updates/upgrades. In practice, this looks like adopting network detection and response (NDR) and implementing strong network segmentation, Zero Trust, virtual patching, and strong operational threat intelligence.

This shift toward exploiting vulnerabilities represents a more automated, scalable approach to cyberattacks. 

• Mass exploitation campaigns: It enables Chinese threat actors to conduct mass exploitation campaigns that can potentially affect a wide range of targets, including critical infrastructure, government organizations, and private sector networks. 

• Widespread access: By focusing on these vulnerabilities, attackers can gain widespread access to vulnerable systems, often with a much lower detection risk compared to traditional social engineering techniques. 

• Efficiency and speed: Additionally, this tactic allows for faster deployment of attacks across multiple targets, enabling the APT groups to achieve their objectives more quickly.

The move away from spear-phishing and social engineering also reflects a broader trend of adapting to increasingly sophisticated defense mechanisms, where relying on direct exploitation of software vulnerabilities allows threat actors to bypass increasingly sophisticated email filters, user-awareness programs, and multi-layered security systems. This shift indicates the changing landscape of cyber threats, with APT groups moving towards more advanced, persistent, and large-scale operations that can impact a broader range of targets simultaneously.

As Chinese APT groups continue to refine their techniques, it is likely the exploitation of network edge devices and the use of zero-day vulnerabilities will become even more prominent in their future campaigns, requiring organizations to adopt more proactive and advanced security measures to detect and mitigate these sophisticated, high-impact attacks.

Use of ORB networks for espionage operations

While Operational Relay Box (ORB) networks have been used for several years, their adoption and sophistication has grown considerably, particularly within Chinese cyber operations. These networks are leveraged by state-sponsored groups to perform highly covert operations spanning multiple industries, from governmental and military targets to intellectual property theft and economic espionage. These ORBs facilitate a range of different threat clusters simultaneously, meaning multiple cyberattack groups can operate within the same network infrastructure without raising suspicion.

The growing popularity and sophistication of Chinese ORBs underscore the increasing reliance on proxy networks to evade detection and expand the reach of cyber espionage campaigns. This trend highlights the need for advanced detection systems capable of monitoring and analyzing network traffic at a granular level, especially when conventional methods may not suffice to identify the use of compromised devices and VPNs. With ORBs evolving in complexity and scale, they represent a significant challenge to cybersecurity professionals tasked with defending against these highly adaptive and stealthy forms of cyberattacks.

Heavy use of living-off-the-land tools

China’s nation-state cyber operators have increasingly relied on LOTL techniques as part of their cyber operations to maintain persistent and undetected access to information technology (IT) networks. LOTL techniques leverage existing legitimate tools, features, and functions present within the target environment to execute their malicious activities. By utilizing tools native to the system or commonly used within an organization, attackers can traverse networks and conduct operations without triggering traditional security alarms.

This approach allows them to blend in with normal network activity, making it far more difficult for security measures to detect their presence or distinguish their actions from legitimate user behavior. As a result, LOTL techniques significantly reduce the likelihood of the attacker being flagged as suspicious, giving them more time to execute their objectives while evading detection. These tactics are increasingly favored because they avoid the need for the attacker to introduce external or easily identifiable tools, making them more stealthy and harder to trace.

Volt Typhoon

As a case in point, Trellix telemetry data shows that Volt Typhoon makes heavy use of command-line tools like Cmd (Command Prompt) and ARP (Address Resolution Protocol) to explore the system and conduct network discovery after gaining initial access to a target environment. The attackers execute a variety of commands to gather data about the system's resources, user accounts, and running processes. At the same time, ARP can help map out network infrastructure by identifying devices and their respective IP addresses.

For lateral movement, our data suggest that Volt Typhoon threat actors utilize Dnscmd (a command-line utility for DNS server management) to manipulate DNS records, enabling further network traversal and persistence through DNS-based changes. They also leverage Impacket, a suite of Python tools, for remote code execution, system enumeration, and maintaining persistent access. For data exfiltration, Volt Typhoon uses 7-Zip to compress stolen data for easier transfer and FRP (Fast Reverse Proxy) for tunneling, bypassing firewalls and NAT (Network Address Translation) devices by establishing reverse shell connections to external systems. These tools enable efficient and covert exfiltration, evading detection by traditional security measures.

