Sign in Subscribe

Have we lost the fight against cyber criminals?

Sigmund

36 min read
Have we lost the fight against cyber criminals?

A look at the current threat landscape, how AI beats the defenders, and what we can expect from cybercrime actors and nation-state actors in the immediate future

The online world is a tough place, like a battlefield where defenders work hard to protect their stuff from clever and relentless attackers. Reports from top cybersecurity organizations in early 2025 show a worrying trend: hackers are getting quicker and smarter, using advanced tech like AI to reach their goals. Cybercrime is now a big business, and even governments are getting into espionage and disruptive activities more boldly. This piece aims to give a clear look at the current threats, talk about how AI plays both sides in these conflicts, profile the main attackers, and see how the fight is going. The big question is: Are defenders keeping up, or are we losing ground to those lurking in the shadows?

Section 1: The Relentless Storm: Today’s Dominant Cyber Threats

The cyber threat landscape in 2025 is characterized by a complex interplay of evolving tactics, persistent vulnerabilities, and the exploitation of human factors. Several key trends dominate, shaping the challenges faced by organizations globally.

The Compromised Key: Identity as the New Perimeter

A striking trend is the shift towards attacks that bypass traditional malware-centric defenses by exploiting identity. CrowdStrike’s 2025 Global Threat Report highlights that a staggering 79% of attacks aimed at gaining initial access are now malware-free. Instead of breaking down the door with malicious code, attackers are increasingly walking in using legitimate credentials. 

This surge is directly fueled by the proliferation of infostealer malware. This type of malware quietly harvests user data, including corporate login credentials, often from personal or contractor devices that sit outside the organization’s direct security controls. These stolen credentials are then traded on underground markets or used directly by attackers, enabling them to simply log in as seemingly legitimate users. This trend is reflected in Mandiant’s M-Trends 2025 report, which found that stolen credentials rose to become the second most common initial infection vector in 2024, accounting for 16% of investigated intrusions — the first time it has reached this share. Sophos corroborates this, identifying compromised credentials as the number one root cause in 41% of their incident response (IR) and managed detection and response (MDR) cases. The market for this access is booming, with advertisements from access brokers surging 50% year-over-year according to CrowdStrike.

This trend is pretty serious: identity is now the main focus for gaining unauthorized access. When hackers get hold of valid credentials, regular security measures that look for harmful files or programs don’t work as well as a first line of defense anymore. Security plans need to shift towards strong Identity and Access Management (IAM). This means making sure we use tough, phishing-resistant multi-factor authentication (MFA) like FIDO2, applying the least privilege principle, and using ongoing authentication and behavior tracking to spot any misuse of credentials or unusual activity after someone logs in.

Vulnerability Exploitation: The Persistent Gateway

Despite the rise in credential abuse, exploiting software vulnerabilities remains a dominant method for attackers to gain entry. For the fifth consecutive year, Mandiant found exploits to be the most frequent initial infection vector in their investigations, accounting for 33% of intrusions in 2024. While this represents a slight decline from 38% in 2023, Verizon’s 2025 Data Breach Investigations Report (DBIR) conversely reported a sharp 34% increase in vulnerability exploitation as an initial attack vector, reaching 20% of the breaches they analyzed.

A significant focus for attackers is the network edge, targeting vulnerabilities in firewalls, VPN concentrators, and other perimeter devices. These devices are attractive targets because they sit at the boundary between the internal network and the internet. Verizon noted a dramatic rise in zero-day exploits (vulnerabilities exploited before a patch is available) targeting these edge and VPN devices, accounting for 22% of their vulnerability exploitation incidents in 2024, up from just 3% the previous year. Specific examples of heavily exploited platforms in 2024 included Palo Alto Networks PAN-OS, Ivanti Connect Secure VPN, and Fortinet FortiClient EMS.

Compounding the issue is the difficulty organizations face in patching these critical devices. Verizon reported that only about 54% of vulnerabilities in edge and VPN devices were fully remediated throughout the year, with a median remediation time of a lengthy 32 days. Sophos similarly found that unpatched vulnerabilities, some over a year old, played a role in nearly 15% of the malicious intrusions their MDR team tracked in 2024. The US Cybersecurity and Infrastructure Security Agency (CISA) continually updates its Known Exploited Vulnerabilities (KEV) catalog with flaws actively used by attackers, including recent ones in Apple, Microsoft, and critical Industrial Control Systems (ICS) from vendors like Siemens and Schneider Electric, urging organizations to prioritize remediation.

This persistent exploitation highlights systemic weaknesses in vulnerability management — the processes of discovering assets, identifying flaws, prioritizing patching based on risk, and executing remediation quickly and effectively. Edge devices, while critical, are often harder to patch due to operational constraints, leading to extended windows of opportunity for attackers.

A sophisticated evolution in vulnerability exploitation is the “Bring Your Own Vulnerable Driver” (BYOVD) tactic. Attackers introduce a legitimate, often digitally signed, but known-vulnerable driver onto a compromised system. They then exploit the flaw in this trusted driver to gain kernel-level privileges, allowing them to bypass or disable security software like Endpoint Detection and Response (EDR) tools. This defense evasion technique is increasingly used by ransomware groups and nation-state actors. Documented examples involve exploiting drivers from Intel, Paragon Partition Manager, Zemana, Avast, and others. BYOVD demonstrates how attackers leverage vulnerabilities not just for initial access, but also to neutralize defenses once inside the network.

Ransomware & Extortion: Evolving Tactics for Maximum Pressure

Ransomware remains a dominant and highly disruptive threat. It was present in 44% of breaches analyzed in the 2025 Verizon DBIR, marking a 37% increase from the previous year. Sophos found it accounted for over 90% of their IR cases involving mid-sized organizations, and ENISA consistently ranks it as a prime threat. Small and medium-sized businesses (SMBs) are particularly hard-hit, with ransomware featuring in 88% of their breaches according to Verizon DBIR contributors.

However, the tactics are evolving beyond simple data encryption. Attackers increasingly employ multi-extortion strategies, combining encryption with data theft and threats to leak sensitive information, Distributed Denial-of-Service (DDoS) attacks, and even direct harassment of customers or stakeholders. Palo Alto Networks’ Unit 42 observed a significant trend in 2024 where attackers shifted towards deliberate operational disruption and sabotage — destroying systems or locking users out — to maximize pressure and coerce payment, even if victims have backups. Some groups now focus purely on data extortion, stealing sensitive data and threatening to release it without ever deploying ransomware encryption payloads, thereby avoiding detection by tools looking specifically for ransomware activity. Attackers may also exaggerate the data they hold or use fake data samples to pressure victims. Often, the release of such data, or the threat thereof, on well-known cybercrime forums like BreachedForums is used as a tool to increase the pressure on the organizations. 

Looking ahead, Kaspersky predicts the emergence of even more sophisticated techniques, such as “quantum-proof” ransomware employing post-quantum cryptography designed to resist decryption by future quantum computers, and “data poisoning” ransomware that subtly corrupts data within databases, rendering backups untrustworthy even if decryption is possible.

