Five defender priorities from the Talos Year in Review

Hazel Burton, Cisco Talos Blog, April 28, 2026, 10:23

A familiar theme in security right now is that the barrier to entry for attackers is at an all-time low. AI tools can spin up websites within minutes that can easily direct data to disposable external data stores and send alerts for new captures — all without code. 

One such case was recently detailed in the latest Cisco Talos Incident Response Quarterly Trends report.

Proof-of-concept code for exploiting new vulnerabilities used to take attackers months to create. Now they take hours.

All of this is very concerning for defenders. Yesterday, my colleague told me about a recent conference Q&A he hosted, where he was asked to provide some hope to those in the room who have faced an overwhelming amount of change in recent months. 

His answer was to focus on the here and now. Focus on what you can control, and what you have influence over. We can’t change what may or may not happen in six months’ time, but we can prioritize what’s important now. 

The other key thing for defenders to bear in mind is that even when attackers move fast, they still don’t behave like your normal users. At the end of the day, you’re still looking for anomalous behavior – whether that behavior is machine- or human-generated.

As we come to the end of our Year in Review content release (if you haven’t seen it yet, we published videos, podcasts, and topic specific blog posts), we’d like to end by summarizing the key priorities for defenders. 

Here are five of them that are worth considering when it comes to spotting malicious, unusual behavior in your environment.

1. Identity is the main battlefield 

The Year in Review highlights how frequently attackers rely on valid accounts and credential abuse throughout the attack chain. We see this across multiple areas:

  • MFA spray attacks targeting IAM platforms directly 
  • Device compromise attacks increasing 178% year over year 
  • Attackers registering their own devices as trusted multi-factor authentication (MFA) methods
  • Ransomware attack chains largely relying on valid accounts, credentialed tools, or both

Network infrastructure is a key part of this. VPNs, Active Directory Controllers (ADCs), and firewalls are being exploited to steal session tokens, bypass MFA, and impersonate users.

However, when attackers successfully authenticate, where they go from there tends not to fall in line with normal user behavior. They start to access new systems outside of their role, move laterally using tools like PsExec, execute commands at unusual times, and overall operate at a scale that normal users don’t.

Therefore, having a baseline understanding of normal user behavior is more important than ever.

Prioritize:

  • Treating identity infrastructure as Tier 1 critical assets and applying the strongest monitoring and protection controls to IAM and PAM systems
  • Securing MFA device registration workflows with strict verification procedures and limited administrative approval rights
  • Hardening authentication systems against automated attacks by enforcing rate limiting, anomaly detection, and strong conditional access policies
  • Building baseline detections around what users do, not just how they log in
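As an added illustration of the last point (example code, not Talos's own tooling), the script below builds a per-user baseline from a week of access events and then flags the behaviors the section describes: hosts a user has never touched, activity outside both business hours and the user's own habits, remote-execution tooling such as PsExec, and a fan-out of distinct hosts per hour well above the user's norm. The log format, host names and business-hours window are assumptions, and the sample events are constructed.

```python
"""Baseline-versus-window behavioral detection (added example, not Talos code)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry, not real logs. One event per line:
# "timestamp,user,host,action". BASELINE_LOG is "known good" history,
# WINDOW_LOG is the period under review.
BASELINE_LOG = """\
2026-03-02T09:05:00,alice,FS01,smb_read
2026-03-02T09:40:00,alice,FS01,smb_read
2026-03-03T10:12:00,alice,WEB02,rdp_logon
2026-03-03T14:30:00,alice,FS01,smb_read
2026-03-04T08:55:00,alice,FS01,smb_read
2026-03-04T11:20:00,alice,WEB02,rdp_logon
2026-03-02T09:00:00,bob,DB01,sql_logon
2026-03-03T09:10:00,bob,DB01,sql_logon
"""

WINDOW_LOG = """\
2026-03-09T09:10:00,alice,FS01,smb_read
2026-03-09T02:13:00,alice,DC01,psexec_svc_install
2026-03-09T02:14:00,alice,DB01,psexec_svc_install
2026-03-09T02:14:30,alice,HR03,psexec_svc_install
2026-03-09T02:15:00,alice,WEB02,rdp_logon
2026-03-09T09:30:00,bob,DB01,sql_logon
"""

BUSINESS_HOURS = range(7, 20)            # assumption: 07:00-19:59 is "normal"
LATERAL_TOOLS = {"psexec_svc_install"}   # assumed action label for PsExec-style service installs


def parse_events(text):
    """Turn the CSV-style lines into dicts with a real datetime."""
    events = []
    for line in text.strip().splitlines():
        ts, user, host, action = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "action": action})
    return events


def build_baseline(events):
    """Per user: hosts touched, hours of day active, and peak distinct hosts in any one hour."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set(), "peak_fanout": 0})
    per_hour = defaultdict(set)          # (user, "YYYY-MM-DDTHH") -> hosts touched
    for e in events:
        p = profile[e["user"]]
        p["hosts"].add(e["host"])
        p["hours"].add(e["ts"].hour)
        per_hour[(e["user"], e["ts"].strftime("%Y-%m-%dT%H"))].add(e["host"])
    for (user, _), hosts in per_hour.items():
        profile[user]["peak_fanout"] = max(profile[user]["peak_fanout"], len(hosts))
    return dict(profile)


def detect_anomalies(baseline, events, fanout_factor=2):
    """Return (user, kind, detail) findings for behavior that departs from the baseline."""
    findings = []
    per_hour = defaultdict(set)
    for e in events:
        p = baseline.get(e["user"])
        if p is None:
            findings.append((e["user"], "unknown_user", e["host"]))
            continue
        if e["host"] not in p["hosts"]:
            findings.append((e["user"], "new_host", e["host"]))
        # Off-hours only counts if it is outside business hours AND unusual for this user.
        if e["ts"].hour not in BUSINESS_HOURS and e["ts"].hour not in p["hours"]:
            findings.append((e["user"], "off_hours", e["ts"].isoformat()))
        if e["action"] in LATERAL_TOOLS:
            findings.append((e["user"], "lateral_tool", f'{e["action"]}@{e["host"]}'))
        per_hour[(e["user"], e["ts"].strftime("%Y-%m-%dT%H"))].add(e["host"])
    # Scale: many distinct hosts in one hour compared with the user's own peak.
    for (user, hour), hosts in per_hour.items():
        peak = baseline.get(user, {}).get("peak_fanout", 0)
        if len(hosts) > max(1, peak) * fanout_factor:
            findings.append((user, "fan_out", f"{len(hosts)} hosts in {hour}"))
    return findings


def summarize(findings):
    """Count findings per (user, kind) so the shape of the activity is easy to read."""
    counts = {}
    for user, kind, _ in findings:
        counts[(user, kind)] = counts.get((user, kind), 0) + 1
    return counts


def run():
    baseline = build_baseline(parse_events(BASELINE_LOG))
    return detect_anomalies(baseline, parse_events(WINDOW_LOG))


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Note that every finding lands on alice at 02:xx, while her 09:10 file-share read and bob's routine database logon produce nothing: the baseline is what turns a valid, authenticated session into a detectable anomaly.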

2. Prioritize the vulnerabilities that have the most exposure

One of the most important callouts in the report is how attackers select targets. The rapid exploitation of vulnerabilities such as React2Shell and ToolShell shows that exploitation can begin immediately after disclosure with readily available proof-of-concepts. Attackers then prioritize what is exposed and reachable. 

Attackers also like to exploit the vulnerabilities that are closest to identity, session handling, and access logic.

At the same time, older vulnerabilities such as Log4Shell remain among the most exploited, over four years after disclosure.

This creates a dual reality where some new vulnerabilities are weaponized instantly, but old, highly-valued vulnerabilities are never fully eliminated.

Prioritize:

  • Remediating vulnerabilities based on internet exposure and access impact, not just CVSS scores
  • Reducing time-to-patch for externally accessible systems 
  • Continuously reassessing what is reachable from the outside

3. Address the long tail of legacy and embedded risk

The Year in Review highlights that nearly 40% of the top 100 most targeted vulnerabilities impact EOL systems, and 32% are over a decade old. Many of these vulnerabilities exist in deeply embedded components such as PHP frameworks, Log4j, and ColdFusion.

These components are often poorly inventoried, difficult to patch, and tightly coupled to business-critical systems.

It’s a frustrating fact that the most persistent risks are often the least visible, and the hardest to remove. They create long-term blind spots, which are an attacker’s favorite thing to find and exploit.

Prioritize:

  • Improving visibility into software dependencies and embedded components 
  • Treating development frameworks and libraries as part of your attack surface 
  • Establishing clear strategies for isolating or retiring legacy systems

4. Secure the systems that broker trust

Attackers are increasingly targeting systems that provide maximum operational leverage. This includes network management platforms, application delivery controllers (ADCs), and shared software platforms running across multiple devices.

These systems are attractive to adversaries because they store credentials, control configurations across large environments, provide visibility into the network, and enable changes at scale.

Unfortunately, these platforms are also traditionally less monitored than endpoints, more complex to patch or upgrade, and have centralized points of failure.

Prioritize:

  • Identifying management-plane and control-plane systems that need securing
  • Applying enhanced monitoring and access controls to these platforms 
  • Limiting administrative access and enforcing strong segmentation

5. Keep focusing on patterns, even with increased automation and AI-driven attacks

Yes, automation and AI are changing the threat landscape. As we’ve spoken about, attackers are increasingly able to rapidly identify and exploit vulnerabilities, launch large-scale identity attacks, generate convincing phishing lures that mimic real business workflows, and accelerate parts of the attack lifecycle using AI-assisted tooling.

However, all these things do not remove a key constraint for adversaries: Automated attacks still produce patterns of unusual behavior, and patterns are detectable.

Even highly scalable attacks tend to reuse the same infrastructure, tools, and techniques. They also follow predictable sequences of activity and generate anomalies.

Prioritize:

  • Focusing detection efforts on anomalous events (e.g., unusual authentication flows, abnormal system access, anomalous device registration) 
  • Reducing alert fatigue by prioritizing a smaller number of meaningful detections over broad, low-confidence alerting 
  • Supporting triage and enrichment with automation where possible, alongside human decision-making
  • Ensuring teams are equipped to investigate patterns of behavior, not just isolated alerts

Final thoughts

Much of the current concern in and around the security community is the new reality that anyone can create a malicious campaign. The Year in Review doesn’t disagree.

However, Talos data also shows something equally important:

  • Attackers still rely on the same vulnerabilities 
  • They reuse the same tools and techniques 
  • They follow repeatable patterns 
  • And, critically, they don’t behave like your users

Even when they successfully authenticate, move laterally, or establish persistence, their activity introduces detectable anomalies.

That’s where the opportunity lies for defenders. 

Read the 2025 Cisco Talos Year in Review.
[Podcast] It's not you, it's your printer: State-sponsored and phishing threats in 2025

Amy Ciminnisi, Cisco Talos Blog, April 21, 2026, 09:29

In this episode, we unpack state-sponsored and phishing trends from the 2025 Talos Year in Review. Amy and Martin Lee explore the alarming rise of internal phishing campaigns that bypass traditional perimeter defenses, including the widespread weaponization of Microsoft 365's Direct Send feature. Beyond simple phishing, we analyze the aggressive, blended operations of state-sponsored actors from China and North Korea who are combining high-level zero-day exploits with sophisticated social engineering. From the "Dear Leader" interview test to the reality of fake developer personas, we break down exactly how these adversaries are infiltrating modern organizations.

View the 2025 Year in Review here.

Phishing and MFA exploitation: Targeting the keys to the kingdom

Kri Dontje, Cisco Talos Blog, April 21, 2026, 09:00

In 2025, attackers increasingly targeted weaknesses in multi-factor authentication (MFA) workflows, and phishing attacks leveraged valid, compromised credentials to launch lures from trusted accounts. The trends focused entirely on trust, or the lack thereof, in everyday business operations.

Phishing

In 2025, phishing attacks were used for initial access in 40% of incidents, maintaining their prevalence. Attackers ramped up cascaded phishing campaigns, where attackers leveraged the trust of the initial compromised account to create specialized phishing attempts, within the network and out of it, aimed at trusted partners and third parties.

Email composition trends

The content of phishing emails changed somewhat. Transitioning away from spam offers, they took the form of workflow-style emails — IT, travel, and other everyday business tasks that look familiar to employees and executives. Travel and logistics lures in particular surged, while political lures dropped off. Internal expensing and travel emails, even when legitimate, are often repetitive and come from disparate sources with changeable formats or poorly-rendered templates, leading to a lowered guard toward spotting malicious intent. Attackers were likely aiming to steal credentials, payment information, or MFA tokens via fake single sign-on (SSO) pages.

In reviews of thousands of blocked-email keywords, 60% contained subject lines with "request," "invoice," "fwd," "report," and similar. IT-focused phishing keywords turned more technical, to words like "tampering," "domain," "configuration," "token," and others, showing that attackers were making plays toward IT and security workflows.

Attackers also abused Microsoft 365 Direct Send to capitalize on internal email trust. Direct Send is the method by which networked devices like printers and scanners deliver documents to users. The messages appear to be sent and received by the same email address. These internal messages do not receive the same scrutiny that external emails do, from employees or automated email filters. Direct Send allowed attackers to spoof internal email addresses and deliver highly convincing lures from inside the organization, without compromising real accounts, to target key attack services and deliver high-impact damage.

MFA and identity attacks

Identity and access management (IAM) applications have grown popular with organizations hoping to consolidate user privileges. Unfortunately, it has also grown in popularity with attackers. Nearly a third of 2025 MFA spray attacks targeted IAM, turning the tools companies used to maintain access control into a point of failure. Device compromise surged by 178%, largely driven by voice phishing designed to trick administrators into registering malicious devices.

MFA spray and device compromise

MFA attack strategy changed by sector. A successful attack could glean SSO tokens and give adversaries the ability to change user roles and credentials, or even the MFA policies themselves. Attackers increasingly exploited authentication workflows to gain and maintain access.

Spray attacks were deployed against networks with predictable identity behavior, while diverse, unmanaged, or high-turnover device ecosystems proved weaker to device compromise attacks.

Notably, higher education was the most targeted device compromise sector. Several factors could contribute to the trend:

  • Diverse unmanaged device population
  • Poorly patched and managed operating systems
  • Necessarily low new-device verification policies
  • Large, public-facing directories for targeted phishing

Higher education was a very unfavorable target for MFA spray attacks, however. Passwords and MFA are also highly varied and segmented, and most universities have strong login portal policies, enforced lockouts, and login attempt limits.

Guidance for defenders

As always, prioritize based on your own environment.

Organizations should keep in mind that living-off-the-land binaries (LOLBins) and open-source and dual-use tools, which are not inherently malicious, are key to further exploitation. Blocking external IPs from using the Direct Send feature, enabling Microsoft’s newer “Reject Direct Send” control, tightening SPF/DMARC enforcement, and treating “internal-looking” emails with the same scrutiny as inbound mail are currently the most effective defenses.
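To show what "treating internal-looking email with the same scrutiny as inbound mail" can mean in practice, the following added example (not Talos or Microsoft code) triages message-trace style records: a message whose sender is in the organization's own domain but that arrived unauthenticated from an IP outside the ranges where the printers and scanners live, failed SPF, or is addressed to itself gets routed for inbound-level inspection. The organization domain, the allowlisted device range, the record fields and the sample messages are all assumptions constructed for the example.

```python
"""Flag internal-looking mail that arrived via an unauthenticated, non-allowlisted path.
Added example, not Talos or Microsoft code; all values below are constructed."""
import ipaddress

ORG_DOMAIN = "example.com"                                   # assumption
# Assumption: only these ranges host the printers/scanners that legitimately
# submit mail without authenticating (the Direct Send use case).
DIRECT_SEND_ALLOWED = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample of message-trace style records (not real logs).
MESSAGES = [
    {"id": "m1", "from": "scanner@example.com", "to": "alice@example.com",
     "client_ip": "10.20.4.7", "authenticated": False, "spf": "pass"},
    {"id": "m2", "from": "alice@example.com", "to": "alice@example.com",
     "client_ip": "203.0.113.45", "authenticated": False, "spf": "fail"},
    {"id": "m3", "from": "it-helpdesk@example.com", "to": "bob@example.com",
     "client_ip": "198.51.100.9", "authenticated": False, "spf": "none"},
    {"id": "m4", "from": "bob@example.com", "to": "carol@example.com",
     "client_ip": "203.0.113.80", "authenticated": True, "spf": "pass"},
    {"id": "m5", "from": "vendor@partner.example", "to": "alice@example.com",
     "client_ip": "192.0.2.10", "authenticated": False, "spf": "pass"},
]


def domain_of(addr):
    """Domain part of an address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def is_allowed_source(ip):
    """True if the submitting IP is inside an allowlisted device range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DIRECT_SEND_ALLOWED)


def assess(msg):
    """Return the reasons a message should get inbound-level scrutiny (empty = none)."""
    reasons = []
    if domain_of(msg["from"]) != ORG_DOMAIN:
        return reasons      # external sender: normal inbound filtering already applies
    if msg["authenticated"]:
        return reasons      # submitted by a signed-in user or app, not Direct Send
    if not is_allowed_source(msg["client_ip"]):
        reasons.append("internal sender from non-allowlisted IP")
    if msg["spf"] != "pass":
        reasons.append(f"spf={msg['spf']}")
    if msg["from"].lower() == msg["to"].lower():
        reasons.append("self-addressed")   # the "sent and received by the same address" pattern
    return reasons


def triage(messages):
    """Map message id -> reasons, for every message that raised at least one."""
    result = {}
    for m in messages:
        reasons = assess(m)
        if reasons:
            result[m["id"]] = reasons
    return result


if __name__ == "__main__":
    for msg_id, reasons in triage(MESSAGES).items():
        print(msg_id, reasons)
```

Only the scanner on the allowlisted range and the authenticated user submission pass untouched; the two spoofed "internal" messages are the ones that would otherwise have skipped the scrutiny given to external mail.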

Likewise, MFA attack protection should be tailored to the style of environment and sector.

MFA spray attacks work well on stable, scaled identity controls. Counter these attacks with strong lockout policies, good password hygiene, and conditional access.

Device compromise works best on variable networks where devices change over fast and MFA use is spotty. Work on establishing better device hardening and management, session controls, and strict phishing-resistant MFA with enrollment governance. Solutions such as Cisco Duo provide controls for phishing-resistant MFA, device trust, and secure enrollment, helping reduce risk from phishing and identity-based attacks.

This blog only scratched the surface on 2025 threat trends. See the full Year in Review report for a detailed explanation of Microsoft 365 Direct Send and how it was used for attacks, infographic breakdowns of MFA spray vs. device compromise attacks, the full list of targeted tools and sectors by percentage, and more.

State-sponsored threats: Different objectives, similar access paths

Hazel Burton, Cisco Talos Blog, April 14, 2026, 10:49

Across the Talos 2025 Year in Review, state-sponsored threat activity from China, Russia, North Korea, and Iran all had varying motivations, such as espionage, disruption, financial gain, and geopolitical influence.

But when you look at how these operations actually unfold, similar tactics, techniques, and procedures (TTPs) keep appearing: access through vulnerabilities and identity, and access that remains under the radar for a considerable period of time.

Here are the dominant themes from the state-sponsored section of the Talos Year in Review, available now.

China

China-nexus threat activity stood out this year for both volume and efficiency, with Talos investigations increasing by nearly 75% compared to 2024.

Newly disclosed vulnerabilities were exploited almost immediately (e.g., ToolShell), sometimes before patches were widely available. At the same time, long-standing, unpatched vulnerabilities in networking devices and widely used software continued to provide reliable entry points for these types of adversary.

Once inside, the focus shifts to persistence. Web shells, custom backdoors, tunneling tools, and credential harvesting all support long-term access. 

There’s also more overlap than ever before between state-sponsored and financially motivated activity. It is likely that in some cases, state-sponsored actors conducted operations for personal profit alongside espionage-focused missions, while in others, cybercriminals collected valuable information during an attack that could be sold to espionage-motivated actors for further exploitation, providing them dual revenue streams.

Russia

Russian-linked cyber activity remains closely tied to their geopolitical objectives, particularly the war in Ukraine.

Many operations continue to rely on unpatched, older vulnerabilities (especially in networking devices) to gain initial access. These flaws provide a dependable way in for adversaries and support long-term intelligence gathering.

Russia’s offensive cyber activity is highly correlated with developments in the larger geopolitical sphere. For example, the announcement of sanctions intended to apply pressure on Russia by both the U.S. and E.U. often corresponded with our observed levels of Russian cyber activity.

Common malware families like Dark Crystal RAT (DCRAT), Remcos RAT, and Smoke Loader appeared frequently in Talos investigations on operations against Ukraine in 2025. These families aren’t exclusive to Russia-nexus threat actors, but they continue to be effective in environments where patching and visibility are inconsistent, and should therefore be high priority targets for defense and monitoring.

North Korea

North Korea cyber operations leaned heavily into social engineering and insider access in 2025. These operations were both for financial and espionage purposes.

Campaigns like Contagious Interview (orchestrated by Famous Chollima) used fake recruiters from legitimate companies to socially engineer targets into executing code or handing over credentials. From there, actors stole cryptocurrency, exfiltrated data, and established persistent access.

North Korean cyber actors also pulled off the largest cryptocurrency heist in history in 2025, stealing $1.5 billion. Additionally, thousands of IT workers used stolen identities and AI-generated profiles to secure positions at Fortune 500 companies, generating billions in annual revenue for North Korea’s nuclear weapons and ballistic missiles programs.

Iran

Iranian cyber threat activity in 2025 combined visible disruption with long-term access.

Hacktivist operations increased by 60% in response to geopolitical events, particularly the Israel-Hamas conflict. These campaigns, which include distributed denial-of-service (DDoS) attacks, defacements, and other disruptive operations, are often designed to generate attention and shape narratives.

At the same time, more traditional advanced persistent threat (APT) activity focused on persistence. Groups such as ShroudedSnooper targeted sectors like telecommunications, using custom compact backdoors designed to blend into normal traffic and remain undetected. 

ShroudedSnooper is an APT that public reporting widely attributes to Iran’s Ministry of Intelligence and Security (MOIS). It is very likely an initial access group that passes operations off to secondary threat actors for long term espionage or destructive attacks.

For current threat intelligence related to the developing conflict in Iran, follow our coverage on the Talos blog.

Guidance for defenders

Though the state-sponsored activity that we tracked for the Talos Year in Review has different objectives, it still shares the same reliance on gaining and maintaining access. The following guidance is recommended for security teams:

  • Don’t ignore older systems: Both newly disclosed and long-known vulnerabilities are actively exploited. 
  • Prioritize identity security: Credentialed access and social engineering remain reliable entry points. 
  • Increase visibility into network and edge infrastructure: These systems are common targets for persistent access.
  • Expect activity to follow global events: Sanctions, conflicts, and political developments often correlate with spikes in activity. Follow the Talos blog to keep informed of new state-sponsored activity and campaigns.
  • Inspect for long-term presence: Many state-sponsored operations are designed to persist stealthily over time, not trigger immediate disruption. 

Read the 2025 Cisco Talos Year in Review.
[Video] The TTP Ep. 22: The Collapse of the Patch Window

Hazel Burton, Cisco Talos Blog, April 10, 2026, 12:29

One of the clearest trends in the 2025 Talos Year in Review is just how quickly vulnerabilities are now being turned into working exploits. What used to take weeks or months is now happening in days, sometimes hours — and in some cases, exploitation is beginning almost immediately after vulnerability details are made public.

The process of exploitation itself is changing. With the increasing availability of proof-of-concept code, automation, and AI-assisted tooling, certain vulnerabilities can very quickly become weaponized, which is what we saw with React2Shell.

At the same time, the data shows that attackers are not just chasing new vulnerabilities. They are consistently targeting what is exposed, accessible, and valuable.

On one end of the spectrum, near-instant exploitation.
On the other, long-standing vulnerabilities that remain unaddressed.

Attackers are using a combination of speed, scale, and accessibility to reduce the window defenders have to respond, while increasing the impact when they can’t.

In the latest episode of the Talos Threat Perspective, we explore what the ‘industrialization of exploitation’ looks like in practice, and what it means for defenders trying to prioritise risk in an increasingly compressed timeline.

Read the 2025 Cisco Talos Year in Review.
From the field to the report and back again: How incident responders can use the Year in Review

Jerzy ‘Yuri’ Kramarz, Cisco Talos Blog, April 9, 2026, 07:00

Every year, Cisco Talos publishes Year in Review, a comprehensive look at the previous year’s threat landscape. It’s drawn from an enormous volume of telemetry, such as endpoint detections, network traffic, email data, and boots-on-the-ground Cisco Talos Incident Response (Talos IR) engagements.

As incident responders, we see threats mid-detonation in the wreckage of an Active Directory environment, or in the lateral movement artifacts left behind by an affiliate who got in using nothing more than a valid account. The Year in Review distills those raw observations into structured intelligence, but that intelligence loop works both ways. The same report that our IR casework feeds into is the report that defenders should be feeding back into their own preparation cycles.

IR casework shapes the Year in Review, the Year in Review shapes your readiness 

When Talos IR closes out an engagement with customers, the tactics, techniques, and procedures (TTPs) we observe through forensic work and analysis are catalogued, aggregated, and analyzed alongside broader Cisco telemetry. When we track the emergence of a new exploit like React2Shell redefining attacker speed, or when we see Qilin rise to dominate the ransomware landscape while legacy groups like others maintain rare, sustained momentum, those shifts in the adversary ecosystem become the intelligence that informs what we are on the lookout for during the next investigation. When we observe patterns of behavior, they may form trend lines that span multiple years and reveal how the landscape is evolving. 

For defenders, this means the Year in Review is not a theoretical document. It is a distillation of what actually happened to organizations we respond to, investigated by the people who were in the room when things broke down. Here are some suggestions on how to operationalize these findings.

Turning findings into tabletop scenarios 

One of the most immediate and practical applications of Year in Review is raw material for tabletop exercises. The report hands you the adversary playbook. For example, the 2024 Year in Review highlighted that identity-based attacks accounted for 60% of all Talos IR cases, with Active Directory being the focal point in 44% of those incidents. Attackers were not breaking down doors with zero-days; rather, they were walking through the front door with stolen credentials, often bypassing multi-factor authentication (MFA) through push fatigue, misconfigured policies, or the simple fact that MFA was never fully enrolled in the first place for some accounts.  

The 2025 Year in Review reinforces and deepens this picture. Attacks against MFA evolved significantly, with MFA spray attacks doubling down on identity and access management (IAM) infrastructure while expanding efforts against high-value privileged accounts. Device compromise attacks saw a significant rise in activity, showing that actors increasingly value reliable, repeatable access methods over one-off exploitation. These are adversary preferences that should directly shape your exercise scenarios and cybersecurity preparedness.

That is a ready-made tabletop scenario. Work with your team on this exact entry scenario and walk through it just as an adversary would. An adversary authenticates to your VPN. MFA fires, but the user approves the push because they were already expecting a login prompt. The attacker is now inside your perimeter with legitimate access. What does your detection look like? How quickly do your analysts identify the anomaly? Who makes the call to force a password reset and revoke sessions? These are some good questions to cover in this scenario. The 2025 Year in Review found that actors tailor their MFA attack style depending on the sector, and that manufacturing was the most impacted sector for ransomware in 2025, underscoring persistent risk to repeatedly targeted industries. If you operate in manufacturing, health care, or another sector that has appeared consistently in ransomware targeting data, your tabletop should reflect the specific TTPs directed at your vertical — not a generic ransomware exercise. These are just some ideas to get started on scenarios.

Validate your detections against real-world tradecraft 

Beyond tabletops, the Year in Review provides a prioritized list of what to test your detections against. Year after year, Talos IR engagements reveal a consistent core of adversary tradecraft that organizations are still struggling to detect. Tools like PowerShell and Mimikatz appear in a significant portion of engagements. Remote services such as RDP and SSH continue to be abused for lateral movement. Ransomware operators are increasingly disabling security solutions before deploying payloads, and in 2024, they succeeded in doing so at an alarming rate. 

The 2025 Year in Review adds critical nuance to detection priorities through its vulnerability analysis. The top 10 most targeted vulnerabilities tell a story about what attackers reach for. React2Shell redefined attacker speed and targeting, compressing the window between disclosure and exploitation. ToolShell's quick rise to the top five highlighted the sheer volume and impact of attacks exploiting development tool vulnerabilities. 

For defenders, this is a checklist. Can your endpoint detection and response (EDR) detect and alert on the disabling of its own agent? Do you have detections for credential dumping from LSASS or web shell deployment? What about a scenario where direct exploitation takes place, but no web shell is deployed? Are you monitoring for anomalous Remote Desktop Protocol (RDP) sessions originating from unexpected source hosts? The Year in Review tells you what the adversary is actually doing, not what they might hypothetically do. That distinction is critical when you are prioritizing detection engineering across your organization. 

Map these findings to the MITRE ATT&CK framework, which the Talos Quarterly IR Trend Reports and the Year in Review already reference, and you have a structured way to assess your coverage gaps. If valid account abuse is the dominant initial access technique and your detections are heavily weighted toward exploit-based intrusions, you have a mismatch between your defensive posture and the actual threat landscape.

Stress-test your IR plan, not just your tooling 

The Year in Review also reveals patterns in where organizations struggle that go beyond technology. Across multiple years of IR engagements, common security weaknesses keep surfacing: incomplete asset inventories, inconsistent logging, missing or misconfigured MFA, inadequate network segmentation, and unpatched or end-of-life network devices that remain exposed. The 2024 report noted that some of the most targeted network vulnerabilities affected end-of-life devices with no available patches, yet those devices remained in production environments. The 2025 data reinforce this with even sharper clarity: Legacy systems remain highly vulnerable to attack, CVE age distribution data highlights systemic patch delays, and a small number of vulnerabilities in network infrastructure continue to drive outsized risk.

Two additional areas from the 2025 report deserve attention in your planning cycle. First, phishing continues to evolve. Phishing plays a key role in both initial access and post-compromise activity, with business email compromise-style and workflow-based lures remaining the primary theme. Travel and logistics lures surged, while political lures dropped off and IT-themed lures became more prominent. These shifts matter for security awareness training; if your phishing simulations are still heavily weighted toward current-events lures, they may not reflect what your users are encountering. 

Second, the AI threat landscape warrants monitoring. The 2025 observations include dedicated coverage of how AI is shaping the threat environment. While the full scope of AI-enabled threats is still emerging, defenders should consider how AI may be lowering the barrier for adversaries in areas like phishing content generation, vulnerability discovery, and social engineering at scale. Your IR plans should be tested, validated, and updated to handle the new security regime we find ourselves in. 

Build a year-round preparation cadence 

Rather than treating the Year in Review as a one-time read, consider building a recurring preparation cycle around it. When the report drops, review the top-level findings with your security leadership and identify the three or four trends most relevant to your environment. In the quieter early months, run a tabletop exercise built around the most applicable scenario. Through the middle of the year, use Quarterly IR Trend Report data to adjust detection priorities and validate coverage. Before year-end, when threat activity tends to intensify, conduct a focused review of your IR plan. 

Talos Takes: 2025's ransomware trends and zombie vulnerabilities

April 7, 2026, 09:03
By Amy Ciminnisi

Join Amy and Pierre Cadieux as they unpack the ransomware and vulnerability trends that defined 2025. From the persistent ransomware threats targeting the manufacturing sector to the rise of stealthy living-off-the-land tactics, we break down what these shifts mean for your defense strategy.

Why are attackers increasingly targeting your management infrastructure? How do you spot the difference between a system admin and a threat actor? Tune in to hear Talos' insights on how to move beyond reacting to threats and start building a more resilient, proactive security posture for the year ahead.

View the 2025 Year in Review here.

Year in Review: Vulnerabilities old and new and something React2

April 7, 2026, 07:00
By Kri Dontje

Speed and age shouldn’t be allowed to pair up, but that is the theme of the Talos 2025 Year in Review vulnerability findings.

Figure 1. React/React2Shell (2025) at the top, with PHPUnit (2017) and Log4j (2021) following up.

The year was characterized by an unending beat-down on infrastructure that relied on older enmeshed dependencies (e.g., Log4j and PHPUnit), while React2Shell rocketed to the highest percentage of attacks for the entire year within the last three weeks of 2025. Agentic AI's capacity for building and deploying new proofs of concept and exploit kits lowered attacker time-to-exploit, and the landscape shifted for defenders.

“The speed at which these CVEs climbed into the top tier reflects a larger systemic challenge: Newly disclosed vulnerabilities in widely deployed software can generate significant, organization-wide impact long before typical patch cycles catch up, leaving defenders with small reaction windows and escalating consequences for even short-lived exposure.” – 2025 Talos Year in Review

Top-targeted infrastructure 

Outdated infrastructure continues to expand the attack surface. Components like PHPUnit, ColdFusion, and Log4j are often embedded within applications, tightly coupled to legacy applications. Technologies age quickly, and companies are under pressure to adopt first, ask questions later. Low-use systems in a network can fossilize, unnoticed and unpatched. Others become mainstays that often cannot be swapped out or even patched without destabilizing an organization.  

Attackers prioritized software and firmware inside network appliances, identity-adjacent systems, and widely deployed open-source components: 

  • Remote code execution (RCE) flaws, which enable access without requiring user interaction, avoiding a need for social engineering  
  • Legacy systems and widely used components 
  • Perimeter devices, especially without endpoint detection and response (EDR)

Figure 2. Top 50 network infrastructure CVEs.

The theme was identity, identity, identity. Controlling identity meant controlling access, so attackers focused on components that authenticate users, enforce access decisions, and broker trust between systems. A small number of vulnerabilities targeting these vectors drove outsized risk. This can invalidate multi-factor authentication (MFA) checks and bypass segmentation. 

Defender recommendations 

Attacker prioritization is now guided less by vulnerability age or maturity and more by exposure, exploitability, and proximity to trust, reshaping how organizations must think about risk in modern environments. 

Attackers exploit patching gaps and policy weaknesses in vendor lifecycles. Organizations should evaluate their identity-centric network components and management platforms and prioritize patching of network devices accordingly. 

For a more in-depth analysis of these trends, as well as how company size impacted CVE targeting trends, why the management plane matters, and the shortening window defenders have for putting defenses in place, see the 2025 Year in Review report.

[Video] The TTP Ep 21: When Attackers Become Trusted Users

April 2, 2026, 10:06
By Hazel Burton

In this episode of the Talos Threat Perspective, we explore how identity is being used to gain, extend, and maintain access inside environments. 

Drawing on insights from the 2025 Talos Year in Review, we break down how attackers are: 

  • Targeting identity systems and MFA workflows
  • Establishing persistent, high-trust access
  • Using internal phishing to move laterally
  • Potentially exploiting over-permissioned AI agents and identity-linked access
  • Blending into normal user behaviour

This episode focuses on how identity enables attackers to scale their operations, and what that means for defenders trying to detect and contain them. 

Read the 2025 Cisco Talos Year in Review
Inside the Talos 2025 Year in Review: A discussion on what the data means for defenders

April 2, 2026, 07:00
By Hazel Burton

Every year, the Cisco Talos Year in Review captures the patterns shaping the threat landscape. The 2025 report paints a clear picture: Attackers are moving faster than ever, while using identity-related attacks as the primary battleground.  

To unpack the biggest takeaways and what they mean for security teams, we brought together Christopher Marshall, VP of Cisco Talos, and Peter Bailey, SVP and GM of Cisco Security. 

Here’s their conversation. 

Old vulnerabilities, new speed 

Marshall: One of the clearest trends in this year’s data is the contrast in how vulnerabilities are being exploited. We saw React2Shell disclosed in December and within weeks it became the most targeted vulnerability we tracked.

At the same time, a 12-year-old vulnerability still appeared in the top 10 most exploited list. So we’re seeing very rapid weaponization (likely fuelled by AI given the compressed timeline from initial proof of concept to large-scale exploitation, across multiple languages and platforms) alongside continued success with legacy flaws.  

Bailey: There’s always a lot of focus on the latest zero-day, and rightly so. The industrialization of vulnerability exploitation is extremely concerning. But at the same time, many attacks are still leveraging vulnerabilities that have been around for years.

Organizations are dealing with complexity. Large environments. Long device lifecycles. Change management processes that take time. But attackers don’t care about those constraints. They actually count on them. 

This is where we need to repeat that the fundamentals still matter. Patch management, asset visibility, lifecycle discipline... We still have work to do there as an industry.  

Marshall: And then you have 40% of the top 100 exploited vulnerabilities being effective because organizations were running end-of-life devices. That’s a measurable problem. When infrastructure is no longer supported, attackers know it. They scan for it, and then they target it. Technical debt becomes operational risk.

Bailey: Absolutely. In most cases, it’s not that customers don’t want to patch. It’s that their critical networking infrastructure has been stable for years, and taking it offline can disrupt the business.

As an industry, we need to reduce that friction. Cisco is a big part of that, with built-in protections in our networking equipment that can be applied without downtime, and options to shield systems when patching can't happen immediately.

Identity as the primary target 

Marshall: If there’s one area where attackers are consistently investing their time and energy, it’s identity. In 2025, identity-based attack techniques were central to major phases of operations, like lateral movement, privilege escalation, and persistence. Controlling identity effectively means controlling access across the environment.

One of the most striking data points in the report is that fraudulent device registration increased 178 percent year over year. In many cases, attackers convinced administrators to register devices on their behalf through vishing (or voice phishing). They targeted administrator-managed registration flows at three times the rate of user-driven ones. There’s a clear preference for high-value victims. 

Bailey: And unfortunately these stolen credentials are widely available. Logging in is often easier than breaking in. Once attackers obtain legitimate access, they can blend in.

For defenders, identity controls need to go beyond authentication. You need continuous monitoring. You need risk-based adjustments to access. You need to detect abnormal behavior quickly. 

Marshall: We’re also seeing a rise in internal phishing. More than a third of phishing incidents we observed involved attackers sending messages from already compromised accounts.

Once inside, they create mailbox rules to hide replies and suppress visibility. They explore shared drives and collaboration platforms. They look for sensitive information that can help them expand access. This all means defenders need strong visibility into normal user behavior. If accounts suddenly start sending far more messages than usual or accessing data they never touched before, that should stand out. 

Bailey: Identity is no longer just an authentication problem. It’s a monitoring and governance problem, as well.

State-sponsored activity and the blurring of motives 

Marshall: We observed continued evolution in state-sponsored activity throughout the year. Talos investigations into China-nexus campaigns increased nearly 75 percent in 2025. These actors are exploiting both zero-day and n-day vulnerabilities while also engaging in financially motivated activity to support their broader goals.

Russian-linked activity continues to correlate closely with geopolitical developments. We consistently see these actors exploiting unpatched networking equipment to establish long-term access. 

North Korean affiliated actors refined their “Contagious Interview” campaigns. They compromised developers through fake job opportunities and expanded IT worker schemes using AI-generated personas. 

Iranian-linked actors increased hacktivist-style operations by roughly 60 percent last year, and we’ve seen that type of activity rise again during the ongoing conflict in the Middle East. At the same time, actors such as ShroudedSnooper are deploying highly evasive and stealthy backdoors to maintain long-term access to critical telecommunications infrastructure. 

Bailey: These groups are adaptive and pragmatic. From a defender’s perspective, the distinction between state-sponsored and criminal actors is less useful than it used to be. Techniques overlap, tools are shared, and infrastructure gets reused.

What matters is speed. These actors move quickly and often target the edge of the network through unpatched devices and legacy infrastructure.   

That’s where intelligence becomes critical. At Cisco, when Talos identifies a campaign or toolset, that intelligence feeds directly into protections for customers. Speed of detection and response must match the pace of the threat.  

AI and the acceleration of attacks 

Marshall: In 2025, AI was most commonly used to automate and scale parts of traditional attacks, especially social engineering. It lowered the barrier to creating convincing phishing lures and fraudulent sites.

The Year in Review is based on trends throughout 2025, but we also want to call attention to the fact that the AI threat landscape is changing fast, even in the first few months of 2026. Research into threats like VoidLink shows how AI can accelerate malware development. The tasks that previously required extended development cycles are now being completed quicker than ever.

We’re also seeing early examples of AI-enabled malware in mobile environments. Agentic capabilities can analyze screen content and determine next actions. It’s still early, but the pace of change is notable. 

Bailey: Organizations also need to think about how they deploy AI internally.

We saw rapid adoption of consumer AI tools, followed by a realization that guardrails were necessary. Prompt injection, data exposure, unauthorized model access... These are real concerns.  

Now we’re seeing companies implement controls such as semantic inspection of prompts, model scanning, and discovery of shadow AI deployments. Secure AI deployment will quickly become standard practice. It has to. 

Using the report as a prioritization tool 

Marshall: We designed the Talos Year in Review to help defenders prioritize. And in terms of those priorities, I’d like to leave people with a few that stand out.

The data shows that attackers consistently pursue access for scale and leverage. They want the keys to the kingdom, so they target identity systems, administrators, and end-of-life infrastructure because it gives them broad access. 

Strengthening your identity controls, understanding your environment, and safeguarding and removing EOL infrastructure are three of the most important actions organizations can take. 

Bailey: I agree. Patching is still crucial, but just as important is ensuring you have visibility across devices, strong segmentation, and continuous monitoring for abnormal behavior.

We’re also seeing attacks happening faster, increasingly amplified by automation and AI. Agentic AI is opening the door to a catalogue of features that will automate manual work and allow adversaries to greatly expand their capabilities. Now more than ever, defenders need architectures that are resilient and observable in the face of these developments.

I encourage everyone to read the full Talos report. It’s filled with data and practical guidance.   

Marshall: Thank you, Peter. This report represents a tremendous amount of effort across Talos and it's built with our customers in mind. I'd like to extend a sincere appreciation to my team and all of our partners who contributed to its life and launch.

Our goal with the Year in Review, much like our general mission at Talos, is simple: Show where adversaries are succeeding, and provide clear guidance on how to reduce that success rate.  

In addition, I would ask all of our customers to use this report to challenge us, challenge Cisco. We strive to give you the greatest protection, products, and services possible. Let us know how we can be better. 

Read the 2025 Cisco Talos Year in Review
Ransomware in 2025: Blending in is the strategy

March 31, 2026, 07:00
By Hazel Burton

Ransomware attacks aren’t smash-and-grab anymore. They’re built on access that already looks legitimate — closer to positioning chess pieces than breaking the door down.

That’s the big trend that comes through in the ransomware data from the Talos 2025 Year in Review. Once attackers have initial access (and 40% of the time it’s through phishing), they move the way a user or administrator would: logging in, checking systems, and using the same remote access tools that are already installed.

In fact, one of the biggest challenges for defenders today is that ransomware actors are deliberately trying to overlap with everyday activity. RDP, PowerShell, and PsExec are the top three tools that are used by ransomware actors, but in many environments, these tools are part of normal operations.

The difference is how they’re being used. If they’re being used to expand access and move across systems, this should raise a few red flags. I’m not sure it’s possible to emphasise enough how important asset management is here: clear asset inventories, network behaviour baselines, and continuous anomaly monitoring.

Like the rest of the Talos Year in Review, identity is what ties everything together. Valid accounts show up across nearly every stage of ransomware attacks: initial access, lateral movement, and execution. 

Top-targeted sectors

From our ransomware data analysis, manufacturing continues to be the most targeted sector, which reflects how challenging these environments are to monitor closely. There’s a mixture of systems, users, and processes, often with limited tolerance for disruption.

Professional, scientific, and technical services (second on the most targeted sectors list) face similar exposure, especially when access spans multiple systems or organizations.

Most prolific ransomware groups

The ransomware-as-a-service (RaaS) groups have had a bit of a shakeup. After LockBit topped our 2024 report, the group fell to 35th this year following sustained law enforcement pressure. Qilin, a constant pain in the “you-know-what” for our incident responders for over a year now, came in at No. 1.


Qilin uses a double-extortion approach, combining data encryption with threats to release stolen information publicly. According to their data leak site, in 2025, Qilin targeted more than 40 victims every month except January, signaling that this ransomware group will remain a persistent and significant threat in 2026.

Akira and Play (No. 2 and 3 in the chart) had continued success, which can likely be credited to their evolving and adaptable tactics and absorption of affiliates from defunct ransomware groups (i.e., LockBit).

An opportunity for defenders

What’s interesting to note is that for the second year running, January saw lower activity, likely tied to holiday slowdowns and Eastern European public holidays.

It may be wise for security teams to consider testing ransomware defenses in months where activity levels are generally lower, such as January, as there is a reduced chance of interfering with real incidents.

Defender recommendations

  • Strengthen identity protections. Actors predominantly targeted the person who holds the key rather than the lock itself (i.e., the target’s infrastructure). Phishing and social engineering training is highly recommended.
  • Monitor the use of built-in administrative tools such as RDP, PowerShell, and PsExec for lateral movement. Look for unexpected usage patterns, and abnormal access requests.
  • Basics, basics, basics! They very much still hold true. Strengthen your backup, EDR, segmentation, logging, and recovery capabilities.
  • Regularly test ransomware response readiness.
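The recommendation above to watch RDP, PowerShell, and PsExec for unexpected usage patterns, and the detection checklist in "Validate your detections against real-world tradecraft" earlier on this page (anomalous RDP sessions from unexpected source hosts), can both be expressed as baseline-and-deviation logic over log events. What follows is an added example, not Talos code: it learns each account's usual RDP source addresses from a quiet period, then flags new sources, one account fanning out across several hosts, a PsExec service install, and an encoded PowerShell launch. All hosts, accounts, addresses and the JSON-lines event shape are constructed for the example.

```python
"""Baseline-and-deviation checks for RDP, PsExec and PowerShell activity.

Added example, not Talos code. Events are constructed JSON lines whose field
names loosely follow Windows event data: 4624 (logon), 4688 (process creation,
with command-line auditing enabled) and 7045 (service install). All hosts,
accounts and addresses are hypothetical.
"""
import json
from collections import defaultdict

RDP_LOGON_TYPE = "10"        # LogonType 10 = RemoteInteractive, i.e. RDP
PSEXEC_SERVICE = "psexesvc"  # default name of the service PsExec installs on a target
FANOUT_THRESHOLD = 3         # distinct hosts one account reaches over RDP in a window

# Constructed quiet-period events used to learn who normally connects from where.
BASELINE_LOG = r"""
{"EventID": 4624, "Computer": "jump01", "TargetUserName": "alice", "LogonType": "10", "IpAddress": "10.0.5.20"}
{"EventID": 4624, "Computer": "jump01", "TargetUserName": "alice", "LogonType": "10", "IpAddress": "10.0.5.20"}
{"EventID": 4624, "Computer": "fs01", "TargetUserName": "bob", "LogonType": "10", "IpAddress": "10.0.5.31"}
{"EventID": 4624, "Computer": "srv-a", "TargetUserName": "svc_backup", "LogonType": "10", "IpAddress": "10.0.9.9"}
{"EventID": 4624, "Computer": "fs01", "TargetUserName": "bob", "LogonType": "3", "IpAddress": "10.0.5.31"}
"""

# Constructed detection-window events: a new RDP source for alice, svc_backup
# fanning out over three hosts, a PsExec service install and an encoded
# PowerShell launch ("AAAA" is a placeholder, not a real encoded command).
WINDOW_LOG = r"""
{"EventID": 4624, "Computer": "jump01", "TargetUserName": "alice", "LogonType": "10", "IpAddress": "10.0.5.20"}
{"EventID": 4624, "Computer": "jump01", "TargetUserName": "alice", "LogonType": "10", "IpAddress": "198.51.100.7"}
{"EventID": 4624, "Computer": "srv-a", "TargetUserName": "svc_backup", "LogonType": "10", "IpAddress": "10.0.9.9"}
{"EventID": 4624, "Computer": "srv-b", "TargetUserName": "svc_backup", "LogonType": "10", "IpAddress": "10.0.9.9"}
{"EventID": 4624, "Computer": "srv-c", "TargetUserName": "svc_backup", "LogonType": "10", "IpAddress": "10.0.9.9"}
{"EventID": 7045, "Computer": "srv-b", "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}
{"EventID": 4688, "Computer": "srv-c", "SubjectUserName": "svc_backup", "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand AAAA"}
{"EventID": 4688, "Computer": "ws-42", "SubjectUserName": "alice", "NewProcessName": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"}
"""


def parse_events(text):
    """Parse JSON-lines events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def rdp_logons(events):
    """Yield successful logons whose logon type marks them as RDP sessions."""
    for e in events:
        if e.get("EventID") == 4624 and str(e.get("LogonType")) == RDP_LOGON_TYPE:
            yield e


def build_rdp_baseline(events):
    """Map each account to the source addresses it used for RDP in the baseline period."""
    baseline = defaultdict(set)
    for e in rdp_logons(events):
        baseline[e["TargetUserName"]].add(e["IpAddress"])
    return dict(baseline)


def finding(rule, user, host, detail):
    return {"rule": rule, "user": user, "host": host, "detail": detail}


def detect(events, baseline):
    """Return findings where admin-tool usage deviates from the learned baseline."""
    findings = []
    hosts_per_user = defaultdict(set)
    for e in rdp_logons(events):
        user, src = e["TargetUserName"], e["IpAddress"]
        hosts_per_user[user].add(e["Computer"])
        # RDP from an address the account never used before, or from an account
        # that never used RDP at all, is the "unexpected source host" case.
        if src not in baseline.get(user, set()):
            findings.append(finding("rdp_new_source", user, e["Computer"], src))
    # One account opening RDP sessions to many hosts in one window looks like
    # movement across systems rather than an admin working on a single box.
    for user, hosts in hosts_per_user.items():
        if len(hosts) >= FANOUT_THRESHOLD:
            findings.append(finding("rdp_fanout", user, ",".join(sorted(hosts)), len(hosts)))
    for e in events:
        if e.get("EventID") == 7045 and e.get("ServiceName", "").lower() == PSEXEC_SERVICE:
            # PsExec can be told to use another service name, so a production
            # rule would also match on the image path, not only the default name.
            findings.append(finding("psexec_service_install", None, e["Computer"], e.get("ImagePath")))
        elif e.get("EventID") == 4688:
            image = e.get("NewProcessName", "").lower()
            cmd = e.get("CommandLine", "").lower()
            # "-enc" matches the full -EncodedCommand switch and its abbreviations down to -enc.
            if image.endswith("powershell.exe") and "-enc" in cmd:
                findings.append(finding("encoded_powershell", e.get("SubjectUserName"), e["Computer"], e.get("CommandLine")))
    return findings


if __name__ == "__main__":
    baseline = build_rdp_baseline(parse_events(BASELINE_LOG))
    for f in detect(parse_events(WINDOW_LOG), baseline):
        print(f"{f['rule']:<24} user={f['user']} host={f['host']} detail={f['detail']}")
```

Run against the constructed window the checks raise four findings: alice's RDP logon from 198.51.100.7, svc_backup reaching three hosts, the PSEXESVC install on srv-b, and the encoded PowerShell launch on srv-c, while the notepad launch and the baseline-consistent logons stay quiet.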

Read the full 2025 Talos Year in Review to dig deeper into ransomware trends, vulnerability exploitation, phishing and MFA bypass, state-sponsored activity, and how AI is shaping the threat landscape.

Talos Takes: 2025 insights from Talos and Splunk

March 26, 2026, 09:48
By Amy Ciminnisi

In this episode of Talos Takes, Amy is joined by William Largent (Cisco Talos) and Lou Stella (Splunk) for a "double-header" discussion. With the recent release of the Cisco Talos 2025 Year in Review and the Splunk Top 50 Cybersecurity Threats report, we’re breaking down the most critical trends that shaped the security landscape last year — all based on Cisco telemetry, Talos' original research, and Talos Incident Response engagements.

From the professionalization of ransomware-as-a-service to the persistent challenge of decade-old vulnerabilities, this episode moves beyond the headlines to provide a practical roadmap for defenders. You’ll get tips on how to prioritize your defenses and reduce your attack surface for the year ahead.

View the 2025 Year in Review today.

Beers with Talos breaks down the 2025 Talos Year in Review

March 23, 2026, 09:55
By Hazel Burton

The Beers with Talos B team (that’s Hazel, Bill, Joe and Dave) break down (sometimes in the literal sense) the 2025 Talos Year in Review which is available now.

The team dives into the biggest cybersecurity trends of the year, including:

  • The rapid weaponization of new vulnerabilities
  • Why identity abuse showed up everywhere 
  • Ransomware trends
  • A rise in APT investigations
  • What defenders should prioritize heading into the year ahead

Before that, we discuss the cyber activity tied to the situation in the Middle East (full details on our blog).

There’s also an alarming amount of discussion about glutes. And gravy. Listen here:

Download the full 2025 Talos Year in Review today.

2025 Talos Year in Review: Speed, scale, and staying power

March 23, 2026, 09:01
By Cisco Talos

The 2025 Talos Year in Review is now available to view online.

The pace and scale of adversary activity in 2025 placed sustained pressure on security teams across industries. As with each annual report, our goal at Talos is to provide the security community with a clear analysis of the tactics, techniques, and procedures that shaped adversary operations, and to help organizations prioritize the actions that reduce exposure and strengthen defenses.

What defined 2025

Three themes emerged consistently across Talos’ threat research, telemetry, and incident response engagements:

1. Exploitation at both extremes

New large-scale vulnerabilities were operationalized almost immediately, but adversaries also continued to exploit CVEs that have been exposed for years. This rapid operationalization of new vulnerabilities reflects a rise in automated exploit development, public proof-of-concept code, and mature adversary coordination.

React2Shell, released in December, ranked first by year’s end only three weeks after disclosure, while a vulnerability disclosed 12 years ago ranked seventh. That range tells a story about organizational technical debt: Long-standing exposure continues to be reliably and successfully exploited.

2. The architecture of trust

In 2025, adversaries focused on the systems that manage authentication, authorization, and device trust.

Attackers who gained access through compromised credentials stealthily extended that access through internal phishing and abuse of identity controls within network infrastructure. Control of identity often meant control of the environment.

3. Targeting centralized systems for more leverage

Threat actors targeted centralized infrastructure, management platforms, and shared frameworks to expand the impact of a single compromise.

Approximately 25% of the vulnerabilities in the Top 100 targeted list affected widely used frameworks and libraries that are embedded deep within the software stack. Because these components underpin applications and network appliances across vendors, a single CVE can create mass exploitation potential across industries. Compromising these shared foundations enabled lateral movement across environments. 

Read the full report

View the full report online (it’s not gated and never will be) to see where attackers are gaining ground, and how to disrupt their playbook. 

Read the 2025 Cisco Talos Year in Review