To maintain long-term access to the compromised network, Volt Typhoon employs stealthy persistence techniques, as indicated by Trellix detection data. They use tools such as Dnscmd and Ldifde (LDAP Data Interchange Format Directory Exchange) to modify DNS records, ensuring malicious traffic is routed to their command and control servers. Additionally, Ldifde is utilized to manipulate Active Directory (AD) data, creating or altering accounts to maintain access even if initial entry points are detected and blocked. These methods make it difficult to fully remove their presence from the compromised network.

Salt Typhoon

Similarly, many of the top-ranked tools detected in use by Salt Typhoon are legitimate system utilities or widely used software, which makes them particularly effective for evading detection. These tools include, but are not limited to, Comsvcs.dll (a Windows system file for COM+ services), Dnscmd (a command-line utility for DNS server management), Ldifde (a tool for importing and exporting data from Active Directory), and Cmd (the Windows Command Prompt). This strategy of leveraging existing system utilities underscores the group’s advanced tactics for stealthily navigating and compromising target environments.

The above-mentioned top detected tools in Salt Typhoon’s operations show exceptionally high detection counts, indicating these tools are frequently deployed throughout their campaigns. The repeated use of these tools across multiple attacks suggests Salt Typhoon has strategically refined and standardized its toolkit over time, making it a core part of its attack methodology.

For this report, the following section looks at two sets of data:

• Victim posts: Public posts from groups sharing the details of their victims
• Trellix telemetry: Data from the Trellix ATLAS campaign and detection data set

Ransomware group activity

The ransomware ecosystem continues to evolve, with RansomHub maintaining its position as the most active group. However, the most notable development is Cl0p’s dramatic resurgence, firmly established as the second most active group. This marks a significant shift from our last report, when Cl0p was not among the top five actors.

Cl0p’s remarkable comeback

Cl0p’s activity shows a striking pattern over the reporting period.

This exponential growth in activity culminated in March 2025, when Cl0p published more victim posts than any other group in a single month during this reporting period. Our analysis suggests this surge is linked to Cl0p’s exploitation of vulnerabilities in managed file transfer systems, particularly targeting Cleo’s products through CVE-2024-50623 and CVE-2024-55956.

The resurgence of Cl0p demonstrates how quickly ransomware groups can adapt and return to prominence. Security leaders should avoid complacency when major threat actors appear to be in decline, as they often regroup and return with new tactics. Maintain a defense-in-depth approach that addresses current and emerging threats, with particular attention to critical data transfer systems that can serve as entry points for widespread compromise.

LockBit3’s diminished presence

LockBit3, once a dominant force, has seen its activity significantly reduced following sustained law enforcement actions. With just 40 victim posts over the six months (compared to 423 from RansomHub), LockBit3 has fallen out of the top 20 most active groups. This decline demonstrates the potential effectiveness of coordinated international law enforcement efforts when sustained over time.

Emerging groups

Between October 2024 and March 2025, we’ve witnessed several new ransomware operations, with Funksec and Vanhelsing standing out as legitimate new threats, while Babuk 2.0 has been identified as an impersonation attempt.

Funksec: The new powerhouse

Funksec has quickly established itself as one of the most sophisticated new ransomware operations. Since its emergence in December 2024, the group has demonstrated a level of technical sophistication and organizational structure that sets it apart from typical newcomers in the ransomware landscape.

The group's ransomware is built using the Rust programming language, demonstrating their technical acumen and focus on modern development practices. Their operation has already evolved to version 2.0, incorporating enhanced anti-detection capabilities and a comprehensive attack infrastructure.

What makes Funksec particularly noteworthy is their business approach. They've established a full-service criminal enterprise, operating a sophisticated Ransomware-as-a-Service (RaaS) model with multiple revenue streams. Their infrastructure includes a blog, auction site (FunkBID), and forum, showing a level of organizational maturity unusual for a new group.