Interestingly, despite the prevalence and evolving pressure tactics, payment trends show some positive signs for defenders. The median ransom payment decreased in 2024 (Verizon reported $115,000, down from $150,000 the prior year ). Furthermore, a growing percentage of victims are refusing to pay — 64% did not pay in Verizon’s 2025 dataset, compared to 50% two years prior. This may indicate improved preparedness, particularly better backup and recovery strategies, more effective negotiation, or perhaps a market saturation effect. The fact that some nations have already or are planning to implement laws prohibiting organizations from paying the ransom might play a role here, too. However, the attackers’ adaptation towards operational disruption and potential data poisoning aims to counteract this by making non-payment increasingly painful. Simultaneously, the Ransomware-as-a-Service (RaaS) model continues to thrive, with kits available for as little as $40, lowering the barrier to entry and potentially increasing the overall volume of attacks, even if individual success rates or payouts fluctuate. Prominent RaaS operations observed in early 2025 included RansomHub (tracked by Unit 42 as Spoiled Scorpius, the most prolific on leak sites Jan-Mar 2025), CL0P, Akira, Qilin, Play, and Medusa.

Supply Chain and Third-Party Risk: The Interconnected Vulnerability

The interconnected nature of modern business creates significant risk through supply chains and third-party relationships. Verizon’s 2025 DBIR found that the percentage of breaches involving a third party doubled from the previous year, reaching 30%. This dramatic increase underscores the substantial threat posed by vulnerabilities within partner ecosystems and software supply chains.

Attack vectors include exploiting flaws in third-party software or cloud services, using compromised credentials for third-party accounts to access a target’s environment, or targeting Managed Service Providers (MSPs) to gain access to their downstream clients. ENISA specifically highlighted supply chain risks, including the use of Commercial Off-the-Shelf (COTS) components, as a key challenge for the burgeoning commercial space sector. Kaspersky pointed to risks stemming from vendors underinvesting in cybersecurity and the inherent complexity of managing long, multi-tiered supply chains, particularly in industrial environments. Attacks targeting widely used open-source software components, like the attempted backdoor in the XZ Utils library in 2024, represent a critical threat with potentially vast impact, and experts predict more such attacks or discoveries of existing ones.

This doubling of third-party breaches shows that it presents a systemic vulnerability. An organization’s security posture is no longer solely determined by its defenses but is intrinsically linked to the security maturity of its vendors, partners, and software suppliers. Attackers recognize this, targeting a single widely used third-party service or software component as an efficient way to compromise potentially thousands of downstream victims, often bypassing the victims’ direct perimeter defenses because the attack originates from a ‘trusted’ source.

Cloud Security Challenges: Complexity Breeds Risk

As organizations accelerate their migration to cloud environments, attackers are adapting their tactics to exploit the unique challenges of securing these complex infrastructures. Cloud environments featured in more Mandiant breach investigations in 2024 than ever before. CrowdStrike reported a 26% year-over-year increase in new or unattributed cloud intrusions, and nearly 29% of incidents handled by Palo Alto Networks Unit 42 involved cloud environments.

Cloud security issues follow some general trends but show up in their unique ways. One major problem is the use of legitimate accounts with stolen or leaked credentials, which made up 35% of cloud incidents in the first half of 2024, according to CrowdStrike. Misconfigurations are also a big target, with attackers going after identity systems like federated identity providers and Single Sign-On (SSO) as they offer wide access. Phishing is another popular way for hackers to break into cloud accounts, accounting for 39% of breaches. Sometimes, these attackers can stay hidden in poorly configured cloud setups for a long time, checking out large networks to find valuable data to steal. One example from Unit 42 saw attackers scanning over 230 million targets for exposed API endpoints after getting into cloud systems.

The increasing frequency of cloud-related breaches highlights the inherent risks associated with managing complex hybrid environments. The difficulty lies in consistently applying correct configurations, managing intricate Identity and Access Management (IAM) policies across on-premises and multiple cloud platforms, and securing integrations. Errors such as misconfigurations, overly permissive access policies, weak or bypassable MFA on privileged cloud accounts, and insecure integrations create exploitable weaknesses that attackers are actively seeking.

The Human Element: An Enduring, Rewarding (for the bad guys) Target

Despite all the technological advancements in both attack and defense, the human element remains a critical factor in a majority of breaches, involved in approximately 60% of incidents according to Verizon’s 2025 DBIR. There is significant overlap between social engineering tactics and credential abuse.

Social engineering techniques continue to be highly effective. Phishing remains a top initial access vector (Mandiant: 14%; Palo Alto Networks: 23%, resurging to the top spot ). Voice phishing (vishing) saw an alarming 442% increase between the first and second halves of 2024, largely fueled by the capabilities of Generative AI (GenAI) for voice cloning (CrowdStrike ). Sophisticated eCrime groups like CURLY SPIDER, CHATTY SPIDER, and PLUMP SPIDER were observed leveraging these advanced social engineering tactics. Other evolving tactics include “quishing” (using malicious QR codes in phishing attacks) and “MFA prompt bombing” (overwhelming users with MFA notifications, hoping for an accidental approval).

Insider threats also still pose a significant challenge. CrowdStrike attributed 304 incidents in 2024 to the North Korean-nexus adversary FAMOUS CHOLLIMA, with 40% of these involving insider threat operations where actors operated under the guise of legitimate employment to gain access. Mandiant and Palo Alto Networks also reported on this trend, with Unit 42 noting that insider threat cases linked to North Korea tripled in 2024. These actors often use fake identities, sometimes enhanced by AI, to secure remote IT or technical roles.

The persistence of these threats underscores that exploiting human psychology — trust, urgency, fear, or simple error — remains a highly effective and evolving attack vector. AI is now amplifying the scale, personalization, and believability of these social engineering attacks. Furthermore, deliberate insider threats, especially those sponsored by nation-states, bypass external defenses entirely, presenting a particularly difficult challenge for detection and prevention.

Speed and Dwell Time: An Increasingly Complex Picture

The speed dynamics of cyberattacks paint a mixed picture. On one hand, attackers are demonstrating remarkable speed after gaining initial access. CrowdStrike reported the average eCrime “breakout time” — the time taken to move laterally from initial compromise to other systems — dropped to just 48 minutes in 2024, with the fastest recorded instance being a mere 51 seconds. Palo Alto Networks observed data exfiltration occurring in under 5 hours in 25% of incidents, and under 1 hour in an alarming 20% of cases. This leaves defenders with vanishingly small windows to detect and respond before significant damage is done.

Conversely, the global median “dwell time” — the total time an attacker remains undetected within a network — actually increased slightly in 2024, rising to 11 days from 10 days in 2023, according to Mandiant. This marked the first increase recorded since M-Trends reporting began in 2010. Dwell time varied significantly depending on the detection source: 10 days when detected internally, a concerning 26 days when notified by an external entity, but only 5 days when the adversary made themselves known (typically through a ransomware deployment). Sophos data adds further nuance, showing significantly shorter dwell times in cases handled by their MDR service (median 1–3 days) compared to traditional IR engagements (median 4–11.5 days).

