MOXFIVE Monthly Insights - May 2025
In this newsletter, we share the latest threat insights and recommendations from the MOXFIVE team. Click the button below to subscribe if you are not already on the MOXFIVE mailing list.

Subscribe

May Highlights

Ransomware activity was lower than usual throughout May 2025, likely because threat actors were still adjusting to the operational disruption caused by RansomHub’s disappearance in April. Qilin and Play were the most active variants this month, with their increased volume likely tied to shifting affiliate activity.

This report also highlights the exploitation of critical vulnerabilities in SAP NetWeaver and Ivanti EPMM, both of which have been actively exploited by threat actors. The featured case study examines how threat actors use living off the land (LOTL) techniques to evade detection and escalate access post-compromise. The Resilience Spotlight outlines key controls for identifying and disrupting this behavior through behavioral monitoring and credential auditing.

Top Threats

Phishing emails, VPN vulnerabilities, lack of Multifactor Authentication (MFA), software flaws, drive-by downloads, and social engineering remain the most frequently observed initial access points for ransomware attacks.

  • SAP NetWeaver Remote Code Execution Vulnerability (CVE-2025-31324): This critical vulnerability in SAP’s Visual Composer component allows unauthenticated attackers to upload malicious files and gain remote code execution. Actively exploited by ransomware groups including Qilin, BianLian, and RansomEXX throughout May, the vulnerability has been used to compromise SAP NetWeaver systems globally. SAP issued a patch in April, but unpatched systems continued to be targeted in May.
  • Ivanti EPMM Exploit Chain (CVE-2025-4427 & CVE-2025-4428): These two vulnerabilities, affecting Ivanti Endpoint Manager Mobile, were chained together by threat actors to bypass authentication and execute code remotely. Exploitation has been attributed to a China-nexus espionage group, with observed activities including unauthorized access and data exfiltration from exposed Ivanti servers. Ivanti released patches in early May to mitigate both vulnerabilities.
Active Threat Actors

Ransomware activity levels remained relatively low throughout May 2025, likely due to threat actors still transitioning away from RansomHub following its disappearance in April. Qilin’s elevated volume may be tied to this shift, as the operators offer a similar payment structure that could appeal to former RansomHub affiliates.

  • Play ransomware was the most active variant seen in May. Threat actors using Play often gain access by exploiting vulnerabilities in exposed services and domain controllers before moving laterally and deploying ransomware.
  • Qilin, also known as Agenda, is a Ransomware-as-a-Service (RaaS) group active since 2022. Affiliates use tailored payloads for Windows and Linux environments, with operators offering generous commissions, reportedly as high as 85%, to attract experienced partners.
  • Akira, SafePay, and Inc. followed as the next most active variants. While their activity trailed the top groups, each maintained a steady presence and remains active in ongoing campaigns.

Figure 1: Top ransomware variants based on number of known victims.

For a deeper look into these groups, MOXFIVE has published Threat Actor Spotlights on Qilin and Akira.

Manufacturing & Production remained the most impacted industry in May based on observed ransomware leak site activity. Construction & Engineering followed as the second most targeted, with both sectors frequently affected across multiple ransomware variants due to their operational dependencies and sensitivity to disruption.

Technology, Healthcare, and Education also ranked among the top targeted industries, reflecting the continued spread of ransomware across critical services, infrastructure, and institutions.

Figure 2: Top industries impacted by ransomware this month.

These rankings are based on observed ransomware data leak site (DLS) activity for impacted organizations in the United States.

Living off the Land
Advanced threat actors often rely on “living off the land” (LOTL) techniques to persist within compromised environments, evade detection, and escalate access. Rather than deploying malware, they abuse legitimate tools and cloud-native features already present in the environment to blend in with normal activity.

One group known for using these tactics is Scattered Spider, which has demonstrated the use of native tooling to support lateral movement, persistence, and data staging, all while evading traditional detection.

LOTL techniques are commonly observed during ransomware investigations, particularly in the post-compromise phase when threat actors begin expanding access and preparing data for exfiltration. MOXFIVE has observed the following LOTL behaviors across recent cases:

Resilience Spotlight

Detecting & Disrupting LOTL Activity
Living off the land techniques often evade traditional detection methods by leveraging legitimate tools and processes. Detecting and disrupting this activity requires greater behavioral visibility and monitoring of native tool usage. The following controls can help improve detection and limit post-compromise escalation:

Improving visibility into legitimate tool usage and tightening control over credential access and automation pathways can help reduce dwell time and disrupt post-access activity before it escalates.
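The behavioral-monitoring control described above, and the LOTL behavior it is meant to surface in the case study, can be illustrated with a small baseline-deviation detector. The example below is added here and is not MOXFIVE code; the log lines, hostnames, user names, the list of native tools, and the list of "unexpected parent" processes are all constructed for illustration. It parses Sysmon-style process-creation events, learns which native administrative tools each user normally runs during a baseline window, and then flags native-tool executions that either fall outside that user's baseline or are spawned by a parent process (such as an office application or web server worker) that should not normally launch them.

```python
"""Baseline-deviation detection for native (LOTL) tool usage.

Added example (not MOXFIVE's own tooling). Event fields mirror Sysmon
process-creation data; all sample events below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Native Windows tools frequently seen in LOTL activity (illustrative, not exhaustive).
NATIVE_TOOLS = {"powershell.exe", "wmic.exe", "certutil.exe", "rundll32.exe",
                "bitsadmin.exe", "mshta.exe", "psexec.exe"}

# Parent processes that should not normally spawn admin/scripting tools (assumption).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "w3wp.exe"}


@dataclass
class ProcessEvent:
    ts: str
    host: str
    user: str
    image: str
    parent_image: str
    command_line: str


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcessEvent:
    """Parse one 'key=value|key=value' event line (constructed format)."""
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    return ProcessEvent(ts=fields["ts"], host=fields["host"], user=fields["user"],
                        image=fields["image"], parent_image=fields["parent"],
                        command_line=fields["cmd"])


def parse_log(lines):
    return [parse_event(line) for line in lines]


def build_baseline(events):
    """Map each user to the set of native tools they ran during the baseline window."""
    baseline = defaultdict(set)
    for ev in events:
        tool = basename(ev.image)
        if tool in NATIVE_TOOLS:
            baseline[ev.user].add(tool)
    return baseline


def detect(events, baseline):
    """Flag native-tool executions outside a user's baseline or from an unexpected parent."""
    findings = []
    for ev in events:
        tool = basename(ev.image)
        if tool not in NATIVE_TOOLS:
            continue  # only native tools are in scope for this control
        reasons = []
        if tool not in baseline.get(ev.user, set()):
            reasons.append("native tool not in user's baseline")
        parent = basename(ev.parent_image)
        if parent in SUSPICIOUS_PARENTS:
            reasons.append("spawned by unexpected parent " + parent)
        if reasons:
            findings.append({"ts": ev.ts, "host": ev.host, "user": ev.user,
                             "tool": tool, "reasons": reasons})
    return findings


# Constructed baseline window: jdoe normally runs PowerShell, svc_admin normally runs wmic.
BASELINE_LOG = [
    r"ts=2025-05-01T09:00:00Z|host=WS-101|user=CORP\jdoe|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|parent=C:\Windows\explorer.exe|cmd=powershell.exe -File C:\Scripts\backup.ps1",
    r"ts=2025-05-01T09:05:00Z|host=SRV-DC1|user=CORP\svc_admin|image=C:\Windows\System32\wbem\wmic.exe|parent=C:\Windows\System32\cmd.exe|cmd=wmic os get version",
    r"ts=2025-05-02T10:00:00Z|host=WS-101|user=CORP\jdoe|image=C:\Windows\System32\notepad.exe|parent=C:\Windows\explorer.exe|cmd=notepad.exe notes.txt",
]

# Constructed detection window: two events deviate from the learned behavior.
CURRENT_LOG = [
    r"ts=2025-05-12T08:00:00Z|host=WS-101|user=CORP\jdoe|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|parent=C:\Windows\explorer.exe|cmd=powershell.exe -File C:\Scripts\backup.ps1",
    r"ts=2025-05-12T03:14:00Z|host=WS-101|user=CORP\jdoe|image=C:\Windows\System32\wbem\wmic.exe|parent=C:\Windows\System32\cmd.exe|cmd=wmic process list brief",
    r"ts=2025-05-12T11:30:00Z|host=WS-204|user=CORP\mlee|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|parent=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|cmd=powershell.exe -File invoice.ps1",
    r"ts=2025-05-12T12:00:00Z|host=SRV-DC1|user=CORP\svc_admin|image=C:\Windows\System32\wbem\wmic.exe|parent=C:\Windows\System32\cmd.exe|cmd=wmic os get version",
]


def run_demo():
    """Build the baseline from BASELINE_LOG and evaluate CURRENT_LOG against it."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return detect(parse_log(CURRENT_LOG), baseline)


if __name__ == "__main__":
    for finding in run_demo():
        print(f"{finding['ts']} {finding['host']} {finding['user']} {finding['tool']}: "
              + "; ".join(finding["reasons"]))
```

Run as a script, the demo prints two findings: jdoe running wmic for the first time, and mlee's PowerShell launched from Word. In practice the baseline window should be long enough to capture legitimate administrative routines, and findings from service accounts still warrant review because a compromised account's "normal" tools are exactly the ones an attacker living off the land will reuse.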

Need Help Now? Whether you need help responding to an incident or are just trying to better prepare for one, we can help. Contact us at 833-568-6695 or email our team directly at incident@moxfive.com.