Summary is AI-generated, newsdesk-reviewed
  • Brute force attacks make up 27% of cyber alerts, highlighting automation's rise.
  • Retail sector tops targeted list with 28% attacks, driven by web exploitation.
  • Southeastern and Northern Europe face most cyber threats, mainly industry-specific.

Obrela, a global pioneer in cyber risk management and Managed Detection and Response (MDR), has published its H1 2025 Digital Universe Report, providing insight into the current global cyber threat landscape. 

The report reveals that attackers are increasingly using scalable automation and stealthy, in-memory techniques to evade detection and infiltrate critical systems.

According to the report, brute force attacks accounted for over a quarter of all alert activity (27%), while vulnerability scanning (22%) and IoC matches (20%) reflect a reliance on automation for initial access. This highlights that adversaries are increasingly relying on scalable, automated methods such as brute force, alongside stealthier techniques like fileless and in-memory attacks to bypass traditional defenses.

Confirmed cyberattacks

The report data is from Obrela’s global MDR infrastructure, which processed 16.8 petabytes of telemetry from more than 522,000 monitored endpoints during the first half of 2025. The system generated 876,842 alerts and identified 11,351 confirmed cyberattacks.

“Our new report shows that attackers aren’t just getting faster and more sophisticated, they’re stealthier,” said Dr George Papamargaritis, VP MSS of Obrela.

“We have seen brute force and vulnerability scanning surge, while traditional malware has nearly disappeared from early alerts. This marks a clear move toward evasion, automation and persistence. To stay ahead, defenders must adopt behavioural analytics, identity-first controls, and faster, intelligence-driven response models.”

Sector-by-sector breakdown

The report also includes a sector-by-sector breakdown of adversarial activity. Retail and e-commerce remain the most targeted sector, with 28% of total attacks. This is driven largely by web exploitation, credential abuse, and fraud.

Financial services accounted for 19.23% of all confirmed cyberattacks in the first half of 2025, with insider activity (26%) and sector-specific attack patterns (32%) being the most prevalent in incident profiles.

Sectors such as healthcare and shipping continued to face high malware volumes, accounting for 25% and 62% of sector incidents, respectively, while telecoms, aviation, and defence environments were more frequently targeted with highly customised, infrastructure-level threats. Telecoms, in particular, reported that 95% of threats were industry-specific, underlining the advanced, tailored nature of attacks targeting core infrastructure.

Industry-specific threats

The aviation, construction, and manufacturing sectors continue to report high levels of suspicious internal activity and industry-specific threats.

Regionally, Southeastern Europe (35.31%) and Northern Europe (31.22%) were the most targeted geographies, demonstrating a focus on politically sensitive and digitally mature environments. The Middle East and Asia continued to see significant state-aligned activity, particularly against energy, telecoms, and government organisations.

Africa accounted for a relatively small proportion of total attacks (2.1%) but faced a disproportionate volume of insider threats and reconnaissance activity due to its expanding infrastructure and weaker access control measures.

Ransomware groups

The report also tracked the activity of major nation-states and ransomware groups.

Chinese APTs including UNC5174, Hafnium, and Mustang Panda were highly active in exploiting zero-day vulnerabilities, while Russian groups such as APT29 and APT44 focused on stealthy access and supply chain compromise.

North Korea’s Lazarus Group continued its focus on cryptocurrency theft, while Indian and Pakistani groups expanded activity against energy and defence targets.

Evolved ransomware operations

Ransomware operations have also evolved. Qilin emerged as the most active group in Q2 2025, with Akira following closely. New actors such as EncryptHub and NightSpire demonstrated highly evasive capabilities and rapid deployment models, while established groups like Cl0p and BlackCat maintained a strong presence across sectors.

Key findings (H1 2025) at a glance:

General:

  • 16.8PB of telemetry analysed across 522,952 endpoints
  • 876,842 alerts processed, with 11,351 confirmed cyber incidents
  • Brute Force (27%), vulnerability scanning (22%), and IoC matches (20%) led alert categories
  • 0% direct malware payloads in trending alerts — signalling a major shift to fileless attacks
  • Average response time for critical incidents: 11.2 minutes
  • SLA availability remained at 99.996%

Sector-specific highlights:

  • Retail & eCommerce: Most targeted sector (28% of all attacks)
  • Financial Services: 32% industry-specific threats; 26% insider-driven
  • Shipping: 62% of all threats were malware-based
  • Telecoms: 95% of incidents were industry-specific

Regional threat distribution:

  • Southeastern Europe: 35.31% of observed global attacks
  • Northern Europe: 31.22%
  • Middle East: 18.27%; Asia: 11.98%
  • Africa: 2.1% of attacks, with high insider threat concentration

APT and ransomware activity:

  • Chinese APTs exploited zero-days (Ivanti, SAP, VPNs)
  • Russian APTs focused on stealth access and supply chain targeting
  • Lazarus Group targeted cryptocurrency infrastructure 
  • Qilin and Akira led ransomware activity; EncryptHub and NightSpire gained prominence
