Key Findings
- Attacks against OT are increasing
  - Iranian groups form a threat continuum focused on OT/ICS targets
  - Modbus is the most targeted OT protocol
    - 57% of honeypot interactions
    - Up from 40% in 2024
- Zero-day exploitation grew 46%
- Published vulnerabilities rose 15%
  - 45% of these had high or critical CVSS scores
- CISA KEV additions grew by 80%
  - Over 20% of newly exploited vulnerabilities target network infrastructure
- 137 threat actors had activity updates
  - Highest number of threat actors: China, Russia, and Iran
  - Most targeted countries: US, India, UK, Germany, Australia
  - Most targeted industries: Government, technology, financial services, telecommunications, energy
- Ransomware attacks rose by 36%
  - 3,649 attacks, 608 attacks/month avg., 20/day
  - 79% of attacks hit the top 10 targeted countries:
    - US is the dominant target at 53%
    - Canada (6%), UK (4%), Germany (4%), Italy (2%)
  - Top 5 industries targeted: Services, manufacturing, technology, retail, and healthcare
  - YoY increases: Retail (66%), Technology (48%), Manufacturing (24%)
  - Financial services: 72% (in the top 10)
Mitigation Recommendations
We strongly recommend reviewing the full Mitigation Recommendations section.
- Prioritize visibility, risk assessment, and proactive controls across key areas of the attack surface, especially:
  - Network perimeter assets
  - Operational technology (OT)
  - Healthcare systems
  - IoT devices
- Use agentless solutions to gain visibility into:
  - Device presence on the network
  - Running software and firmware
  - Communication behaviors and flows
- Prepare for lateral movement across device types by ensuring detection coverage at:
  - Entry points (e.g. a vulnerable router)
  - Pivot points (e.g. a misconfigured workstation)
  - Final targets (e.g. an insecure device)
- Ensure your threat detection solution covers all device types and ingests data from multiple sources, including:
  - Firewalls
  - Intrusion detection systems (IDS/IPS)
  - Endpoint detection and response (EDR)
  - Identity and access systems
  - Other existing security infrastructure
In the first half of 2025, Forescout Research – Vedere Labs published a wide range of blogs and reports analyzing some of the most prominent developments in the cybersecurity threat landscape, from vulnerabilities and ransomware campaigns to the shifting behavior of threat actors.
Our data shows that cybercriminals continue to rely on familiar IT-based tactics for malware delivery, particularly via ClickFix, which has emerged as a favorite tool for deploying both infostealers and ransomware. At the same time, ransomware operators are expanding the types of assets leveraged in their attacks, often in an attempt to bypass EDR solutions.
Network infrastructure remains a popular initial access point, with over 20% of newly exploited vulnerabilities in H1 targeting these devices. But we’ve also seen attackers exploiting IP cameras and BSD servers for lateral movement and impact.
Beyond traditional cybercrime, the line between hacktivists and state-sponsored actors has become increasingly blurred, especially in attacks on critical infrastructure. What was once the exclusive domain of shadowy state actor groups is now often executed by faketivist fronts. We explored this trend in depth in our April report. Since then, escalating conflict in the Middle East has triggered renewed concern over Iranian hacktivist campaigns reaching targets in the US and Europe, echoing the notorious CyberAv3ngers campaign of late 2023.
Our new threat briefing reviews developments between January 1 and June 30, 2025 (2025H1), analyzing how the threat landscape has shifted compared with the same period in 2024. It includes a detailed examination of Iranian hacktivist activity and a breakdown of global attack trends.
Go deeper: See our interactive research page for all the most impactful trends in 2025.
Beyond the Numbers: Cybercrime Evolution, Healthcare Breaches, and Opportunistic OT Attacks
The full report goes deeper than raw metrics, offering analysis of how threat actor behavior continues to evolve, particularly in relation to ransomware, infostealers, healthcare breaches and OT exposure.
Ransomware and Infostealers
Most cybercriminal campaigns in 2025H1 involved either ransomware or infostealers. Several TTPs stood out:
- Initial access: Widespread use of Initial Access Brokers (IABs) and exploitation of VPNs, remote access tools, and file transfer solutions.
- ClickFix campaigns: Attackers trick users into copying and executing malicious PowerShell commands. First observed in late 2024, ClickFix has been gaining traction in 2025 and is now a favored delivery method for infostealers and occasionally ransomware.
- New asset types exploited: In March 2025, Akira ransomware was deployed via a compromised IP camera, echoing our 2022 R4IoT scenario. Also in March, the VanHelsing ransomware family introduced a multi-platform encryptor including support for BSD UNIX systems, with RansomHub and Hunters International also developing FreeBSD variants.
Healthcare Sector Under Pressure
Healthcare remained one of the top targeted industries. According to Health-ISAC, ransomware, VPN vulnerabilities, and compromised credentials were the most persistent risks. Data breaches also surged. In 2025H1:
- 341 healthcare breaches were reported in the US, each affecting over 500 individuals
- 29,799,648 individual identities were impacted
- 74% of breaches occurred at healthcare providers
- 76% were due to hacking/IT incidents
- 62% of breached data was located on network servers
Opportunistic Attacks on OT
Not all OT attacks are targeted. Increasingly, opportunistic threat actors, including hacktivists, are scanning and striking vulnerable OT environments indiscriminately. We track these through two lenses:
- Hacktivists claiming OT attacks. In 2025H1 we continued to observe hacktivist groups aligning with nation-state interests to disrupt cyber-physical systems. Increasingly, state-sponsored actors are adopting hacktivist personas to obscure attribution, amplify psychological impact and provoke geopolitical tension under the guise of grassroots hacktivism. Recent examples include pro-Iranian groups such as GhostSec and Arabian Ghosts attacking PLCs in Israel. Meanwhile, pro-Russian actors like Sector16 and Z-Pentest launched disruptive campaigns targeting oil and gas facilities in the US.
These groups often post edited screenshots, videos, and technical walk-throughs of compromised systems across Telegram and other platforms, blurring the line between real capability and propaganda.
In the full report, we provide a deep dive into APT IRAN, a newly emergent Iranian persona that appears to carry forward the OT/ICS targeting playbook of CyberAv3ngers. The group’s messaging, targeting choices, and defacement tactics suggest it may be the latest identity in a broader IRGC-run faketivist continuum.
- Internet-wide scanning and honeypot activity. Data from our Adversary Engagement Environment (AEE) shows continued growth in scans of OT protocols. Last year, we saw growing dominance of Modbus as the most scanned OT protocol and an increase in scans related to building automation protocols such as BACnet, KNX and Fox. Both trends continued in 2025H1. Modbus now accounts for 57% of OT interactions in the AEE (up from 40%), and BACnet is the third most popular at 8% of interactions (up from fifth place at 7% of interactions in 2024). EtherNet/IP remained in second position with 20% of interactions, down from 28% in 2024.
APT IRAN and Shifting Identities – A Continuum of Iranian Hacktivist Threats to OT/ICS
Iranian hacktivist groups, often state-sponsored faketivists, have targeted US and Israeli OT/ICS environments since at least 2020. Their campaigns typically spike in response to geopolitical events and frequently rely on psychological warfare, including exaggerated or fabricated claims.
At the end of H1, a new persona, APT IRAN, began claiming attacks on the same types of PLCs previously targeted by CyberAv3ngers. The group appears to be another iteration of a recycled IRGC-linked identity. The full report explores APT IRAN’s messaging, tooling, and close operational overlap with its predecessors.
Mitigation Recommendations
We encourage all organizations to prioritize visibility, risk assessment and proactive controls across today’s increasingly exploited attack surface, including network perimeter assets, operational technology, healthcare systems and IoT devices.
At a minimum, you should:
- Ensure proper visibility into these devices, including their presence on the network, the software they run, and their communication patterns. This can be achieved with agentless solutions.
- Understand their risk profile concerning vulnerabilities, weak configurations, exposure and other factors.
- Disable unused services and patch vulnerabilities to prevent exploitation.
- Change default or easily guessable credentials and use strong, unique passwords for each device.
- Enforce Multi-factor Authentication (MFA) whenever possible to add an additional layer of security, especially for VPN authentication processes.
- Encrypt all sensitive data in transit and at rest, especially personally identifiable information (PII), protected health information (PHI) and financial data.
- Avoid exposing unmanaged devices directly to the internet, except in rare cases. Ensure administrative interfaces (such as web UIs and engineering ports) on connected devices require authentication and are secured behind IP-based access control lists or a VPN-protected management VLAN.
- Enable IP-based access control lists for specific protocols, such as Modbus and BACnet for OT networks.
- Segment the network to isolate IT, IoT and OT devices, limiting network connections to only authorized management and engineering workstations or among unmanaged devices that need to communicate. Segmentation also helps to prevent lateral movement with compromised credentials.
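The per-protocol access control recommendation above, turned into a monitoring check. This is an added Python example, not code from the report or from Forescout: it audits constructed flow records against an assumed allowlist of which sources may speak Modbus/TCP, BACnet/IP and EtherNet/IP into the OT segment, and also reports each protocol's share of OT flows in the same way the AEE interaction shares are expressed above. The ports are the protocols' standard registrations; every address, network and the allowlist itself are assumptions chosen for the example.

```python
import ipaddress
from collections import Counter

# Standard ports for the three OT protocols named in the report.
OT_PROTOCOLS = {("tcp", 502): "Modbus/TCP", ("udp", 47808): "BACnet/IP",
                ("tcp", 44818): "EtherNet/IP"}

# Assumed per-protocol allowlist (example networks, not from the report):
# only these sources may speak the protocol into the OT segment.
ALLOWLIST = {
    "Modbus/TCP": [ipaddress.ip_network("10.10.20.0/24")],   # engineering VLAN
    "EtherNet/IP": [ipaddress.ip_network("10.10.20.0/24")],  # engineering VLAN
    "BACnet/IP": [ipaddress.ip_network("10.10.30.5/32")],    # building-management server
}

# Constructed flow records: (src_ip, dst_ip, proto, dst_port).
SAMPLE_FLOWS = [
    ("10.10.20.15", "192.168.50.10", "tcp", 502),    # engineering workstation -> PLC
    ("10.10.30.5", "192.168.50.20", "udp", 47808),   # BMS server -> BACnet controller
    ("10.10.40.7", "192.168.50.10", "tcp", 502),     # office workstation -> PLC: violation
    ("203.0.113.9", "192.168.50.20", "udp", 47808),  # internet source -> controller: violation
    ("10.10.20.15", "192.168.50.30", "tcp", 44818),  # engineering workstation -> EtherNet/IP drive
    ("10.10.40.7", "192.168.50.40", "tcp", 443),     # HTTPS, not an OT protocol: ignored
]

def classify(flow):
    """Map a flow to an OT protocol name, or None if it is not one."""
    return OT_PROTOCOLS.get((flow[2], flow[3]))

def allowed(src_ip, protocol):
    """True if src_ip is inside one of the protocol's allowlisted networks."""
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in ALLOWLIST.get(protocol, []))

def audit(flows):
    """Return (violations, share): ACL violations as (src, dst, protocol)
    tuples, plus each protocol's fraction of all OT flows seen."""
    violations, counts = [], Counter()
    for flow in flows:
        protocol = classify(flow)
        if protocol is None:
            continue  # not an OT protocol; out of scope for this check
        counts[protocol] += 1
        if not allowed(flow[0], protocol):
            violations.append((flow[0], flow[1], protocol))
    total = sum(counts.values())
    share = {p: round(n / total, 2) for p, n in counts.items()} if total else {}
    return violations, share
```

Calling `audit(SAMPLE_FLOWS)` flags the office workstation and the internet source while the engineering VLAN and BMS server pass; the same function can be fed flows exported from a firewall or network sensor instead of the constructed list.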
Additional mitigation recommendations from our research in 2025H1 include:
- Enable endpoint logging beyond alerts to include process, file, user, network, registry, driver and PowerShell activities.
- Gather logs from systems handling user authentication, especially single-sign on and cloud service access.
- Deploy continuous monitoring for suspicious authentication attempts and frequently review logs for potential unauthorized access.
- Rotate credentials and cryptographic keys suspected of being compromised.
- Block suspicious TLDs associated with infostealer infrastructure.
- Implement browser security controls to protect against credential theft.
- Conduct targeted training on social engineering techniques.
After implementing these proactive controls, ensure that threat detection and response systems encompass every device within the whole organization. Since threats now move from one type of device to another, it is crucial to detect them throughout the entire organization – from an entry point such as a vulnerable router, to a pivot point, like a misconfigured workstation, and finally to a target such as an insecure OT device. Ensure your threat detection solution covers all device types and ingests multiple data sources, including firewalls, intrusion detection systems, endpoint detection and response (EDR), and other security tools.