This apparent paradox — faster attacker actions post-compromise but slightly longer average detection times overall — suggests a complex reality. While some automated or highly skilled attacks achieve objectives rapidly, the increasing prevalence of stealthier techniques (like malware-free intrusions using valid credentials or living-off-the-land tactics) may allow attackers to remain hidden for longer periods in a larger number of incidents, thus pulling up the global median dwell time. The discrepancy between internal, external, and adversary notification times highlights varying detection capabilities among organizations, with internal detection rates remaining low (Mandiant reported only 43% of compromises detected internally ). The significantly shorter dwell times observed in actively monitored environments strongly indicate that proactive threat hunting and continuous monitoring are crucial for reducing detection times against modern, stealthier threats.

Table 1: Top Cyber Threats & Key Statistics (2024-Early 2025)

Section 2: Artificial Intelligence: Catalyst for Attack and Defense

Artificial Intelligence stands as the defining technological force multiplier in the contemporary cybersecurity conflict. Its capabilities are being harnessed by both malicious actors seeking to enhance their attacks and defenders aiming to fortify their security postures. This dual-use nature has ignited an AI arms race, fundamentally reshaping the tactics and strategies employed on both sides.

AI as an Offensive Weapon: Amplifying Malice

Attackers are rapidly adopting AI to increase the scale, sophistication, and effectiveness of their operations across multiple domains.

Supercharged Social Engineering: AI has dramatically lowered the barrier to creating highly convincing social engineering attacks.

  • GenAI-Fueled Vishing and Phishing: The most striking example is the 442% surge in voice phishing (vishing) observed by CrowdStrike between the first and second halves of 2024. This increase is directly attributed to the power of GenAI voice cloning tools, which can now mimic a target’s voice with startling accuracy using as little as 15–30 seconds of audio scraped from online sources or recorded calls. ECrime groups like CURLY SPIDER, CHATTY SPIDER, and PLUMP SPIDER were identified leveraging these AI-driven vishing and impersonation tactics to steal credentials and bypass security controls. Similarly, AI is used to craft highly personalized and grammatically perfect phishing emails, eliminating common red flags and making them significantly harder for recipients to detect.
  • Deepfakes for Deception: Beyond phishing, AI-generated deepfakes — realistic manipulations of video and audio — are being weaponized for more elaborate scams, Business Email Compromise (BEC) schemes, extortion, and potentially large-scale disinformation campaigns. High-profile cases have emerged, such as a multinational finance company in Hong Kong losing $25 million after employees were tricked by deepfaked executives in a video conference call, and earlier incidents involving voice clones leading to fraudulent wire transfers. The increasing realism and potential for real-time voice modification pose a significant threat.

Automating and Accelerating Attacks: AI can also be used as a powerful engine for streamlining various stages of the attack lifecycle.

  • Malware Development and Adaptation: AI tools can assist attackers in writing or modifying malware code, potentially enabling the creation of polymorphic strains that change their signatures to evade detection or adaptive malware that adjusts its behavior based on the target environment.
  • Reconnaissance and Vulnerability Discovery: AI can automate the process of scanning networks, identifying potential vulnerabilities, gathering intelligence on targets from vast public datasets, and tailoring attacks based on the findings. This allows attackers to identify exploitable weaknesses more efficiently.
  • Attack Execution Speed: By automating tasks like script generation or lateral movement sequences, AI can significantly accelerate the progression through the attack chain. A controlled experiment by Palo Alto Networks Unit 42 demonstrated that AI assistance could potentially reduce the time from initial compromise to data exfiltration to as little as 25 minutes.

Emerging AI-Specific Threats: As AI becomes more integrated into business operations, the AI systems themselves become targets.

  • AI Model Manipulation: Adversaries can attempt to compromise the integrity of AI models through techniques like data poisoning, where malicious data is injected into the training set to corrupt the model’s outputs or introduce biases. Model evasion involves crafting specific inputs (adversarial examples) designed to trick an AI model into making incorrect classifications, such as labeling malware as benign. Model theft, stealing proprietary AI models, is also a concern.
  • AI System/Agent Hijacking: Attackers may target the AI systems or autonomous AI agents deployed by organizations. This could involve hijacking agents to perform malicious tasks, stealing sensitive data processed by the AI, causing the AI to malfunction, or launching AI-powered DDoS attacks. The rise of agentive AI, capable of autonomous action, creates risks of invisible chains of events and unintended consequences if compromised. Multi-agent systems, or “swarms,” introduce further complexity and potential vulnerabilities.
  • AI Supply Chain Attacks: Compromising foundational Large Language Models (LLMs) or other AI components used as building blocks for enterprise AI applications represents a significant supply chain risk.

The rise of AI is making advanced techniques easier for more people to access. Tools that used to need expert skills and a lot of money are now available to a wider range of users, even those with less experience. This is happening because powerful AI tools are now common and can help with things like writing convincing phishing emails, generating harmful code, or making deepfakes. As a result, there are more attacks, and they might be more effective. On top of that, AI itself is becoming a target. Organizations using AI need to be aware that they can’t just focus on standard IT security anymore. They have to protect the AI models, the data used to train them, and the processes that keep them running. This means adapting to new threats like data poisoning and ways to trick AI models.

AI can be bolstering Defenses: The Counter-Offensive

While attackers leverage AI, defenders are increasingly incorporating it into their security arsenal to combat the rising tide of threats.

  • Enhanced Threat Detection and Prediction: AI and Machine Learning (ML) algorithms excel at analyzing massive volumes of security telemetry (logs, network traffic, endpoint data) far exceeding human capacity. They can identify subtle patterns, anomalies, and correlations indicative of known and, crucially, unknown or novel threats, including sophisticated Advanced Persistent Threats (APTs). AI-powered predictive analytics aim to anticipate future attacks based on emerging trends and historical data. Examples include AI-powered Next-Generation SIEM (NG-SIEM) platforms, comprehensive security platforms, and behavioral analysis systems. I will not be listing products here, they are easy enough to find.
  • Automated Incident Response: AI can automate crucial steps in the incident response process, such as quarantining infected endpoints, blocking malicious IP addresses, updating firewall rules, or even initiating patching processes. This dramatically reduces reaction times, detects threats faster, and alleviates the burden on overloaded security teams.
  • Behavioral Analysis: AI establishes dynamic baselines of normal behavior for users, devices, and network traffic. Deviations from these established norms can be quickly flagged as potentially malicious, aiding in the detection of insider threats, compromised accounts, or novel attack techniques that don’t match known signatures.
  • Vulnerability Management: AI assists in discovering vulnerabilities across the attack surface, assessing their risk based on factors like exploitability and asset criticality, and prioritizing remediation efforts more effectively.
  • AI Companions for Analysts: AI-powered assistants are emerging to help human security analysts by summarizing complex alerts, correlating related events, suggesting investigation paths, and automating repetitive analysis tasks, thereby augmenting human expertise.

The AI Arms Race: Effectiveness and Limitations

The critical question is whether these AI-driven defenses are keeping pace with the rapid advancements in AI-powered attacks. In my humble opinion, like with every emerging technology, the bad guys figured out how to use it to their advantage much faster and much better than the good guys, so far. While AI offers significant defensive advantages, its effectiveness is subject to several inherent limitations and challenges.

