Welcome to May 2025 Threat Highlight Report

May report covers

This month’s report shines a spotlight on the increasing use of social engineering tactics, turbulence in the ransomware ecosystem, and the evolving threat landscape across cloud and SaaS environments.

The key findings in the May 2025 Threat Highlight Report include:

1. Retail sector under siege
   Scattered Spider actors launched coordinated ransomware attacks against major UK retailers including M&S and Co-Op, exploiting social engineering and third-party weaknesses to inflict massive operational and financial damage.
2. Commvault & ConnectWise breaches
   Vulnerabilities in SaaS platforms led to compromise of customer environments via cloud-hosted backup and remote access services—highlighting the risk of overly permissive configurations and inherited trust.
3. Ransomware trends
   For the first time since 2024, leak site victim volumes dropped year-over-year. Meanwhile, RansomHub has vanished, Lockbit’s leak site was hacked, and new groups like SAFEPAY and Devman have emerged.
4. Credential theft & trojanized software
   A months-long campaign using trojanized KeePass installers revealed how attackers are blurring the lines between legitimate software and malware—culminating in ransomware deployments.
5. Identity and Cloud risks on the rise
   xAI accidentally exposed private keys giving access to unreleased LLMs, and 89 million Steam user records (with MFA data) were reportedly compromised. Japanese financial services suffered nearly $2Bn in unauthorized trading from credential theft.
6. Law enforcement takes action
   Operation Endgame and Operation PowerOff disrupted more than 300 servers and arrested several operators—showing growing global coordination against cybercriminal infrastructure.

Download the full report or subscribe for future insights to empower your cyber strategy with clarity, data, and expert guidance from WithSecure™.