Babuk 2.0: The impersonator

Investigation into the supposed reemergence of Babuk as "Babuk 2.0" in early 2025 has revealed this to be an impersonation attempt rather than a legitimate ransomware operation. The group, operated by an actor using the handle "Bjorka," appears to be focused on data sales rather than traditional ransomware operations.

This impersonation attempt highlights a growing trend in the cybercriminal underground where actors attempt to capitalize on the reputation of established ransomware groups. The operation has been widely identified as fraudulent by underground forum members, primarily focusing on selling allegedly stolen data rather than conducting actual ransomware operations.

Vanhelsing: The new entrant

Vanhelsing represents the newest addition to the ransomware landscape, having emerged in March 2025. While their operations are still in their infancy, with only four recorded attacks, they've already demonstrated a capacity for sophisticated target selection and global reach.

The group has shown particular interest in high-value sectors, including electronics manufacturing, government institutions, and pharmaceutical companies. Their geographical focus appears to be primarily on Western nations, with confirmed activities in the United States, France, and Italy.

Given their recent emergence, technical details about their ransomware strain remain limited, and their operational patterns are still developing. However, their initial target selection suggests a well-planned and strategic approach to operations.

Targeted sectors

Based on ransomware group sites, the industrial sector emerged as the overwhelming target for ransomware actors, accounting for over a third of all attacks with identified sectors. This represents a significant concentration of activity and suggests ransomware groups are increasingly focused on organizations where operational disruption can create maximum pressure to pay.

Consumer services organizations rank second, highlighting the targeting of businesses that directly interface with customers, where service disruptions can quickly lead to reputational damage and revenue loss. Technology companies remain highly targeted, likely due to their valuable intellectual property and the potential for supply chain attacks that could affect their customers.

Healthcare organizations continue to face significant threats, consistent with previous reporting periods. The persistent targeting of this sector is particularly concerning given the potential impact on patient care and safety.

Finally, the correlation between campaigns and detections shows consistent targeting of critical sectors with government/administration, finance, and manufacturing sectors generating the most detections of ransomware activity.

Geographic distribution

The United States continues to be the overwhelming focus of ransomware attacks, accounting for nearly 58% of all victim posts with identified locations. This represents a significant increase from the previous reporting period (42%), suggesting ransomware groups are intensifying their focus on US-based organizations.

While developed Western economies remain primary targets, India’s position in the top five most targeted countries represents a notable shift. This suggests ransomware groups are increasingly expanding their focus to include rapidly developing economies with growing digital infrastructure. India’s rise in the rankings indicates organizations in emerging markets should be particularly vigilant about ransomware threats.

For government agencies, industrial organizations, and financial institutions, enhance monitoring on critical systems such as PowerShell and other command-line tools. Deploying geolocation-based access controls and applying additional security measures in high-risk regions is also recommended.

TTPs detected

PowerShell and Cobalt Strike remain the preferred tools for ransomware operators.

Security operations teams should monitor for anomalies in the use of legitimate administrative tools (e.g., Net, PsExec, AnyDesk) and secure file transfer systems through regular patching and enhanced surveillance. This should also include extending security controls beyond Windows to include Linux and mobile platforms.

Ransomware outlook

The October 2024 to March 2025 period reinforces ransomware remains a dynamic and persistent threat. While law enforcement actions have disrupted some major players, the overall ecosystem continues to thrive through adaptation and innovation. The dramatic resurgence of Cl0p, continued dominance of RansomHub, and emergence of new actors all point to a threat landscape that will continue to challenge security teams throughout 2025.

Post Translation

Toggle Translation

The threat actor claims their GABBERS SHOP has consolidated over half a billion unique strings and the starting price for a URL begins at $0.30 USD. The Gabber77 allegedly implemented an AI-powered validation system for their criminal marketplace, focusing on automated data cleaning and verification. Their AI software seems to employ pattern recognition mechanisms to validate stolen credentials, significantly improving the efficiency and reliability of their illegal operations. 