  • Data Dependency and Quality: AI models are only as good as the data they are trained on. Biased, incomplete, or low-quality training data can lead to inaccurate or unreliable models. Furthermore, attackers can actively target the training data itself through data poisoning techniques to undermine the AI’s integrity.
  • Adversarial Attacks (Evasion): AI models, particularly those used for detection, are susceptible to adversarial examples — inputs carefully crafted by attackers to be misclassified. An attacker might slightly modify malware so that an AI detection engine incorrectly labels it as benign, allowing it to bypass defenses.
  • False Positives and False Negatives: This remains a fundamental challenge for any detection system, including AI-based ones. A high rate of false positives (benign activity flagged as malicious) can overwhelm security teams with noise, leading to alert fatigue and potentially causing legitimate threats to be missed. On the other hand, false negatives (actual threats missed by the AI) represent critical detection failures. Tuning AI models involves a trade-off between sensitivity (catching more threats, potentially increasing false positives) and specificity (reducing false positives, potentially increasing false negatives). Research indicates variability and potential unreliability in AI detectors for specific tasks like identifying AI-generated text or deepfakes, and improper configuration of AI tools is a significant concern, leading to missed threats (false negatives). Transparency regarding these rates is debated among vendors.
  • Skills Gap: A significant barrier to effective AI deployment in cybersecurity is the shortage of professionals with the necessary skills to develop, implement, manage, tune, and interpret the outputs of these sophisticated tools. Often, cybersecurity teams are excluded from the initial AI implementation process within organizations, leading to potential security oversights.
  • Cost and Complexity: Implementing and maintaining advanced AI security platforms can be costly, requiring significant investment in technology, data infrastructure, and specialized personnel. Integrating AI tools into existing, often complex and siloed, security stacks presents further challenges.
  • Explainability and Trust: The “black box” nature of some complex AI models makes it difficult to understand precisely why they arrive at a particular decision (e.g., flagging an activity as malicious). This lack of transparency can hinder trust, complicate incident investigations, and make it harder to refine the models.

AI is undeniably a powerful defensive tool, but it is not a silver bullet. Its effectiveness is constrained by data quality, vulnerability to adversarial manipulation, the inherent trade-offs in detection accuracy (false positives vs. negatives), and the critical need for skilled human oversight and integration. Relying solely on AI without addressing these limitations creates a dangerous false sense of security. The dual use of AI by both attackers and defenders fuels a continuous, accelerating cycle of innovation. As defenders deploy more sophisticated AI-based detection mechanisms, attackers leverage AI to create stealthier, more evasive attacks or to directly target the defensive AI systems. This necessitates constant adaptation, research, and investment from the defense community to stay ahead, or at least keep pace, in this rapidly evolving arms race.

Table 2: AI in Attack vs. AI in Defense

AI in Attack vs. AI in Defense

Section 3: Know Your Enemy: Profiling Today’s Adversaries

Understanding the threat landscape requires not only knowing what attacks are occurring but also who is perpetrating them and why. Adversary motivations, capabilities, and preferred Tactics, Techniques, and Procedures (TTPs) differ significantly, necessitating tailored defensive strategies. The primary actors can be broadly categorized into financially motivated cybercriminals and nation-state actors, though the lines between them are increasingly blurring.

The Business of Cybercrime: Financially Motivated Actors

Cybercriminals looking to make money are the biggest players in the world of online threats, according to threat intelligence firms. Mandiant found that 55% of the groups they tracked in 2024 were motivated by profit, which is up from 52% in 2023 and 48% in 2022. Verizon also pointed out that financial reasons drive about 90% of attacks on healthcare. Their main aim? To make money through illegal activities. 

What motivates them, and how do they operate? These criminals engage in various schemes, mainly focusing on ransomware attacks, data extortion, and Business Email Compromise (BEC) scams that result in fake wire transfers. They also steal and sell valuable information, like login details and financial data. Their methods show that they treat this like a well-organized business.

  • Ransomware-as-a-Service (RaaS): This dominant operational model allows ransomware developers to lease their malware and infrastructure to affiliates, who carry out the attacks and share a percentage of the profits. This lowers the technical barrier to entry, significantly increasing the number of actors capable of launching sophisticated ransomware campaigns. Groups operating prominent RaaS platforms in early 2025 included RansomHub (Spoiled Scorpius), the disrupted but still present LockBit, Clop, and Akira.
  • Credential Harvesting: Reflecting the value of identity compromise, these groups heavily rely on infostealer malware distributed via various means and large-scale phishing campaigns to acquire user credentials.
  • Exploiting Vulnerabilities: Cybercriminals actively scan for and exploit known vulnerabilities, particularly easily accessible ones on internet-facing systems like edge devices and VPNs, as these provide direct entry points.
  • Living-off-the-Land Binaries (LOLBins): To evade detection by security tools, attackers frequently abuse legitimate system utilities and software already present on the target system (LOLBins) to perform malicious actions like reconnaissance, lateral movement, or data exfiltration. Abuse of Remote Desktop Protocol (RDP) for access and movement remains extremely common, featuring in 84% of Sophos MDR/IR cases.
  • Defense Evasion: Recognizing the prevalence of EDR and antivirus solutions, cybercriminals employ techniques to disable or bypass them. This includes using dedicated “EDR killer” tools, often leveraging the BYOVD tactic to gain kernel-level privileges needed to terminate security processes.
  • AI Adoption: Financially motivated actors are embracing AI primarily to enhance the effectiveness and scale of their social engineering attacks, particularly through AI-powered vishing and phishing campaigns.

Impact and Ecosystem: Cybercrime has a big impact, causing major financial losses. For example, Verizon found that the average ransom payment is around $115,000. Small and medium-sized businesses often feel this pressure more because they usually have fewer resources to protect themselves and recover from attacks. This whole cybercrime scene is pretty organized, featuring different players like initial access brokers who sell entry into networks, ransomware-as-a-service providers who set up the tools for attacks, and those who carry out the attacks and launder the stolen money. CrowdStrike keeps an eye on how this ecosystem is doing with its eCrime Index.

This setup shows that cybercrime is becoming more professional. It’s like a real industry with specific roles and ways of working that make it run smoothly. Each part of the operation focuses on different skills, whether it’s getting into systems, carrying out the extortion, or hiding the money, which makes these criminal rings stronger and harder to break up.

The Shadow War: Nation-State Actors

Operating with different motivations and often nearly unlimited resources, nation-state actors have a very different motivation, among them are to achieve geopolitical, economic, or military objectives. Their primary drivers include:

  • Espionage: Stealing sensitive government, military, or corporate data for intelligence gathering or economic advantage. Verizon noted a significant surge in espionage-motivated breaches in the Manufacturing and Healthcare sectors in 2024.
  • Critical Infrastructure Targeting: Gaining access to and potentially disrupting critical infrastructure networks (energy, water, finance, communications) to exert pressure, signal capability, or prepare for future conflict. CISA regularly issues advisories on threats to Industrial Control Systems (ICS).
  • Information Operations / Influence Campaigns: Using cyber means to spread disinformation, manipulate public opinion, or interfere in political processes.
  • Intellectual Property Theft: Stealing valuable trade secrets, research data, and technological blueprints to benefit national industries.
  • Sanctions Evasion / Revenue Generation: Particularly relevant for regimes under heavy international sanctions, like North Korea, which use cybercrime (e.g., cryptocurrency theft, ransomware partnerships) to generate illicit revenue.

