Trellix issued new research on Tuesday, identifying that the threat landscape has seen a notable intensification, with threat detection volume increasing by 45 percent from the fourth quarter of last year to the first quarter of this year. The CyberThreat report identified that a surge in activity was accompanied by more sophisticated and targeted attacks, a wider range of active campaigns, and shifts in the geographical focus of these threats, highlighting the growing complexity and breadth of cyber threats faced by organizations worldwide.

In its ‘The CyberThreat Report: April 2025,’ Trellix revealed that the telecommunications sector has been particularly affected, with APT (Advanced Persistent Threat) activity targeting it more than any other industry. In fact, the telecom sector accounted for 47 percent of all detected APT activity, followed by the transportation and shipping industries. Notably, APT detections in the telecommunications sector increased by 92 percent in the first quarter of this year compared to the previous quarter, underscoring the growing threats to critical infrastructure in this field.

The CyberThreat report pointed out that China continues to be a dominant actor in the APT landscape. The most active groups during the reporting period were China’s APT40 and Mustang Panda, which together accounted for 46 percent of all detected APT activity. Additionally, the activity of China-aligned APT41 saw a significant increase of 113 percent in the first quarter of this year compared to the previous quarter, reflecting the persistent and evolving nature of Chinese cyber operations.

For the third consecutive report, Türkiye remained the country most frequently targeted by APT actors, with 38 percent of the detections directed at it. Additionally, the U.S. experienced a substantial rise in targeted attacks, with APT detections increasing by 136 percent in the first quarter of this year compared to the fourth quarter of last year. This highlights the growing prominence of the U.S. as a primary target in the current cyber threat landscape.

The CyberThreat report investigates the cyberthreat landscape and the tools, techniques, and motivations of the most persistent and nefarious nation-state and cybercriminal actors. Notably, Trellix telemetry showed APT detections targeting the U.S. in the first quarter of this year are 2.4 times higher than the level seen in the prior quarter. Of this activity, 47 percent was attributed to China-affiliated actors and 35 percent to Russia-aligned groups. The U.S. also remained the top target for ransomware, accounting for 58 percent of ransomware-related posts observed during the reporting period.

“The Trellix Advanced Research Center saw global threat detection volume from APT actors rise 45% alone from Q4 2024 to Q1 2025 – the landscape is acute, and the escalation of actor activity and increasing complexity of attack chains shouldn’t be overlooked,” said John Fokker, head of threat intelligence at Trellix. “Operational threat intelligence is just one ingredient to building resilience and outpacing bad actors. The current landscape demands a cybersecurity approach that can address multi-vector threats with defense in breadth.”

There was also an intensification of threats linked to China. China-based threat actors demonstrated increasingly refined tactics, shifting their focus from traditional methods like phishing to exploiting both zero-day and known vulnerabilities, the CyberThreat report disclosed. 

Russia-aligned cyber activity also surged. Trellix telemetry detected a rise in activity associated with Russian threat groups, particularly the Sandworm team, during the last quarter of 2024. APT29, also known as Midnight Blizzard, emerged as the third most active group, focusing heavily on the transportation and shipping (55 percent) and telecommunications (40 percent) sectors. While government institutions remained the top target across industries, threats to the telecom and technology sectors intensified notably. APT detections in the technology sector saw a 119 percent increase compared to the fourth quarter of last year.

The CyberThreat research also observed an expanding use of complex attack chains. Malicious actors increasingly target known software vulnerabilities while leveraging more sophisticated tools, enhanced evasion techniques, and advanced post-exploitation frameworks. Additionally, attackers increasingly targeted security software itself in efforts to undermine protective infrastructure.

The study also identified a growing presence of AI-based tools in the cybercriminal underground, some of which were available for as little as 30 cents (USD). A particularly concerning development was the advancement of AI-based voice synthesis technology, capable of generating highly realistic, context-aware conversations in multiple languages, potentially revolutionizing social engineering attacks.

Additionally, sophisticated machine learning models capable of processing, de-duplicating, and validating large volumes of stolen credentials in real-time were found for sale on the black market. These models enable cybercriminals to efficiently exploit stolen data at scale, facilitating large-scale credential stuffing and account takeover attacks.

The CyberThreat report identified that a Telegram bot, which leverages AI trained on criminal datasets, was available for sale for $10 per week. This bot enables automated fraud operations and social engineering attacks, providing cybercriminals with an easy-to-use tool for carrying out malicious activities. By harnessing AI’s capabilities, the bot streamlines the execution of various online scams, increasing the threat posed by this tool.

Significant advancements in AI-based voice synthesis technology have made it possible to clone voices with remarkable accuracy, enabling human-like interactions in multiple languages. This technology is particularly notable for its ability to maintain context-aware conversations, making it a powerful tool for social engineering attacks. Cybercriminals can use this technology to impersonate individuals convincingly, posing new challenges for security and trust.

The CyberThreat report detailed that the Black Basta ransomware group was observed utilizing ChatGPT and other AI tools to further their operations. These tools were used to create fraudulent formal letters in English, paraphrase text, rewrite C#-based malware in Python, debug code, and collect victim data. The use of AI in ransomware operations reflects the growing sophistication of cybercriminal tactics, as these tools allow for more efficient and convincing attacks.
