Current and Emerging Malware Trends from 2025


Among remote access and loader tools, several RAT and Trojan families continue to dominate underground discussions and sales activity, reflecting their ongoing role as first-stage infection mechanisms. Figure 1 illustrates the steady level of RAT activity observed across dark web forums and marketplaces, incorporating trends in mentions, listings, and related infection telemetry. All subsequent graphs in this section draw on the same dataset, representing aggregated deep and dark web mentions, marketplace listings, recent activity, and observed infections.

Figure 1: RATs and Trojan activity over the past year on the deep and dark web.

In contrast, general malware activity (as seen below) across the underground shows consistent volume with periodic surges around newly released stealer kits and ransomware variants.


Figure 2: General malware activity over the past year on the deep and dark web.

Emerging malware trends and tools from 2025

New and evolving malware families continue to surface, reflecting both innovation among threat developers and the influence of geopolitical conflicts. The following threats and malware tools were particularly active or noteworthy during the first half of 2025:

  • Sponsor Backdoor: Operators deploy this backdoor on internet-facing Microsoft Exchange servers after exploiting known Exchange vulnerabilities (CVE-2021-26855, ProxyLogon) for initial access; once installed, it provides persistent access and exfiltrates host and network data.
  • BUGHATCH Malware: BUGHATCH is a downloader/loader associated with Cuba ransomware operations and has been used against organizations across the Americas. Operators exploit Veeam Backup & Replication vulnerabilities to gain a foothold and then use BUGHATCH to stage additional payloads.
  • WhisperGate, FoxBlade, DesertBlade, and CaddyWiper: These destructive wiper families, first deployed against Ukrainian targets in 2022, continue to be used in operations primarily targeting critical infrastructure. They overwrite system files and boot records, and WhisperGate in particular masqueraded as ransomware with a fake ransom note, illustrating how state-aligned operations borrow the tooling and tradecraft of criminal ones.
  • ChaosBot: A newly identified malware family written in Rust, ChaosBot uses Discord for command and control, so its beacons and tasking blend in with legitimate traffic to discord.com. This continues the trend of attackers abusing mainstream platforms for stealth and persistence, since blocking the platform outright is rarely an option for defenders.
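Because Discord cannot simply be blocked in most estates, the practical response to the ChaosBot pattern is to hunt for *who* is talking to Discord and *how*. The following Python hunt is an added example (not code from the original report or from Bitsight) that runs over proxy- or EDR-style network records. The log layout, the process allow-list and the sample records are all constructed for the example; the Discord hostnames and the webhook and attachment URL shapes are the real ones. It flags webhook POSTs (the usual exfiltration route), scripting hosts and LOLBins contacting Discord at all, and any other non-allow-listed process doing so, calling out CDN attachment downloads as possible payload staging.

```python
"""Hunt for Discord used as a command-and-control or exfiltration channel.

Added example, not Bitsight code. Reads network records of the constructed form
"<ts> <host> <process> <method> <dest_host> <path> <bytes_out>" and flags:
  1. any POST to a Discord webhook URL (stolen data is commonly pushed this way);
  2. scripting hosts and LOLBins talking to Discord at all;
  3. any other process outside a per-estate allow-list talking to Discord,
     with CDN attachment downloads called out as possible payload staging.
"""
import re
from dataclasses import dataclass

# Discord API, gateway and CDN hostnames (real hostnames; the set itself is an assumption).
DISCORD_HOSTS = {
    "discord.com", "discordapp.com", "gateway.discord.gg",
    "cdn.discordapp.com", "media.discordapp.net",
}

# Processes expected to reach Discord on a workstation. Assumed allow-list; tune per estate.
ALLOWED_PROCESSES = {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Interpreters and living-off-the-land binaries that never need the Discord API.
SUSPICIOUS_PROCESSES = {
    "powershell.exe", "pwsh.exe", "python.exe", "rundll32.exe", "regsvr32.exe",
    "mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe", "certutil.exe",
}

# Webhook URLs look like /api/webhooks/<id>/<token> (optionally /api/v10/...).
WEBHOOK_RE = re.compile(r"^/api/(?:v\d+/)?webhooks/\d+/[\w-]+")
# CDN attachment URLs look like /attachments/<channel_id>/<attachment_id>/<name>.
ATTACHMENT_RE = re.compile(r"^/attachments/\d+/\d+/")


@dataclass
class Alert:
    timestamp: str
    host: str
    process: str
    reason: str
    url: str


def parse_record(line: str):
    """Split one log line into fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, host, process, method, dest, path, bytes_out = parts
    return {
        "ts": ts, "host": host, "process": process.lower(),
        "method": method.upper(), "dest": dest.lower(),
        "path": path.split("?", 1)[0],   # drop the query string before matching
        "bytes_out": int(bytes_out) if bytes_out.isdigit() else 0,
    }


def hunt(lines):
    """Return an Alert for every record matching one of the three patterns."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["dest"] not in DISCORD_HOSTS:
            continue
        url = rec["dest"] + rec["path"]

        # Pattern 1: webhooks are write-only channels; end-user hosts should not post to them.
        if rec["method"] == "POST" and WEBHOOK_RE.match(rec["path"]):
            alerts.append(Alert(rec["ts"], rec["host"], rec["process"],
                                f"webhook POST of {rec['bytes_out']} bytes (possible exfiltration)", url))
            continue

        # Patterns 2 and 3: which process is talking to Discord?
        if rec["process"] in SUSPICIOUS_PROCESSES:
            reason = "scripting host or LOLBin contacting Discord"
        elif rec["process"] not in ALLOWED_PROCESSES:
            reason = "unexpected process contacting Discord"
        else:
            continue  # browser or Discord client: expected traffic
        if ATTACHMENT_RE.match(rec["path"]):
            reason += "; CDN attachment download (possible payload staging)"
        alerts.append(Alert(rec["ts"], rec["host"], rec["process"], reason, url))
    return alerts


# Constructed sample records; hostnames, process names, IDs and sizes are made up.
SAMPLE_LOG = """\
2025-06-02T09:14:03Z ws-041 chrome.exe GET discord.com /api/v9/users/@me 512
2025-06-02T09:14:09Z ws-041 discord.exe GET gateway.discord.gg /?v=10&encoding=json 240
2025-06-02T09:15:30Z ws-117 powershell.exe GET discord.com /api/v10/channels/1234/messages 310
2025-06-02T09:15:31Z ws-117 powershell.exe GET cdn.discordapp.com /attachments/1234/5678/update.bin 122
2025-06-02T09:16:02Z ws-117 rundll32.exe POST discord.com /api/webhooks/1234/AbCdEf_gh-ij 184320
2025-06-02T09:17:00Z ws-202 svc_updater.exe GET discord.com /api/v10/gateway 200
2025-06-02T09:18:00Z ws-041 chrome.exe GET cdn.discordapp.com /attachments/99/88/photo.png 9000
"""

if __name__ == "__main__":
    for a in hunt(SAMPLE_LOG.splitlines()):
        print(f"{a.timestamp} {a.host} {a.process}: {a.reason} [{a.url}]")
```

On the sample data the browser and the Discord client on ws-041 produce nothing, while ws-117 yields the full ChaosBot-style chain (interpreter polling a channel, pulling a binary from the CDN, then pushing 180 KB to a webhook from rundll32) and ws-202 surfaces an unknown service talking to the API. In a real deployment the allow-list should be derived from the estate's own baseline, and the webhook rule is worth keeping even for allow-listed browsers, since ordinary users do not post to webhooks.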

Malware targeting by sector: Who’s most at risk?

Threat actors are motivated by profit, ideology, and influence, and their targeting patterns reflect those priorities. During the first half of 2025, Bitsight observed persistent targeting across several key industries.

1. Technology

The technology sector remains one of the most frequently targeted industries. Threat actors continue to exploit trusted vendor relationships, managed service providers, and software supply chains to access downstream clients. The sector’s interconnected nature makes it a prime target for both espionage and financially motivated operations. According to Bitsight Threat Intelligence data derived from observed third-party breach telemetry, nearly half (46.75%) of breaches in 2025 involved technology products and services, underscoring the sector’s systemic exposure through vendor and partner ecosystems.

Bitsight also observed a relative decline in deep and dark web mentions, infection telemetry, and targeting references associated with this sector in recent months. This decrease may indicate a temporary shift in attacker focus, improved defensive posture, or reduced underground visibility rather than a long-term reduction in risk.


Figure 3: General malware activity in the technology sector over the past year.

2. Government and Administration

Government organizations continue to face sustained attacks from both state-linked and financially motivated actors. Bitsight observed ongoing data theft, espionage, and disruption campaigns targeting ministries, defense agencies, and local administrations. Dark web chatter and incident telemetry indicate steady pressure on public-sector networks, reflecting the persistent value of governmental and defense-related data.

Although overall activity levels have remained consistent, attacks increasingly leverage vulnerabilities in remote-access infrastructure and publicly exposed services.


Figure 4: General malware activity in the government sector over the past year on the dark web.

3. Finance

Financial institutions remain highly attractive to attackers because of the concentration of personal and transactional data they hold. Bitsight observed a 47% year-over-year increase in attacks against the finance sector during 2024, driven largely by ransomware and credential-theft campaigns.

While many organizations have improved detection and response capabilities, attackers are adapting quickly with new delivery methods and evasion tactics. Access brokers and stealer-log sellers continue to monetize compromised financial credentials, reinforcing the sector’s persistent exposure within the underground economy.


Figure 5: General malware activity in the financial sector over the past year.

4. Education

Educational institutions continue to experience elevated levels of ransomware and data-theft activity. Decentralized IT environments, legacy systems, and limited resources contribute to ongoing vulnerability. Bitsight data indicates that underground marketplaces regularly advertise access to university networks and research servers, suggesting that educational institutions are being used for both testing and monetization purposes.

Targeting of this sector has remained steady through 2025, reflecting its consistent appeal to opportunistic attackers.


Figure 6: General malware activity in the education sector over the past year.

5. Healthcare

Healthcare providers, pharmaceutical firms, and research organizations remain among the most targeted industries due to the sensitivity and urgency of their data. Bitsight Threat Intelligence indicates that 93% of U.S. healthcare organizations reported at least one cyber incident in the past year, and 60% experienced ransomware attacks in 2024.

Breach costs in this sector averaged $10.3 million per incident, the highest across industries. Ongoing ransomware and data-exfiltration campaigns continue to disrupt operations and drive extortion pressure, highlighting healthcare as the single most at-risk vertical.


Figure 7: General malware activity in the healthcare sector over the past year.

Outlook: The underground economy ahead

As 2025 progresses, the underground cybercrime economy shows no signs of slowing. Service-based models such as malware-as-a-service (MaaS) and ransomware-as-a-service (RaaS) continue to lower the barrier to entry, enabling a wider range of actors to participate in sophisticated operations. Bitsight's sectoral intelligence indicates that healthcare and technology remain the most persistently targeted industries, while finance and education continue to face steady pressure from credential-theft and ransomware campaigns.

Threat actors are increasingly abusing legitimate infrastructure — from cloud platforms to collaboration tools like Discord — to host payloads, exfiltrate data, and manage command-and-control operations, complicating both detection and attribution. Bitsight anticipates continued growth in stealer and loader malware families through the remainder of 2025, alongside sustained third-party and supply chain exposure across critical sectors.

Organizations should maintain heightened vigilance around third-party risk management, patch hygiene, and identity security to mitigate threats emerging from this rapidly professionalizing underground market.


Bitsight Threat Intelligence, 2025. Based on observed dark web and exposure data.
