Cybersecurity threatscape: H1 2025

This report contains information on current global cybersecurity threats based on Positive Technologies own expertise, investigations by Positive Technologies Expert Security Center, and reputable sources.

We estimate that most cyberattacks are not made public due to reputational risks. As a consequence, even companies specializing in incident investigation and analysis of hacker activity are unable to quantify the precise number of threats. Our report seeks to draw the attention of companies and individuals to the key motives and methods of cyberattacks, as well as to highlight the main trends in the changing cyberthreat landscape.

Our incident database is updated regularly. However, some incidents may be reported long after the actual attack took place. This report reflects the most current information available at the time it was first published.

This report considers each mass attack (for example, phishing emails sent to multiple addresses) as one attack, not several. For explanations of terms used in this report, please refer to the Positive Technologies glossary.
 

In the first half of 2025, cybercriminals primarily targeted government institutions (21% of all successful attacks on organizations), the industrial sector (13%), IT companies (6%), and healthcare organizations (6%). The most common methods used in successful cyberattacks on organizations were malware (63%), social engineering (50%), and exploitation of vulnerabilities (31%). During the period under review, data breaches occurred in 52% of successful attacks on organizations and 74% of those targeting individuals. The proportion of attacks that disrupted core operations of organizations rose by 13 percentage points from the prior half-year and by 15 percentage points versus H1 2024, driven by increased activity from ransomware groups and hacktivists. In 26% of successful attacks on individuals, victims suffered financial losses, continuing the trend from late 2024.

Government agencies accounted for 21% of successful attacks on organizations—up 6 percentage points from the second half of 2024. The share of attacks on the public sector hasn't been this high since 2022. The increase is tied to global geopolitical tensions, which have fueled both politically motivated hacktivist campaigns and heightened activity of APT groups. Hacktivists seek to disrupt critical infrastructure, steal or wipe data, and damage reputations, whereas APT groups primarily pursue cyberespionage. Security researchers report that in H1 2025, APT attacks against corporate networks rose 27% year over year.

The primary goals of attackers targeting the public sector are to disrupt agency operations (68% of attacks) and to harm state interests (29%). In February 2025, Roskomnadzor reported fending off 822 DDoS attacks on Russian government systems, with the longest attack running for 71 hours. In May, a massive DDoS campaign triggered a major outage across several core government services, including the Federal Tax Service platform, Goskey (legally binding e-document signing service), Chestny ZNAK (product track-and-trace system), and regional systems such as Moscow's EMIAS (e-health platform). For hours, users nationwide couldn't access digital services, sign documents, or file reports.

Throughout H1 2025, the hacktivist group NoName057(16) launched repeated, large-scale DDoS attacks. Targets included government agencies, airports, banks, and other organizations in Switzerland, France, Italy, Romania, and Germany. The attacks disrupted victims' websites for prolonged periods.

Data exposure remains significant: 32% of attacks on government agencies led to theft of sensitive data. In January, the APT group Sticky Werewolf (also known as Angry Likho) prepared a new wave of targeted attacks on government organizations and their contractors in Russia and Belarus, using the Lumma infostealer and other malware to exfiltrate data and gain control over devices. Primary targets included crypto wallets and employee accounts.

Between late 2024 and early 2025, PT ESC Threat Intelligence observed a new Cloud Atlas APT campaign against Russia's defense industry. The group relied on its usual initial access vector: phishing emails carrying weaponized Microsoft Office documents.

In early February, threat actors published over 50 GB of documents from 21 Taliban government institutions. The dump reportedly includes sensitive material such as lists of political prisoners and travel-ban records for certain civil servants.

Spain's city of Melilla suffered a citywide IT outage lasting three days, allegedly due to a ransomware attack. The incident severely degraded public services and disrupted municipal operations.

Blurring the line between hacktivism and profit-driven crime, adversaries are using advanced tradecraft to maximize impact on the public sector. Since mid-2024, the group BO Team has mounted sophisticated campaigns against Russian public-sector entities—not only government bodies but also IT, industrial, and telecom firms—mixing ideological messaging with financial extortion. Their modus operandi includes stealthy spear-phishing for initial access, followed by destructive actions (data wiping, denial of access to critical systems) and, in some cases, ransom demands to restore functionality.

