Government-backed cybercriminals mostly responsible for exploiting software weaknesses
In the first half of 2025, cybersecurity researchers have observed a significant increase in state-sponsored cyber attacks. According to Recorded Future's Insikt Group, these campaigns were mainly conducted by Chinese state-sponsored actors.
China was found to be behind most state-sponsored campaigns during this period. One of the key tools used by these actors was ClickFix, a social engineering technique that manipulates victims into copying and pasting a malicious script, bypassing security protections as the victim infects themselves.
The success of ClickFix is expected to make it a favored initial access technique throughout 2025, unless widespread mitigations reduce its effectiveness. In January and February 2025, the Interlock gang used ClickFix in their campaigns, leading to the development of FileFix, a variant in which users are tricked into pasting a malicious file path into the Windows File Explorer address bar.
The primary motives for state-sponsored threat actors remain espionage and surveillance. Researchers predict that the exploitation of edge security appliances, remote access tools, and other gateway-layer software will remain a top priority for both state-sponsored and financially-motivated groups.
Interestingly, the Chinese group UNC5221 exploited the highest number of vulnerabilities in H1 2025. They demonstrated a preference for Ivanti products, including Endpoint Manager Mobile, Connect Secure, and Policy Secure. The strategic value of these systems, acting as intermediaries for encrypted traffic and privileged access, makes them high-reward targets.
Microsoft was the most targeted vendor, with the tech giant's products accounting for 17% of exploited vulnerabilities. The total number of disclosed common vulnerabilities and exposures (CVEs) grew 16% year-over-year. Of the 161 flaws exploited, 30% enabled remote code execution (RCE), which often grants an attacker full control over the target system. Moreover, 69% required no authentication to exploit, while 48% could be exploited remotely over a network.
Financially motivated groups accounted for 47% of vulnerability exploits. Ransomware groups have increased their use of endpoint detection and response (EDR) evasion via bring-your-own-installer (BYOI) techniques and custom payloads using just-in-time (JIT) hooking and memory injection to bypass detection.
As we move forward, it is crucial for organisations to stay vigilant and implement robust cybersecurity measures to protect against these threats. Regular updates, strong authentication protocols, and network segmentation can significantly reduce the risk of successful attacks.