Interactive Report Summary

Q2 2025 Cyber Threat Report

New ransomware groups rise. Infostealers surge. Firewall exploits persist.
PDI’s latest threat intelligence reveals NightSpire’s rapid emergence, dark web listings nearly doubling, and evolving exploit tactics targeting edge devices. Get actionable insights to protect what matters most.

Top Findings at a Glance

EXPLOIT

Edge device exploits persist.

Despite an overall drop in volume, attacks against edge technologies like firewalls and VPNs remain high, with threat actors exploiting both new and legacy vulnerabilities.

DARK WEB

Marketplace activity nearly doubles.

Dark web listings surged 99.36% from Q1, led by a 2,290% increase in Vidar Stealer activity and Lumma’s rapid rebound after a mid-quarter takedown.

RANSOMWARE

NightSpire becomes top ransomware group.

A new group, NightSpire, became the most active ransomware operator, with Finance seeing a 14.95% increase in targeting, even as overall volumes dipped slightly.

Industry Spotlight: Finance Under Attack

Ransomware attacks against the financial sector rose by nearly 15% in Q2 2025, making it the only major sector to experience growth in activity. Financial institutions remain a high-value target for threat actors due to sensitive data, complex infrastructure, and strict regulatory environments.

Methodology

GATHER

Collects threat intelligence and data from global sources, client devices and reputable third parties.

PROCESS

Data is analyzed by a combination of machine learning, algorithm scoring and anomaly detection.

DETECT

Log data is ingested into PDI’s cloud-based SIEM, which alerts the security operations center (SOC). The SOC then notifies the client and works with them to remediate the threat.

EVALUATE

Analysts further scrutinize the research, scoring and tracking of existing and new threats.

DISSEMINATE

Analysts leverage the insights to constantly improve the SOC, alerting, and the community through the creation of detection rules, briefs, and presentations.

APRIL THROUGH JUNE
Q2 2025 in Review

Q2 2025 revealed a dramatic spike in dark web listings, the emergence of new ransomware groups, and continued targeting of VPNs, firewalls, and edge devices.

Let's Dive Into the Data

Q2 2025 highlighted a surge in infostealer malware, a drop in overall ransomware publications, and intensified attacks on remote access infrastructure.


April
4.4: Targeted Scanning Against PAN-OS GlobalProtect Portals
4.8: Fortinet Releases Critical FortiSwitch Patch Alongside Multiple Vulnerability Advisories
4.10: Microsoft’s April Patch Tuesday Addresses 1 Actively Exploited Zero-Day, 126 Vulnerabilities
4.17: Fortinet Warns Attackers Retain Access to Patched FortiGate VPNs Using Symlinks
4.22: Multiple State-Sponsored Groups Weaponize ClickFix Social Engineering Tactic

May
5.2: SonicWall Advises SMA Appliances Being Actively Exploited
5.6: Venom Spider Spear-Phishing Campaign Targets Corporate HR Departments
5.14: Microsoft’s May Patch Tuesday Addresses 5 Actively Exploited, 72 Vulnerabilities
5.16: Fortinet Patches Critical Zero-Day Exploited in FortiVoice System
5.20: Ransomware Groups Increasingly Using Skitnet Malware for Post-Exploitation Attacks
5.22: Lumma InfoStealer’s Infrastructure Seized During Global Coordinated Takedown
5.29: Operation ENDGAME Dismantled Global Ransomware Infrastructure

June
6.6: Google Issues Emergency Patch to New Chrome Zero-Day Actively Exploited in Attacks
6.11: Microsoft’s June 2025 Patch Tuesday Addresses 11 Critical Vulnerabilities and Two Zero-Days
6.17: Over 46,000 Grafana Instances Exposed to Malicious Account Takeover Attacks
6.27: New ‘CitrixBleed 2’ NetScaler Vulnerability Lets Attacker Hijack Sessions

Stay Vigilant

Despite the varying levels of malware, botnet and exploit activity, bear in mind that just one successful breach can significantly impact your business. It's essential to maintain a clear view of your environment to defend against potential threats. As threat actors continually update their strategies, your security measures need to adapt accordingly. Always stay on guard!

Meet Our Threat Intelligence Experts

Justin Heard
Director of Security Operations

As PDI's Director of Security Operations, Justin Heard is at the helm of the company's key security initiatives, encompassing incident response, threat hunting and cyber intelligence. With over 16 years of experience in cybersecurity, including roles such as threat hunter, incident commander and intelligence analyst, Justin has a deep understanding of the cybersecurity domain. His leadership is instrumental in bolstering PDI’s defenses and adapting to the rapidly changing landscape of cyber threats.

Before his tenure at PDI, Justin enhanced his skill set in the defense sector, serving as a network administrator and security engineer. Justin has an associate degree in Computer Networking Systems from ITT Tech.

Josh Smith
Supervisor, Threat Intelligence

Josh is a supervisor of threat intelligence at PDI who works closely with organizational threat landscapes, curates threat intelligence, and authors PDI’s Quarterly Threat Landscape Report. Josh holds a Master’s degree in Cybersecurity Technology. Previously he served with the U.S. Navy as an Operations Specialist with 14 years of service. Josh has been quoted in Forbes, CSO Online, Channel Futures, Dark Reading, and others.