In successful attacks on organizations, ransomware usage rose by 6 percentage points versus H2 2024 (43% → 49%) and 8 percentage points versus H1 2024 (41% → 49%). The increase is partly driven by hacktivists adopting ransomware primarily as a disruptive tool to deny access to critical data rather than for monetization. Meanwhile, financially motivated actors continue to rely on ransomware because it remains an effective moneymaker.

In February 2025, Russian small and medium-sized businesses faced a new threat—the PE32 ransomware that affected dozens of companies. Ransom demands ranged from $500 to $150,000, typically payable in Bitcoin.

Cyberattacks rarely pose a direct threat to human life, but when hospitals and other healthcare organizations are targeted, the danger becomes real. A major New York blood center suffered a ransomware attack that affected its donor management platform used for scheduling appointments, managing donor records, processing lab results, and tracking distribution. This led to a complete shutdown of collection facilities and the cancellation of upcoming blood drives. As a result, the center reported a 30% drop in available blood supply.

In March, a ransomware attack crippled fire-and-rescue services across three Czech regions, taking down IT systems and knocking out mission-critical applications needed for daily operations.

Government agencies remained the top target of ransomware attacks in Q1 2025, but their share dropped from 23% to 18% in Q2. A key driver behind this trend is stricter public policy on cyber extortion. As we mentioned earlier, many countries have enacted legal bans on paying ransoms, which lowers the payoff and makes public-sector entities less attractive to cybercriminals. As a result, threat actors pivoted to less protected targets—especially industrial enterprises—in Q2. The share of attacks on the industrial sector rose from 8% in Q1 to 19% in Q2, with ransomware employed in 21% of the incidents. According to our data, ransomware infections are increasingly spreading beyond corporate IT into critical systems and OT environments, with potential for severe impacts: halted production, equipment outages, and substantial financial loss. The move toward industrial targets is also economic: manufacturers' dependence on uptime and process continuity increases the likelihood they will pay.

In April 2025, the biopharmaceutical company MJ Biopharm was hit by a ransomware attack, resulting in the encryption of 15 servers holding sensitive data. The cyberattack severely disrupted the company's operations, cutting off access to critical data and paralyzing internal systems. The unknown attacker left a message demanding $80,000 for the decryption key.

In H1 2025, social engineering continues to rank among the leading attack methods against both organizations (50%) and individuals (93%). Email remains the dominant channel in campaigns targeting organizations (88%), while websites lead in attacks on individuals (69%). Threat actors are also leaning more on messaging apps in scams against individuals: usage of this channel rose by 11 percentage points versus H2 2024. Telegram has become a favored platform for cybercriminals. It serves both as a mainstream messaging app and as an efficient distribution point for illicit goods and services. Its perceived privacy, anonymity, usability, and independence from other information sources foster user trust—and expand the pool of potential victims. According to the Coordination Center for .RU/.РФ domains, attacks against Telegram users surged 19 times in the last two months of 2024.

Since early 2025, threat actors have increasingly distributed malware through websites. In the first half of the year, the share of such attacks reached 13%—nearly double the figure from the same period last year and the highest level in three years. The trend is fueled by scams that leverage mainstream platforms and can fool even the most cautious users. Let's examine the key schemes.

Public code repositories seeded with malware

GitHub and GitLab have become go-to platforms for hosting and distributing malicious payloads. Threat actors spin up fake projects to lure victims into running malicious code that fetches and executes additional components from attacker-controlled repos—ultimately dropping remote access trojans (RATs) and spyware on victim devices.

One campaign, observed in Russia, Brazil, and Turkey, impersonated open-source projects on GitHub to target gamers and crypto investors. The advertised functionality was entirely bogus; the payload was an infostealer used to exfiltrate personal data, banking details, and crypto wallet addresses.

The intended victims of such attacks are software developers. By inserting malware into developer workflows, adversaries can compromise individual victims as well as the downstream projects and systems they contribute to.

The Lazarus group has actively leveraged this approach. In a developer-focused attack, the group delivered a JavaScript implant via an open-source repository. The implant collects system metadata and can be embedded into websites and npm packages, creating a software supply chain exposure. At least 233 victims have been confirmed across the U.S., Europe, and Asia.

Typosquatting

In the first half of 2025, the typosquatting technique¹ became widespread. Open-source ecosystems are particularly vulnerable, as they are often used by developers in both personal and commercial projects. Attackers rely on developers or regular users to accidentally make a typo when entering the names of libraries or packages—and end up downloading fake packages that have similar names.

