Top takeaways from the 2025 Cyber Threat Report

The 2025 Cyber Threat Report offers an in-depth exploration of the nasty tactics, trends, and techniques reshaping cybersecurity today.

In this newsletter, we highlight key findings from the past year, offering a snapshot of the malicious strategies our analysts uncovered. Whether you’re an IT professional, cybersecurity practitioner, or business owner, these insights can provide actionable guidance to help you stay one step ahead of ever-evolving cyber threats.

Figure: The most common threats detected across environments protected by Huntress in 2024

Proliferating RATs, Evolving Ransomware, and Other Findings

Throughout 2024, Huntress' threat analysts looked at data from thousands of organizations and millions of endpoints, revealing the key trends that show how adaptable and relentless today’s malicious hackers are.

  • Remote access trojans (RATs) are more popular: Over 75% of remote access incidents utilized RATs such as AsyncRAT and Jupyter. These tools are becoming more sophisticated, making multilayered defenses like endpoint detection and response (EDR) essential.
  • Remote monitoring and management (RMM) tools are being exploited: Attackers are weaponizing legitimate software like TeamViewer and LogMeIn to facilitate lateral movement and maintain long-term access to systems. For environments that use RMM tools, we highly suggest increasing vigilance, enhancing access controls, and closely monitoring your tools.
  • “Living off the land” techniques are on the rise: Threat actors are doubling down on using legitimate tools like Sysinternals Suite and LOLBins to evade detection. Organizations must remove unnecessary software and enforce strict execution policies to mitigate this threat.
  • Phishing tactics are becoming more advanced: From QR code phishing to brand impersonation, threat actors are deploying clever methods to outsmart traditional email security. Improving security awareness training and implementing layered defenses are more essential than ever to counter these sophisticated techniques.
  • Ransomware strategies are evolving: Attacks are shifting from traditional encryption to data theft and extortion. Groups like RansomHub and Akira now incentivize stolen data with big rewards, making these tactics quite lucrative. The future may see ransomware operators leaning even more into extortion (or double extortion) strategies—a trend driven by the efficacy of EDR solutions and mounting pressure from government takedown efforts.


Ransomware groups weren’t the only thing that changed in 2024—their tactics did too 👇

In 71% of the ransomware incidents we saw last year, data exfiltration was the top action taken before dropping any malware. 

For example, check out this incident featuring the BianLian ransomware group:

✅ They dropped a backdoor, then dug through the Domain Admins, Exchange Servers, and Sharepoint-admins groups

✅ We hunted down their method of attempted data exfiltration

✅ Our SOC helped the affected org remove any persistence mechanisms, and advised they disable the compromised user account
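
One way to detect the group enumeration from the incident above, added here as an example and not Huntress's own detection logic. It assumes the lookups show up as `net group "<name>" /domain` command lines in process-creation telemetry (the newsletter does not say which command was used); the events, hosts, users, and the `find_group_recon` name are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Group names as written in the incident above.
WATCHED_GROUPS = {"domain admins", "exchange servers", "sharepoint-admins"}

# Assumption: lookups appear as `net group "<name>" /domain` command lines.
NET_GROUP = re.compile(
    r'\bnet1?(?:\.exe)?\s+group\s+"?([^"/]+?)"?\s+/domain\b', re.IGNORECASE)

# Constructed process-creation events (hosts, users and times are made up).
SAMPLE_EVENTS = [
    {"ts": "2024-06-03T02:14:05", "host": "FS01", "user": "CORP\\svc_backup",
     "cmd": 'net group "Domain Admins" /domain'},
    {"ts": "2024-06-03T02:14:31", "host": "FS01", "user": "CORP\\svc_backup",
     "cmd": 'C:\\Windows\\System32\\net.exe group "Exchange Servers" /domain'},
    {"ts": "2024-06-03T02:15:02", "host": "FS01", "user": "CORP\\svc_backup",
     "cmd": "net group Sharepoint-admins /domain"},
    {"ts": "2024-06-03T09:40:00", "host": "WS17", "user": "CORP\\helpdesk1",
     "cmd": 'net group "Domain Admins" /domain'},  # lone lookup, no alert
    {"ts": "2024-06-03T09:41:00", "host": "WS17", "user": "CORP\\helpdesk1",
     "cmd": "net use \\\\FS01\\share"},
]

def find_group_recon(events, window=timedelta(minutes=10), threshold=2):
    """Alert once per (host, user) that looks up `threshold` or more
    distinct watched groups within `window`."""
    hits = defaultdict(list)
    for ev in events:
        m = NET_GROUP.search(ev["cmd"])
        name = m.group(1).strip().lower() if m else None
        if name in WATCHED_GROUPS:
            ts = datetime.fromisoformat(ev["ts"])
            hits[(ev["host"], ev["user"])].append((ts, name))
    alerts = []
    for (host, user), seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            # Distinct groups queried in the window opening at this event.
            groups = {g for t, g in seen[i:] if t - start <= window}
            if len(groups) >= threshold:
                alerts.append({"host": host, "user": user,
                               "first_seen": start.isoformat(),
                               "groups": sorted(groups)})
                break
    return alerts
```

A single lookup, like the constructed help-desk event, stays below the threshold; `window` and `threshold` need tuning against what administrators normally do in your environment.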

How these trends took shape in 2024

The findings from our 2025 Cyber Threat Report are grounded in real-world data with a comprehensive view of how malicious hackers operate today. Our threat analysts observed patterns across industries like healthcare, education, government, and manufacturing, and these growing trends stood out:

  1. Infostealers are gaining momentum: Nearly 24% of incidents involved infostealers designed to extract sensitive credentials, financial data, and other private information.
  2. Malicious scripts are surging: Scripts made up 22% of detected attacks, using PowerShell, VBScript, and JavaScript to perform stealthy, efficient attacks.
  3. Ransomware is fragmenting: Despite takedowns of large groups like Hive and LockBit, smaller, flexible affiliates have risen to fill the gap. Unfortunately, this led to more unpredictable, widespread attacks.


Figure: Industries targeted by percentage as observed by Huntress

Why these findings matter

Understanding the tactics outlined in this report is the first essential step to proactively protecting your business. By educating your teams, using multiple layers of security, and staying informed about emerging risks, you and your organization will be ready to take on any challenges that come your way.

The insights from our 2025 Cyber Threat Report spotlight the critical need to stay ahead of malicious threat actors. With tools like RMM software and phishing techniques becoming more advanced, protecting data, systems, and users is an ongoing battle—but one you can win. 

While there’s no one-size-fits-all solution, embracing layered defenses, removing unnecessary vulnerabilities, and training your team to spot threats are actionable steps everyone should take right now. 


Phishing tactics have gotten creative—and kinda scary 👇

It’s no longer just clicking on sketchy links you need to be aware of. In 2024:

🐟 29% of phishing attacks involved e-signature impersonation tactics

🐠 24% of phishing attacks involved malicious image-based content

🐡 8% of phishing attacks involved embedding malicious QR codes

In this example, we neutralized a malicious PDF promising a user details on a “salary bonus scheme”—but only if they scanned the QR code. 

Except on the other end of that QR code, they wouldn’t find any bonus, just an attempt to phish their credentials. But our SOC shut it down before that could happen 💪

Figure: Phishing threat caught in the wild

Download the entire 2025 Cyber Threat Report to gain a deeper understanding of these trends and learn more strategies for keeping your organization safe.

Get more from the report and stay one step ahead


Thank you for reading The Huntress Newsletter. What do you think will be the biggest trend in cybersecurity in 2025? Drop us a note in the comments.

If you're a fan, please subscribe and share with someone in your network who may be interested in seeing the real-world threats affecting businesses of all sizes.


Anthony Hudson

System Administrator | IT Support Specialist | Network & Server Administrator | Cybersecurity Analyst | CompTIA A+ Certified

4mo

The Huntress 2025 Cyber Threat Report has some excellent observations! The change in ransomware strategies from encryption to extortion and data theft demonstrates how flexible attackers are in the modern environment. One of the biggest challenges facing IT workers is the increase in "living off the land" tactics, which use legal technologies to evade discovery. The focus on stringent execution guidelines and tiered defenses serves as a timely reminder of how important proactive tactics are to maintaining an advantage. I'd be interested in knowing how other people are handling these changing risks. Do you have any particular tools or strategies that you've found work well for thwarting advanced phishing techniques or RATs? Let's exchange views and fixes!


Phishing with QR codes and the rise of infostealers? Wild stuff. Love how this report emphasizes layered defenses and training—spot on for staying ahead. Thanks for sharing!

Mauricio Ortiz, CISA

Great dad | Inspired Risk Management and Security | Cybersecurity | AI Governance & Security | Data Science & Analytics My posts and comments are my personal views and perspectives but not those of my employer

6mo

Huntress I was looking forward to this report. This is a valuable resource with insights and trends.