The automated nature of the system, combined with its high claimed accuracy rate, indicates sophisticated machine learning models are being used to process, de-duplicate, and validate large volumes of stolen credentials in real-time. This represents a significant evolution in the automation of criminal marketplaces, with AI being used to enhance the quality and reliability of illegal services.

AI-based Telegram management console

On November 12, 2024, an underground threat actor E-137 on BreachForums advertised their Telegram bot called “X137 Management Console” designed to enhance Telegram user experience. It offers a wide range of powerful features, including an AI component powered by Gemini API.

The actor E-137 advised their pricing varies from 10 USD weekly to 100 USD for 6 months of tool usage. According to the demo shared, the X137 has two AI models: PXS, a lightweight model optimized for speed and ideal for simple tasks, and NEX, a recommended larger model designed for accuracy and best for complex analysis and creative work.

The threat actor developed a sophisticated Telegram automation tool that leverages the Gemini API for censorship-free AI-powered tasks. The system's AI capabilities are specifically trained on criminal datasets, including carding, hacking, OSINT and other uncensored datasets, enabling automated fraud operations and social engineering attacks. The integration of the psychological dataset suggests the X137 tool can potentially leverage human behavior manipulation and exploit psychological vulnerabilities.

The Telegram bot’s AI implementation focuses on automated message analysis and response generation, allowing for scalable social engineering operations across multiple Telegram accounts simultaneously. Including specialized criminal datasets and OSINT capabilities indicates this tool is designed for coordinated fraud campaigns and intelligence-gathering operations, with the uncensored AI models handling target profiling, automated conversations, translation, and data collection.

Phone calls with AI voice cloning

On January 28, 2025, an actor PatrickCompany created a thread on XSS.is forum called “[FIRST TIME ON MARKET] AI calls | WhatsApp & Telephone | Any voice, any language” where they offered an AI-based innovative solution in the world of phone calls.

Post Translation

Toggle Translation

The offered service combines advanced conversational AI with remarkably convincing voice synthesis technology, enabling seamless humanlike interactions across multiple languages. What makes this particularly noteworthy is its ability to clone voices from recordings and maintain context-aware conversations that can adapt to unexpected situations. The system's integration capabilities with various communication channels, including traditional telephone and popular messaging platforms like WhatsApp, alongside its ability to handle multiple concurrent calls, suggests a level of sophistication previously unseen in automated calling systems.

The criminal implications of this technology are profound and far-reaching. Imagine a scenario where cybercriminals deploy this system to impersonate bank officials or corporate executives at scale. They could simultaneously target hundreds of victims with convincing, contextually aware conversations, each using a perfectly cloned voice of a trusted authority figure. Financial institutions, in particular, face a significant challenge as their voice-based authentication systems could be compromised by the AI voice cloning capabilities, while their customers become targets of increasingly convincing social engineering attacks.

Black Basta ransomware’s usage of AI

Trellix's recent analysis of Black Basta ransomware chat leaks revealed that ransomware operators internally utilize AI for various malicious purposes. These include creating fraudulent formal letters in English, paraphrasing text, rewriting C#-based malware in Python, debugging code, and collecting victim data. Notably, Black Basta RaaS members frequently employed ChatGPT to facilitate these illicit activities.

In the case below, Black Basta actor NN unintentionally logged into an active user's PC on the victim organization's network, which notified the user of a remote login within their current session. NN then quickly used ChatGPT to create a deceitful message, falsely claiming that a professional network check was being performed and assuring the user there was no reason for alarm.

The Black Basta coder, mecor, also used ChatGPT to troubleshoot and fix a runtime error in the ARM build of a Go-based proxy server they developed, which included builds for ARM/Linux.

YY (coder of Black Basta) was instructed to rewrite the tools in Python as some of the gang’s malware got detected by AV/EDR. GG (Black Basta ransomware leader) asked YY to use ChatGPT for that, and if ChatGPT would complain about malware, YY can instead provide code in chunks. YY later inquired if GG's suggestion was to rewrite C# in C#, revealing that GG instructed to rewrite the malware from C# to Python using ChatGPT.