Recently, Socket researchers identified six malicious npm packages attributed to Lazarus and engineered to steal credentials, deploy backdoors, and exfiltrate sensitive crypto-related data. These packages had been downloaded 330 times.

In June 2025, security researchers reported a new wave of attacks through infected packages in the Python Package Index (PyPI) repositories and npm. Threat actors disguised malicious code as legitimate libraries used in Python and JavaScript development. For example, a PyPI package named chimera-sandbox-extensions posed as an ML tool but actually exfiltrated authentication tokens, environment variables, and configuration data. In the npm ecosystem, researchers from Veracode and SafeDep discovered multiple malicious packages that were downloaded over 3,600 times in total. These packages used heavy obfuscation and multi-stage infection chains, ultimately dropping remote access trojans (RATs) that gave attackers full control over compromised systems.

PT ESC researchers likewise found malicious PyPI packages targeting developers, ML practitioners, and hobbyists interested in integrating DeepSeek into their systems. Post-install, the packages collected host and user metadata and siphoned off environment variables. The payloads were triggered via CLI commands "deepseeek" or "deepseekai"—depending on the package. Because environment variables often contain sensitive data required for applications to run—such as API keys for the S3 storage service, database credentials, and other infrastructure access tokens—this posed a significant risk.

Email remains the top malware delivery channel for attacks on organization, from early last year through today. Recently, though, threat actors have been moving away from classic payloads like weaponized docs and malicious links, favoring formats that evade detection more easily.

Windows LNK files are normal shortcuts that point to files, folders, or programs and are generally seen as benign because they don't inherently contain executable code. However, attackers have learned to abuse LNK behavior to launch malware. Palo Alto Networks reports that detections of malicious LNK files have more than tripled year-over-year.

This technique has been adopted by many hacker groups specializing in cyberespionage and financial crimes, including Kimsuky, Confucius, Skeleton Spider, Ocean Lotus, and Charming Kitten. In April 2025, researchers from Seqrite Labs reported a campaign called Swan Vector, attributed to one of the APT groups operating in East Asia. The campaign targeted educational institutions and mechanical engineering firms in China and Japan. The attackers used phishing emails with archive attachments containing malicious LNK files that kicked off a multi-stage infection chain.

In another series of attacks targeting Russian organizations in the industrial, energy, and utilities sectors, the PhantomCore group also used phishing emails containing archives with malicious LNK files disguised as PDF documents. Clicking the shortcut deployed a backdoor, giving the operators remote control of the infected system. The objective was data theft and long-term covert persistence inside the victim network.

Cybercriminals also actively use LNK files in attacks targeting individuals. In a recently discovered phishing campaign, malicious shortcuts posing as tax documents triggered a multi-stage infection chain via PowerShell commands that downloaded Stealerium, a piece of spyware designed to steal personal data, passwords, browser information, cryptocurrency wallet details, and other sensitive data.

Throughout the first half of 2025, we observed attacks that utilized the ClickFix technique to gain initial access. It is based on social engineering that tricks users into initiating the infection of their device with malware. Attackers disguise malicious actions as familiar UI elements: CAPTCHA, file opening instructions, software updates, or system notifications. The visual design of these elements closely mimics that of legitimate processes, which significantly lowers user vigilance and increases the effectiveness of such attacks. According to ESET Research, ClickFix usage surged over 500% in H1 2025 versus H2 2024.

Most such attacks target Windows users and involve running PowerShell scripts on the target device, with these scripts subsequently downloading ransomware or infostealers. However, in Q2 2025, researchers from Hunt.io spotted a Linux-tailored variation of the ClickFix technique. The attack, attributed to APT36 (Transparent Tribe), begins with a phishing website offering users a fake press release. When the link is followed, the site detects the user's operating system and redirects the user to an OS-specific CAPTCHA page. As a result, the system uploads a bash script that retrieves a JPEG image from the attackers' server. Although the current version of the script appears harmless, researchers believe this attack vector is still in a testing phase. In the future, attackers could swap the image for malicious code enabling full remote control or theft of sensitive data.

In the second quarter of 2025, ClickFix appeared for the first time in attacks against Russian organizations. Previously, such attacks were observed only against non-Russian targets. Threat actors sent phishing emails with PDF files disguised as official notices from law enforcement agencies, using fake CAPTCHA to coax users into manually executing malicious code. The attack chain involved loading a remote access trojan concealed in PNG images with political memes, enabling data theft and remote control of infected hosts. At least 30 Russian organizations were impacted in May and early June.

