
Fortinet has released the new Fortinet FortiGuard Labs 2025 Global Threat Landscape report that reveals a sharp rise in Cybercrime-as-a-Service activity on the darknet, driving a booming underground market for stolen credentials, exploits, and unauthorized access. The report also highlights a record surge in automated cyberattacks, as threat actors increasingly weaponize AI and deploy sophisticated new techniques.
Data shows adversaries are moving faster than ever, automating reconnaissance, compressing the time between vulnerability disclosure and exploitation, and scaling their operations through the industrialization of cybercrime. FortiGuard also observed that threat actors are leveraging automation, commoditized tools, and AI to systematically erode the traditional advantages held by defenders.
“Our latest Global Threat Landscape Report makes one thing clear: Cybercriminals are accelerating their efforts, using AI and automation to operate at unprecedented speed and scale,” Derek Manky, chief security strategist and global vice president for threat intelligence at Fortinet FortiGuard Labs, said in a media statement. “The traditional security playbook is no longer enough. Organizations must shift to a proactive, intelligence-led defense strategy powered by AI, zero trust, and continuous threat exposure management to stay ahead of today’s rapidly evolving threat landscape.”
The FortiGuard Labs 2025 report disclosed that cybercriminals are deploying automated scanning tools at a massive scale. In 2024, active scanning in cyberspace surged by 16.7 percent globally. FortiGuard Labs recorded billions of monthly scan attempts, equivalent to 36,000 scans per second. These scans increasingly target exposed services such as SIP, RDP, and OT/IoT protocols like Modbus TCP, accounting for about 1.6 percent of scans, highlighting concerns about industrial infrastructure and supervisory control and data acquisition (SCADA) systems.
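The scanning figures above are a detection problem for defenders: a single source touching many distinct hosts and ports in a short window is the signature that distinguishes reconnaissance from normal traffic. The following is an added example, not code from the report or from Fortinet; the connection-log format, the sample lines, the 60-second window and the five-target threshold are all assumptions chosen for illustration, and the watched ports are the services the report names (SIP, RDP, Modbus TCP).

```python
"""Flag scan-like behaviour in connection logs.

Added example, not part of the FortiGuard report: the log format, the
sample lines and the thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Services the report names as frequent scan targets (port -> label).
WATCHED_PORTS = {5060: "SIP", 3389: "RDP", 502: "Modbus/TCP"}

# Constructed sample, one connection attempt per line:
# "<ISO timestamp> <src ip> <dst ip> <dst port> <proto>"
SAMPLE_LOG = """\
2024-06-01T10:00:00 203.0.113.7 198.51.100.10 502 tcp
2024-06-01T10:00:01 203.0.113.7 198.51.100.11 502 tcp
2024-06-01T10:00:01 203.0.113.7 198.51.100.12 502 tcp
2024-06-01T10:00:02 203.0.113.7 198.51.100.13 3389 tcp
2024-06-01T10:00:02 203.0.113.7 198.51.100.14 5060 udp
2024-06-01T10:00:03 203.0.113.7 198.51.100.15 22 tcp
2024-06-01T10:05:00 192.0.2.44 198.51.100.10 443 tcp
2024-06-01T10:05:30 192.0.2.44 198.51.100.10 443 tcp
"""


def parse_log(text):
    """Yield (timestamp, src, dst, dport) tuples from the sample format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _proto = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(dport)


def detect_scanners(text, window=timedelta(seconds=60), min_targets=5):
    """Return {src: summary} for every source that reaches at least
    `min_targets` distinct (dst, port) pairs within any `window`.

    A sliding window over each source's time-sorted events keeps the
    check linear in the number of events per source.
    """
    per_src = defaultdict(list)
    for ts, src, dst, dport in parse_log(text):
        per_src[src].append((ts, dst, dport))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        best = 0      # most distinct targets seen inside one window
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {(d, p) for _, d, p in events[start:end + 1]}
            best = max(best, len(targets))
        if best >= min_targets:
            # Report which of the watched services this source touched overall.
            ports = {p for _, _, p in events}
            flagged[src] = {
                "distinct_targets": best,
                "watched_ports": sorted(
                    WATCHED_PORTS[p] for p in ports if p in WATCHED_PORTS
                ),
            }
    return flagged


if __name__ == "__main__":
    for src, info in detect_scanners(SAMPLE_LOG).items():
        print(f"{src}: {info['distinct_targets']} targets, "
              f"watched services {info['watched_ports']}")
```

In the constructed sample the first source sweeps six hosts on Modbus, RDP, SIP and SSH within three seconds and is flagged; the second source repeatedly hits one HTTPS endpoint and is not. In production the thresholds would be tuned per network segment, since vulnerability scanners and monitoring systems legitimately produce the same pattern and belong on an allowlist.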
The Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) released a joint cybersecurity advisory (CSA) to warn that certain advanced persistent threat (APT) actors have exhibited the capability to gain complete system access to multiple industrial control system (ICS)/SCADA devices.
Weaponized tools like SIPVicious and commercial scanners are being used to identify vulnerable systems before patches can be applied, reflecting a major shift toward ‘left-of-boom’ tactics focused on pre-attack reconnaissance.
Hackers are also adopting AI to enhance phishing, impersonation, extortion, and evasion techniques. Tools like FraudGPT, BlackmailerV3, and ElevenLabs are being used to automate malware generation, craft realistic deepfakes, clone voices, and build phishing sites—creating more scalable, convincing, and effective attack campaigns. As predicted, Cybercrime-as-a-Service (CaaS) operators are embracing specialization, optimizing distinct parts of the attack chain using these AI capabilities.
The report found that the underground economy for initial access has exploded. FortiGuard Labs observed a 42 percent increase in compromised credentials available for sale, alongside a surge in Initial Access Broker (IAB) activity offering VPNs, RDPs, and admin panels. Infostealers like Redline and Vidar have driven a staggering 500 percent increase in credential logs found on darknet forums, enabling threat actors to purchase ready-made access to corporate environments. These credentials are the backbone of ransomware and espionage operations. Threat actors no longer just hunt for vulnerabilities to exploit; they’re buying entry into networks, and as long as stolen credentials remain abundant, brute force is unnecessary.
The FortiGuard Labs 2025 report said that while 13 new ransomware groups entered the Ransomware-as-a-Service (RaaS) ecosystem in 2024, illustrating market fragmentation, the top four groups still accounted for 37 percent of observed attacks, underscoring their continued dominance. Hacktivists are increasingly adopting ransomware tactics, and nation-state actors remain active, targeting key sectors such as manufacturing, government, education, and technology. Telegram has emerged as a central hub for sharing exploits, tools, and infrastructure, fostering operational unity across otherwise disparate threat groups.
While the average time to exploit new vulnerabilities remained steady at around 5.4 days in 2024, the volume of exploitation attempts surged, exceeding 97 billion for the year. Attackers increasingly targeted exposed IoT devices, routers, firewalls, and cameras for botnet control, lateral movement, and persistent access. Notably, CVE-2024-21887 in Ivanti products was exploited just six days after disclosure.
Meanwhile, post-exploitation tactics have grown stealthier. Despite a 39 percent increase in CVEs year-over-year, zero-day attacks remain rare. The FortiGuard Labs 2025 report said that hackers increasingly rely on living off the land techniques, leveraging legitimate tools and protocols for privilege escalation and persistence. FortiGuard Labs observed advanced behaviors such as Active Directory manipulation (DCShadow, DCSync), RDP-based lateral movement, and encrypted command-and-control using DNS and SSL.
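Of the Active Directory techniques named above, DCSync is a useful illustration of why living-off-the-land activity is hard to spot: the request is an ordinary directory replication call, and domain controllers make the same call to each other all day. The distinguishing signal is the identity making the request. The following is an added example, not code from the report or from Fortinet: it inspects Windows Security Event 4662 records for the two well-known replication control-access-right GUIDs and reports any requester that is not a known domain controller account. The event records are constructed and reduced to the fields the check needs, and the domain-controller allowlist is an assumption for the sample domain.

```python
"""Surface DCSync-style replication requests from non-DC accounts.

Added example, not from the FortiGuard report: the event records are
constructed and flattened to the fields a detection needs, and the
domain-controller allowlist is an assumption for the sample domain.
"""
import re

# Well-known Active Directory control-access-right GUIDs that appear in the
# 'Properties' field of Security Event 4662 when replication is requested.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {
    DS_REPLICATION_GET_CHANGES: "DS-Replication-Get-Changes",
    DS_REPLICATION_GET_CHANGES_ALL: "DS-Replication-Get-Changes-All",
}

GUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I
)

# Assumed sample domain: DC01 and DC02 are the only legitimate replication
# partners, so their machine accounts are expected to hold these rights.
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}

# Obvious placeholder for "some unrelated property GUID" in the sample.
OTHER_GUID = "00000000-0000-0000-0000-000000000000"

# Constructed events; a real 4662 carries many more fields and the
# Properties value is multi-line, which GUID_RE handles the same way.
SAMPLE_EVENTS = [
    # Routine DC-to-DC replication: must not alert.
    {"EventID": 4662, "SubjectUserName": "DC02$",
     "Properties": f"{{{OTHER_GUID}}} {{{DS_REPLICATION_GET_CHANGES_ALL}}}"},
    # A user account requesting full replication: alert.
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "Properties": f"{{{DS_REPLICATION_GET_CHANGES}}} "
                   f"{{{DS_REPLICATION_GET_CHANGES_ALL}}}"},
    # Same user touching an unrelated property: no alert.
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "Properties": f"{{{OTHER_GUID}}}"},
    # Different event type entirely: ignored.
    {"EventID": 4624, "SubjectUserName": "jdoe", "Properties": ""},
    # A service account with only the base replication right: alert.
    {"EventID": 4662, "SubjectUserName": "svc_backup",
     "Properties": f"{{{DS_REPLICATION_GET_CHANGES}}}"},
]


def replication_rights(properties):
    """Return the replication-right names referenced in a Properties field."""
    return sorted(
        REPLICATION_GUIDS[g.lower()]
        for g in GUID_RE.findall(properties)
        if g.lower() in REPLICATION_GUIDS
    )


def detect_dcsync(events, dc_accounts=KNOWN_DC_ACCOUNTS):
    """Return one finding per 4662 event in which a non-DC identity
    exercised a directory replication right."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if not rights:
            continue
        user = ev.get("SubjectUserName", "")
        if user in dc_accounts:
            continue  # expected replication partner
        findings.append({"user": user, "rights": rights})
    return findings


if __name__ == "__main__":
    for f in detect_dcsync(SAMPLE_EVENTS):
        print(f"replication request by non-DC account {f['user']}: {f['rights']}")
```

Event 4662 is only generated when auditing of directory service access is enabled for the domain naming context, so the rule depends on that audit policy being in place. Directory synchronisation service accounts legitimately hold these rights as well and would need to be added to the allowlist, which is exactly why the allowlist should be an explicit, reviewed inventory rather than a pattern such as "ends with `$`".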
Another interesting disclosure from the FortiGuard Labs 2025 report was that credentials available on the darknet are not just from past data breaches. “In 2024, FortiGuard Labs observed a 500 percent increase in logs from systems compromised by infostealer malware, with 1.7 billion stolen credential records shared in underground forums.”
Underground forums don’t just trade access and credentials; they also serve as a marketplace for sophisticated exploit kits targeting a wealth of vulnerabilities. In 2024, more than 40,000 vulnerabilities were added to the National Vulnerability Database, representing a 39 percent increase over 2023. Last year, 331 zero-day vulnerabilities were identified in darknet forums, with a growing number of exploits available for them.
Cybercriminals increasingly rely on sophisticated malware to establish long-term persistence within compromised environments. In 2024, the FortiGuard Labs team identified several particularly active and dangerous remote access trojans (RATs). Xeno RAT is feature-rich, open-source malware capable of screen capture, data exfiltration, and persistent access, and it uses a SOCKS5 reverse proxy for stealthy communication. SparkRAT is a highly advanced RAT that enables command execution, system manipulation (including shutdown, restart, and hibernation), and file and process control. AsyncRAT and Trickbot remain prominent threats, frequently linked to cyber espionage, credential theft, and persistent intrusion across networks.
The FortiGuard Labs 2025 Report highlights a rapidly evolving threat landscape in 2024, driven by the emergence of new ransomware groups, the growing sophistication of hacktivist campaigns, and the persistent activity of state-sponsored espionage actors. FortiGuard Labs analyzed these developments to deliver a comprehensive overview of adversaries’ tactics, techniques, and procedures (TTPs).
The RaaS ecosystem continues to expand, with new groups emerging and establishing double and triple extortion models. In 2024, RansomHub (13 percent), LockBit 3.0 (12 percent), Play (8 percent), and Medusa (4 percent) were the most active ransomware groups, accounting for 37 percent of the 1,638 identified victims used in the research analysis.
State-sponsored actors continued to operate with high levels of sophistication. China and Russia led cyber activity, with groups like Lazarus (21 percent), KIMSUKY (18 percent), APT28 (13 percent), Volt Typhoon (12 percent), and APT29 (10 percent) conducting advanced campaigns. Not surprisingly, government institutions remain the primary focus, followed by organizations in the technology and education sectors.
The FortiGuard Labs 2025 Report also highlighted strategic areas for CISOs (Chief Information Security Officers) to focus on. These include shifting from traditional threat detection to continuous threat exposure management, a proactive approach that emphasizes continuous attack surface management, real-world emulation of adversary behavior, risk-based remediation prioritization, and automation of detection and defense responses.
Utilizing breach and attack simulation (BAS) tools to regularly assess endpoint, network, and cloud defenses against real-world attack scenarios ensures resilience against lateral movement and exploitation. CISOs must also simulate real-world attacks by conducting adversary emulation exercises and red and purple teaming, and by leveraging MITRE ATT&CK to test defenses against threats like ransomware and espionage campaigns.
Additionally, the report recommends reducing attack surface exposure by deploying attack surface management (ASM) tools to detect exposed assets, leaked credentials, and exploitable vulnerabilities, while continuously monitoring darknet forums for emerging threats. It also suggests prioritizing high-risk vulnerabilities by focusing remediation efforts on vulnerabilities actively discussed by cybercrime groups, and leveraging risk-based prioritization frameworks such as EPSS and CVSS for effective patch management. Lastly, it prescribes leveraging dark web intelligence by monitoring darknet marketplaces for emerging ransomware services and tracking hacktivist coordination efforts to preemptively mitigate threats like DDoS and web defacement attacks.
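The prioritization recommendation above combines three signals the report treats separately: severity (CVSS), likelihood of exploitation (EPSS) and observed criminal interest (darknet discussion), plus whether the asset is actually exposed per the ASM inventory. The following is an added example, not code from the report or from Fortinet, showing one way to turn those signals into a remediation queue. The vulnerability records are constructed with obviously fake identifiers, and the tier thresholds (an EPSS cut-off of 0.10, a CVSS cut-off of 9.0) are assumptions a team would tune to its own risk appetite.

```python
"""Rank vulnerabilities for remediation using EPSS, CVSS and threat intel.

Added example, not from the FortiGuard report: the records, scores and
tier thresholds are constructed assumptions. EPSS is the estimated
probability (0-1) of exploitation in the next 30 days; CVSS is the
0-10 base severity score.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str                # placeholder identifiers below, not real CVEs
    cvss: float             # CVSS base score, 0-10
    epss: float             # EPSS probability, 0-1
    exposed: bool           # reachable from the internet per ASM inventory
    darknet_chatter: bool   # discussed or sold on monitored underground forums


# Constructed sample inventory.
SAMPLE_VULNS = [
    Vuln("CVE-0000-0001", cvss=9.8, epss=0.02, exposed=False, darknet_chatter=False),
    Vuln("CVE-0000-0002", cvss=7.5, epss=0.85, exposed=True, darknet_chatter=True),
    Vuln("CVE-0000-0003", cvss=5.3, epss=0.01, exposed=True, darknet_chatter=False),
    Vuln("CVE-0000-0004", cvss=8.8, epss=0.40, exposed=True, darknet_chatter=False),
]


def tier(v, epss_threshold=0.10, cvss_threshold=9.0):
    """Assign a remediation tier; 1 is most urgent.

    Tier 1: criminal interest is observed, or exploitation is likely and the
            asset is exposed. Severity alone does not reach this tier.
    Tier 2: exploitation is likely but the asset is internal, or the flaw is
            critical by CVSS with no exploitation signal yet.
    Tier 3: everything else, handled in the normal patch cycle.
    """
    if v.darknet_chatter or (v.epss >= epss_threshold and v.exposed):
        return 1
    if v.epss >= epss_threshold or v.cvss >= cvss_threshold:
        return 2
    return 3


def prioritize(vulns):
    """Return the vulnerabilities ordered by tier, then by descending
    EPSS, then by descending CVSS, so the queue is stable and explainable."""
    return sorted(vulns, key=lambda v: (tier(v), -v.epss, -v.cvss))


def remediation_order(vulns):
    """Convenience view: just the identifiers, in the order to work them."""
    return [v.cve for v in prioritize(vulns)]


if __name__ == "__main__":
    for v in prioritize(SAMPLE_VULNS):
        print(f"tier {tier(v)}  {v.cve}  cvss={v.cvss}  epss={v.epss:.2f}  "
              f"exposed={v.exposed}  chatter={v.darknet_chatter}")
```

The ordering deliberately puts a CVSS 7.5 flaw with active underground discussion ahead of a CVSS 9.8 flaw on an internal system with near-zero exploitation probability, which is the substance of the report's advice to let adversary behaviour, not severity alone, drive patching.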