Here GG requested that Tinker (negotiator) gather victim company contacts and emails from various sources for the purpose of spamming and calling. GG inquired about the resources Tinker utilizes, to which Tinker responded he uses an email database for spamming, verifies contacts via LinkedIn, and that with the new ChatGPT, everything is being automated through their API services.

Threat actors consistently endeavor to leverage vulnerabilities as a primary method of malicious operations, targeting a wide array of digital assets. These exploitable weaknesses can manifest in multiple forms, including software bugs that arise from errors in code, misconfigurations that stem from improper system setup, or fundamental design flaws inherent in the system's architecture.

These findings emphasize the critical and ongoing need for organizations to prioritize immediate patching of identified vulnerabilities, implement robust and multi-layered security measures, and maintain continuous monitoring of their environments to detect and respond to these evolving threats effectively, thereby strengthening their overall security posture.

Key findings

The Trellix Advanced Research Center has prioritized a subset of the vast number of CVEs published annually for in-depth analysis. While the total number of disclosed vulnerabilities is substantial – projections for 2025 suggest 41,000 to 50,000 new CVEs, while over 11,000 were recorded in Q4 2024 alone.

The most common attack types observed were:

1. Remote Code Execution

2. Cross-Site Scripting

3. Memory Corruption

4. Elevation of Privilege

5. Path Traversal

The distribution of the analyzed CVEs across different product categories highlights the foundational nature of operating systems and network devices in IT infrastructure, making them attractive targets for attackers. The significant number of vulnerabilities in enterprise software also underscores the risks associated with business-critical applications. Even the substantial percentage of vulnerabilities in development tools indicates a growing awareness of the potential for supply chain attacks.

The top five CVEs Trellix observed in our telemetry are:

1. CVE-2022-26134 (Atlassian Confluence): This critical vulnerability is an unauthenticated Object-Graph Navigation Language (OGNL) injection flaw that allows for remote code execution (RCE) on affected versions of Atlassian Confluence Server and Data Center products (excluding the Cloud offering). The severity of this vulnerability and relative ease of exploitation make it a desirable target for malicious actors seeking to gain control over vulnerable systems.

2. CVE-2021-26084 (Atlassian Confluence): Like CVE-2022-26134, this is a critical OGNL injection vulnerability that permits unauthenticated attackers to execute arbitrary code on vulnerable Atlassian Confluence Server or Data Center instances. This type of vulnerability provides attackers with a significant level of control over the affected systems.

3. CVE-2023-35078 (Ivanti EPMM): This critical vulnerability represents a remote unauthenticated API access flaw in Ivanti Endpoint Manager Mobile (EPMM), previously known as MobileIron Core. Unauthenticated remote actors' access to critical management interfaces poses a significant security risk. Successful exploitation of CVE-2023-35078 can enable unauthorized actors to potentially access users' personally identifiable information (PII) and make limited modifications to the affected server.

4. CVE-2023-29357 (Microsoft SharePoint): Privilege escalation vulnerabilities are particularly dangerous as they allow attackers who may have gained initial, limited access to a system to elevate their privileges to a higher level, potentially gaining administrative control. CVE-2023-29357 enables unauthenticated attackers to achieve administrator-level privileges to a vulnerable SharePoint Server.

5. CVE-2023-42793 (JetBrains TeamCity): This vulnerability affects JetBrains TeamCity, a widespread continuous integration and continuous delivery (CI/CD) server used in software development.

Impacted products and platforms

The distribution of vulnerabilities across different environment types revealed Enterprise Infrastructure was the most affected, followed by Development Environment, End-User Systems, and Industrial Systems. This distribution indicates attackers primarily target core enterprise assets, but development environments and end-user systems also represent significant risk areas.

Several specific products and product categories experienced significant vulnerability during the reporting period.