In Q2, malware featured in 76% of successful attacks on organizations, up 26 percentage points quarter-over-quarter and 12 percentage points versus Q2 2024. Malware remains a highly effective tool: it enables rapid initial access to target systems, long periods of stealth, and persistent control of compromised assets. The .RU/.РФ Domain Coordination Center also reported continued growth in malware distribution across the Russian segment of the internet in April.

However, as malware detection mechanisms improve, threat actors are forced to find fresh evasion paths, developing ever stealthier malware variants. Between April and June, for example, Arctic Wolf Labs reported new GIFTEDCROOK spyware builds that have matured from a basic browser data grabber into a capable cyberespionage platform. Versions 1.2 and 1.3 gained functionality that allows them not only to steal data from popular browsers, but also to scan the file system for documents created or modified within the last 45 days, with priority on specific types (DOC, PDF, XLSX, EML, and others) and VPN configuration files. With these upgrades, operators can exfiltrate not only credentials but also highly sensitive data, including commercial or state secrets.

Operators of malware distributed under the malware-as-a-service (MaaS) model are particularly creative in introducing new capabilities. In a recent update to their ransomware, the Qilin group introduced a Call Lawyer feature that brings in attorneys to amplify pressure on victims and drive ransom payments. Built into the ransomware admin panel, this feature offers consultations on maximizing financial impact, legal assessments of stolen data, and even direct negotiations with the victim organization.

Another example is the Anubis ransomware virus, which recently received a new module called wiper. This module adds functionality that allows malware to not only encrypt files but also completely delete them from the compromised device. When triggered, the wiper erases the contents of targeted files, leaving only filenames and directory trees behind. This means that even if a victim pays the ransom, recovery is impossible because the files are reduced to empty 0-KB stubs.

In H1 2025, ransomware was most frequently used in successful attacks against organizations (49% of attacks), followed by RATs (33%) and spyware (22%). In successful attacks against individuals, the trend toward using spyware (45%) persisted throughout the period, along with continued elevated interest in banking trojans (20%, up 6 percentage points from the previous half-year and up 8 percentage points compared to H1 2024). According to ThreatFabric, campaigns distributing the banking trojan Crocodilus have significantly expanded since March 2025. Initially, it was spotted across Europe, with attackers primarily focusing on Turkey. However, recent data indicates an increase in campaigns targeting other European countries as well as South America. One Poland-focused campaign stood out: the attackers disguised the trojan as official banking apps and e-commerce platforms. To drive distribution, they used Facebook ads offering bonus points for downloading the app.

Cybercriminal toolkits are constantly expanding through the development of new malware. Analysts at Insikt Group identified two new malware families—TerraStealerV2 and TerraLogger—linked to the Golden Chickens group (also known as Venom Spider), recognized for its MaaS offerings used by cybercriminal groups such as FIN6 and Cobalt Group. TerraStealerV2 is aimed at stealing browser-stored credentials, cryptocurrency wallet data, and Chrome extension artifacts. It uses Telegram and legitimate Windows utilities to exfiltrate stolen data. TerraLogger is a standalone keylogger that writes keystrokes to local files. Both malware families are still under active development and currently lack the stealth seen in Golden Chickens' more mature tooling. But given the group's track record, further improvement of these tools is likely.

Malware loaders (or droppers) are another illustration of how rapidly modern malware is evolving. According to our data, these malware types gained particular popularity among cybercriminals in Q2: loader use in attacks on organizations reached its highest level since early 2023, roughly tripling quarter-over-quarter. This aligns with the shift toward more complex cyberattacks: threat actors increasingly deploy loaders for multi-stage malware deployment to complicate detection and analysis. At the early stages of an attack, heavily obfuscated or polymorphic components are used to conceal their true purpose from antivirus programs. The actual payload—such as stealers, remote access trojans, or ransomware—is delivered only at the final stage. One case involved the ModiLoader (DBatLoader), delivered via phishing emails with attachments disguised as official banking documents. The attack's final stage deployed SnakeKeylogger spyware, which captures keystrokes, scrapes clipboard contents, and harvests stored credentials.

