As we approach the midpoint of the year, the cybersecurity landscape continues to evolve at a rapid pace. Emerging threats, fueled by advancements in AI, increased geopolitical tensions, and the growing complexity of digital infrastructure, have already shaped the first half of the year. From sophisticated ransomware campaigns to supply chain attacks and the rise of deepfake-enabled social engineering, the cyber threat landscape is becoming more complex and fast paced, posing new challenges to defend against these threats. Identity-based attacks have also become a huge focus, playing a central role in a lot of recent cyber activities. This unprecedented threat environment makes having a security-first focused mindset more critical than ever.
Here at LastPass, one of our key priorities is to stay ahead of evolving threats and tactics used by malicious actors to keep our customers and organization secure. We wanted to share some insights from our look back at the year so far and our predictions for the rest of the year ahead and beyond.
The use of AI and adjacent technologies will continue to evolve, with LLMs and deepfakes combining in order to power fraud and ATO attacks.
While AI generated a lot of buzz last year alongside fears it would revolutionize cybersecurity as we know it, this technology has instead played more of an evolutionary role to date. Much of its use by threat actors has focused on enabling operations to be more effective, rather than developing novel capabilities.
Regarding nation-state threats, Russia, China, North Korea and Iran-backed hackers are reportedly leveraging generative AI to support campaigns rather than using these tools to develop novel attack or abuse techniques. Google reported government-backed actors attempted to misuse Gemini for various malicious activities including researching vulnerabilities, developing malware (including ransomware and DDoS tools), crafting phishing campaigns, and conducting reconnaissance on target organizations.
Commenting on cybercrime threats, Alex Cox, LastPass' director of information security, pointed out to ZDNet that "the cybercrime adversary community is opportunistic and entrepreneurial, and they have been quick to adopt and deploy new technologies." The widespread availability of AI tools lowers the bar for less sophisticated actors and lets more capable ones increase their effectiveness. This technology boon has already allowed hackers to operate at scale with fewer resources, realizing productivity gains rather than developing novel techniques. Criminals exploit generative AI to commit fraud on a larger scale and to make their schemes more believable. In December, the FBI warned that generative AI reduces the time and effort criminals must expend to deceive their targets.
We expect to see cyberattacks integrating AI with large language models (LLMs) and deepfakes, which will increase their potential severity, scale, and impact. I recently told Techopedia that "AI, including [LLMs] and deepfake technologies, will become central in enabling more convincing social engineering, fraudulent schemes, and account takeover attacks, intensifying the need for advanced identity verification and fraud detection." Previously, cybercriminals have used AI-generated deepfake audio and video to trick employees into transferring funds or providing sensitive information. For instance, phishers targeted digital creators with a deepfake video of YouTube CEO Neal Mohan to try to install malware and steal credentials. We could plausibly see a scenario over the next several months that goes a step further, combining these elements to conduct a more sophisticated attack. Take voice verification, for instance, which is commonly used in the financial sector to verify customer identities. A threat actor could theoretically take voice samples of an individual, which are easily accessible thanks to social media, to create a deepfake, then phone into a call center and use an audio deepfake to operate in real time, powered by an LLM trained on stolen credentials and biographical/personal information to answer challenge questions from that stolen data as they are asked. Response lag is still the biggest obstacle to conducting these attacks, but it is getting shorter and shorter.
Infostealers are continuing to rise in prominence and constantly evolving to counteract defenses.
In large part fueled by infostealers, leaked credentials are increasingly prevalent and represent entry points for attackers, enabling them to exfiltrate data, move laterally to sensitive systems, and much more. Over the last few years, infostealers have grown significantly, with a 31% year-on-year increase in infostealer incidents last year. Threat actors are particularly focused on infostealers because the stolen data can enable a wide range of other malicious activities. Take credentials, for instance. Credentials, particularly usernames and passwords, are among the most sought-after assets because they serve as the gateway to a person's or organization's sensitive data. Valid credential abuse has seen a significant uptick, with compromised credentials becoming the most common initial access vector last year, ahead of phishing. To illustrate how prevalent and dangerous infostealers have become, 2.1 billion (75%) of the 3.2 billion credentials stolen in 2024 were compromised by infostealer attacks. Attackers leveraging AI, automation, and increasingly sophisticated tools will likely scale these attacks further.
Infostealers have been a key factor in some of the largest breaches recently. For instance, the attack targeting multi-cloud data warehousing platform Snowflake in May 2024 using exposed Snowflake credentials led to the exposure of data and impacted roughly 165 companies (though the number of companies extorted is far fewer). Affected companies continued to come forward several months after the initial attack. Starting in March this year, the Hellcat ransomware gang breached multiple organizations using Jira credentials stolen from infostealer logs, leaking sensitive data. These incidents show that the risk of unmonitored credentials has never been greater.
While phishing remains the primary delivery mechanism for infostealers, often disguised as legitimate attachments, we're also seeing a general shift to more browser-based cyberthreats, including infostealer malware. Hellcat-affiliated hackers introduced a stealthier alternative to server-side stealers, one that does away with large-scale local exfiltration. Other hackers are likely to adopt this tactic and incorporate it into their wheelhouse. Doing so enables them to bypass traditional email filters and security controls and deliver malware directly through the browser.
Infostealers are quick to counteract defenses and adapt to remain effective. According to SpyCloud's 2024 Malware and Ransomware Defense Report, at least 54% of devices infected with infostealer malware had an antivirus or endpoint detection and response (EDR) solution installed at the time of infection. Many are frequently updated with new obfuscation capabilities to evade detection, and some hackers incorporate social engineering tactics to get around traditional security measures. Notably, the use of infostealers like AgentTesla, FormBook, and Strela Stealer has increased not only in frequency but also in the sophistication of the delivery methods. We expect this trend will continue as hackers hone their tactics to become more efficient and effective.
Compromised identities in hybrid on-premises (on-prem) and cloud environments will pose significant threats.
Identity-based attacks are among the most effective ways hackers can gain initial access. Hybrid environments combine on-prem and cloud resources, creating a larger attack surface. In hybrid environments, a compromised identity on either the on-prem or cloud side can lead to significant security risks. Attackers can leverage compromised credentials to escalate their privileges, perform lateral movement, and potentially compromise the entire infrastructure. As companies continue to shift to hybrid IT environments, threat actors will follow the trend and take advantage of their security shortcomings.
Credential mismanagement was the top initial access vector for cloud environment attacks during the first half of 2024, a Google Cloud report found. Compromising valid accounts has become the most common method for initial access to cloud environments, accounting for 35% of cloud incidents in the first half of 2024. A key access vector involves the use of infostealers. In 2024, threat actors updated Stealc and Vidar malware to specifically target cloud account credentials. Accidental credential leakage remains another common way to gain unauthorized access to cloud environments. In one scenario, hardcoded credentials included in application code end up in publicly exposed code repositories like GitHub; attackers then use automated tools to find those leaked cloud authentication tokens and gain unauthorized access to cloud systems.
Two of the most prolific cybercriminal groups, Black Basta and Scattered Spider, have targeted hybrid environments. Leaked internal chats from the Black Basta ransomware group in February revealed the group operates as a Ransomware-as-a-Service (RaaS) with general, repeatable techniques for primarily targeting hybrid environments. Black Basta exploits hybrid access vectors and pivots laterally between cloud and on-prem using compromised credentials. Scattered Spider, on the other hand, primarily targets cloud environments but has also demonstrated an ability to pivot into hybrid infrastructure.
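The hardcoded-credential leak described above is one a repository check can catch before a push. The following is an added example, not LastPass code: a small pre-commit style scanner that flags AWS-format access key IDs and high-entropy string literals assigned to secret-looking variable names. The sample source it scans is constructed, and the key values in it are AWS's published documentation placeholders, not live credentials.

```python
"""Scan source text for likely hardcoded cloud credentials (added example)."""
import math
import re
from collections import Counter

# AWS access key IDs are 20 characters beginning with "AKIA" (documented format).
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# A secret-looking variable name assigned a quoted literal of 16+ characters.
ASSIGNED_SECRET = re.compile(
    r'''(?i)\w*(secret|token|password|api_key|access_key)\w*\s*[=:]\s*['"]([^'"]{16,})['"]'''
)
# Random keys sit well above 4 bits/char; words and placeholders fall below it.
ENTROPY_THRESHOLD = 4.0


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan_source(text: str) -> list:
    """Return (line_no, rule, redacted_match) for each suspected hardcoded credential."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID.finditer(line):
            findings.append((no, "aws_access_key_id", m.group(0)[:8] + "..."))
        for m in ASSIGNED_SECRET.finditer(line):
            value = m.group(2)
            # Low-entropy literals are usually placeholders; skip them to limit noise.
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((no, "assigned_secret", value[:4] + "..."))
    return findings


# Constructed sample file. The AKIA... and wJal... values are the placeholder
# credentials from AWS documentation, used here only as format examples.
SAMPLE = '''
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = "changeme-in-prod"
token = os.environ["TOKEN"]
'''

if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(finding)
```

The environment-variable lookup on the last sample line is the pattern the scanner wants to see; only the two literal credentials are reported.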
Ransomware will continue the shift to prioritization of data exfiltration over data encryption.
Ransomware and extortionware aren't going anywhere anytime soon and will remain one of the most disruptive forms of cybercrime. New research found ransomware now plays a role in nearly half (44%) of all breaches. Ransomware attacks have continued to escalate this year, with a 126% increase in Q1 2025 compared to Q1 2024, totaling 2,289 reported incidents. North America accounted for most ransomware attacks (62%), followed by Europe (21%). This activity has been partially driven by infostealers, which steal session cookies and credentials that hackers then use to launch attacks. In many of these attacks, hackers also focus on stealing credentials and information useful for further reconnaissance on compromised networks. To stay protected, organizations need to focus on securing identities. That means knowing what information has already been stolen, quickly changing any compromised passwords, and ending any active sessions that may have been hijacked.
Additionally, the continued shift from data encryption to data exfiltration, which lets threat actors smash and grab data and then hold it for ransom or sell it to other criminals without deploying malware to encrypt systems, remains highly effective. This has allowed hackers to increase the speed of attacks once they get their foot in the door. Attacks have become less about locking out access and more about victims paying to keep stolen data from being publicly released.
Exploited vulnerabilities remained the most common root cause of ransomware attacks. According to Sophos, nearly one-third of ransomware attacks start with unpatched vulnerabilities. Ransomware attacks caused by unpatched vulnerabilities also had more severe consequences, including higher ransom demands and longer recovery times. Additionally, social engineering, third-party access, and stolen cookies that enabled session hijacking ranked among the most common entry points for ransomware attacks.
The RansomHub attack on American Standard, a major manufacturer, shows that ransomware-as-a-service (RaaS) continues to be a trend in 2025 and makes it easy for cybercriminals to launch attacks. We may start to see a shift away from RaaS, which requires cybercriminals to trust another criminal, toward AI-focused services that conduct target research, pull off more convincing social engineering, bypass security measures, write or modify code, and more. AI-powered ransomware using machine learning algorithms to automate and improve each stage of these attacks will pose a graver threat to organizations and individuals.
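Changing a password does nothing against a session cookie an infostealer has already lifted unless the server ties sessions to the credential they were issued under. The following is an added example, not LastPass code, showing one way to do that: every session records the user's credential generation, and rotating the password bumps the generation so all earlier sessions, including stolen ones, stop validating. SessionStore, login and rotate_password are hypothetical names chosen for the illustration.

```python
"""Session store that revokes live sessions on password rotation (added example)."""
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    issued_at: float
    cred_version: int  # credential generation the session was issued under


@dataclass
class SessionStore:
    cred_version: dict = field(default_factory=dict)  # user -> current generation
    sessions: dict = field(default_factory=dict)      # token -> Session
    max_age: float = 8 * 3600                         # absolute lifetime in seconds

    def login(self, user: str) -> str:
        """Issue a fresh random token bound to the user's current credential generation."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, time.time(), self.cred_version.get(user, 0))
        return token

    def is_valid(self, token: str) -> bool:
        s = self.sessions.get(token)
        if s is None or time.time() - s.issued_at > self.max_age:
            return False
        # A cookie stolen before the password change may still sit in the store;
        # the generation comparison is what rejects it.
        return s.cred_version == self.cred_version.get(s.user, 0)

    def rotate_password(self, user: str) -> int:
        """Bump the credential generation; every session issued before it becomes invalid."""
        self.cred_version[user] = self.cred_version.get(user, 0) + 1
        # Purge the stale entries as well so they cannot be resurrected later.
        self.sessions = {
            t: s for t, s in self.sessions.items()
            if not (s.user == user and s.cred_version < self.cred_version[user])
        }
        return self.cred_version[user]


if __name__ == "__main__":
    store = SessionStore()
    stolen = store.login("alice")           # cookie later captured by an infostealer
    print("stolen cookie valid before rotation:", store.is_valid(stolen))
    store.rotate_password("alice")
    print("stolen cookie valid after rotation:", store.is_valid(stolen))
```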
Ransomware and extortionware will remain pervasive threats throughout 2025 and beyond.
Continued growth and privatization of the zero-day market and increased speed of exploitation.
Adversaries are exploiting vulnerabilities to gain initial access to systems, trying to get in as quietly and efficiently as possible, while initial access brokers and automation make hackers more efficient at doing so. Last year saw a 34% increase in attackers exploiting vulnerabilities to gain initial access and cause security breaches. This trend is largely attributed to the widespread impact of zero-day vulnerabilities like the one in the MOVEit file transfer service. Even though the MOVEit vulnerability was discovered in mid-2023, the fallout continued to play out last year when, in November, Nam3L3ss leaked 25 datasets belonging to companies including Amazon, HSBC, Fidelity, U.S. Bank, McDonald's, and more. Notably, other file transfer services, like Cleo and CrushFTP, continue to be exploited for mass exfiltration. According to Mandiant, the most frequently exploited vulnerabilities affected security devices, which are typically located at the edge of the network. Palo Alto's PAN-OS GlobalProtect (CVE-2024-3400), Ivanti's Connect Secure VPN (CVE-2023-46805) and Policy Secure (CVE-2024-21887), and Fortinet's FortiClient EMS (CVE-2023-48788) were the leading exploits for initial access. Three of the four were first exploited as zero-days. Threat actors will continue to search for high-impact vulnerabilities with widespread reach.
Hackers are also quick to exploit zero-days once disclosed. Threat actors are targeting vulnerabilities as soon as they are publicly disclosed, and oftentimes even before. In 2024, 23.6% of known exploited vulnerabilities were exploited on or before the day their CVEs were publicly disclosed. According to Cloudflare, a newly disclosed vulnerability has come under attack as fast as 22 minutes after a proof of concept (PoC) was published. Mass scanning activity is a major contributor to these increasingly automated exploitation attempts. Recently, the SAP NetWeaver zero-day (CVE-2025-31324) was widely exploited in April after a suspected initial access broker (IAB) likely deployed backdoors that were then sold to ransomware groups.