Ontinue Threat Intelligence Report Reveals Attackers Increasingly “Log In,” Rather Than Breaking In
Stolen Credential Listings Tied to LummaC2 Surged 72% as More Than 7,000 Ransomware Attacks Were Reported Globally in 2025
ZURICH, Switzerland – March 30, 2026 – Ontinue, a leading provider of AI-powered Managed Extended Detection and Response (MXDR), today released its 2H 2025 Threat Intelligence Report, revealing a significant shift in how cybercriminals gain access to organizations. The report finds that attackers increasingly rely on compromised credentials, identity abuse, and trusted integrations rather than traditional malware-driven intrusion techniques.
Drawing on investigations conducted by Ontinue’s Advanced Threat Operations (ATO) team and telemetry from the Ontinue ION MXDR platform, the report highlights how identity compromise has become the most common pathway into cloud environments.
“Attackers aren’t trying to break through defenses anymore; they’re logging in with stolen credentials,” said Balazs Greksza, Director of Advanced Threat Operations at Ontinue. “Infostealers are feeding a growing underground market for corporate access. Once attackers obtain valid identities, they can bypass traditional security controls and move through environments as legitimate users, often without triggering the alarms organizations rely on.”
Identity Attacks and Credential Theft on the Rise
The report documents how identity-based attacks – including adversary-in-the-middle (AiTM) phishing, password spraying, and service principal credential exposure – now dominate security investigations. Rather than exploiting software vulnerabilities, attackers increasingly rely on compromised credentials to gain direct access to cloud environments.
Infostealer malware plays a central role in fueling this trend. Malware families such as LummaC2 harvest browser passwords, session cookies, and authentication tokens from infected systems. These stolen credentials are then packaged into “logs” and sold through underground marketplaces, allowing other threat actors to purchase ready-made access to corporate environments.
The report notes that listings of stolen credentials linked to LummaC2 increased by 72% on underground marketplaces, reflecting the rapid expansion of this credential theft ecosystem. Stolen corporate access can command thousands of dollars per account, making credential theft one of the most profitable entry points in the modern cybercrime economy.
Ransomware Remains a Major Threat
Despite a modest decline in traceable ransomware payments, falling from $892 million in 2024 to $820 million in 2025, the number of attacks continues to increase. The report cites more than 7,000 ransomware incidents reported globally in 2025, with over 120 active ransomware groups operating across industries.
Modern ransomware campaigns increasingly combine multiple forms of pressure, including data theft, operational disruption, distributed denial-of-service (DDoS) attacks, and direct intimidation of victims’ employees or customers, tactics often described as double, triple, or even quadruple extortion.
Emerging Use of Generative AI in Malware Development
The report also highlights early signs that threat actors are beginning to use generative AI to accelerate the development of malicious tools. Analysis of several recovered webshells and commodity malware samples revealed coding patterns consistent with LLM-assisted development, including verbose explanatory comments, duplicated functions generated through iterative prompting, and visually polished interfaces paired with insecure implementations.
While adversarial AI remains an emerging capability rather than a dominant attack vector, Ontinue researchers note that generative AI may significantly lower the technical barrier for developing functional malware and attack infrastructure.
Supply Chain and SaaS Attacks Expand
Risks associated with software supply chains and cloud integrations are also on the rise. Threat actors are increasingly targeting development pipelines, SaaS platforms, and third-party service providers to gain indirect access to corporate environments.
These attacks can spread rapidly across trusted ecosystems, enabling adversaries to compromise multiple organizations simultaneously.
Record-Breaking Infrastructure Attacks
In addition to identity-driven attacks, the report documents a dramatic increase in infrastructure-scale threats. Distributed denial-of-service campaigns reached a peak of 31.4 Tbps, powered by botnets leveraging more than 500,000 compromised systems.
These attacks demonstrate the growing scale and automation capabilities available to modern threat actors.
Key Findings
- Identity-based attacks are now a leading entry point for cyber intrusions
- Infostealers are fueling a global credential-theft economy
- Over 7,000 ransomware incidents were reported globally in 2025
- 129 ransomware groups were active during the year
- Global ransomware payments reached $820M in 2025
- Early evidence of LLM-assisted malware development observed in commodity attack tooling
- DDoS attacks peaked at 31.4 Tbps
“The reality organizations face today is that attackers are moving faster, leveraging stolen identities and automation to bypass traditional defenses,” said Craig Jones, Chief Security Officer at Ontinue. “Cyber resilience is no longer just about preventing breaches; it’s about proactive risk reduction and environment hardening, detecting threats quickly, responding decisively, and maintaining operational continuity when incidents occur. Partnering with the right managed security provider allows organizations to combine advanced technology, real-time threat intelligence, and experienced analysts to stay ahead of attackers and strengthen their ability to withstand and recover from modern cyber threats.”
Read more on our blog, Attackers aren’t Breaking in Anymore, they’re Logging in.
About Ontinue
Ontinue is a leading provider of agentic AI-powered managed extended detection and response (MXDR) services, empowering modern organizations to securely embrace their digital future. We’re on a mission to redefine managed security operations with Nonstop SecOps, a 24/7 approach that delivers continuous protection through trust and innovation.
Ontinue ION leverages an agentic AI-powered platform, human expertise and our customers’ own Microsoft tools to deliver tailored protection that conforms to your environment and operations. The result is fast threat detection and response, and continuous security posture hardening. With ION handling the daily security operations, CISOs and their teams get more time back in their day to focus on the next big initiative to propel their organization forward.
ION’s innovative collaboration model and transparent architecture ensure that security analysts always have instant access to eyes-on-glass SecOps support and complete control of their data. Additionally, Ontinue’s unparalleled Microsoft expertise helps CISOs and CIOs maximize return on their investment in Microsoft controls and consolidate their security stack.
Continuous Trust. Continuous Innovation. Continuous Empowerment.
That’s Nonstop SecOps from Ontinue.