In Q2, we are also seeing an increase in the use of legitimate software in successful attacks on organizations (11%, which is 7 percentage points higher than in Q1 2025, and 9 percentage points higher than in Q2 2024). Threat actors are constantly adding new legitimate software to their toolkits. In a recent attack by the Fog ransomware group, Symantec discovered a highly unusual toolkit, which included both legitimate software and obscure open-source utilities. Among them was Syteca—a legitimate program designed for remotely monitoring employee activity, with screen capture and keylogging capabilities. Syteca was covertly delivered via the Stowaway proxy tool and executed through Impacket's SMBExec. The operators also leveraged popular utilities such as PsExec, Process Watchdog, 7-Zip, MegaSync, and FreeFileSync.

In late May 2025, PT ESC reported new attacks by the Rare Wolf group (also known as Rezet), targeting Russia's defense industry. In this campaign, the actors shifted from using ngrok (a publicly available tunneling tool) to establishing a stealthier, more resilient C2 link via a reverse SSH tunnel built with the Tuna utility and the sshd process.

In January 2025, DeepSeek released R1 (a free, open-source large language model) and drew significant attention in the global AI market. However, this newfound popularity has also attracted threat actors who are abusing the DeepSeek name for criminal purposes.

In one campaign, cybercriminals created phishing sites that mimicked DeepSeek's official website and used them to distribute malware. The familiar interface led unsuspecting users to believe they were downloading the official DeepSeek app.

In another campaign, cybercriminals created a convincing fake DeepSeek site linked to malicious Google ads. Clicking the download button dropped an MSIL-based trojan. Analysts also found additional fake Google ads written in various languages.

H1 2025 also saw a fresh wave of LLMjacking attacks targeting DeepSeek. Adversaries used an OpenAI reverse proxy to siphon cloud API keys and then resold model access through dark web services, causing substantial financial losses for owners of the compromised accounts.

In February 2025, xAI released a new version of its Grok chatbot, Grok 3, and made it free to all users. As with DeepSeek, threat actors piggybacked on the hype to push malware. One campaign registered look-alike domains mimicking DeepSeek V3 and R1 and lured users to download a supposed Windows client for access to the LLMs. The download was an archive with a previously unknown infostealer that harvested browser data, email credentials, gaming and other service accounts, and crypto wallet data. The operators later swapped the DeepSeek branding for Grok to ride the surge in interest after Grok 3's release, while keeping the same malware and delivery method.

The wave of similar incidents continued into the second quarter of the year. In May, researchers discovered that lesser-known ransomware groups had been leveraging the popularity of AI tools to spread the CyberLock, Lucky_Gh0$t, and Numero ransomware. Infection occurs through SEO poisoning and malicious ads: attackers push their phishing pages to the top of search results for queries related to AI tools.

In Q1, the share of attacks involving spyware dropped to 16%, largely because ransomware surged. However, spyware should not be underestimated. Compromised credentials offer attackers a cheap and easy way to gain initial access. Using credentials lifted by infostealers, threat actors then pivot to larger, more destructive follow-on attacks.

The HELLCAT group exemplifies this playbook. It breached several major companies and leaked stolen data on the dark web. The victims include Orange (France, telecom), Jaguar Land Rover (UK, automotive), and Telefónica (Spain, telecom). In each case, the intrusion reportedly started with a simple infostealer harvesting Jira or Confluence credentials. From there, the attackers rapidly exfiltrated large volumes of data from internal servers and later posted the dumps on dark web forums.

The Orange data leak totaled 7.19 GB and included internal documents and correspondence. Data stolen from Telefónica included 24,000 email addresses and names of employees, 500,000 Jira records, and 5,000 internal documents.

Jaguar Land Rover was hit by two back-to-back cyberattacks, five days apart, by different criminal groups. In both cases, the attackers used compromised Jira server credentials tied to an LG Electronics employee. Those credentials were stolen and dumped on the dark web back in 2021. The intrusions resulted in the theft of multiple gigabytes of sensitive data, including internal documents, source code, and personal data belonging to employees and partners.

Credentials and other sensitive data captured by spyware are often consolidated into centralized databases. Stealer operators, typically running a stealer-as-a-service business, sell access to these data collections to other cybercriminal groups, which leverage them in downstream attacks. However, misconfigurations can leave these databases exposed to the open internet, resulting in the disclosure of enormous troves of sensitive information. In June 2025, researchers discovered a publicly available database containing 16 billion records, including usernames and passwords for popular online services, social media, messaging apps, corporate systems, and government platforms, along with authentication tokens, cookies, and other metadata. While a portion of the data may be stale or previously leaked elsewhere, a meaningful fraction can remain valid. Such large-scale leaks increase the risk of intrusions into corporate networks via compromised employee credentials, especially given the common practice of registering for third-party services with corporate email addresses and reusing the same passwords across multiple sites.

