Rapid7 has unveiled its Q3 2025 Threat Landscape Report, highlighting the evolving tactics of threat actors in exploiting vulnerabilities, enhancing ransomware operations, and utilizing artificial intelligence to evade detection. The report bases its findings on data from Rapid7’s Intelligence Hub, AttackerKB, incident response, and managed detection and response (MDR) telemetry, providing a comprehensive view of the shifting threat landscape.
Chief Scientist Raj Samani emphasized the strategic shift in ransomware, stating, "Ransomware has evolved significantly beyond its early days to become a calculated strategy that destabilizes industries."
Samani noted that ransomware groups now function like shadow corporations, integrating infrastructure, tactics, and public relations to rapidly undermine trust.
Critical Vulnerability Exploitation
The report indicates a 21% reduction in newly exploited vulnerabilities from the second quarter to the third in 2025. Despite this decline, attackers continue to target older, unpatched vulnerabilities, including those over ten years old, highlighting their ongoing threat.
High-profile examples include a Microsoft SharePoint vulnerability (CVE-2025-53770) and flaws in Cisco ASA/FTD products, underscoring the shrinking window between a patch's disclosure and its exploitation in real-world attacks.
Christiaan Beek, Rapid7's Senior Director of Threat Intelligence and Analytics, noted the urgency of this issue: "The moment a vulnerability is disclosed, it becomes a bullet in the attacker’s arsenal. Attackers are no longer waiting. Instead, they’re weaponizing vulnerabilities in real time and turning every disclosure into an opportunity for exploitation."
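The two findings above, that exploitation now follows (or precedes) disclosure within days while decade-old bugs are still being hit, are easy to measure against your own vulnerability feed. The following is an added illustration, not code or data from the Rapid7 report: it takes constructed records (fictitious CVE identifiers and dates) with a disclosure date and a first-confirmed in-the-wild exploitation date, computes the disclosure-to-exploitation window and the vulnerability's age at exploitation, and returns the entries that need immediate patching (exploited before or within a few days of disclosure) and the legacy entries that are still being exploited. The `rapid_days` and `legacy_years` thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median


@dataclass(frozen=True)
class VulnRecord:
    cve: str                 # CVE identifier; the year component gives the vulnerability's age
    disclosed: date          # date the vendor advisory / patch was published
    first_exploited: date    # earliest confirmed in-the-wild exploitation


def days_to_exploitation(r: VulnRecord) -> int:
    """Days from patch disclosure to first observed exploitation.
    Negative means the flaw was exploited before a patch existed (a zero-day)."""
    return (r.first_exploited - r.disclosed).days


def cve_year(cve: str) -> int:
    # CVE-YYYY-NNNN: the second field is the year the ID was assigned.
    return int(cve.split("-")[1])


def age_at_exploitation_years(r: VulnRecord) -> int:
    return r.first_exploited.year - cve_year(r.cve)


def triage(records, rapid_days: int = 7, legacy_years: int = 10) -> dict:
    """Split a feed into the buckets a patch-management team acts on.

    rapid   : exploited before disclosure or within `rapid_days` of it;
              these cannot wait for a normal patch cycle.
    legacy  : at least `legacy_years` old at the time of exploitation;
              these point at unpatched, forgotten assets rather than new bugs.
    median_days: typical disclosure-to-exploitation window across the feed,
              a single number to track quarter over quarter.
    """
    windows = {r.cve: days_to_exploitation(r) for r in records}
    return {
        "zero_day": sorted(c for c, d in windows.items() if d < 0),
        "rapid": sorted(c for c, d in windows.items() if d <= rapid_days),
        "legacy": sorted(r.cve for r in records
                         if age_at_exploitation_years(r) >= legacy_years),
        "median_days": median(windows.values()),
    }


# Constructed sample feed (fictitious CVE IDs and dates, for illustration only).
SAMPLE_FEED = [
    VulnRecord("CVE-2025-11111", date(2025, 7, 20), date(2025, 7, 18)),   # exploited 2 days before the patch
    VulnRecord("CVE-2025-22222", date(2025, 9, 25), date(2025, 9, 27)),   # exploited 2 days after disclosure
    VulnRecord("CVE-2024-33333", date(2024, 3, 1), date(2025, 8, 10)),    # exploited after a long delay
    VulnRecord("CVE-2014-44444", date(2014, 4, 7), date(2025, 8, 15)),    # 11-year-old bug still being hit
]

if __name__ == "__main__":
    for bucket, value in triage(SAMPLE_FEED).items():
        print(f"{bucket}: {value}")
```

Run against a real feed (for example, your scanner's export joined with a known-exploited-vulnerabilities list), the `rapid` bucket is the list to patch outside the normal cycle, and a shrinking `median_days` from one quarter to the next is the concrete form of the "narrowing window" the report describes.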
Ransomware Activity Increases
The quarter saw a rise in ransomware activity, with 88 active groups compared to 65 in Q2 and 76 in Q1, illustrating not only a surge in activity but also the fluid adaptability of these groups. Notable groups such as Qilin, SafePay, and WorldLeaks have formed alliances targeting sectors like business services, manufacturing, and healthcare.
They are experimenting with new tactics, including fileless operations and single-extortion data leaks, as well as affiliate service offerings such as ransom negotiation assistance.
Generative AI Advancements
The report addresses how generative artificial intelligence is simplifying the creation of sophisticated phishing campaigns and supporting adaptive malware like LAMEHUG, which can produce new commands as needed. Additionally, nation-state actors from Russia, China, and Iran are refining their strategies, blurring lines between espionage and disruption by focusing on supply chains and identity systems with an emphasis on stealth and persistence.
The findings underscore the need for organizations to remain vigilant and proactive in their cybersecurity measures, adapting to the increasingly sophisticated threats posed by both human and machine-driven adversaries.