Key Players and Activities (Early 2025):

  • China-Nexus Actors: Observed significantly escalating their cyber operations, with CrowdStrike reporting a 150% increase in activity across various sectors. Targeted industries include financial services, media, manufacturing, industrial sectors, government, and high technology. These actors are known for sophisticated TTPs, including the use of custom malware ecosystems, exploitation of zero-day vulnerabilities (especially in edge devices), and leveraging large proxy networks to obscure their origins.
  • DPRK-Nexus Actors (e.g., FAMOUS CHOLLIMA, Jumpy Pisces, Moonstone Sleet): Gained notoriety for their bold insider threat campaigns, infiltrating organizations by having operatives pose as remote IT workers or contractors. They are also said to be heavily involved in cryptocurrency theft and have increasingly been observed collaborating with or using ransomware infrastructure, potentially as affiliates or initial access brokers. A recent heist that was attributed to DPRK actors was the 1.5 billion USD Bybit hack.
  • Russia-Nexus Actors (e.g., APT28, APT44): Continue to engage in persistent cyber espionage campaigns, often exploiting known vulnerabilities in widely used software and network infrastructure. With the war in Ukraine nowhere near ending, these are groups to watch as Putin prepares the next stages of his campaigns.
  • Iran-Nexus Actors: Reported to be ramping up cyber operations in 2024, with a notable focus on targeting Israeli entities using a variety of methods aimed at improving intrusion success rates. Another one to watch out for, given the current geopolitical situation. 

TTPs and Convergence: Nation-state TTPs often overlap with cybercrime but typically demonstrate higher levels of sophistication, persistence, and resource investment. Common techniques include exploiting zero-day vulnerabilities, developing and deploying custom malware implants and toolsets, conducting highly targeted social engineering campaigns, executing complex supply chain attacks, targeting OT/ICS environments, compromising IoT devices, and leveraging advanced techniques like AI-powered tools, deepfakes, and BYOVD.

A significant trend is the convergence between nation-state activities and traditional cybercrime. State actors are increasingly using ransomware, either directly or through partnerships with criminal groups, potentially for plausible deniability, disruption, or revenue generation (as seen with DPRK actors ). They may also adopt TTPs commonly associated with eCrime, making attribution more challenging.

Recently, there’s been a noticeable increase in the amount and boldness of hacking activities from different countries. Reports from CrowdStrike show a sharp rise in operations linked to China, while North Korea has been getting pretty daring with its insider threats. This might mean that these countries are changing how they think about risks. Because of this, the sectors being targeted need to be more alert. It’s also getting tricky because nation-state goals are mixing with cybercrime methods. When tactics overlap, it can be hard for teams responding to incidents to figure out what kind of attack it is and what the attackers want. For example, a ransomware attack that looks like it’s just about making money might be part of a state-led effort for spying or causing disruption. This confusion can lead to underestimating how persistent and resourceful these attackers are. It gives them an advantage while making it tougher for defenses and diplomatic responses.

Table 3: Adversary Profile Comparison (Cybercrime vs. Nation-State)

Table 3: Adversary Profile Comparison (Cybercrime vs. Nation-State)

Section 4: Taking Stock: Are Defenders Losing the Battle?

Looking at the trends in threats, how AI plays its part, and what adversaries are doing helps us understand the current state of power in cyberspace. The question “Have we lost the fight against cyber criminals?” can’t just be answered with a yes or no. When we look at the situation, we see that there are strong points on both sides, showing that we’re dealing with tough challenges but also finding ways to adapt.

Arguments for “Losing Ground”

Many signs show that defenders are having a tough time keeping up with the changing threat environment:

Attacker Agility and Speed: Adversaries demonstrate remarkable speed, with eCrime breakout times measured in minutes or even seconds, and data exfiltration often completed within hours of compromise. They adapt their tactics rapidly, shifting from pure encryption to multi-extortion and disruption, and quickly weaponize new vulnerabilities and technologies like AI.

  • AI Weaponization Advantage: There are a few reasons why it seems like defenders are having a tough time keeping up with today’s threats. For one, AI is giving attackers an edge, making their phishing and vishing scams more convincing and harder to spot. Sure, defensive AI is getting better too, but it looks like the attackers are moving faster and taking advantage of the weaknesses in security measures.
  • Attacker Agility and Speed: Adversaries move fast nowadays, often breaking into systems in just minutes or even seconds, and stealing data within hours after a breach. They quickly change their methods, moving from just encrypting files to using multiple ways to extort and disrupt, and they’re quick to take advantage of new tech and weaknesses like AI.
  • Persistent Defensive Weaknesses: A large proportion of successful attacks continue to exploit fundamental security failures:
  • Basic Hygiene Gaps: Unpatched systems, especially on the network edge, remain prime targets. Weak or stolen credentials fuel the majority of malware-free intrusions. Misconfigurations in cloud and on-premises systems are routinely exploited. Worryingly, the lack of MFA remains a common finding in breaches.
  • The Human Factor: Social engineering continues to be highly effective, now amplified by AI’s ability to personalize and mimic. Insider threats, whether malicious or unintentional, remain difficult to detect and prevent.
  • Visibility and Complexity Hurdles: Security teams often struggle with visibility across complex, hybrid environments. Siloed security tools prevent effective correlation and detection, even when attack evidence exists in logs. Gaps in monitoring cloud assets and shadow IT allow attackers to move laterally undetected. The inherent complexity of modern IT, cloud, and OT environments creates blind spots.
  • Supply Chain Blind Spots: The doubling of third-party breaches highlights the immense challenge of managing risk across extensive and often opaque supply chains.
  • Detection Deficits: The slight increase in global median dwell time, despite faster attacker actions post-compromise, suggests that stealthier attacks are succeeding for longer periods before being found. The low rate of internal detection (Mandiant: 43% ) indicates that many organizations lack effective monitoring and threat hunting capabilities.
  • Escalating Nation-State Threats: The observed increase in activity and boldness from sophisticated nation-state actors like those linked to China and North Korea presents a formidable challenge that many organizations are ill-equipped to handle.

Arguments for “Holding the Line / Adapting”

Despite the significant challenges, there are also signs of defensive adaptation and resilience:

  • Defensive Innovation: AI is a great help for defenders. It helps spot threats, automates responses, predicts issues, and makes behavioral analysis better. Using services like Managed Detection and Response (MDR) can speed up detection compared to old-school methods. We’re also seeing more unified security platforms coming out to tackle the problem of too many tools and to give a clearer view.
  • Improved Resilience Tactics: The trend of more organizations refusing to pay ransoms suggests improvements in backup strategies, incident response planning, and potentially a greater acceptance of calculated risk.
  • Increased Awareness and Collaboration: There is growing global awareness of cyber threats, driven by regular reporting from vendors, government agencies like CISA and ENISA, and increased media coverage. Information sharing initiatives aim to disseminate threat intelligence more rapidly. Organizations continue to invest in security awareness training, although its effectiveness varies.
  • Regulatory Pressure: Stricter cybersecurity regulations, such as the NIS2 Directive and the Digital Operational Resilience Act (DORA) in Europe, are compelling organizations, particularly in critical sectors, to improve their security hygiene, risk management, and reporting practices.