Vulnerability exploitation remains one of the most effective vectors for attacking organizations, appearing in 31% of successful intrusions.

The most high-profile issue in Q1 was CVE-2025-0282, a critical vulnerability in Ivanti Connect Secure devices. This is an RCE vulnerability caused by a stack overflow. It enables unauthenticated remote attackers to execute arbitrary code on target devices. Multiple threat actors weaponized the flaw and used it at scale:

• Mandiant attributes active exploitation to the espionage group UNC5337 associated with China.
• Microsoft reports additional exploitation by Silk Typhoon (formerly known as Hafnium).
• Nominet, the official .UK registry and one of the largest domain registrars globally, was compromised via exploitation of this vulnerability.
• The U.S. agency CISA flagged a new malware variant dubbed RESURGE observed in exploits for this vulnerability. One of the key features of this malware is its ability to survive system reboots and covertly integrate into critical processes.

The headline issue in Q2 was CVE-2025-31324, a critical vulnerability in SAP NetWeaver (an application and data integration platform) that carries a maximum CVSS 3.1 score of 10.0. The vulnerability lets unauthenticated attackers upload arbitrary files—including malware—to targeted servers, enabling security bypasses and direct deployment and execution of malicious code on affected devices. At the height of exploitation, over 3,400 internet-facing SAP NetWeaver servers were vulnerable. Threat actors exploited this vulnerability in various attack scenarios:

• According to Forescout, the Chaya_004 group, allegedly linked to China, exploited the vulnerability to drop custom web shells and conduct espionage.
• EclecticIQ reported that the vulnerability was exploited by the UNC5221, UNC5174, and CL-STA-0048 groups to infiltrate corporate networks and steal sensitive data.
• According to ReliaQuest, the vulnerability was also exploited by ransomware operators BianLian and RansomEXX.

Other prominent vulnerabilities widely exploited in Q1–Q2:

• CVE-2024-4577 is a critical RCE vulnerability in PHP-CGI impacting Windows PHP builds running in CGI mode. It enables remote execution of malicious commands on Windows hosts. Since January 2025, threat actors have used it against Japanese organizations, aiming to steal credentials, gain persistence in compromised systems, escalate to SYSTEM privileges, and deploy additional tools and frameworks. GreyNoise warns that the same actors are conducting broad, global exploitation of vulnerable devices, with attacks surging since January 2025 in the United States, Indonesia, India, Malaysia, and beyond.
• CVE-2024-27564 is a server-side request forgery (SSRF) vulnerability in ChatGPT. It enables remote attackers to force the application to send arbitrary requests by injecting malicious URLs into certain parameters. According to Veriti, there have been more than 10,000 attack attempts per week originating from multiple threat actors. The primary targets are U.S. government agencies, but financial and healthcare organizations in Germany, Thailand, Indonesia, Colombia, and the UK have also been affected.
• CVE-2025-24071 is a vulnerability affecting various versions of Windows. It involves File Explorer's handling of .library-ms files during archive extraction: when such a file includes a link to a network share, Windows automatically processes it. If successfully exploited, the vulnerability allows attackers to intercept NTLM hashes through specially crafted network shares, enabling credential theft and increasing the risk of further compromise. PT ESC experts observed attempts to exploit this vulnerability in organizations across Russia and Belarus.
• CVE-2024-24919 is a vulnerability in Check Point security gateways that allows unauthenticated attackers to read arbitrary files on firewall devices. Attackers exploited this vulnerability to breach organizations in Europe, Africa, and the Americas. The attacks primarily targeted the manufacturing sector, but also affected healthcare, logistics, and energy companies.
• CVE-2017-11882 is a vulnerability in the Microsoft Office Equation Editor that enables attackers to execute arbitrary code as the current user. Exploitation requires crafting a malicious file and convincing the victim to open it. On January 27, the TA558 group conducted a large-scale phishing campaign targeting financial, logistics, construction, travel, and industrial companies in Russia and Belarus. Malicious email attachments triggered malware that exploited this vulnerability to deploy Remcos RAT, granting remote access to the compromised systems.
• CVE-2024-52875 is a critical CRLF Injection vulnerability in GFI KerioControl that allows remote code execution with just one click. The threat intelligence platform GreyNoise detected exploitation attempts from four different IP addresses. These actions were classified as malicious activity rather than security research. Data from Censys indicates that more than 23,000 KerioControl instances are publicly accessible online.
• CVE-2025-2783 is a critical vulnerability in Google Chrome for Windows that allows attackers to bypass the browser's sandbox and remotely execute arbitrary code on a victim's device. This vulnerability was exploited in APT attacks on Russian organizations in March 2025. The threat group Operation ForumTroll sent phishing emails with malicious links, and clicking these links resulted in previously unknown malware infecting Windows systems. The campaign primarily targeted government agencies, educational institutions, and media outlets, with espionage believed to be the attackers' main objective.
• CVE-2025-5419 is the second critical zero-day vulnerability that Google fixed in 2025. It affects Google Chrome versions earlier than 137.0.7151.68 on Windows, macOS, and Linux. By exploiting this vulnerability, an attacker can create a specially crafted HTML page that, when opened in Chrome, triggers a heap overflow, enabling the attacker to read or write data outside of the browser's allocated memory space. This makes the device susceptible to arbitrary code execution, allowing remote attackers to deploy malware. Such attacks can result in data theft, malware installation, or full system compromise.
• CVE-2025-4427 and CVE-2025-4428 are two vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) that have been under active exploitation since mid-May 2025. Researchers from Wiz report that both on-premises and cloud-based deployments are being targeted. CVE-2025-4427 enables attackers to bypass authentication and gain access to protected resources on vulnerable devices, while CVE-2025-4428 allows an authenticated attacker to execute malicious code remotely. When combined in an attack chain, these vulnerabilities can give threat actors full control over compromised devices, including the ability to deploy malware, extract configuration data, and move laterally within the corporate network.

