Cisco Talos has released its latest Threat Intelligence Report for Q2 2025, revealing a threat landscape increasingly dominated by credential harvesting and advanced ransomware campaigns, with phishing remaining the leading initial access method. The report offers critical insight into adversarial tactics and evolving attack trends impacting organizations globally.
"Phishing remained the top method of initial access this quarter, appearing in a third of all engagements, a decrease from 50 percent last quarter," Cisco Talos reports.
Despite a slight decline, phishing continued to account for one-third of initial access incidents, often leveraging compromised internal or trusted partner email accounts.
"Threat actors largely leveraged compromised internal or trusted business partner email accounts to deploy malicious emails, bypassing security controls and gaining targets' trust."
Rather than seeking immediate financial gain, many attackers now favor credential harvesting. In several cases, attackers deployed phishing links that mimicked Microsoft 365 login portals, complete with MFA prompts, in an effort to steal both credentials and session tokens.
"Cybercriminals may consider brokering compromised credentials as simpler and more reliably profitable than other post-exploitation activities," the report notes.
One real-world phishing incident began with the compromise of a business partner’s email account, which was then used to phish an organization’s employees. After one user submitted their credentials to a spoofed login page, the attacker sent internal spear-phishing emails from the compromised account, successfully tricking dozens of additional users.
Ransomware-related incidents comprised 50% of all engagements.
"Cisco Talos Incident Response (Talos IR) responded to Qilin ransomware for the first time, identifying previously unreported tools and tactics, techniques, and procedures (TTPs), including a new data exfiltration method."
Qilin attackers used:
- Custom encryptors with hardcoded credentials
- Backblaze-hosted C2 infrastructure
- CyberDuck for data exfiltration
- Commercial remote access tools like TeamViewer, VNC, AnyDesk, and ToDesk
They also implemented persistence mechanisms such as AutoRun registry keys and scheduled tasks, forcing a complete Active Directory rebuild for one victim.
"These attack techniques ultimately led to a widespread infection requiring a complete rebuild of the Active Directory (AD) domain and password resets for all accounts."
In a surprising twist, attackers increasingly abused PowerShell 1.0 (a deprecated version from 2006) in one-third of ransomware cases.
"Using this insecure version gives attackers numerous potential advantages as it lacks security features that newer versions have built in," including script block logging, transcription logging, and AMSI (Antimalware Scan Interface).
Attackers used PowerShell 1.0 to:
- Exclude core system directories from AV scanning
- Bypass execution policies
- Monitor peer-to-peer file transfers
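An added defender-side audit, not code from the Talos report, that checks a Windows host for the exposure described above: whether the legacy PowerShell engine (the article says PowerShell 1.0; the engine Windows still ships as an optional feature is the v2 engine, which likewise lacks script block logging and AMSI) is enabled, whether script block and transcription logging are enforced by policy, whether Defender exclusions cover core system directories, and whether the legacy engine has actually been started. The optional-feature name, policy registry paths and cmdlets are standard Windows interfaces; the finding strings are this script's own.

```powershell
# Added audit example (not from the Talos report). Run as Administrator.
function Get-LegacyPowerShellExposure {
    $findings = @()

    # 1. Legacy v2 engine: powershell.exe -Version 2 only works when this
    #    optional feature is enabled, and that engine has no script block
    #    logging or AMSI integration.
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
    if ($v2 -and $v2.State -eq 'Enabled') {
        $findings += 'Legacy PowerShell v2 engine is enabled (no script block logging or AMSI).'
    }

    # 2. Policy keys that turn on script block logging and transcription.
    $sbl = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ErrorAction SilentlyContinue
    if (-not $sbl -or $sbl.EnableScriptBlockLogging -ne 1) {
        $findings += 'Script block logging is not enforced by policy.'
    }
    $tr = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription' -ErrorAction SilentlyContinue
    if (-not $tr -or $tr.EnableTranscripting -ne 1) {
        $findings += 'Transcription logging is not enforced by policy.'
    }

    # 3. Defender path exclusions that cover core system directories.
    $coreDirs = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:SystemDrive\")
    $excl = (Get-MpPreference -ErrorAction SilentlyContinue).ExclusionPath
    foreach ($path in $excl) {
        foreach ($core in $coreDirs) {
            if ($core -and $path.TrimEnd('\') -eq $core.TrimEnd('\')) {
                $findings += "Defender exclusion covers core system directory: $path"
            }
        }
    }

    # 4. Evidence the legacy engine was actually started: the 'Windows PowerShell'
    #    log records the engine version in Event ID 400 (Engine state changed).
    $starts = Get-WinEvent -FilterHashtable @{LogName = 'Windows PowerShell'; Id = 400} -MaxEvents 2000 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'EngineVersion=2\.0' }
    if ($starts) {
        $findings += "Legacy engine start events found: $(@($starts).Count) (Event ID 400, EngineVersion=2.0)."
    }

    return $findings
}

Get-LegacyPowerShellExposure
```

An empty result means none of the four conditions was observed on this host; each finding maps to one of the gaps the report says attackers relied on.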
Education was the most targeted industry this quarter, reversing the trend from Q1. Talos suggests this aligns with 2024 trends, where schools faced a surge in ransomware attacks during April through June.