Exploits Remain Top Threat as Phishing Attacks Surge

The final quarter of 2025 has firmly established that while attackers continue to favor familiar gateways into corporate networks, their methods are evolving with alarming sophistication and precision, creating a complex and challenging environment for defenders. A comprehensive analysis of incident response engagements reveals a cybersecurity landscape defined by a dueling reality: the persistent and successful exploitation of public-facing applications remains the number one initial access vector, yet it is the dramatic surge in highly targeted phishing campaigns that tells the more dynamic story of the period. This rise in social engineering occurred alongside a surprising and continued downturn in ransomware incidents, signaling a potential recalibration of the cybercrime economy. These shifting dynamics underscore a critical truth for organizations—that foundational security weaknesses, rather than exotic zero-day attacks, continue to provide adversaries with the footholds they need to execute their campaigns, whether for financial gain, espionage, or disruption.

The Two-Pronged Attack: Exploits and Phishing Dominate

Exploitation of Public-Facing Applications: The Persistent Gateway

Despite a statistical decrease from the previous quarter, the exploitation of vulnerabilities in internet-facing applications solidified its position as the most prevalent method for initial network compromise, accounting for nearly 40 percent of all incident response engagements. This ongoing trend highlights a persistent failure in organizational patch management and security posture, demonstrating that adversaries continue to systematically scan for and capitalize on unpatched or misconfigured external services with great success. A prime example from the quarter involved the rapid weaponization of CVE-2025-61882, a vulnerability in Oracle E-Business Suite. In one notable incident, threat actors compromised a server shortly after the vulnerability’s public disclosure, launching a large-scale campaign to extort corporate executives by deploying multi-stage web shells to maintain persistent access. This rapid operationalization of a new exploit serves as a stark reminder of the speed at which attackers work. Similarly, another prominent campaign targeted React2Shell (CVE-2025-55182), a vulnerability affecting popular web development frameworks. One documented case saw an attacker gain shell access to a web server for the sole purpose of installing XMRig Monero cryptomining malware, illustrating a common attacker objective of quickly monetizing unpatched systems for illicit resource utilization.

A more concerning development observed during this period was the deployment of sophisticated malware implants traditionally associated with Advanced Persistent Threat (APT) groups, suggesting a dangerous blurring of lines between financially motivated cybercriminals and state-sponsored espionage operations. In one engagement, security teams observed activity consistent with the BadCandy implant on a Cisco IOS XE device, where attackers created an unauthorized account on the router. In another, the AquaShell backdoor, a lightweight Python-based implant, was deployed on a Cisco Secure Management Appliance to receive and execute encoded commands. While in both instances the attackers’ activity appeared automated and did not escalate, these events signal that advanced, stealthy tooling is becoming increasingly commoditized and accessible. The successful containment of these incidents was credited to the clients’ swift detection and response, underscoring the critical importance of a proactive defense strategy built on timely patching, robust vulnerability management, and network segmentation to limit the potential blast radius of a successful exploit.

Phishing’s Resurgence: Targeted and Persistent Campaigns

Phishing attacks re-emerged with significant force in the fourth quarter, rising to become the second-most common initial access vector and accounting for 32 percent of determined entry points. This resurgence was not characterized by indiscriminate, wide-net campaigns but by a highly targeted and persistent operation aimed at Native American tribal organizations, with the likely goal of widespread credential harvesting. The attackers demonstrated considerable sophistication and patience in their methodology. In one case study, adversaries initiated their attack by leveraging previously compromised email accounts alongside a legitimate but compromised web domain to distribute phishing emails disguised as mandatory sexual harassment training. Although early attempts failed, the attackers eventually compromised a single user account—a foothold they immediately weaponized. This single compromised account was then used as a trusted internal source to propagate the phishing campaign throughout the organization and to its external contacts, dramatically increasing the perceived legitimacy of the malicious emails and amplifying their success rate.

The attackers’ operational security and persistence were further highlighted in a related incident affecting another tribal organization. There, a specific user was subjected to an aggressive series of Outlook Web Access login attempts that triggered a flood of multi-factor authentication (MFA) push notifications. The attacker’s strategy relied on the victim eventually succumbing to “MFA fatigue” and mistakenly approving one of the prompts to stop the incessant alerts. Once access was gained, the compromised account was used to send out another wave of phishing emails. Demonstrating their tenacity, after the organization disabled the compromised account, the attackers continued their campaign by using an external email address carefully spoofed to resemble the disabled internal account. The significant overlap in tactics and indicators of compromise strongly suggests these incidents were part of a single, coordinated campaign. These events underscore a critical vulnerability in many organizations: a lack of robust MFA policies and user education, which allows adversaries to exploit human factors to bypass technical controls.

Shifting Tides: Ransomware’s Decline and Industry Targeting

A Notable Downturn in Ransomware Activity

In a significant departure from the trends that dominated the first half of the year, ransomware and pre-ransomware activities experienced a continued and notable downturn, constituting only approximately 13 percent of all incident response engagements. This marks a steep drop from nearly 50 percent earlier in the year and continues a decline from the previous quarter’s 20 percent. This trend suggests a possible consolidation within the ransomware-as-a-service (RaaS) ecosystem or a strategic shift by cybercriminals toward other, perhaps less risky or more profitable, forms of monetization. The Qilin ransomware group, which emerged as a major player in the second quarter, remained the most prevalent variant observed, confirming its sustained and heavy presence in the threat landscape. However, the lack of any new or previously unseen ransomware families suggests a period of operational refinement among existing groups rather than innovation in malware development.

The re-emergence of the DragonForce ransomware variant, which had not been seen in an engagement for over a year, indicates that older or less common variants can resurface at any time, requiring defenders to maintain broad threat intelligence. One incident provided valuable insight into modern ransomware tactics, where attackers relied heavily on legitimate remote monitoring and management (RMM) tools to conduct their operations. After gaining initial access through valid accounts, the threat actors used ScreenConnect for persistence, SoftPerfect Network Scanner for internal reconnaissance, and the command-line tool rclone for data exfiltration. This “living off the land” technique, which involves using multiple legitimate tools, allows attackers to blend in with normal administrative activity, evade detection by security software, and build redundancy into their attack chain in case one of their tools is blocked. This reliance on legitimate software complicates detection and highlights the importance of behavioral monitoring and anomaly detection.

Public Administration Remains the Top Target

For the second consecutive quarter, the public administration sector remained the most-targeted industry vertical, a significant trend given that this sector had not previously held the top position until the third quarter of 2025. Organizations within public administration are uniquely attractive targets for a confluence of reasons that make them particularly vulnerable. They are often underfunded, which can lead to deficiencies in cybersecurity staffing, training, and technology. Furthermore, these entities frequently rely on legacy equipment that is difficult or impossible to patch, creating a permanent and exploitable attack surface. The sensitive citizen data they hold—from personal identification information to health records—is highly valuable on the dark web and makes them prime targets for data theft.

Moreover, public administration organizations typically have a very low tolerance for downtime, as their services are often essential for public welfare and safety. This operational criticality makes them more likely to concede to the demands of financially motivated cybercriminals, particularly in ransomware scenarios. These combined factors create a perfect storm, attracting both sophisticated state-sponsored groups conducting espionage and opportunistic cybercriminals seeking financial gain. The consistent targeting of this sector underscores the urgent need for increased investment in modernizing IT infrastructure, enhancing cybersecurity defenses, and developing robust incident response capabilities within government and public-sector entities at all levels to protect both sensitive data and critical public services from disruption.

Foundational Weaknesses and Critical Defenses

The attacks of the fourth quarter were not born from exotic techniques but were enabled by recurring and fundamental security weaknesses that persist across industries. An analysis of the engagements revealed that inadequate patch management was a primary contributing factor in 35 percent of incidents, a figure that aligns perfectly with the dominance of exploitation as an initial access vector. Adversaries proved equally adept at leveraging both brand-new vulnerabilities and flaws that have remained unpatched for years, reinforcing that a comprehensive and timely patch management program is a non-negotiable cornerstone of any effective defense. Likewise, deficiencies related to multi-factor authentication were a top security weakness, directly correlating with the success of the quarter’s sophisticated phishing campaigns. These issues were not limited to a complete lack of MFA on critical systems but also included misconfigurations and a failure to protect against MFA fatigue attacks, demonstrating that simple implementation is not enough. Organizations must also configure systems to monitor for and alert on signs of MFA abuse, such as the registration of new devices or the use of bypass codes.
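The MFA fatigue pattern described in the tribal-organization incident above (a flood of push prompts followed by a mistaken approval) and the MFA-abuse signals this section says organizations should alert on (new device registration, bypass-code use) can be detected with a short stateful pass over sign-in events. The following is an added example, not code from the report or from any vendor; the event names, the pipe-separated log format, the sample lines and the threshold values are all constructed assumptions.

```python
"""MFA-abuse detection over constructed sign-in events (added example).
Event names and the pipe-separated format are assumptions, not a product schema."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

PUSH_THRESHOLD = 5                       # prompts per window that count as a flood
WINDOW = timedelta(minutes=10)
HIGH_RISK_EVENTS = {"MFA_DEVICE_REGISTERED", "MFA_BYPASS_CODE_USED"}

# Constructed sample: timestamp|user|event|source IP
SAMPLE_LOG = """\
2025-11-03T08:01:10Z|jdoe|MFA_PUSH_SENT|203.0.113.7
2025-11-03T08:01:40Z|jdoe|MFA_PUSH_SENT|203.0.113.7
2025-11-03T08:02:05Z|jdoe|MFA_PUSH_SENT|203.0.113.7
2025-11-03T08:02:30Z|jdoe|MFA_PUSH_SENT|203.0.113.7
2025-11-03T08:03:00Z|jdoe|MFA_PUSH_SENT|203.0.113.7
2025-11-03T08:03:20Z|jdoe|MFA_PUSH_APPROVED|203.0.113.7
2025-11-03T08:05:00Z|asmith|MFA_PUSH_SENT|198.51.100.4
2025-11-03T08:05:15Z|asmith|MFA_PUSH_APPROVED|198.51.100.4
2025-11-03T09:10:00Z|jdoe|MFA_DEVICE_REGISTERED|203.0.113.7
"""

def parse(line):
    ts, user, event, ip = line.split("|")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip

def detect(log_text):
    """Return (user, alert, detail) tuples in log order."""
    alerts, pushes, flooded = [], defaultdict(deque), set()
    for line in log_text.splitlines():
        ts, user, event, ip = parse(line)
        if event == "MFA_PUSH_SENT":
            q = pushes[user]
            q.append(ts)
            while ts - q[0] > WINDOW:        # drop prompts outside the window
                q.popleft()
            if len(q) >= PUSH_THRESHOLD and user not in flooded:
                flooded.add(user)
                alerts.append((user, "mfa_push_flood", f"{len(q)} prompts from {ip}"))
        elif event == "MFA_PUSH_APPROVED":
            if user in flooded:              # the fatigue attack worked
                alerts.append((user, "mfa_fatigue_success", f"approved after flood from {ip}"))
            pushes[user].clear()             # an approval ends the episode
            flooded.discard(user)
        elif event in HIGH_RISK_EVENTS:      # other MFA-abuse signals to alert on
            alerts.append((user, event.lower(), f"from {ip}"))
    return alerts
```

On the sample log this raises three alerts for jdoe (the push flood, the approval that followed it, and the later device registration) and none for asmith, whose single prompt and approval is normal sign-in behaviour.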

Insufficient logging and monitoring once again emerged as a critical blind spot that significantly hampered investigative efforts. Without centralized and comprehensive logging capabilities from a Security Information and Event Management (SIEM) solution, determining the full scope of an adversary’s actions becomes nearly impossible, which in turn cripples effective remediation and prevents future defense enhancements. Perhaps the most crucial lesson from the quarter, however, was the value of a rapid and decisive response. In the cases involving APT-related implants, quick cooperation between the client and incident responders was instrumental in preventing follow-on attacks and further damage. In stark contrast, one ransomware incident where an organization delayed engaging responders resulted in the successful encryption and exfiltration of sensitive data that could have otherwise been protected. These outcomes from the past quarter painted a clear picture: a well-practiced incident response plan, combined with robust foundational hygiene, remained the most effective strategy against the persistent and evolving tactics of modern cyber adversaries.