Ontinue has published its 2H 2025 Threat Intelligence Report, highlighting a major change in how cybercriminals infiltrate organizations. It shows attackers are increasingly using stolen credentials, identity misuse, and trusted integrations instead of traditional malware-based methods.
Drawing on investigations conducted by Ontinue’s Advanced Threat Operations (ATO) team and telemetry from the Ontinue ION MXDR platform, the 2H 2025 Threat Intelligence report highlights how identity compromise has become the most common pathway into cloud environments.
“Attackers aren’t trying to break through defenses anymore; they’re logging in with stolen credentials,” said Balazs Greksza, Director of Advanced Threat Operations at Ontinue. “Infostealers are feeding a growing underground market for corporate access. Once attackers obtain valid identities, they can bypass traditional security controls and move through environments as legitimate users, often without triggering the alarms organizations rely on.”
Identity Attacks and Credential Theft on the Rise
The report documents how identity-based attacks – including adversary-in-the-middle (AiTM) phishing, password spraying, and service principal credential exposure – now dominate security investigations. Rather than exploiting software vulnerabilities, attackers increasingly rely on compromised credentials to gain direct access to cloud environments.
Infostealer malware plays a central role in fueling this trend. Malware families such as LummaC2 harvest browser passwords, session cookies, and authentication tokens from infected systems. These stolen credentials are then packaged into “logs” and sold through underground marketplaces, allowing other threat actors to purchase ready-made access to corporate environments.
The report notes that listings of stolen credentials linked to LummaC2 increased by 72% on underground marketplaces, reflecting the rapid expansion of this credential theft ecosystem. Stolen corporate access can command thousands of dollars per account, making credential theft one of the most profitable entry points in the modern cybercrime economy.
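The two identity-attack patterns described above, password spraying and the reuse of stolen session cookies or tokens, both leave traces in ordinary sign-in telemetry. The following is an added example, not code from Ontinue or from the report, that runs simple detection logic over a constructed set of sign-in events: a spray detector that flags a source IP hitting many distinct accounts with few attempts each, and a session-replay detector that flags a session identifier accepted from more than one source IP inside a short window. The event schema, field names, thresholds and IP addresses are all assumptions made for the illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry). Each event is a
# simplified record: ISO timestamp, account, source IP, outcome, and the
# session identifier accepted or issued on success (None on failure).
# The schema is an assumption for this example, not a vendor log format.
SAMPLE_EVENTS = [
    # One source quietly tries a password against many different accounts.
    {"ts": "2025-11-04T09:00:05", "user": "alice", "ip": "203.0.113.7", "result": "failure", "session": None},
    {"ts": "2025-11-04T09:00:41", "user": "bob",   "ip": "203.0.113.7", "result": "failure", "session": None},
    {"ts": "2025-11-04T09:01:12", "user": "carol", "ip": "203.0.113.7", "result": "failure", "session": None},
    {"ts": "2025-11-04T09:01:59", "user": "dave",  "ip": "203.0.113.7", "result": "failure", "session": None},
    {"ts": "2025-11-04T09:02:30", "user": "erin",  "ip": "203.0.113.7", "result": "failure", "session": None},
    {"ts": "2025-11-04T09:03:02", "user": "frank", "ip": "203.0.113.7", "result": "success", "session": "s-frank-1"},
    # A legitimate user mistyping their own password twice, then succeeding.
    {"ts": "2025-11-04T09:05:00", "user": "grace", "ip": "198.51.100.20", "result": "failure", "session": None},
    {"ts": "2025-11-04T09:05:20", "user": "grace", "ip": "198.51.100.20", "result": "failure", "session": None},
    {"ts": "2025-11-04T09:05:45", "user": "grace", "ip": "198.51.100.20", "result": "success", "session": "s-grace-1"},
    # The same session identifier is later accepted from a different network:
    # what a stolen cookie (infostealer log or AiTM proxy) looks like in the log.
    {"ts": "2025-11-04T09:20:00", "user": "grace", "ip": "192.0.2.99", "result": "success", "session": "s-grace-1"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=2):
    """Return {ip: [accounts]} for sources whose failures within one window
    touch at least min_accounts distinct accounts with at most
    max_per_account attempts each (the low-and-slow spray signature)."""
    failures_by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures_by_ip[e["ip"]].append((parse_ts(e["ts"]), e["user"]))

    flagged = {}
    for ip, fails in failures_by_ip.items():
        fails.sort()
        # Slide a window starting at each failure and look at what follows it.
        for i, (start, _) in enumerate(fails):
            per_user = Counter(u for t, u in fails[i:] if t - start <= window)
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                flagged[ip] = sorted(per_user)
                break
    return flagged


def spray_successes(events, flagged_ips):
    """Accounts that authenticated successfully from a flagged spray source:
    these are the credentials the attacker now holds."""
    hits = defaultdict(list)
    for e in events:
        if e["result"] == "success" and e["ip"] in flagged_ips:
            hits[e["ip"]].append(e["user"])
    return dict(hits)


def detect_session_replay(events, window=timedelta(minutes=60)):
    """Return {session_id: [ips]} for sessions accepted from more than one
    source IP within window of the session's first observed use."""
    uses_by_session = defaultdict(list)
    for e in events:
        if e["session"] is not None:
            uses_by_session[e["session"]].append((parse_ts(e["ts"]), e["ip"]))

    flagged = {}
    for sid, uses in uses_by_session.items():
        uses.sort()
        first_seen = uses[0][0]
        ips = {ip for t, ip in uses if t - first_seen <= window}
        if len(ips) > 1:
            flagged[sid] = sorted(ips)
    return flagged


if __name__ == "__main__":
    sprays = detect_password_spray(SAMPLE_EVENTS)
    print("password spray sources:", sprays)
    print("credentials obtained by spray:", spray_successes(SAMPLE_EVENTS, sprays))
    print("replayed sessions:", detect_session_replay(SAMPLE_EVENTS))
```

The thresholds are illustrative and need tuning per tenant: a single user failing several times (grace) is not flagged because the spray rule keys on account breadth, not failure volume, and a session seen from two IPs will false-positive on mobile carriers and split-tunnel VPNs, so in practice the replay check is correlated with ASN, device identifier or a device-bound token rather than raw IP.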
Ransomware Remains a Major Threat
Traceable ransomware payments declined modestly, from $892 million in 2024 to $820 million in 2025, but the number of attacks continued to rise. The report cites more than 7,000 ransomware incidents reported globally in 2025, with 129 active ransomware groups operating across industries.
Modern ransomware campaigns increasingly combine multiple forms of pressure, including data theft, operational disruption, distributed denial-of-service (DDoS) attacks, and direct intimidation of victims’ employees or customers, tactics often described as double, triple, or even quadruple extortion.
Emerging Use of Generative AI in Malware Development
The report also highlights early signs that threat actors are beginning to use generative AI to accelerate the development of malicious tools. Analysis of several recovered webshells and commodity malware samples revealed coding patterns consistent with LLM-assisted development, including verbose explanatory comments, duplicated functions generated through iterative prompting, and visually polished interfaces paired with insecure implementations.
While adversarial AI remains an emerging capability rather than a dominant attack vector, Ontinue researchers note that generative AI may significantly lower the technical barrier for developing functional malware and attack infrastructure.
Supply Chain and SaaS Attacks Expand
Risks associated with software supply chains and cloud integrations are also on the rise. Threat actors are increasingly targeting development pipelines, SaaS platforms, and third-party service providers to gain indirect access to corporate environments.
These attacks can spread rapidly across trusted ecosystems, enabling adversaries to compromise multiple organizations simultaneously.
Record-Breaking Infrastructure Attacks
In addition to identity-driven attacks, the report documents a dramatic increase in infrastructure-scale threats. Distributed denial-of-service campaigns reached a peak of 31.4 Tbps, powered by botnets leveraging more than 500,000 compromised systems.
These attacks demonstrate the growing scale and automation capabilities available to modern threat actors.
Key Findings
- Identity-based attacks are now a leading entry point for cyber intrusions
- Infostealers are fueling a global credential-theft economy
- Over 7,000 ransomware incidents were reported globally in 2025
- 129 ransomware groups were active during the year
- Global ransomware payments reached $820M in 2025
- Early evidence of LLM-assisted malware development observed in commodity attack tooling
- DDoS attacks peaked at 31.4 Tbps
“The reality organizations face today is that attackers are moving faster, leveraging stolen identities and automation to bypass traditional defenses,” said Craig Jones, Chief Security Officer at Ontinue. “Cyber resilience is no longer just about preventing breaches; it’s about proactive risk reduction and environment hardening, detecting threats quickly, responding decisively, and maintaining operational continuity when incidents occur. Partnering with the right managed security provider allows organizations to combine advanced technology, real-time threat intelligence, and experienced analysts to stay ahead of attackers and strengthen their ability to withstand and recover from modern cyber threats.”
Download the full 2H 2025 Threat Intelligence Report here.