2025H1 Threat Review

Vulnerabilities, Threat Actors, and Ransomware

Once again, Forescout Research – Vedere Labs widens its mid-year lens with a macro look at the most pressing cybersecurity risks to date. From 3,649 ransomware attacks to state-sponsored intrusions to new trends in lateral movement, here are the new threat patterns and cyber attack behavior you need to know right now.


Year Over Year Increases: By the Numbers

  • 80%+ : CISA KEV additions
  • 46%+ : 0-day exploits
  • 36%+ : Ransomware attacks
  • 20/day : Ransomware attacks

137 Threat Actors, Origins, and Countries Targeted

China, Russia and Iran have the highest number of threat actors. The US, India, the UK, Germany, and Australia are the countries most targeted by threat actors.

Key Trends: Attackers Move Across the Network

What we predicted in our 2022 “R4IoT” research scenario is now a reality: IP cameras and BSD systems have become common targets, increasingly used for lateral movement or operational impact in ransomware campaigns. These asset types often fall outside the coverage of traditional endpoint protections.

Key Trends: Is It Hacktivism or a State-Sponsored Attack?

In today’s geopolitical landscape, this line is increasingly blurred, often by design. Identity-shifting threat actors use this ambiguity to confuse attribution and complicate response. The image is from the group “APT Iran”, which has claimed many attacks against Israel and the US in 2025; those claims have not been independently verified.

Attacks Targeting Industries

The most targeted industries are government, technology, financial services, telecommunications, and energy. Financial services dropped from second to third place while energy rose from eighth to fifth — reflecting increased threat activity against this sector.

Exploited Zero Days by Targeted Vendor

In 2025H1, 63 vulnerabilities were exploited as 0-days, up from the 43 in 2024H1. These 0-days impacted products from 27 vendors: 2025 is on track to exceed the record 100 exploited 0-days from 2024.
IoMT devices (pump controllers, medication dispensing systems and workstations) carry some of the most dangerous of these vulnerabilities, highlighting healthcare security risks.

Ransomware Attacks Per Industry

The same five industries remain in the top five, with one minor change in order: healthcare had more attacks than retail last year. Financial services saw 72% more ransomware attacks in 2025H1. Retail increased 66% YoY. Technology rose by 48%. Manufacturing increased by 24%.


Dive Into the Research

Stay on top of this year’s trends, so you can know where to focus your cybersecurity and OT defenses. Get all the data and analysis, including:

  • What’s really happening in state-sponsored activity against OT/ICS, including a deep dive on ‘APT Iran’ and its shifting identities
  • Threat actor trends by name, including new threat actor groups and new uses of ClickFix and initial access brokers in infostealer campaigns
  • Why aggressive EDR bypass techniques are now overtaking obfuscation as the dominant defense evasion approach
  • And much more …

See the Research, Share the Presentation

Vedere Labs shares an overview of the research in a presentation format for you and your security team to use and share. Get all the details of this mid-year threat report, key findings, and our recommendations for mitigating risk.

How Forescout Can Help

Introducing the Forescout 4D Platform™

Manage risks. Contain events. Mitigate threats.

The Forescout 4D Platform™ continuously identifies, protects and ensures the compliance of all managed and unmanaged cyber assets – IT, IoT, IoMT and OT – without business disruption.

  • Risk and exposure management. Identify, quantify and prioritize cybersecurity risk. Start by discovering and assessing every connected asset to gain real-time awareness of your attack surface.
  • Network security. Continuously monitor all connected assets to govern network access, using real-time traffic visibility to manage segmentation and dynamic control policies to mitigate and remediate risk.
  • Threat detection and response. Detect, investigate and respond to true threats and incidents using threat detection and response capabilities to collect telemetry and logs, correlate attack signals, generate high-fidelity detections and enable automated responses.