For an extended list of the most prevalent vulnerabilities, please refer to our monthly digest on the website.

Most often, attackers succeeded in stealing sensitive information: this occurred in 52% of successful attacks against organizations and 74% of attacks against individuals. For organizations, another frequent outcome was disruption of core operations, resulting from 45% of successful attacks. This is an increase of 13 percentage points compared to H2 2024. Successful attacks on individuals led to direct financial losses in 26% of cases.

Major attacks in Q1–Q2 with significant impact and public attention:

• In Mission, Texas, a city on the U.S.–Mexico border, local officials requested the governor to declare a state of emergency after a cyberattack on government systems led to a possible data breach. According to the city's mayor, several network resources were taken offline. For example, the police temporarily lost access to systems for checking license plates and driver's licenses.
• The cryptocurrency exchange Bybit suffered an unprecedented theft of $1.46 billion from an ETH wallet. The stolen funds were quickly split into smaller portions and moved across nearly 50 different addresses. The Lazarus Group is suspected to be behind the incident. The attack was carried out by altering the logic of the smart contract.
• A ransomware attack by the Qilin group on media company Lee Enterprises caused severe disruption, including delays in publishing 79 print and digital publications, breakdowns in key business functions such as newspaper delivery and billing, and the exposure of sensitive data, including scans of IDs and corporate documents.
• A major cyberattack on the Platon² toll collection system, triggered by an attack on a telecom provider, had severe consequences. The resulting service outages brought truck transportation across Russia to a standstill, as drivers were unable to generate route permits. This caused significant supply chain disruptions, including delays in delivering goods to retail stores.
• Major UK retailer Marks & Spencer confirmed a customer data breach after a ransomware attack encrypted its servers and halted online order processing. The company's share price dropped by about 12% over the month, with total losses estimated at around £300 million.
• German tissue manufacturer Fasana filed for bankruptcy after a large-scale cyberattack on May 19 crippled its systems, causing roughly €2 million in losses over two weeks of downtime. The incident halted production, paused payroll, and prevented the processing of over €250,000 worth of orders.
• Unknown hackers breached the dam control system in Bremanger, Norway, fully opening a valve for four hours. Experts believe the attack was possible due to a weak password on the web interface controlling the valve. Although the excess water flow was minor and did not cause any accidents, the incident underscored the vulnerability of critical infrastructure to cyberattacks.
• United Natural Foods, North America's largest food wholesaler, was hit by a cyberattack that disrupted supply chains and customer service. Operating 53 distribution centers and serving over 30,000 retailers in the U.S. and Canada, the company faced delivery delays, widespread outages across internal systems, and canceled employee shifts, resulting in lower sales and increased operating costs. United Natural Foods also warned that the incident would significantly impact its annual financial results.