Synthesis: A Difficult, Asymmetric Struggle

The evidence doesn’t clearly say that the fight is over, but it does show that defenders are facing a tough battle where attackers often take charge. The speed, adaptability, and tech advantages — especially with AI — that these attackers have usually outstrip what many organizations can do to defend themselves. 

While some steps are being taken in defense, they often seem to be more of a reaction than a proactive stance. Success hinges on taking strong security measures, having good operational practices like around-the-clock monitoring and threat hunting, and sticking to basic security tasks — things that not everyone manages to do. The ongoing exploitation of simple issues like outdated software and stolen credentials shows a big gap between what’s known as best practice and what’s happening out there. This gap could be due to things like a lack of resources, tech issues, complex organizations, or just not prioritizing security. 

This situation creates a worrying imbalance. Big companies with dedicated security teams, big budgets, and access to advanced tools can often improve how quickly they detect and respond to threats. On the other hand, small businesses and organizations with weaker security often don’t have these resources, leaving them at greater risk from widespread attacks like ransomware. Attackers are quick to take advantage of this, making it tough for many to keep up. 

In the end, it’s not just a single lost fight but a constant battle happening on various levels. Defenders aren’t always losing, but the sheer number, speed, and complexity of attacks, along with ongoing weaknesses in basic defenses at many organizations, often give attackers an edge. Being complacent isn’t an option; staying alert, adapting, and putting in the right resources are necessary just to maintain a defense.

Section 5: Peering into the Fog: The Cyber Threat Horizon (Next 1–3 Years)

Figuring out what the future of cybersecurity looks like is tough because tech changes so fast and hackers keep getting smarter. But by looking at where things are heading now and what experts think, we can get a pretty good idea of what threats might come up in the next year or two.

AI’s Continued Evolution in Attacks

AI is expected to become even more deeply integrated into attack methodologies:

  • More Autonomous AI Systems: The trend may shift from AI assisting human attackers to AI agents capable of executing certain attack phases more autonomously. The development of AI agents and multi-agent systems (“swarms”) could automate complex tasks but also introduce novel attack vectors and vulnerabilities related to agent control, communication, and data access.
  • Hyper-Realistic Deepfakes: Deepfake technology will likely continue to improve in realism and accessibility, potentially enabling real-time voice and video manipulation during interactions. This will fuel more sophisticated and harder-to-detect fraud, impersonation schemes, BEC attacks, extortion, and disinformation campaigns.
  • Maturation of AI Model Attacks: As businesses integrate AI more deeply into critical processes, attacks targeting the AI models themselves, such as data poisoning, model evasion, and potentially model theft or ransom, are likely to become more prevalent and impactful.
  • Quantum-Proof Ransomware: While still nascent, the development of ransomware incorporating post-quantum cryptographic algorithms is anticipated. As quantum computing capabilities advance, such ransomware could pose an insurmountable decryption challenge for victims relying on current cryptographic standards.

New Vulnerabilities and Expanding Attack Surfaces

The digital footprint continues to expand, creating new opportunities for attackers:

  • Emerging Technologies: There’s a growing concern about the security of Internet of Things (IoT) devices since many of them have weak security and depend on old servers or outdated software. Operational Technology (OT) and Industrial Control Systems (ICS) are still key targets, especially with the blending of IT and OT and the use of new tech like AI in factories. Attackers are likely to keep their eyes on cloud services, serverless computing, and APIs. ENISA pointed out that commercial satellite systems and space assets are becoming a new area that needs more security attention. Also, Web3 technologies, like cryptocurrencies and blockchains, will continue to attract thieves and be used for money laundering.
  • AI Systems as Targets: The AI models, platforms, and data pipelines underpinning AI applications will become direct targets for espionage, disruption, or manipulation. We have recently started to see this more, and a good example is the exposed DeepSeek Database Leaking Sensitive Information, Including Chat History.
  • Legacy System Risks: Despite the focus on new technologies, outdated systems (e.g., older telecom equipment, legacy ICS components) will remain vulnerable due to a lack of security updates and inherent design weaknesses. The increasing use of Linux in OT environments may also introduce new challenges due to potentially less mature security solutions and fewer skilled Linux security professionals in that domain.

Shifts in Adversary Strategies

Adversary behavior is also expected to evolve:

  • Actor Convergence: The blurring lines between cybercrime and nation-state activity will likely continue, with states adopting criminal TTPs and potentially collaborating with or co-opting criminal groups. Alliances between hacktivist groups might also increase in scale and coordination.
  • Focus on Disruption: Attacks aimed purely at causing operational disruption or sabotage, potentially driven by geopolitical motives or as an evolution of extortion tactics, may increase.
  • Supply Chain Emphasis: Targeting software supply chains, including open-source projects and third-party vendors, will remain a key strategy due to the potential for widespread impact.
  • Exploitation of Geopolitical Tensions: International conflicts, sanctions, and technology access restrictions may drive increased state-sponsored intellectual property theft and encourage the use of cracked or untrustworthy software, particularly in sensitive OT environments, creating additional security risks.

The forecasted threats we’re seeing, like advanced AI and quantum computing challenges, are way more complex than many of the threats we face today. This shows that organizations need to start moving towards security systems that are not just reactive but also proactive and resilient. Waiting until after an attack happens to respond won’t cut it anymore, especially with risks that can get around our current defenses or make recovery tough, like quantum-proof ransomware. It’s clear that we need to invest in technologies that can stand up to future challenges, such as post-quantum cryptography and strong AI security frameworks, along with adaptable AI defense systems.

The growing risks are reaching beyond just IT networks to include things like operational technology, IoT, space systems, AI setups, and the cloud. This means we need a complete security plan that looks at everything together, not just in separate parts. We should take a broad view that tackles the whole digital landscape and includes a good look at the software and hardware supply chain. The idea that you can stay safe by keeping things secret, especially for operational tech, just doesn’t work anymore.

Section 6: Conclusion: Charting a Course for Resilience

The cyber threat scene in 2025 is tough. Both criminals and state-backed hackers are getting faster and smarter. They’re still using common tactics like stealing logins and taking advantage of weak spots, especially at the network’s edge. Plus, the quick rise of Artificial Intelligence is making old threats like social engineering even worse and bringing new ways to attack. AI tools are becoming a new target as well. Cybercrime has turned into a big business model now, with services like Ransomware as a Service (RaaS) popping up. Nation-state hackers are stepping up their spying and disruptive actions, and it’s getting harder to tell these groups apart.

Looking forward, the threats are likely to get more complicated. We might see AI being used in attacks, really convincing deepfakes, and quantum computing shaking up encryption. There’s also the risk of attacks aimed at messing with AI models. Plus, the risk area is getting bigger, including things like operational technology, the Internet of Things, cloud services, and even space assets.

Looking at the main question — have we lost this battle? — it seems a bit too clear-cut to say we’ve totally lost. Still, defenders definitely have a tough road ahead because attackers are quick and there are gaps in defense. Many organizations are having a hard time just putting basic security measures in place, which makes it easier for attackers. Even though defensive tech like AI is getting better, it’s not a complete fix and comes with its own issues, like not having enough skilled workers. To keep up, we need to keep adapting, investing, and really focus on being proactive in our defense.

