Obrela, a global leader in cyber risk management and Managed Detection and Response (MDR), has published its H1 2025 Digital Universe Report, providing insight into the current global cyber threat landscape. The report reveals that attackers are increasingly using scalable automation and stealthy, in-memory techniques to evade detection and infiltrate critical systems.

According to the report, brute force attacks accounted for over a quarter of all alert activity (27%), with vulnerability scanning (22%) and indicator-of-compromise (IoC) matches (20%) next, reflecting a reliance on automated tooling for initial access. Alongside these high-volume, scalable methods, adversaries are increasingly using stealthier fileless and in-memory techniques to bypass traditional defences.
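The alert categories above are counts from the report, not detection logic. The following is an added example, not code from Obrela or from the Digital Universe Report, showing the kind of behavioural rule that turns raw failed-logon telemetry into a brute-force alert: a sliding-window count of failures per source, escalated when the same source then logs on successfully, which is the case a responder actually needs to see. The sshd log lines, the five-failures-in-60-seconds threshold and the escalation rule are constructed assumptions for illustration.

```python
"""Added example: a minimal brute-force detector over SSH auth log lines.

Illustrative code written for this page, not tooling from Obrela or the
report. Log lines, thresholds and window length are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of sshd auth log lines (not real data): one source
# sprays five failures then succeeds; another has one typo then succeeds.
SAMPLE_LOG = """\
2025-03-04T10:00:01 sshd[101]: Failed password for root from 203.0.113.7 port 51000 ssh2
2025-03-04T10:00:02 sshd[102]: Failed password for admin from 203.0.113.7 port 51001 ssh2
2025-03-04T10:00:03 sshd[103]: Failed password for invalid user test from 203.0.113.7 port 51002 ssh2
2025-03-04T10:00:04 sshd[104]: Failed password for root from 203.0.113.7 port 51003 ssh2
2025-03-04T10:00:05 sshd[105]: Failed password for root from 203.0.113.7 port 51004 ssh2
2025-03-04T10:00:09 sshd[106]: Accepted password for deploy from 203.0.113.7 port 51005 ssh2
2025-03-04T10:05:00 sshd[107]: Failed password for alice from 198.51.100.9 port 40000 ssh2
2025-03-04T10:05:30 sshd[108]: Accepted password for alice from 198.51.100.9 port 40001 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(line):
    """Parse one sshd auth line into a dict, or None if it is not a logon event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ok": m["result"] == "Accepted",
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_brute_force(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return alerts for sources with >= `threshold` failures inside `window`.

    A successful logon from a source that has just crossed the threshold is
    escalated to high severity: a spray followed by a valid logon needs a
    responder, not just a rate limit.
    """
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    flagged = {}                   # ip -> time the threshold was crossed
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        q = failures[ip]
        # Drop failures that have fallen out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if not ev["ok"]:
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = ts
                alerts.append({
                    "ip": ip, "severity": "medium",
                    "reason": f"{len(q)} failed logons within {window.seconds}s",
                })
        elif ip in flagged and ts - flagged[ip] <= window:
            alerts.append({
                "ip": ip, "severity": "high", "user": ev["user"],
                "reason": "successful logon shortly after brute-force burst",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```

On the constructed sample this yields two alerts for 203.0.113.7 (a medium alert on the fifth failure, then a high alert when `deploy` logs on four seconds later) and nothing for 198.51.100.9, whose single failure never reaches the threshold. In production the same logic would run per source against an identity provider's or EDR's logon events rather than raw syslog, and the threshold would be tuned per environment.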

The report is based on data from Obrela's global MDR infrastructure, which processed 16.8 petabytes of telemetry from more than 522,000 monitored endpoints during the first half of 2025. The platform generated 876,842 alerts, of which 11,351 were confirmed cyberattacks.

“Our new report shows that attackers aren’t just getting faster and more sophisticated, they’re stealthier,” said Dr George Papamargaritis, VP MSS of Obrela. “We have seen brute force and vulnerability scanning surge, while traditional malware has nearly disappeared from early alerts. This marks a clear move toward evasion, automation and persistence. To stay ahead, defenders must adopt behavioural analytics, identity-first controls and faster, intelligence-driven response models.”

The report also includes a sector-by-sector breakdown of adversarial activity. Retail and e-commerce remained the most targeted sector, with 28% of total attacks, driven largely by web exploitation, credential abuse and fraud. Financial services accounted for 19.23% of all confirmed cyberattacks in the first half of 2025; within that sector, sector-specific attack patterns (32%) and insider activity (26%) were the most prevalent incident profiles.

Healthcare and shipping continued to face high malware volumes, with malware accounting for 25% and 62% of those sectors' incidents respectively, while telecoms, aviation and defence environments were more frequently targeted with highly customised, infrastructure-level threats. In telecoms in particular, 95% of threats were industry-specific, underlining the advanced, tailored nature of attacks on core infrastructure.

 The aviation, construction, and manufacturing sectors continue to report high levels of suspicious internal activity and industry-specific threats.

Regionally, Southeastern Europe (35.31%) and Northern Europe (31.22%) were the most targeted geographies, reflecting a focus on politically sensitive and digitally mature environments. The Middle East and Asia continued to see significant state-aligned activity, particularly against energy, telecoms and government organisations. Africa accounted for a relatively small share of total attacks (2.1%) but faced a disproportionate volume of insider threats and reconnaissance activity, which the report attributes to its expanding infrastructure and weaker access controls.

 The report also tracked the activity of major nation-state and ransomware groups. Chinese APTs including UNC5174, Hafnium and Mustang Panda were highly active in exploiting zero-day vulnerabilities, while Russian groups such as APT29 and APT44 focused on stealthy access and supply chain compromise. North Korea’s Lazarus Group continued its focus on cryptocurrency theft, while Indian and Pakistani groups expanded activity against energy and defence targets.

 Ransomware operations have also evolved. Qilin emerged as the most active group in Q2 2025, with Akira following closely. New actors such as EncryptHub and NightSpire demonstrated highly evasive capabilities and rapid deployment models, while established groups like Cl0p and BlackCat maintained a strong presence across sectors.

 Notes for editors

Key Findings (H1 2025) at a glance:

General:

  • 16.8 PB of telemetry analysed across 522,952 endpoints
  • 876,842 alerts processed, with 11,351 confirmed cyber incidents
  • Brute force (27%), vulnerability scanning (22%) and IoC matches (20%) led alert categories
  • 0% direct malware payloads in trending alerts, signalling a major shift to fileless attacks
  • Average response time for critical incidents: 11.2 minutes
  • SLA availability remained at 99.996%

Sector-specific highlights:

  • Retail & eCommerce: most targeted sector (28% of all attacks)
  • Financial services: 32% industry-specific threats; 26% insider-driven
  • Shipping: 62% of all threats were malware-based
  • Telecoms: 95% of incidents were industry-specific

Regional threat distribution:

  • Southeastern Europe: 35.31% of observed global attacks
  • Northern Europe: 31.22%
  • Middle East: 18.27%; Asia: 11.98%
  • Africa: 2.1% of attacks, with high insider threat concentration

APT and ransomware activity:

  • Chinese APTs exploited zero-days (Ivanti, SAP, VPNs)
  • Russian APTs focused on stealth access and supply chain targeting
  • Lazarus Group targeted cryptocurrency infrastructure
  • Qilin and Akira led ransomware activity; EncryptHub and NightSpire gained prominence