The threat intelligence report built to sharpen defenses

Expel's 2026 Annual Threat Report looks back at last year's attacks across identity, endpoint, and cloud—and gives your team a plan for what's next.

Read report

What’s in the threat report (and why you should care)

  • Identity-based attacks remain the most frequent and persistent threat in this year’s report. In 2025, nearly half (47.7%) of all identity incidents resulted in attackers successfully gaining account access using stolen credentials.
  • Endpoint attacks made up 29% of all incidents, and were less about innovation and more about refinement. Attackers stuck with what worked. Malware remained the dominant threat, with well-tested delivery methods like ClickFix and backdoored productivity apps.
  • Cloud infrastructure threats may be low in volume (2.5% of incidents), but they’re high in risk. The presence of “lesser” threats like cryptocurrency miners often points to larger security gaps that must be addressed.

Read the full threat intelligence report


Cybersecurity events in 2025

There’s never a dull moment in cybersecurity. This timeline chronologically lays out the hottest cyber news and intel, alongside trends that we experienced within Expel’s SOC.

January 8

Ivanti identified and patched a remote code execution (RCE) zero-day vulnerability in Ivanti Connect Secure.

Read blog

February 2

One of the two days in 2025 on which Expel’s SOC investigated the fewest incidents.

March

Ransomware gang Black Basta’s chats were leaked, giving defenders insight into their code-signing certificate tactics.

Read blog

March 10

One of the two days in 2025 on which Expel’s SOC investigated the fewest incidents.

March 14

Security researchers found that a GitHub Action (tj-actions) used by 23,000 repositories was trojanized, impacting the downstream repositories that consumed it.

Read article

March 24

Five vulnerabilities in the Ingress NGINX Controller for Kubernetes were publicly disclosed; they allowed threat actors to gain unauthorized access to secrets stored in the namespaces of Kubernetes clusters.


Read blog

April 10

Expel released original research highlighting the threat group Atlas Lion.

Read blog

April 15

Funding for the Common Vulnerabilities and Exposures (CVE) program was set to expire on April 16, 2025, but was extended for 11 months to avoid a lapse in service.

Read blog

May 23

Operation Endgame announced it had successfully disrupted the infrastructure of Latrodectus malware.

Read blog

June 20

Threat group Scattered Spider increased its attack volume against financial and insurance targets and became a trending news topic.

Read blog

June 28

Citrix disclosed two vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway (CVE-2025-5777 and CVE-2025-6543). These vulnerabilities could lead to unauthorized access or stolen sessions.


Read blog

July 19

A malicious version of the npm package eslint-config-prettier was deployed via a phishing campaign.

Read article

July 22

Exploitation of the SharePoint ToolShell zero-day vulnerability was repeatedly identified in Expel’s SOC over the weekend, after the initial vulnerabilities were published in early July.

Read blog

August 20

Salesloft Drift’s plugin for Salesforce was exploited, allowing an unknown attacker to access sensitive data, passwords, and tokens stored in Salesforce.

Read article

August 22

Expel released its findings from a deep investigation into ManualFinder, a trojan.

Read blog

August 26

Attackers leveraged a stolen NPM token to publish malicious versions of nx to the NPM registry.

Read article

September 11

Expel released research (in collaboration with certgraveyard.org) on AppSuite and PDF editor campaigns stemming from the BaoLoader developer.

Read blog

September 15

A self-replicating malware dubbed Shai Hulud, after the worm from the Dune book and movie series, infected the NPM supply chain, impacting hundreds of NPM packages.

Read article

September 24

Expel released several IOCs associated with research from Mandiant and SecurityScorecard on ORB (operational relay box) networks.

Read blog

October 4

Oracle patched an E-Business Suite vulnerability that was exploited by the Clop ransomware gang.

Read article

October 8

The day Expel’s SOC saw the most incidents in 2025.

October 8

Expel shared research on a recent ClickFix campaign leveraging cache smuggling.

Read blog

October 24

Active exploitation of a critical vulnerability in Windows Server Update Services (WSUS) was observed.

Read blog

October 31

Expel shared research on an ongoing malicious ad campaign delivering malware called OysterLoader, used by the Rhysida ransomware gang.

Read blog

November 24

The same attacker responsible for Shai Hulud returned with version 2.0, impacting another large set of NPM packages.

Read article

December 3

The critical React2Shell vulnerability was actively exploited across several major vendors, with an estimated 60,000 vulnerable servers exposed to the public internet.

Read blog

December 15

MongoDB disclosed a critical vulnerability in the MongoDB server, dubbed by the community as MongoBleed.

Read article

December 23

Expel shared end-to-end research on Shai Hulud 2.0, covering identification, remediation, and future implications.

Read blog

What Expel's SOC saw in 2025

Expel analysts have reviewed a full 365 days of incident data spanning 160+ cybersecurity tools and multiple attack surfaces. Here's what this threat intelligence report uncovered:

  • 68.6% of incidents were identity attacks, down slightly from 2025.
  • 47.7% of identity attacks resulted in successful authentication.
  • 29% of all incidents were endpoint attacks, and over half of those were malware.
  • 2.5% of all incidents were cloud infrastructure attacks. But don’t be fooled. They’re low volume—high risk.

About this research: Expel analysts reviewed security incidents investigated by Expel’s 24×7 SOC between January 1 and December 31, 2025, across 160+ cybersecurity tools and multiple attack surfaces—including identity, endpoint, cloud, and email environments. Findings represent real-world threat activity observed across Expel’s managed customer base.