To get through this tough environment and stay strong, companies need to focus on a few important areas:

Master the Fundamentals: Keep your security basics in check. That means making sure you’re on top of software updates, especially for systems that connect to the internet. Use strong multi-factor authentication whenever you can, set up secure settings, and stick to the principle of least privilege for user access. Also, try to segment your network to reduce the chances of problems spreading. Don’t forget to handle outdated systems and software — they can and will drag you down.

  1. Adopt Identity-Centric Security: Recognize that identity is the new perimeter. Accept it as a fact. Implement comprehensive IAM strategies, that is not only a tool, but a very important process, continuously monitor for credential abuse and anomalous logins, explore passwordless solutions like passkeys , and invest in Identity Threat Detection and Response (ITDR) capabilities.
  2. Embrace Proactive Security: Move away from a purely reactive posture. Implement continuous monitoring and proactive threat hunting, either in-house or through MDR / MSSP services. Leverage threat intelligence and resources like CISA’s KEV catalog to prioritize vulnerability management. Adopt a Zero Trust architecture, I know, Zero Trust is an overused word, but the concept is not a bad one, assuming breach and verifying continuously.
  3. Leverage AI Defenses Wisely: Use AI and ML tools smartly to improve threat detection, speed up responses, and get better predictions. Just be sure to check what vendors say, know their limits (like false positives and negatives), make sure everything is set up right, keep some human checks in place, and train your security teams to handle these tools well.
  4. Secure the Entire Supply Chain: Implement rigorous Third-Party Risk Management (TPRM) programs. Vet vendors thoroughly, demand security assurances, continuously monitor the security posture of critical suppliers, and implement controls for securing open-source software components.
  5. Enhance Cloud Security Posture: Focus on preventing cloud misconfigurations through robust Cloud Security Posture Management (CSPM). Strengthen cloud IAM practices, ensure adequate logging and monitoring across hybrid environments, and secure cloud-native applications and APIs.
  6. Strengthen the Human Firewall: Invest in ongoing, engaging security awareness training that addresses modern threats, including sophisticated phishing, AI-powered vishing, deepfakes, and social engineering tactics. Foster a strong, organization-wide security culture where employees feel empowered to report suspicious activity.
  7. Prepare for Future Threats: Stay informed about the evolving threat landscape, including the potential impacts of quantum computing on cryptography and the security implications of advanced AI. Begin strategic planning for future security paradigms, such as migrating to post-quantum cryptography.

Fighting against cyber threats is an ongoing job that needs dedication, smart thinking, and flexibility. The risks are increasing, but taking a smart, layered approach to cybersecurity is the best way to stay strong in this more risky digital age.

I want to share the sources, or the majority thereof, that I referred to throughout this article. In many cases, i already included the links in the text above, but I found it a good idea to provide a summary again:

