Rapid7 has published its Q3 2025 Threat Landscape Report, shedding light on trends in ransomware and artificial intelligence in the realm of cyber threats. The report highlights how malicious actors are enhancing their operations by weaponising AI and consolidating ransomware efforts, while exploiting vulnerabilities both new and longstanding.
This intelligence is built on data from Rapid7’s Intelligence Hub, AttackerKB, incident response activities, and managed detection and response (MDR) telemetry, providing a comprehensive view of adversary behaviours and defensive strategies.
Critical vulnerability exploitation
In its recent quarterly review, Rapid7 found a 21% decrease in newly exploited vulnerabilities from the second to the third quarter. Despite the reduction, attackers are increasingly targeting older, unpatched vulnerabilities, some over a decade old.
Notably, critical vulnerabilities such as those in Microsoft SharePoint (CVE-2025-53770) and Cisco ASA/FTD products are being exploited as soon as patches are disclosed, emphasising the importance of timely patch management.
Christiaan Beek, Senior Director of Threat Intelligence and Analytics at Rapid7, noted, "The moment a vulnerability is disclosed, it becomes a bullet in the attacker’s arsenal, necessitating fast action from organisations."
Ransomware activity spikes
The report recorded an increase in active ransomware groups, with 88 groups operating in Q3 compared to 65 in Q2 and 76 in Q1. This rise underscores the dynamic nature of these groups. Notably, Qilin, SafePay, and WorldLeaks have been at the forefront, forming alliances that target various sectors including business services, manufacturing, and healthcare.
These groups are innovating through fileless attacks, single-extortion data leaks, and offering affiliate services, such as ransom negotiation training, demonstrating a strategic shift towards more sophisticated operations.
Generative AI in threats
Generative AI is identified as a tool lowering barriers for launching phishing campaigns and developing adaptive malware. LAMEHUG, an example of such malware, adapts by generating new commands dynamically.
Additionally, state-sponsored actors from countries such as Russia, China, and Iran are refining their techniques to blur the lines between espionage and disruption. They are increasingly targeting supply chains and identity systems with strategies that emphasise stealth and persistence.
Rapid7, a pioneer in threat detection and exposure management, has released its Q3 2025 Threat Landscape Report, revealing how threat actors are accelerating the race between vulnerability disclosure and exploitation, consolidating ransomware power structures, and increasingly weaponising artificial intelligence to evade detection.
The report draws from Rapid7’s Intelligence Hub, AttackerKB, incident response, and managed detection and response (MDR) telemetry, offering data-driven insight into how adversaries are evolving and how defenders can adapt.
“Ransomware has evolved significantly beyond its early days to become a calculated strategy that destabilises industries,” said Raj Samani, Chief Scientist at Rapid7. “In addition, the groups themselves are operating like shadow corporations. They merge infrastructure, tactics, and PR strategies to project dominance and erode trust faster than ever.”
Critical vulnerability exploitation
Rapid7’s quarterly analysis shows that the total number of newly exploited vulnerabilities trended downward, dropping 21% from Q2 to Q3. However, adversaries doubled down on older, unpatched weaknesses, including CVEs more than a decade old, indicating that historic exposures remain potent attack vectors.
The mass exploitation of critical vulnerabilities in Microsoft SharePoint (CVE-2025-53770) and Cisco ASA/FTD products underscores the narrowing window between patch disclosure and in-the-wild attacks.
“The moment a vulnerability is disclosed, it becomes a bullet in the attacker’s arsenal,” said Christiaan Beek, Senior Director of Threat Intelligence and Analytics at Rapid7, adding “Attackers are no longer waiting. Instead, they’re weaponising vulnerabilities in real time and turning every disclosure into an opportunity for exploitation. Organisations must now assume that exploitation begins the moment a vulnerability is made public and act accordingly.”
Ransomware activity spikes
The quarter also saw 88 active ransomware groups, up from 65 in Q2 and 76 in Q1, signalling an increase in activity as well as underscoring these groups’ fluidity.
Groups like Qilin, SafePay, and WorldLeaks led a wave of alliances targeting industries such as business services, manufacturing, and healthcare, and experimented with fileless operations, single-extortion data leaks, and affiliate service offerings such as ransom negotiation assistance, where a more senior member of the group partners with a less experienced player to extort the victim.
Generative AI
The report details how generative AI is lowering the barrier for creating convincing phishing campaigns and enabling adaptive malware, such as LAMEHUG, which can dynamically generate new commands.
Meanwhile, nation-state operators from Russia, China, and Iran refine their tactics, blurring the line between espionage and disruption by targeting supply chains and identity systems with an emphasis on stealth and persistence.