EXPEL BLOG

Are attackers retooling?


· 3 MIN READ · JAMES SHANK AND BEN NAHORNEY · JUN 11, 2025 · TAGS: AI & automation / Vulnerability management

TL;DR

  • Vulnerability exploitation as an initial access vector is up 34% year-over-year, according to Verizon’s 2025 DBIR report.
  • Attackers might be shifting to more disposable infrastructure versus permanent/long-standing infrastructure.
  • Defenders should prioritize vulnerability management, inventory management, and monitoring of anomalies on endpoints.


A big part of a successful defense is turning it into a team sport. That means connecting to defenders across companies and across the globe. Build up a personal network so you have a place to have conversations about what people are seeing and what’s changing. Recently, one of those conversations centered around possible shifts in adversary behavior.

Ben Nahorney: Can I ask you a quick question?

James Shank: Of course? What's up?

What ensued was a short conversation. Broadly speaking, the topic was the current threat landscape.

Ben Nahorney: Are the adversaries retooling?

As defenders, we always want to anticipate and understand the shifting landscape of adversary actions. This helps us align our strategy with the motion of the criminal underground and counter their attack techniques with pre-positioned defensive responses. Reacting to these trends becomes important to staying in front of attacks.

We chatted for a few minutes and then the research began. This meant diving into OSINT sources on industry trends (the 2025 DBIR report, the Mandiant Trends Report, IBM X-Force, and Expel’s Quarterly Threat Report) and reading or re-reading about 20 threat bulletins on exploits from the past quarter.

James Shank: Okay, initial read: There will be a continuing trend of increasing vulnerability exploitation attacks in the near term.

All of these reports show similar trends—vulnerability exploitation is growing quickly (34% year-over-year, according to the 2025 DBIR report). Email-borne threats are still prominent, but no longer leading the pack like they were a few years back. Account compromise is still very present too, but some reports show these three vectors (vulnerability exploitation, email-borne threats, and account compromise) coming in roughly equally, and that’s a new thing.

James Shank: The sustained takedown activities have changed some things about the underground supply chains.

Takedowns aren’t new, but it’s possible the underground market has hit a point where the instability of its own supply chain has changed the dynamics of the market itself. Are the adversaries adapting to a new reality in which their infrastructure is a constant target for law enforcement activity? That would explain the observed changes in adversary tactics.

A move to favor vulnerability exploitation allows attackers to use more disposable infrastructure, and limits adversaries’ needs for stable infrastructure. The defender community and law enforcement have built up the muscle for how to take down malicious infrastructure. It’s not always fast, and sometimes it isn’t successful, but these defender capabilities are in a much better place today than a handful of years ago. Adversaries changing to more disposable infrastructure removes an obvious target for takedowns and is a sensible hedge against law enforcement disruption.

James Shank: Vulnerability exploitation, supply chain attacks, "drive by" techniques, and tricking users into action are all reported to be trending upwards.

Are the adversaries retooling? At the moment, it appears they’re in a phase of ramping up their newest pivot towards vulnerability exploitation. Retooling takes some time and resources, which pulls time and resources away from the adversaries’ main objectives. Do adversaries see a need to retool right now? It’s not clear—yet—that the need exists.

Of course, the criminal underground has many different adversaries, skillsets, and techniques. The broad trends don’t represent the totality of adversaries’ toolsets, but the trends do help us understand where to invest time and resources. What do you do when things look like the actors are ramping up with their existing capabilities?


We will continue to see methods for tricking users evolve as well, such as ClickFix and overdue toll SMS fraud, which are already prominent and highly successful. This is a problem that demands an evolution of security controls. These user-interaction attacks are increasing as AI adoption by adversaries allows innovation for new ways to trick people.

The shift to less infrastructure-dependent attacks is also likely to continue. From the adversaries’ point of view, making coordinated takedowns less effective is worth the cost of changing techniques. These trends can be read as a success indicator for takedown efforts. Adversaries changing techniques in response to defender tooling or law enforcement action is part of the regular business cycle in the underground.

Ben Nahorney: Can we boil it down to a few things defenders can do?

Here’s how defenders can fight back:

  • First and foremost, defenders should focus on fundamentals. In particular, prioritize vulnerability management and patch quickly. (Expel can help you understand your patching priorities.)
  • Keep your inventory up-to-date. Understand what you’re running and where you’re running it. If you don’t, the adversaries will take inventory for you, and they won’t share their results.
  • Be sure to keep tabs on behavioral anomalies on your endpoints. These behavioral indicators are helpful for spotting successful post-exploit activities—even when actors use zero-day vulnerabilities to gain initial access.
  • And for bonus points, don’t forget about identity security. Identity attacks have ranked in the top three initial access vectors for several years now. If this is still a problem for you, make sure you address that too.