In successful attacks on organizations that led to the exposure of sensitive information, cybercriminals most often targeted login credentials (25% of cases), personal data (17%), and trade secrets (15%). When attacking individuals, threat actors primarily sought access to credentials (32%), payment card information (19%), personal data (12%), and private messages (11%).

We are seeing a decline in the number of attacks on organizations that result in personal data breaches: this metric fell by 9 percentage points compared to the previous six months, and by 14 percentage points year-over-year. This decline is linked to stricter personal data protection regulations being implemented both in Europe and in Russia. With turnover-based fines for personal data breaches set to be introduced in Russia, demand for data loss prevention (DLP) solutions, which help prevent accidental data breaches or deliberate data leaks by employees, has risen significantly.

• Roseltorg, Russia's largest electronic platform for government and corporate procurement, was hit by a cyberattack carried out by the Yellow Drift group. The attackers claimed to have deleted 550 TB of data, including emails and backup files. The breach impacted the platform's clients, which include government agencies and suppliers.
• The Spanish government is investigating a major data breach that exposed the personal information of around 160,000 employees of the Civil Guard and the Ministry of Defense. The compromised data includes names, email addresses, service IDs, dates of birth, and results of medical examinations.
• Threat actors gained access to customer databases belonging to telecom operator Rostelecom. To prove the breach, the hacker group Silent Crow published screenshots on a dark web forum showing tables containing a total of 154,000 email addresses and 101,000 phone numbers. Reportedly, the stolen data came from the company.rt.ru and zakupki.rostelecom.ru services. After news of the breach appeared online, Rostelecom suggested that the breach was likely caused by one of its contractors.
• Oracle Health, a major provider of IT services for the healthcare industry, suffered a significant data breach that impacted multiple hospitals and medical facilities across the United States. The attacker used compromised credentials to gain access to patient information stored on outdated servers. The stolen data includes patient records from electronic medical record systems.
• Indian ride-sharing company Zoomcar disclosed a cyberattack in which hackers accessed the personal data of 8.4 million users. The investigation found that names, phone numbers, home addresses, email addresses, and vehicle registration numbers were stolen. Notably, no financial data or passwords were compromised.
• Resecurity researchers found 7.4 million records containing the personal data of Paraguayan citizens for sale on the dark web, stolen by the Cyber PMC hacker group. The attackers are demanding a $7.4 million ransom—one dollar for each citizen affected. The leak includes data from several government agencies, such as the National Road Traffic and Safety Agency, the Ministry of Public Health and Social Welfare, and another unidentified system. The Paraguayan government refused to pay the ransom and did not disclose the source of the breach, despite a history of large-scale data breaches in the country.
• The British online broker Infinox fell victim to a ransomware attack by the Arkana group. The attackers claimed to have stolen around 50 GB of sensitive company data, including KYC information from more than 202,000 applications and personal data of 163,000 clients, including names, dates of birth, document numbers, and scans of driver's licenses and passports. Server metadata and logs containing IP addresses and user device information were also compromised.
• A joint investigation by two international news organizations uncovered and analyzed hundreds of detailed technical documents related to the infrastructure of several Russian strategic facilities. The documents included blueprints and specifications for the modernization and upgrade of one of the country's key nuclear sites. These materials were accessed through a public government procurement database that had been left open for some time. The investigators were able to gather a substantial amount of information, including construction and renovation details, records of materials and equipment deliveries, and information about security systems and internal infrastructure. Once the exposure was discovered, access to the database was restricted.
• Two ransomware groups almost simultaneously claimed responsibility for breaches at Coca-Cola. The first group, Gehenna, leaked more than 64 GB of data, including 23 million records with details on customers, orders, sales, and other transactions, allegedly taken from the Salesforce CRM system of Coca-Cola Europacific Partners, a Coca-Cola subsidiary. The second breach involved 502 MB of personal data belonging to Coca-Cola employees in Middle Eastern countries. The group Everest, which published this information, said they had previously demanded a ransom in exchange for keeping the data confidential.