Trellix’s latest CyberThreat Report, published for October 2025 and covering activity observed between April and September 2025, highlights a significant increase in cybercriminals’ adoption of AI-powered malware and tooling, alongside a threat landscape shaped by geopolitical tensions and sophisticated ransomware campaigns.
The report, compiled by the Trellix Advanced Research Center, details that cybercriminals are increasingly integrating AI into their existing tools to accelerate malware development, or using it to build new AI-powered tools outright, exemplified by the AI-powered infostealer LameHug. The report also identifies fully automated, AI-generated ransomware hosted on GitHub.
John Fokker, VP of Threat Intelligence Strategy at Trellix, noted, “We’re seeing a transformation of threat actor behavior, with two clear and converging trends: automation and geopolitical malice. As threat actors near the AI adoption inflection point, demonstrating a more structured use of AI-powered attack methods over the last six months, they’ll be able to chain multiple AI-driven attacks with unprecedented fluidity, significantly shortening and diversifying the time required to execute an attack. Consequently, security teams must prioritize a defense-in-depth strategy, focusing on multiple detection opportunities across the entire attack kill-chain.”
The research also revealed a convergence of nation-state operations and financially motivated campaigns, resulting in an escalation of attack speed and breadth across various sectors. The analysis recorded 540,974 total Advanced Persistent Threat (APT) detections across 1,221 unique campaigns spanning 121 countries and 14 sectors. Türkiye and the United States registered the highest number of detections, with the telecommunications sector being a primary target.
Key findings underscore a shift from traditional malware toward “malware-less” insider threats, most notably the DPRK IT worker campaign, in which North Korean operatives obtain employment at American organizations and use the legitimate access that comes with it, rather than a malicious payload, to infiltrate them. Separately, the Russian-speaking ransomware group Qilin has rapidly become a dominant player following the decline of RansomHub. Qilin’s targeting favors industrial organizations (29.25% of its attacks), followed by consumer services (16.10%) and financials (9.52%).
Threat actors also actively exploited vulnerabilities in enterprise applications and open-source software, targeting foundational weaknesses in the software supply chain. The report notes that awareness of the risks posed by the proliferation of vulnerabilities in development tools grew during the reporting period.
Frank Dickson, VP Security & Trust at IDC, stated, “The evolving cyber landscape and ever-present threat of attack demands organizations adopt actionable threat intelligence approaches.” The report argues that advances in AI automation and the adoption of proactive, operational threat intelligence are crucial for building organizational resilience and narrowing the gap between detection and response. It also stresses continued collaboration, focus, and investment in public-private information sharing as essential to effective defense, framing cybersecurity as a shared responsibility.
The CyberThreat Report: October 2025 draws on proprietary data from Trellix’s sensor network, Trellix Advanced Research Center investigations into nation-state and cybercriminal activity, and open- and closed-source intelligence, supplemented by AI-assisted data gathering to improve the depth and timeliness of its insights. Its findings are based on threat-detection telemetry reported by the AI-powered Trellix Security Platform.