
Threat Group Activity Tripled in 2025, Dataminr Study Finds

Threat actor activity surged 225% in 2025, with alerts tripling and identity-based attacks rising, according to Dataminr’s Cyber Threat Landscape Report

Written By
Luis Millares
Feb 18, 2026

Threat group activity tripled in 2025 compared to 2024, according to Dataminr’s inaugural Cyber Threat Landscape Report.

Designed to provide cybersecurity teams with actionable insight into an evolving threat landscape, the report aims to help professionals identify and understand trends that can strengthen ongoing protection efforts for their organization.

Significant uptick in alert and threat activity

The report found a 225 percent surge in threat actor activity in 2025, with average monthly alerts rising from 1,490 to 4,840. The analysis was based on Dataminr’s tracking of 6,500 threat actors to identify major shifts in attacker behavior.

“The problem is bigger than alert fatigue. As threat actors ramp up their attacks, it’s becoming increasingly difficult for security analysts to keep up,” said Dataminr in an official statement.

Dataminr also observed that several threat actors in 2025 re-exploited initial vendor fixes to compromise victims.

One example cited was Microsoft SharePoint vulnerabilities CVE-2025-49706 and CVE-2025-49704, which were reportedly bypassed within days of the July patches. That led to secondary CVEs, CVE-2025-53770 and CVE-2025-53771, tied to the same underlying flaws.

“These recurring bypasses highlight a systemic failure in traditional vulnerability management. Organizations are shifting to prioritize fixes based on real-world exploitability and live telemetry rather than static CVSS scores,” Dataminr said.


Identity-focused attacks and other key findings

Alongside the rise in alerts, the study highlighted the growing prevalence of “identity-centric” tactics. It identified a shift away from traditional exploits toward identity-focused attacks, with people increasingly serving as the primary entry point through AI-enhanced social engineering. 

The report cited Scattered Lapsus$ Hunters (SLH) as one example, noting the group’s use of AI-enhanced voice phishing (vishing) to bypass technical security controls.

Other key findings include:

  • Qilin emerged as the most active ransomware group of the year, consolidating the market by offering high affiliate payouts and a stable platform.
  • 2025 marked a shift from frequent cyber losses to fewer events with materially larger financial impacts.
  • Dwell time continued to collapse, with the window between initial targeting and data exfiltration effectively shrinking to near zero.
  • Digital risk and exposure grew sharply, as organizations faced an overwhelming volume of external threats beyond their immediate infrastructure.

In terms of methodology, the Cyber Threat Landscape Report used both qualitative and quantitative methods and relied primarily on data from Dataminr and ThreatConnect. This included more than 43 terabytes of event, threat, and risk signals ingested by Dataminr daily.

Last year, Dataminr acquired cybersecurity platform ThreatConnect for $290 million, aiming to combine real-time event intelligence with deeper contextualization capabilities.
