H1 2025 Malware and Vulnerability Trends

Vulnerabilities in Microsoft products and edge security appliances were the most exploited in H1 2025, with state-

RATs such as XWorm and Remcos overtook infostealers as primary tools for persistent access and data theft compared to H1 2024, while Android banking trojans adopted overlays and NFC relay attacks for real-world fraud, while Magecart operators expanded beyond Magento

Executive Summary

The first half of 2025 (H1 2025) reflected a rapidly evolving threat landscape defined by the convergence of persistent legacy threats and advanced new tactics. The total disclosed CVEs increased by 16% from H1 2024, and threat actors exploited 161 vulnerabilities with assigned CVEs, with nearly half linked to malware or ransomware campaigns. Microsoft remained the most targeted vendor, while edge security and gateway devices continued to be high-value targets for initial access. Malware activity was similarly dynamic: while law enforcement takedowns disrupted major players like LummaC2, a resurgence of legacy malware such as Sality indicated that old tools still offer utility for modern actors. Remote access trojans (RATs) like AsyncRAT, XWorm, and Remcos also

Mobile malware threats continued to grow in H1 2025, with Android banking trojans adopting virtualization-based overlays and near-field communication (NFC) relay attacks to bypass user defenses and enable real-world financial fraud. These innovations reflect a growing trend in financial fraud toward mobile-first exploitation targeting both app and payment ecosystems.

Ransomware

Taken together, H1 2025 underscores that the threat landscape is not only expanding but fragmenting, with threat actors exploiting both novel and legacy tools across diverse attack surfaces. To respond effectively, organizations should prioritize patching of internet-facing systems, particularly gateway and edge security products, which are frequently targeted for initial access. Detection capabilities must

Key Findings

● CVE disclosures increased 16% compared to H1 2024, with 161 of those vulnerabilities actively exploited in H1 2025. Of those, 42% had a public proof-of-concept (PoC) exploit, nearly 69% required no authentication, and 30% enabled remote code execution (RCE), underscoring attackers' preference for low-friction, high-impact exploits. Microsoft and edge-gateway
● Based on Recorded Future Triage submissions and Insikt Group reporting, Command and Control (TA0011) was the most frequently observed malware tactic, with over 194,000 detections. Top techniques (according to the MITRE ATT&CK matrix) included data encrypted for impact (T1486),
● The mobile threat landscape continued to evolve during the first half of 2025, marked by the discovery of eleven new mobile malware strains and the resurgence or continued operation of nine others. This included banking trojans, infostealers, spyware, and RATs. Long-standing
● Threats to contactless payments increased, as evidenced by the discovery of SuperCard X, a Chinese MaaS platform that enables NFC relay fraud by capturing and transmitting contactless
● Ransomware threat actors adopted new TTPs across the attack chain during the first half of 2025. This included ClickFix-based social engineering for initial access, endpoint detection and response (EDR) evasion via bring-your-own-installer (BYOI) techniques, and custom payloads using just-in-time (JIT) hooking and memory injection to bypass detection. Ransomware threat

Table of Contents

Vulnerability Exploitation Trends
Key Takeaways
Microsoft Leads Actively Exploited Vulnerabilities as Total Disclosed Vulnerabilities Rise Compared to 2024
UNC5221 Focuses on Ivanti Products as Cobalt Strike Is Most Frequently Associated with
Malware Trends
Mitigations
Vulnerability Exploitation
Malware Intrusions
Magecart Attacks
Outlook

Vulnerability Exploitation Trends

Key Takeaways

● 23,667 CVEs were published in H1 2025, a 16% increase compared to H1 2024. Attackers actively exploited 161 vulnerabilities, and 42% of those exploited flaws had public PoC exploits. 21 out of the 27 Nuclei templates published by Insikt Group corresponded to vulnerabilities that
● Microsoft products accounted for 17% of such exploitations, but attackers also concentrated on edge-security and gateway appliances such as SSL-VPNs and next-gen firewalls (similarly 17%), whose position at the network perimeter makes them attractive entry points for attacks
● 69% of exploited vulnerabilities did not require authentication, and nearly one-third enabled RCE. 151 exploited vulnerabilities were used to deploy malware and 73 to launch ransomware, with backdoors the most common payload. State-sponsored actors drove more than half of

Microsoft Leads Actively Exploited Vulnerabilities as Total Disclosed

In the first half of 2025, the volume of disclosed vulnerabilities continued to climb. The total number of CVEs increased by 16% compared to H1 2024, rising from 20,385 in H1 2024 to 23,667 in H1 2025. This growth suggests an expanding
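The report's recommendation to patch internet-facing gateway and edge products first, together with the attributes it counts for exploited CVEs (public PoC, no authentication required, RCE, malware or ransomware linkage), can be turned into a small triage routine that computes the same shares over an inventory and ranks what to patch first. The following Python is an added example, not code from the report or from Recorded Future; the records, the CVE-0000-000N identifiers and the score weights are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed sample records (not taken from the report). The fields mirror the
# attributes the report counts for exploited CVEs; identifiers are placeholders.
@dataclass(frozen=True)
class Vuln:
    cve: str               # placeholder id, not a real CVE
    vendor: str
    product_class: str     # "edge_gateway", "os", "browser", ...
    exploited: bool        # observed exploited in the wild
    public_poc: bool       # public proof-of-concept exploit exists
    auth_required: bool    # exploitation needs valid credentials
    rce: bool              # enables remote code execution
    malware: bool          # used to deploy malware
    ransomware: bool       # used in a ransomware campaign
    internet_facing: bool  # exposure in this organization's estate

SAMPLE = [
    Vuln("CVE-0000-0001", "Microsoft", "os", True, True, False, True, True, True, True),
    Vuln("CVE-0000-0002", "Vendor-A", "edge_gateway", True, False, False, True, True, False, True),
    Vuln("CVE-0000-0003", "Vendor-B", "browser", True, True, True, False, False, False, False),
    Vuln("CVE-0000-0004", "Vendor-C", "edge_gateway", False, True, False, True, False, False, True),
    Vuln("CVE-0000-0005", "Microsoft", "os", True, False, True, False, True, False, False),
]

def exploitation_profile(vulns):
    """Shares the report tracks, computed over the actively exploited subset."""
    ex = [v for v in vulns if v.exploited]
    n = len(ex) or 1  # avoid division by zero on an empty inventory
    return {
        "exploited": len(ex),
        "pct_public_poc": round(100 * sum(v.public_poc for v in ex) / n),
        "pct_no_auth": round(100 * sum(not v.auth_required for v in ex) / n),
        "pct_rce": round(100 * sum(v.rce for v in ex) / n),
        "malware": sum(v.malware for v in ex),
        "ransomware": sum(v.ransomware for v in ex),
    }

def patch_priority(v):
    """Heuristic score, higher means patch sooner. Weights are assumptions that
    follow the report's emphasis: in-the-wild exploitation and perimeter
    exposure dominate, unauthenticated RCE and public PoCs add urgency."""
    score = 40 if v.exploited else 0
    score += 20 if v.internet_facing else 0
    score += 15 if v.product_class == "edge_gateway" else 0
    score += 10 if not v.auth_required else 0
    score += 10 if v.rce else 0
    score += 5 if v.public_poc else 0
    score += 5 if v.ransomware else 0
    return score

def patch_order(vulns):
    """CVE ids sorted by descending priority (stable for equal scores)."""
    return [v.cve for v in sorted(vulns, key=patch_priority, reverse=True)]
```

On the constructed sample the unauthenticated RCE in an internet-facing edge gateway outranks the Microsoft flaw even though the latter has a public PoC and ransomware linkage, which is the ordering the report's mitigation guidance implies.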