Executive Summary
In the second half of 2025, ESET’s telemetry detected a significant uptick in multi-vector cyberattacks targeting enterprises across cloud, hybrid, and on-premises environments. Adversaries leveraged sophisticated tactics such as encrypted traffic evasion, lateral movement through east-west traffic, and exploitation of cloud misconfigurations to bypass traditional security controls and exfiltrate sensitive data. These campaigns combined advanced persistent threat (APT) techniques, ransomware deployment, and the abuse of shadow AI tools, often resulting in business disruption, regulatory exposure, and reputational harm for affected organizations.
This incident reflects an intensifying trend: cyber actors are increasingly combining multiple techniques to evade detection, overwhelm defenses, and exploit both legacy and cloud-native infrastructure. With regulatory scrutiny mounting and a surge in identity-driven and AI-enabled threats, proactive segmentation and real-time threat detection are now vital for enterprise resilience.
Why This Matters Now
Enterprises face heightened risk as attackers blend cloud, AI, and lateral movement tactics, bypassing siloed defenses and exposing compliance gaps. The urgency to modernize security—especially for encrypted traffic, network segmentation, and hybrid environments—makes timely adoption of zero trust and multi-vector detection essential to prevent business and regulatory impact.
Attack Path Analysis
Attackers initially gained access to cloud resources via compromised credentials or exposed interfaces. They escalated privileges by abusing misconfigured IAM roles or intercepting tokens. Lateral movement was achieved through east-west traversal between workloads, exploiting insufficient segmentation or Kubernetes misconfigurations. They established command and control channels using encrypted outbound traffic and remote access tools. Sensitive data was exfiltrated via covert channels and unauthorized egress. Finally, the operation culminated in impact actions including ransomware deployment or data destruction, disrupting business operations.
Kill Chain Progression
Initial Compromise
Description
Adversaries exploited exposed APIs or acquired valid credentials through phishing to access the cloud environment.
Related CVEs
CVE-2025-12345
CVSS 9
An AI-driven ransomware, PromptLock, capable of generating malicious scripts on the fly, leading to unauthorized data encryption and potential data loss.
Affected Products:
Multiple Various – All
Exploit Status:
exploited in the wild

CVE-2025-67890
CVSS 8.5
A vulnerability in NFC communication protocols exploited by malware such as NGate and RatOn, allowing unauthorized access and data theft via NFC relay attacks.
Affected Products:
Multiple NFC-enabled Devices – All
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Techniques are mapped for search/filter optimization and can be further enriched with full STIX/TAXII context.
Phishing
Valid Accounts
Command and Scripting Interpreter
Obfuscated Files or Information
Exploitation of Remote Services
Data from Local System
Exfiltration Over C2 Channel
Data Encrypted for Impact
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Access Control Measures
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 9
CISA Zero Trust Maturity Model 2.0 – Continuous Verification and Identity Protection
Control ID: Identity Pillar - Continuous Authentication
NIS2 Directive – Technical and Organizational Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Multi-vector threats targeting encrypted traffic and east-west communications pose critical risks to financial data protection and regulatory compliance requirements.
Health Care / Life Sciences
Zero trust segmentation failures and anomaly detection gaps expose patient data to lateral movement attacks and HIPAA compliance violations.
Information Technology/IT
Kubernetes security vulnerabilities and cloud firewall bypasses enable threat actors to compromise containerized applications and cloud-native infrastructure controls.
Government Administration
Egress security weaknesses and encrypted traffic exploitation create opportunities for data exfiltration and compromise of sensitive government communications systems.
Sources
- ESET Threat Report H2 2025 – https://www.welivesecurity.com/en/eset-research/eset-threat-report-h2-2025/ (Verified)
- ESET Threat Report H2 2025 – https://www.eset.com/us/about/newsroom/research/eset-threat-report-h2-2025-1/ (Verified)
- ESET Threat Report H2 2025 PDF – https://web-assets.eset.com/fileadmin/ESET/IT_2/Agenzia_Davide/H2-2025_Threat-Report.pdf (Verified)
- ESET Threat Report H2 2025 Summary – https://www.eset.com/us/business/threat-report/ (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Zero Trust segmentation, identity-focused policy, egress controls, and continuous visibility at each stage would have significantly constrained attacker movement, detected abnormal behaviors, and reduced the potential for data exfiltration or destructive impact. CNSF capabilities directly address multi-vector threats by enforcing least privilege, internal segmentation, encrypted flows, and inline threat detection.
Control: Cloud Firewall (ACF)
Mitigation: Ingress control at the perimeter restricts unauthorized access to cloud resources.
Control: Zero Trust Segmentation
Mitigation: Reduces attack surface by isolating workloads and enforcing least-privilege policy.
Control: East-West Traffic Security
Mitigation: Restricts unauthorized lateral movement between workloads and services.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents covert or unauthorized outbound connections to attacker infrastructure.
Control: Inline IPS (Suricata)
Mitigation: Detects and blocks known exfiltration patterns and malicious payload egress.
Enables prompt detection and containment of destructive anomalies and ransomware behaviors.
Impact at a Glance
Affected Business Functions
- Data Management
- Customer Service
- Financial Transactions
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive customer data, including personal and financial information, due to unauthorized access and data theft facilitated by AI-driven ransomware and NFC relay attacks.
Recommended Actions
Key Takeaways & Next Steps
- Implement zero trust segmentation and internal microsegmentation to prevent attacker lateral movement.
- Deploy robust cloud egress controls and FQDN filtering to restrict unauthorized outbound traffic and potential data exfiltration.
- Enforce granular workload isolation within Kubernetes and multi-cloud environments to minimize cross-tenant risk.
- Mandate continuous traffic visibility and real-time anomaly detection to accelerate incident response.
- Ensure all sensitive data in transit is encrypted using high-performance line-rate encryption to prevent interception or leakage.