
Oct 23, 2025

Trellix CyberThreat Report Reveals Blurring Lines Between Nation-State Espionage and Financially Motivated AI Attacks

Latest report details an evolving threat landscape driven by AI adoption, novel insider threats, and critical vulnerability exploitation

Trellix, the company delivering the future of AI-powered cybersecurity, today issued The CyberThreat Report: October 2025, the latest research from the Trellix Advanced Research Center. The report, detailing threat intelligence insights observed from April 1 to September 30, 2025, reveals an increase in the adoption of AI-powered malware and tools by cybercriminals compared to previous quarters, as well as notable shifts in the threat landscape driven by geopolitical tensions and disruptive ransomware attacks.

Ransomware affected sectors: The industrial sector's dominance suggests ransomware groups have identified industrial operations as particularly vulnerable to disruption-based extortion.

“We’re seeing a transformation of threat actor behavior, with two clear and converging trends: automation and geopolitical malice,” said John Fokker, VP, Threat Intelligence Strategy, Trellix. “As threat actors near the AI adoption inflection point, demonstrating a more structured use of AI-powered attack methods over the last six months, they’ll be able to chain multiple AI-driven attacks with unprecedented fluidity, significantly shortening and diversifying the time required to execute an attack. Consequently, security teams must prioritize a defense-in-depth strategy, focusing on multiple detection opportunities across the entire attack kill-chain.”

The report highlights the convergence of nation-state operations and financially motivated campaigns, with the speed and breadth of attacks increasing across sectors. Key findings include:

  • APT detections continue to rise: An analysis revealed one of the most comprehensive APT datasets to date, with 540,974 total APT detections across 1,221 unique campaigns spanning 121 countries and 14 sectors. Most notably, Türkiye and the United States received the most detections, with the telecommunications sector heavily targeted.
  • North Korean insider threats target the United States: The threat landscape is shifting from traditional malware attacks to subtle, “malware-less” insider threats orchestrated by state-sponsored actors. The report highlights the DPRK IT worker campaign, as North Korean operatives seek to infiltrate American organizations by gaining employment.
  • Emergence of a new dominant player: Russian-speaking ransomware group Qilin has experienced a rapid ascent following the downfall of RansomHub. The group’s targeting strategy shows a clear preference for industrial organizations (29.25% of their attacks), followed by consumer services (16.10%), and financials (9.52%), suggesting an understanding of which sectors are most vulnerable and likely to pay ransoms quickly due to operational disruption concerns.
  • Escalation in AI adoption by threat actors: Cybercriminals increasingly seek to incorporate AI into their existing tools to accelerate malware development or to develop new AI-powered tools, such as the AI-powered infostealer LameHug. Additionally, Trellix observed the emergence of a fully automated, AI-generated ransomware on GitHub.
  • Exploiting weaknesses in the software supply chain: Threat actors actively exploited vulnerabilities in enterprise applications and open-source software, targeting foundational weaknesses. The proliferation of vulnerabilities in development tools during this period highlights the growing awareness of these risks.

"The evolving cyber landscape and ever-present threat of attack demand that organizations adopt actionable threat intelligence approaches," said Frank Dickson, VP Security & Trust, IDC.

While threat actors continue to evolve and scale their methods, defenders are adapting as well. Advancements in AI automation and the adoption of proactive operational threat intelligence build organizational resilience and readiness, narrowing the gap between detection and response. The continued collaboration, focus, and investment in public-private information sharing is also paramount to defense, as cybersecurity remains a shared responsibility.

The CyberThreat Report: October 2025 includes proprietary data from Trellix’s sensor network, investigations into nation-state and cybercriminal activity by the Trellix Advanced Research Center, and open and closed-source intelligence. It integrates AI-assisted data gathering to enhance the depth and timeliness of insights. The report is based on telemetry from threat detections, including when a file, URL, IP address, suspicious email, network behavior, or other indicator is detected and reported by the AI-powered Trellix Security Platform.

About the Trellix Advanced Research Center
The Trellix Advanced Research Center is at the forefront of research into the emerging methods, trends, and tools used by cyber threat actors across the global cyber threat landscape. Our elite team of researchers serves as the premier partner of CISOs, senior security leaders, and their security operations teams worldwide. The Trellix Advanced Research Center provides operational and strategic threat intelligence through cutting-edge content to security analysts, powers our industry-leading AI-powered cybersecurity platform, and offers intelligence products and services to customers globally. More at https://www.trellix.com/advanced-research-center.

Follow Trellix on LinkedIn and X.

Media Contact
Megan Haley
media@trellix.com

Source: Trellix