Q3 Cyber Threat: Akira, Qilin, INC Dominate 65% of Attacks; Infostealers Pivot to Endpoints
In the third quarter of 2025, Beazley Security Labs recorded a sharp surge in the activity of major ransomware groups and the emergence of new delivery mechanisms for infostealers. The primary cybercriminal campaigns centered on exploiting vulnerabilities in widely deployed corporate technologies, as well as abusing VPN services and search engines.
As a result, Akira, Qilin, and INC Ransomware alone accounted for 65% of all investigated attacks, while novel SEO-poisoning schemes and counterfeit tools dramatically lowered the barrier to infecting end users. These trends illustrate how threat actors are becoming more aggressive, operating with greater speed, and increasingly shifting to the direct implantation of malware on workstations, bypassing traditional social-engineering pathways.
From August to September, the number of attacks climbed particularly sharply: nearly half of all recorded incidents occurred within this two-month span. The spike coincided with a large-scale campaign by the Akira group, which aggressively exploited long-known yet still prevalent weaknesses in SonicWall devices. At the same time, SonicWall faced its own severe crisis: a breach of the MySonicWall cloud service resulted in the exposure of configuration data for all customer devices, including VPN setup lists and encrypted administrative credentials. Although no direct link has been established between the two waves of incidents, researchers fear that the stolen configurations may serve as the foundation for new targeted attacks.
Despite a decline in the number of vulnerabilities added to CISA’s Known Exploited Vulnerabilities (KEV) list, adversaries showed no signs of slowing down. On the contrary, they focused on a smaller set of critical flaws and exploited them with maximum aggression. Beazley recorded a 38% increase in its own 0-day alerts compared with the previous quarter.
Among the most prominent incidents were a Microsoft SharePoint 0-day (ToolShell) that allowed cryptographic key extraction and web-shell deployment; a severe flaw in CrushFTP granting attackers full remote access; and numerous campaigns against Cisco ASA and NetScaler in which criminals not only breached devices but installed rootkits as well.
Against this backdrop, the infostealer market within the criminal ecosystem underwent a marked transformation. Following the high-profile international ENDGAME operation that dismantled the infrastructure of Lumma and RedLine, underground demand shifted toward more covert and sophisticated solutions. Rhadamanthys — a multifunctional infostealer equipped with “enterprise-grade” packages, an advanced update system, and refined evasion mechanisms — rose rapidly in popularity. This ascent coincided with a steep decline in trust toward Lumma: its administrators lost control of their Telegram channels, domains were seized, and competitors published a site called “Lumma Rats” containing purported personal data of its operators.
Meanwhile, researchers from Beazley and SentinelLabs uncovered a sprawling international campaign involving PXA Stealer — a Python-based infostealer distributed via carefully disguised documents and abusing DLL side-loading in legitimate Microsoft applications. In a rare twist, the developer inadvertently infected his own machine, giving analysts direct access to his accounts and infrastructure — an exceptional glimpse into the inner workings of cybercriminal tooling.
Experts also highlight a surge in attacks via SEO poisoning and malicious advertising. Fake PDF editors, remote-access utilities, and other “useful programs” were promoted above legitimate search results. Many of these tools carried digital signatures and awaited commands to download malware, enabling them to bypass security controls and fuel widespread infections.
Overall, the third quarter’s dynamics reveal a shift in attacker focus toward the early and middle phases of the intrusion lifecycle — from credential harvesting to gaining footholds within networks. Yet the share of later-stage activities, including data exfiltration and ransomware deployment, also grew slightly. Taken together, these trends underscore the high adaptability of threat actors and the speed with which they recalibrate their methods to exploit new opportunities and emerging vulnerabilities.
Beazley Security Labs’ conclusion for the quarter is unequivocal: cybercriminals are moving faster, exploiting fewer but more critical vulnerabilities, targeting endpoints directly, and rapidly adopting new technologies such as AI-generated obfuscation for malicious files. Organizations are urged to strengthen remote-access defenses, enhance web-traffic monitoring, enforce multifactor authentication, and treat any critically vulnerable, internet-exposed device as potentially compromised.