• Microsoft Windows Components, including TCP/IP (CVE-2024-38063), Task Scheduler (CVE-2024-49039), LDAP (CVE-2024-49113), and NTLM (CVE-2024-43451), were heavily affected by vulnerabilities, many of which were actively exploited.

• Security infrastructure products from vendors like Fortinet (FortiManager/FortiGate), Ivanti (Connect Secure VPN, EPMM, Cloud Service Application), and Palo Alto Networks (PAN-OS) were also prime targets, experiencing multiple zero-day vulnerabilities and active exploitation by various threat actors. 

• Network infrastructure products, encompassing Cisco ASA and Cisco IOS, VPN systems, management interfaces, authentication systems, and network management tools, also presented a considerable surface for attack. In network infrastructure, Remote Code Execution dominated 41%, followed by Denial of Service (27%) and Authentication Bypass (19%).

• Enterprise applications, such as Microsoft Exchange, Oracle WebLogic, IBM Enterprise products, VMware ESXi, and BeyondTrust security tools, were identified as affected by vulnerabilities. For enterprise applications, SQL injection was the most frequent at 31%, followed by Authentication Bypass (28%) and Information Disclosure (25%).

Web browsers (Mozilla Firefox and TOR Browser) also saw regular exploitation attempts, and Mobile Platforms (Samsung Firmware) showed emerging exploitation patterns.

This underscores the critical importance of having robust threat intelligence capabilities and advanced security solutions that can detect and mitigate novel attacks. The focus on platforms like Windows and essential infrastructure components such as VPN gateways highlights the strategic intent of attackers to gain widespread access and control over targeted environments.

This underscores the importance of continued employee education on phishing attacks through security awareness training and simulated exercises. 

Password spray attacks increase

Following Midnight Blizzard’s use of a password spray to access Microsoft's corporate email accounts, our last report detailed this method for the first time. Password sprays are an effective brute-force attack method. They are particularly attractive to cyber threat actors because they can be difficult to attribute as they are most often executed from globally distributed IP addresses leveraging botnets and services, and many organizations don’t have effective brute force detection. This leads to a high return on investment with a relatively low risk of detection, and they can take advantage of weak password policies and partial MFA deployments.

Between 2024 Q4 and 2025 Q1, the Trellix Advanced Research Center observed password spray attempts directed across regions and sectors.

• Expanding surface: While password spray attempts targeting Microsoft 365 grew 21% in Q1 2025 compared to Q4 2024, attempts targeting Cisco ASA VPN increased 399%. Interestingly, attacks targeting Okta had a sharp decrease. As attacks against cloud service authentication were rampant in 2024, attackers may be increasingly branching out to more traditional vectors like corporate VPNs. Cloud service providers like Microsoft 365 also offer sophisticated brute force and password spray detection capabilities, while VPN systems may not have such robust monitoring systems.

• Highly targeted: While Microsoft 365 authentication attacks on individual companies reduced the number of targeted organizations by 25%, the total volume of attacks increased quarter over quarter by 21% in Q1 of 2025. This may indicate a more focused approach; threat actors may have obtained a large list of usernames for these particular organizations, or inferred the usernames by learning the username naming pattern and finding a list of employees, to attempt authenticating to each account with a large list of passwords.

Comparison with previous six months

Compared to the previous report covering Q2-Q3 2024, several trends remain consistent, while others show evolution:

• The abuse of dual-use tools like PowerShell and CMD remains a persistent challenge

• Ransomware continues to be a major threat, with new variants and tactics emerging

• Phishing remains a prevalent initial access vector, with threat actors continuously refining their techniques

• There is a continued diversity in threat actors, ranging from APT groups to financially motivated cybercriminals

• Both reports highlight the targeting of a wide range of sectors, with government and finance remaining key targets

A notable difference is the increased visibility of attacks leveraging Linux-specific malware and techniques, which may indicate a shift or expansion in targeting by threat actors. Additionally, the emergence of AI-based social engineering tactics, as seen in the FIN7 campaign, suggests an ongoing evolution in attack sophistication.