Quorum Cyber’s Chief Threat Officer Paul Caiazzo hosted an insightful and engaging Mid-Year Intelligence Briefing on 20th August, at which his Threat Intelligence team highlighted a number of key developments that they observed in the ever-evolving threat landscape in the first half of 2025. Incident Response Consultant Emily Benbow and Senior Threat Intelligence Analyst Jack Alexander presented research findings from the new Relentless Threats: 2025 Mid-Year Global Cyber Risk Outlook Report, which contains a lot more detail and is full of actionable advice. During the webinar, Paul shared his main recommendations for how organisations can best defend their IT estate from specific types of cyber-attacks.

You can watch the full 60-minute webinar replay for free at Relentless Threats: 2025 Mid-Year Intelligence Briefing. 

New cybercriminal tactics and techniques   

In an eye-opening tour through the first six months of 2025, Emily and Jack selected the most notable developments from January to June, highlighting new trends and emerging cybercriminal groups and strategies to watch out for.  

Brand hijacking 

Focusing on one cyber incident in January, Emily stressed that financially motivated cybercriminals are increasingly pretending to be other groups to hide their tracks and deceive both victims and cyber security professionals. Such brand hijacking is allowing “low-skilled threat actors to obtain greater funds” and means that “extra due diligence is required” from defenders.    

At Quorum Cyber we try to verify the precise threat actor behind each crime because we aim to understand their motivation, intent, and capability in order to predict their next moves, and their tactics and techniques so that we can get one step ahead of adversaries. To counter this, adversaries could be increasingly using brand mimicry. “Attribution is hard to do well” when threat actors are trying to hide, said Paul.  

Hackers log in 

Emily’s main lesson from February was that a new infostealer called Acreed emerged and has filled a gap in the infostealer market after law enforcement agencies took down the Lumma group. To protect against infostealers, “firms need to lock down browsers, manage plug-ins, and patch regularly,” advised Paul. “Hackers don’t hack in, they log in. And they use stolen credentials to launch ransomware attacks.”   

Ransomware negotiations  

Covering March, Emily said, “We’re increasingly seeing nation-state groups deploy ransomware to achieve their strategic aims. If you’re successfully hit by a ransomware attack, then you either need to fight through it or pay the ransom.” She stressed that any organisation that finds itself in this unenviable situation should “contact experts to handle the negotiations”.  

Paul emphasised this point: “If you’re left with this choice, then please engage with a skilled negotiation firm.” He added that some cybercriminals are sanctioned by national or international regulations. “At Quorum Cyber, we follow a structured process to deal with sanctioned entities.”  

From Big Game Hunting to smaller, faster attacks 

Jack disclosed another key trend from April: “Threat actors seem to be moving away from encryption to only exfiltration” to speed up their attacks and save the expense of encryption. 

His Threat Intelligence team has also observed that adversaries are “shifting their strategy from ‘Big Game Hunting’ to smaller high-volume attacks with a faster turnaround”. He said that “ransomware groups are under pressure to bring in the money faster” – intelligence that is very useful for Quorum Cyber’s highly experienced ransom negotiation team. Jack also noted that stolen credentials are being sold on the dark web for as little as $3 each. 

On the subject of encryption and decryption of data, Paul advised that while many organisations are tempted to pay for decryption keys, the keys don’t always work. The act of encryption can corrupt data, making it impossible to decrypt without losing data or leaving it irreparably damaged. He advised that “early detection and hardening” are the most effective tactics.

Threat actors are also known to look for information about cyber insurance to get an idea of how much ransom money an organisation will pay, although insurers are wary of this tactic.

White-label tactics add a new dimension to cybercrime 

In May the team uncovered the new white-label model which adversaries have copied from the private sector. It’s another sign that the Ransomware-as-a-Service (RaaS) ecosystem is maturing and becoming even more sophisticated. RansomBay, a RaaS platform tied to the DragonForce ecosystem, has started offering a white-label service to enable affiliates to customise DragonForce payloads under their own branding. This model provides affiliates with greater autonomy and branding flexibility. “This white label model has lowered the capability bar considerably,” said Jack. “And it’s made attribution and defence more difficult.” 

“We still see threat actors targeting the low-hanging fruit,” added Paul. “Please patch your vulnerabilities across your organisation’s external attack surface.”

AI chatbots used in ransom negotiations   

In June the team saw evidence that a cybercriminal group named GLOBAL was conducting negotiations on behalf of threat actors. “Let the experts handle negotiations – with their experience and knowledge, they can identify whether they are communicating with humans or chatbots.” 

Another audacious development observed in June was that cybercriminal group Qilin began providing legal services to other threat actors. “Its legal team scour stolen information from organisations to search for evidence of tax violations, regulatory breaches, and instances of non-compliance with the law,” explained Jack. “They then send this evidence to the relevant authorities. It’s yet to be seen if the authorities will take any action given that the evidence was stolen.”  

Watch the webinar replay and download the report    

The full 60-minute webinar replay is available to watch for free at any time at Relentless Threats: 2025 Mid-Year Intelligence Briefing. You can also download the detailed Relentless Threats: 2025 Mid-Year Global Cyber Risk Outlook Report, which contains much more information on over 70 emerging cybercriminal groups and their tactics that Quorum Cyber’s Threat Intelligence team found in the first half of 2025. 