CrowdStrike 2025 Global Threat Report (Press Release): [https://www.crowdstrike.com/en-us/press-releases/crowdstrike-releases-2025-global-threat-report/](https://www.crowdstrike.com/en-us/press-releases/crowdstrike-releases-2025-global-threat-report/)
Palo Alto Networks Unit 42 2025 Incident Response Report: [https://www.paloaltonetworks.com/resources/research/unit-42-incident-response-report](https://www.paloaltonetworks.com/resources/research/unit-42-incident-response-report)
Palo Alto Networks Unit 42 2025 Ransomware/Extortion Trends: [https://unit42.paloaltonetworks.com/2025-ransomware-extortion-trends/](https://unit42.paloaltonetworks.com/2025-ransomware-extortion-trends/)
Mandiant M-Trends 2025 (Blog Summary): [https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2025](https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2025)
Verizon 2025 DBIR (News Release): [https://www.verizon.com/about/news/2025-data-breach-investigations-report](https://www.verizon.com/about/news/2025-data-breach-investigations-report)
Sophos Active Adversary Report 2025: [https://news.sophos.com/en-us/2025/04/02/2025-sophos-active-adversary-report/](https://news.sophos.com/en-us/2025/04/02/2025-sophos-active-adversary-report/)
Sophos Annual Threat Report 2025: [https://news.sophos.com/en-us/2025/04/16/the-sophos-annual-threat-report-cybercrime-on-main-street-2025/](https://news.sophos.com/en-us/2025/04/16/the-sophos-annual-threat-report-cybercrime-on-main-street-2025/)
ENISA Threat Landscape Overview: [https://www.enisa.europa.eu/topics/cyber-threats/threat-landscape](https://www.enisa.europa.eu/topics/cyber-threats/threat-landscape)
ENISA Space Threat Landscape 2025: [https://www.enisa.europa.eu/publications/enisa-space-threat-landscape-2025](https://www.enisa.europa.eu/publications/enisa-space-threat-landscape-2025)
CISA Cyber Threats and Advisories: [https://www.cisa.gov/topics/cyber-threats-and-advisories](https://www.cisa.gov/topics/cyber-threats-and-advisories)
Kaspersky Security Bulletin Predictions 2025 (SecuritySA): [http://www.securitysa.com/24093r](http://www.securitysa.com/24093r)
Kaspersky Security Bulletin Predictions 2025 (Press Release): [https://www.kaspersky.com/about/press-releases/kaspersky-predicts-quantum-proof-ransomware-and-advancements-in-mobile-financial-cyberthreats-in-2025](https://www.kaspersky.com/about/press-releases/kaspersky-predicts-quantum-proof-ransomware-and-advancements-in-mobile-financial-cyberthreats-in-2025)
Kaspersky ICS CERT Predictions 2025: [https://ics-cert.kaspersky.com/publications/reports/2025/01/29/threat-predictions-for-industrial-enterprises-2025/](https://ics-cert.kaspersky.com/publications/reports/2025/01/29/threat-predictions-for-industrial-enterprises-2025/)
Trend Micro Security Predictions for 2025: [https://www.trendmicro.com/vinfo/us/security/research-and-analysis/predictions/the-artificial-future-trend-micro-security-predictions-for-2025](https://www.trendmicro.com/vinfo/us/security/research-and-analysis/predictions/the-artificial-future-trend-micro-security-predictions-for-2025)
Trend Micro Cyber Risk Report 2025: [https://www.trendmicro.com/vinfo/us/security/news/threat-landscape/trend-2025-cyber-risk-report](https://www.trendmicro.com/vinfo/us/security/news/threat-landscape/trend-2025-cyber-risk-report)
CrowdStrike BYOVD Analysis (SCATTERED SPIDER): [https://www.crowdstrike.com/en-us/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/](https://www.crowdstrike.com/en-us/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/)
CrowdStrike BYOVD Analysis (Real-World Intrusion): [https://www.crowdstrike.com/en-us/blog/falcon-prevents-vulnerable-driver-attacks-real-world-intrusion/](https://www.crowdstrike.com/en-us/blog/falcon-prevents-vulnerable-driver-attacks-real-world-intrusion/)
ESET BYOVD Analysis: [https://www.eset.com/us/about/newsroom/corporate-blog/edr-killers-get-popular-here-is-how-to-stop-them/](https://www.eset.com/us/about/newsroom/corporate-blog/edr-killers-get-popular-here-is-how-to-stop-them/)
Cybersecurity Dive BYOVD Analysis (Microsoft Signed Driver): [https://www.cybersecuritydive.com/news/microsoft-signed-driver-used-in-ransomware-attacks/741372/](https://www.cybersecuritydive.com/news/microsoft-signed-driver-used-in-ransomware-attacks/741372/)
ConnectWise Common Threats (BYOVD): [https://www.connectwise.com/blog/cybersecurity/common-threats-and-attacks](https://www.connectwise.com/blog/cybersecurity/common-threats-and-attacks)
Reality Defender Deepfake Analysis (Hong Kong Scam): [https://www.realitydefender.com/insights/millions-lost-in-hong-kong-crypto-scam](https://www.realitydefender.com/insights/millions-lost-in-hong-kong-crypto-scam)
Reality Defender Deepfake Analysis (Financial Sector): [https://www.realitydefender.com/blog/deepfake-voice-phishing-vishing-in-the-financial-sector](https://www.realitydefender.com/blog/deepfake-voice-phishing-vishing-in-the-financial-sector)
Keepnet Labs Vishing Statistics: [https://keepnetlabs.com/blog/rise-of-voice-phishing-a-deep-dive-into-vishing-statistics-in-2023](https://keepnetlabs.com/blog/rise-of-voice-phishing-a-deep-dive-into-vishing-statistics-in-2023)
Keepnet Labs Vishing Threat 2025: [https://keepnetlabs.com/blog/why-vishing-is-a-big-cyber-threat-in-2025-a-continuous-cyber-threat-for-organizations-of-any-size](https://keepnetlabs.com/blog/why-vishing-is-a-big-cyber-threat-in-2025-a-continuous-cyber-threat-for-organizations-of-any-size)
Google Cloud AI Voice Spoofing: [https://cloud.google.com/blog/topics/threat-intelligence/ai-powered-voice-spoofing-vishing-attacks](https://cloud.google.com/blog/topics/threat-intelligence/ai-powered-voice-spoofing-vishing-attacks)
Cyber Defense Magazine AI Vishing: [https://www.cyberdefensemagazine.com/ai-powered-vishing/](https://www.cyberdefensemagazine.com/ai-powered-vishing/)
Red Goat Voice Cloning Heist: [https://red-goat.com/voice-cloning-heist/](https://red-goat.com/voice-cloning-heist/)
USD Law Library AI Detector Analysis: [https://lawlibguides.sandiego.edu/c.php?g=1443311&p=10721367](https://lawlibguides.sandiego.edu/c.php?g=1443311&p=10721367)
Nieman Lab AI Fake News Detection: [https://www.niemanlab.org/2025/04/fake-news-detection-ai-is-more-likely-to-fail-in-the-global-south-new-study-shows/](https://www.niemanlab.org/2025/04/fake-news-detection-ai-is-more-likely-to-fail-in-the-global-south-new-study-shows/)
Physiology Journal AI Detector Analysis: [https://journals.physiology.org/doi/10.1152/advan.00235.2024](https://journals.physiology.org/doi/10.1152/advan.00235.2024)
Trade Press Services AI Detector Analysis: [https://www.tradepressservices.com/ai-detectors/](https://www.tradepressservices.com/ai-detectors/)
Security Boulevard AI Bot Protection Analysis: [https://securityboulevard.com/2025/04/no-hidden-trade-offs-why-measuring-false-positives-negatives-is-the-only-way-to-assess-ai-bot-protection/](https://securityboulevard.com/2025/04/no-hidden-trade-offs-why-measuring-false-positives-negatives-is-the-only-way-to-assess-ai-bot-protection/)
CRA CBIR AI in Cybersecurity: [https://www.cyberriskalliance.com/press-release/cra-cbir-september-2024-ai](https://www.cyberriskalliance.com/press-release/cra-cbir-september-2024-ai)
Darktrace AI Cybersecurity Predictions 2025: [https://darktrace.com/blog/ai-and-cybersecurity-predictions-for-2025](https://darktrace.com/blog/ai-and-cybersecurity-predictions-for-2025)
Darktrace AI Cyber Threats Survey: [https://darktrace.com/blog/survey-findings-ai-cyber-threats-are-a-reality-the-people-are-acting-now](https://darktrace.com/blog/survey-findings-ai-cyber-threats-are-a-reality-the-people-are-acting-now)
GCPR AI & Cybersecurity Trends: [https://www.gcpr.net/blog/trends-challenges-experts-ai-and-cybersecurity-influential-factors/](https://www.gcpr.net/blog/trends-challenges-experts-ai-and-cybersecurity-influential-factors/)
ISACA Securing AI: [https://www.isaca.org/resources/news-and-trends/newsletters/atisaca/2025/volume-1/securing-artificial-intelligence-opportunities-and-challenges](https://www.isaca.org/resources/news-and-trends/newsletters/atisaca/2025/volume-1/securing-artificial-intelligence-opportunities-and-challenges)
AI Security Pro AI Security Frameworks: [https://www.aisecurity.pro/a-comprehensive-survey-of-ai-security-frameworks-navigating-the-complex-landscape-of-ai-cybersecurity/](https://www.aisecurity.pro/a-comprehensive-survey-of-ai-security-frameworks-navigating-the-complex-landscape-of-ai-cybersecurity/)
360 Advanced Dark Side of AI: [https://360advanced.com/the-dark-side-of-ai-new-cybersecurity-challenges-for-organizations/](https://360advanced.com/the-dark-side-of-ai-new-cybersecurity-challenges-for-organizations/)
Forbes AI Impact on Cybersecurity Predictions: [https://www.forbes.com/councils/forbestechcouncil/2025/01/06/2025-predictions-the-impact-of-ai-on-cybersecurity/](https://www.forbes.com/councils/forbestechcouncil/2025/01/06/2025-predictions-the-impact-of-ai-on-cybersecurity/)
Optiv AI Trends in Cybersecurity: [https://www.optiv.com/insights/discover/blog/ai-trends-in-cybersecurity](https://www.optiv.com/insights/discover/blog/ai-trends-in-cybersecurity)
BitLyft AI/ML Trends in Cybersecurity: [https://www.bitlyft.com/resources/future-trends-in-ai-and-machine-learning-for-cybersecurity](https://www.bitlyft.com/resources/future-trends-in-ai-and-machine-learning-for-cybersecurity)
Cloud Security Alliance AI in Cybersecurity: [https://cloudsecurityalliance.org/blog/2025/03/14/a-i-in-cybersecurity-revolutionizing-threat-detection-and-response](https://cloudsecurityalliance.org/blog/2025/03/14/a-i-in-cybersecurity-revolutionizing-threat-detection-and-response)
Takepoint Research AI in Industrial Cybersecurity: [https://industrialcyber.co/ai/takepoint-research-80-of-cybersecurity-professionals-favor-ai-benefits-over-evolving-risks/](https://industrialcyber.co/ai/takepoint-research-80-of-cybersecurity-professionals-favor-ai-benefits-over-evolving-risks/)
Capitol Tech U AI-Driven Cybersecurity Trends: [https://www.captechu.edu/blog/ai-driven-cybersecurity-trends-2025](https://www.captechu.edu/blog/ai-driven-cybersecurity-trends-2025)

And as usual:

Sign up for more like this.

Enter your email
Subscribe