More than half of attacks exploiting vulnerabilities were conducted by state-backed threat groups in the first half of 2025,
according to a report by Recorded Future’s Insikt Group published Thursday.
The H1 2025 Malware and Vulnerability Trends report outlined evolving exploitation patterns to help organizations better understand their attack surface and prioritize defenses.
The paper also revealed that edge devices and
Microsoft products were the most common targets for vulnerability exploitation, each making up 17% of attacks observed by Insikt Group.
Overall, 23,667 CVEs were disclosed in H1 2025, a 16% increase from H1 2024. A total of 161 CVEs were identified by Recorded Future as being actively exploited.
Most of the exploited vulnerabilities required
no authentication to exploit (69%) and 30% enabled RCE. Additionally, 42% had
a public proof-of-concept (PoC) exploit, with exploitation activity typically picking up after the release of a PoC exploit, according to Insikt Group.
State-sponsored threat groups were behind 53% of attributed vulnerability exploit attacks, followed by financially motivated non-ransomware actors (27%) and ransomware and extortion groups (20%). Most state-linked attacks originated from China, with the group
UNC5221 notably targeting
Ivanti flaws such as
CVE-2025-4428,
CVE-2025-22457 and
CVE-2025-0282.
Use of backdoors, RATs increased in H1 2025 among other malware
Backdoors were the most common malware type deployed in attacks at 22.9%, and remote access trojans (RATs) such as AsyncRAT, XWorm and Remcos overtook infostealers in popularity in H1 2025.
Cobalt Strike, a legitimate but often misused offensive security tool (OST), was the most common post-exploitation tool observed, with OST use appearing in 15.6% of attacks.
Amidst the
disruption of LummaC2 by law enforcement,
the Sality malware family overtook LummaC2 as the most popular malware observed in command-and-control (C2) detection references. The report noted the resurgence of older malware families like Sality and Tofsee in 2025.
The most common MITRE ATT&CK-defined tactic observed was command and control, with more than 194,000 observations, followed by data encrypted for impact at nearly 1,100 observations and data from local system at 263, emphasizing the impact of ransomware in the attack landscape.
Ransomware threat actors were noted to increasingly use
the ClickFix social-engineering technique for initial access in H1 2025, along with bring-your-own-installer (BYOI)-based endpoint detection and response (EDR) evasion methods and just-in-time (JIT) hooking and memory injection to avoid detection, according to the report.
Cl0p claimed the most ransomware victims (374) in H1 2025, largely through its
exploitation of the Cleo managed file transfer system, while LockBit was still the most common ransomware strain observed at 2,023 attacks, followed by Chaos (1288) and Akira (944).
The mobile malware landscape saw the addition of 11 new strains, with abuse of accessibility services and NFC signal relay attacks being common among mobile attackers. The report noted the use of a new virtualization-based overlay technique by the Android trojan GodFather in June 2024, as well as the emergence of a malware-as-a-service (MaaS) platform called SuperCard X that facilitates NFC relay for fraudulent contactless transactions.
Insikt Group also highlighted the evolution of the popular Magecart e-skimmer, which has remained popular after a record-high attack volume in 2024, and has now extended from targeting Adobe Commerce’s Magento platform to also targeting WooCommerce plugins for WordPress.
Ultimately, the report stresses the importance of prioritizing patching and mitigation of heavily targeted vulnerabilities such as those in Microsoft products and devices at the network edge, as well as those with public exploits available. Organizations should keep tabs on real-time threat intelligence to identify and block emerging threats, as well as expand detection capabilities to include behavioral monitoring and C2 traffic analysis for greater coverage.
