The cyber threat landscape has continuously evolved and expanded over the last few years, and in 2025 it’s been nothing short of relentless. In the first six months of the year, Quorum Cyber’s Threat Intelligence team identified and tracked over 70 new threat groups and Malware-as-a-Service (MaaS) offerings. During this period, the team observed a marked rise in the sophistication and innovation of certain threat actors, including some bold new tactics borrowed from the corporate world that haven’t previously been observed.
Key discoveries from H1 2025
Relentless Threats: 2025 Mid-Year Global Cyber Risk Outlook Report highlights several key developments, including the rise of ransomware groups such as Codefinger, which has begun exploiting legitimate features of Amazon Web Services (AWS) to encrypt cloud storage. This shift signifies a troubling trend towards targeting cloud-native infrastructure.
The emergence of Acreed, a new variant of stealware, has been observed following law enforcement crackdowns, emphasising the ongoing resilience of the underground market.
Notably, there is a growing convergence of state and criminal capabilities, exemplified by North Korea’s Moonstone Sleet using a Russian-language Ransomware-as-a-Service (RaaS) platform to attack software companies.
Furthermore, groups like Qilin and DragonForce are expanding their extortion tactics by offering services such as legal harassment, AI-driven negotiation bots, and call centres to intensify pressure on victims. This points to the emergence of ‘quadruple extortion’ as the next stage in ransomware operations.
Another noteworthy development in the RaaS ecosystem is its evolution towards greater maturity and scalability, adopting strategies from enterprise business models. A newly discovered white-label model allows cybercriminal affiliates to rebrand ransomware payloads and create their own distinct identities. This approach empowers threat actors, who might otherwise lack the necessary skills and resources, to customise attacks for specific industries, regions, or victim profiles. It also helps the parent operation to enhance its revenue, resilience, and scalability.
What other developments have been seen since the beginning of the year?
The report also reveals that ransom demands have risen 53% from Q1 2022 to Q1 2025, adding significant financial strain on organisations across multiple sectors. However, the extent of these increases in ransom demands varies by sector, influenced by the financial size of the victim’s business and the specific behaviours of the threat actors involved.
“What we’ve seen in H1 2025 is both striking and sobering. The sheer volume of new entrants, more than 70 new threat groups and MaaS offerings, highlights the unyielding pace of cybercriminal innovation,” says Paul Caiazzo, Quorum Cyber’s Chief Threat Officer. “As we move into the latter half of 2025, we anticipate further innovation in social engineering, extortion tactics, and cloud abuse. We also expect greater regulatory and legal entanglements as the lines between sanctioned actors and criminal affiliates blur.”
Watch the webinar to learn more about the report findings
Paul was joined by Senior Threat Intelligence Analyst Jack Alexander, and Incident Response Consultant Emily Benbow to present the team’s findings in a live webinar, on 20th August, which included a Q&A session.
The three experts described the new emerging tactics and techniques they have seen, including how RansomBay’s white-label service is enabling relatively low-skilled attackers to create their own brands, and how Qilin has begun an audacious new legal and customer harassment extortion tactic to put victims under even more pressure to pay ransoms. They shared actionable advice for organisations in any sector to defend themselves against these emerging cyber threats, particularly those using ransomware or stealware. You can watch the session, called for free at any time.
Join the Threat Intelligence Community
We regularly publish threat bulletins, malware reports, and threat actor profiles on the Threat Intelligence Community Group. Why not join to access a centralised archive of resources, opportunities for peer-to-peer knowledge sharing, and expert analysis and commentary?















