Security coverage is falling behind the way attackers behave

Cybercriminals keep tweaking their procedures, trying out new techniques, and shifting tactics across campaigns. Coverage that worked yesterday may miss how those behaviors appear today.

The 2025 Threat-Led Defense Report from Tidal Cyber draws on tens of thousands of observed techniques and procedures collected through its threat intelligence platform. The study tracks adversary activity across campaigns, sectors, and regions, then maps that activity to MITRE ATT&CK behaviors.

TTP evolution shows groups adapting in place

Attacker tactics, techniques, and procedures continue to evolve within active threat groups.

Void Rabisu shows a shift away from single-motive operations. Activity expanded from ransomware-driven campaigns into espionage-aligned behavior, with targets including telecom, energy, military, and government organizations. Researchers tracked changes in tooling, credential access, and detection evasion, including expanded use of advanced techniques against cloud and enterprise environments.

Scattered Spider activity from 2022 through 2025 reflects steady expansion across platforms and sectors. The group moved from customer support and business process outsourcing firms into retail, technology, and finance. Analysis shows extensive SaaS targeting, including access to Salesforce, Microsoft Teams, Slack, Confluence, and SharePoint. Researchers recorded 225 procedures across 94 clusters tied to Scattered Spider activity.

Akira ransomware operations continued to adapt through 2025. Observations include 165 procedure sightings and noted reuse of familiar commands paired with subtle procedural changes. Activity focused on credential access, data exfiltration, and recovery inhibition. Tooling included AdFind, Net Group, SharpHound, and other common enterprise reconnaissance utilities.

Zero-day activity spreads outward

Zero-day exploits once appeared mainly in state-sponsored operations. The 2025 data shows wider adoption across criminal and hybrid actors. The report identifies over 58 threat objects associated with known or suspected zero-day exploitation.

Several campaigns illustrate this trend. Chinese-linked groups exploited vulnerabilities in SharePoint environments at scale. Another campaign involved exploitation of Ivanti VPN systems beginning in December 2024. Financially motivated actors also entered the space, using stolen data as leverage in extortion schemes tied to cloud infrastructure compromise.

The report describes zero-day use as commoditized. Exploits move quickly from discovery into active abuse. This compresses defender response windows from weeks into days. Early detection depends on identifying behavior tied to exploitation rather than waiting for vulnerability disclosures or patches.

Social engineering regains ground

Social engineering regained prominence as a primary intrusion path in 2025. The report links this resurgence to automation and AI. Attackers use AI tools to scale phishing, voice calls, and credential harvesting while increasing believability.

Identity became a primary target. Campaigns focused on SaaS access, cloud administration, and single sign-on abuse. Luna Moth evolved from simple callback phishing into multi-channel operations combining voice, email, and infrastructure control. UNC6040 targeted Salesforce environments through impersonation and consent abuse, enabling large-scale data access without malware deployment.

The study highlights 35 procedures connected to social engineering activity, spread across 18 software platforms. This procedural visibility helped analysts connect campaigns early and identify attack chains that bypass endpoint defenses entirely.

Ransomware fragments and multiplies

Ransomware operations continued to fragment and diversify. The report tracked 54 ransomware groups and related entities during the year, with 16 emerging groups identified. Analysts observed extensive cross-group procedure reuse, with 92% of ransomware procedure sightings clustered with previously observed activity.

Encryption remained part of many operations, though extortion relied more heavily on data theft, identity compromise, and business disruption. Groups such as Medusa, Qilin, and Interlock adopted double and triple extortion workflows, targeting backups, cloud assets, and identity systems to increase pressure.

Smaller teams moved faster. These groups adopted multi-platform tooling, cloud abuse, and living-off-the-land techniques to reduce infrastructure overhead. The research shows ransomware activity driven by procedures rather than malware families, making behavioral coverage central to defense.

Coverage gaps appear at the behavior layer

One theme that runs through the findings is the presence of defensive gaps at the procedure level. Many organizations track techniques and tools, while execution details that signal intent receive less attention. The research connects observed procedures directly to detection and prevention controls, showing where coverage holds and where it breaks down.

This approach centers on verification through observed activity. Mapping controls to attacker behavior shows whether alerts trigger during live intrusions or only during testing. The data shows controls failing to activate when attackers alter execution steps, even when the underlying technique remains the same.
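The coverage gap the report describes, a control that fires on one execution of a technique but stays silent when the attacker changes the procedure, can be made concrete with a small coverage check. The following is an added example written for this article, not code from Tidal Cyber or the report. It runs two detection rules over constructed process-creation command lines that all perform the same behavior (domain group enumeration, which the report's Akira section touches on via Net Group and AdFind) with varied execution details, and reports how many sightings each rule catches. The ATT&CK technique ID used for the mapping, the rule names, and every sample command line are assumptions made for the example.

```python
"""
Added example (not code from the Tidal Cyber report or the article): a small
procedure-level coverage check. Two detection rules are run over constructed
process-creation command lines that all carry out the same ATT&CK technique,
domain group enumeration, with varied execution details. The result shows an
exact-string rule losing coverage as soon as the procedure changes, while a
rule written against the behaviour keeps firing.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Example's own mapping assumption: ATT&CK T1069.002,
# Permission Groups Discovery: Domain Groups.
TECHNIQUE = "T1069.002"

# Constructed sample events: (command line, True if it is a sighting of the
# technique). Sightings 2 to 6 are procedural variants of sighting 1.
SAMPLE_EVENTS: List[Tuple[str, bool]] = [
    ('net group "Domain Admins" /domain', True),
    ('net1 group "Domain Admins" /domain', True),               # net1 instead of net
    ('NET GROUP "domain admins" /DOMAIN', True),                # casing changed
    ('cmd.exe /c net  group  "Domain Admins"  /domain', True),  # via cmd, extra spaces
    ('C:\\Windows\\System32\\net.exe group "Enterprise Admins" /domain', True),  # full path
    ('adfind.exe -f "(objectcategory=group)"', True),           # different tool, same goal
    ('notepad.exe report.txt', False),                          # benign
    ('net use Z: \\\\fileserver\\share', False),                # net, but not group enumeration
]


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str
    match: Callable[[str], bool]


def tokens(cmd: str) -> List[str]:
    """Split a command line on whitespace, keeping quoted arguments whole."""
    return [t.lower() for t in re.findall(r'"[^"]*"|\S+', cmd)]


def basename(tok: str) -> str:
    """Strip a leading path and a .exe suffix, e.g. a full net.exe path -> 'net'."""
    name = tok.rsplit("\\", 1)[-1]
    return name[:-4] if name.endswith(".exe") else name


def brittle_match(cmd: str) -> bool:
    """Procedure-bound rule: fires on exactly one command string."""
    return cmd == 'net group "Domain Admins" /domain'


def behaviour_match(cmd: str) -> bool:
    """Behaviour-bound rule: net/net1 group ... /domain, or an adfind group filter,
    regardless of path, casing, spacing or a wrapping interpreter."""
    toks = tokens(cmd)
    for i, tok in enumerate(toks):
        exe, rest = basename(tok), toks[i + 1:]
        if exe in ("net", "net1") and rest[:1] == ["group"] and "/domain" in rest:
            return True
        if exe == "adfind" and any("objectcategory=group" in r for r in rest):
            return True
    return False


RULES = [
    Rule("exact_net_group_string", TECHNIQUE, brittle_match),
    Rule("domain_group_enumeration", TECHNIQUE, behaviour_match),
]


def coverage(rule: Rule, events: List[Tuple[str, bool]]) -> Dict[str, float]:
    """Fraction of true sightings the rule fires on, plus false positives on benign events."""
    sightings = [c for c, is_hit in events if is_hit]
    benign = [c for c, is_hit in events if not is_hit]
    caught = sum(rule.match(c) for c in sightings)
    false_pos = sum(rule.match(c) for c in benign)
    return {"caught": caught, "sightings": len(sightings),
            "coverage": caught / len(sightings), "false_positives": false_pos}


def coverage_report(events: List[Tuple[str, bool]] = SAMPLE_EVENTS) -> Dict[str, Dict[str, float]]:
    """Coverage statistics for every rule, keyed by rule name."""
    return {r.name: coverage(r, events) for r in RULES}


if __name__ == "__main__":
    for name, stats in coverage_report().items():
        print(f"{name:28s} {TECHNIQUE}  {stats['caught']}/{stats['sightings']} sightings "
              f"({stats['coverage']:.0%}), {stats['false_positives']} false positives")
```

Run against the constructed events, the exact-string rule covers one of six sightings and the behaviour rule covers all six, with neither flagging the benign commands. The same structure scales to real telemetry: feed the sightings recorded for a technique into `coverage_report` and the per-rule ratio shows where a control holds and where a change in execution steps makes it go quiet.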

“Strength will be measured by the adversary behaviors you can stop, and that starts with how attackers operate and the exact techniques they use,” said Tidal Cyber CEO Rick Gordon.
