Top Takeaways from IBM’s 2025 X‑Force Threat Intelligence Index

Every year, IBM’s X-Force Threat Intelligence Index provides a critical pulse check on the evolving global threat landscape. The 2025 edition offers a sobering look at the shifting strategies of cybercriminals, with a clear theme emerging: stealth, identity compromise, and data theft now dominate the threat actor playbook.

This isn’t just a report about cybercrime trends; instead, it’s a roadmap for how defenders must adapt if they hope to outpace adversaries who are rapidly evolving, leveraging advanced tools, and exploiting systemic weaknesses faster than organizations can respond.

Below, we unpack the key findings from the report, with deeper insight into what they mean for security teams, CISOs, and enterprise decision-makers navigating this increasingly complex terrain.

1. Identity is the New Perimeter (and the New Primary Target)

One of the most striking findings from the 2025 report is the rapid rise in identity-based intrusions. Attackers are no longer solely reliant on brute-force tactics or exploitation of software vulnerabilities. Instead, they are choosing to log in rather than break in.

In fact, 30% of all intrusions examined by IBM’s incident response teams involved the use of valid, compromised credentials. This trend reflects a significant evolution in attacker methodology: the perimeter is no longer the firewall—it’s the user. Credentials stolen through phishing, purchased on dark web forums, or harvested through infostealer malware now offer cybercriminals low-friction access to enterprise systems, often without triggering alarms, because a login with a valid password looks like ordinary activity unless its context (device, location, timing, and concurrent sessions) is examined.

Phishing continues to play a key role in these identity-driven attacks, though its purpose has shifted. It is no longer primarily used to infect endpoints directly with ransomware. Instead, attackers are deploying infostealers like RedLine, Vidar, and Lumma, which operate silently, collecting browser-stored passwords, session cookies, and credentials for VPNs, SaaS platforms, and internal portals. A stolen session cookie is particularly valuable: it represents a session that has already passed MFA, so replaying it lets the attacker bypass the second factor entirely.

IBM’s data shows an 84% increase, measured per week, in infostealers delivered via phishing email compared with the prior year. These credentials serve as keys for follow-on attacks where the adversary can impersonate users, escalate privileges, or pivot into cloud environments—all while appearing legitimate to security tools.
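The practical question this section raises is what a valid-credential intrusion looks like in logs when the login itself succeeds. The following detector is an added example written for this article, not IBM or Packetlabs code; the JSON events, field names, and thresholds are constructed for illustration. It applies three checks over sign-in and authenticated-request events: impossible travel between successful logins, a session cookie reused from a different client fingerprint (the server-side footprint of an infostealer-harvested cookie), and a single source address succeeding against several accounts (a purchased or harvested credential set being worked through).

```python
"""Flag valid-credential abuse in authentication logs.

Added example for this article; the events, field names and thresholds
are constructed here and are not IBM data or any vendor's log schema.
  1. impossible_travel - one account, two countries, too little time apart
  2. session_replay    - a session cookie reused from a different client
  3. shared_source_ip  - one address logging into several accounts
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

TRAVEL_WINDOW = timedelta(minutes=60)  # assumed: two countries inside an hour
SHARED_IP_ACCOUNTS = 3                 # assumed: one IP succeeding for 3+ accounts

# Constructed sample events (JSON lines), not from any real system.
SAMPLE_EVENTS = [
    '{"ts":"2025-03-03T09:00:00Z","type":"login","result":"success","user":"jdoe","ip":"203.0.113.5","country":"CA","ua":"Chrome/122 Windows","session":"sess-A1"}',
    '{"ts":"2025-03-03T09:05:00Z","type":"request","user":"jdoe","ip":"203.0.113.5","country":"CA","ua":"Chrome/122 Windows","session":"sess-A1"}',
    # the same cookie, minutes later, from another country and browser
    '{"ts":"2025-03-03T09:20:00Z","type":"request","user":"jdoe","ip":"198.51.100.7","country":"DE","ua":"Firefox/124 Linux","session":"sess-A1"}',
    '{"ts":"2025-03-03T09:30:00Z","type":"login","result":"success","user":"asmith","ip":"192.0.2.44","country":"US","ua":"Chrome/122 macOS","session":"sess-B2"}',
    # a fresh login with jdoe's password from a third country, 40 min after Toronto
    '{"ts":"2025-03-03T09:40:00Z","type":"login","result":"success","user":"jdoe","ip":"198.51.100.9","country":"NL","ua":"Firefox/124 Linux","session":"sess-C3"}',
    '{"ts":"2025-03-03T10:00:00Z","type":"login","result":"success","user":"bchen","ip":"198.51.100.9","country":"NL","ua":"Firefox/124 Linux","session":"sess-D4"}',
    '{"ts":"2025-03-03T10:02:00Z","type":"login","result":"failure","user":"dlee","ip":"198.51.100.9","country":"NL","ua":"Firefox/124 Linux","session":""}',
    '{"ts":"2025-03-03T10:05:00Z","type":"login","result":"success","user":"dlee","ip":"198.51.100.9","country":"NL","ua":"Firefox/124 Linux","session":"sess-E5"}',
]


def parse_events(lines):
    """Parse JSON lines into dicts with a datetime timestamp, oldest first."""
    events = []
    for line in lines:
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(lines):
    """Return (rule, subject, detail) tuples in the order the evidence appears."""
    alerts = []
    last_login = {}                  # user -> most recent successful login
    session_origin = {}              # session id -> (ip, ua) at first sight
    accounts_per_ip = defaultdict(set)
    for e in parse_events(lines):
        if e["type"] == "login" and e["result"] != "success":
            continue                 # failures feed brute-force rules, not these
        user, fingerprint = e["user"], (e["ip"], e["ua"])

        # Session check runs on every authenticated event, not just logins:
        # a replayed stolen cookie never produces a login record at all.
        first = session_origin.setdefault(e["session"], fingerprint)
        if first != fingerprint:
            alerts.append(("session_replay", user,
                           f"{e['session']} first seen from {first}, now {fingerprint}"))

        if e["type"] != "login":
            continue
        prev = last_login.get(user)
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] <= TRAVEL_WINDOW:
            minutes = int((e["ts"] - prev["ts"]).total_seconds() // 60)
            alerts.append(("impossible_travel", user,
                           f"{prev['country']} -> {e['country']} in {minutes} min"))
        last_login[user] = e

        accounts_per_ip[e["ip"]].add(user)
        if len(accounts_per_ip[e["ip"]]) == SHARED_IP_ACCOUNTS:
            alerts.append(("shared_source_ip", e["ip"],
                           f"{SHARED_IP_ACCOUNTS} accounts: {sorted(accounts_per_ip[e['ip']])}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert, sep=" | ")
```

Run against the constructed events it raises exactly three alerts: the cookie replay at 09:20, the impossible travel at 09:40, and the shared source address once the third account succeeds. None of the three rules needs a password failure to fire, which is the point: the signal in a log-in-rather-than-break-in intrusion is context, not authentication errors.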

2. Critical Infrastructure and Manufacturing Remain Top Targets

For the fourth year in a row, the manufacturing sector topped the list of most targeted industries. These attacks are driven not just by the pursuit of ransom payments, but by the high value of proprietary designs, supply chain disruption potential, and often outdated operational technology environments. Extortion remains the dominant attack objective within this vertical, accounting for 29% of all attacks, followed closely by data theft at 24%. The reason is clear: manufacturers often have sprawling networks, complex legacy systems, and inadequate segmentation between IT and OT environments, making them ideal targets for attackers seeking both profit and disruption.

More broadly, IBM reported that a staggering 70% of the attacks X-Force responded to in 2024 were directed at organizations within critical infrastructure sectors. This includes not only manufacturing but also energy, transportation, financial services, and healthcare. Many of these intrusions leveraged vulnerabilities in internet-facing systems—most notably unpatched web applications, remote access gateways, and outdated cloud infrastructure. The continued reliance on legacy technologies and the growing exposure of connected systems leave these sectors in a near-constant state of exposure.

3. Ransomware Activity Declines, But Data Theft Surges

IBM’s 2025 X-Force report shows a marked decline in encryption-based ransomware attacks, which previously dominated the malware threat landscape.

Insights from this takeaway include:

  • Despite ransomware still accounting for 28% of malware cases, the overall volume is decreasing year-over-year.

  • This decline is not due to reduced criminal intent but reflects tactical adaptation by threat actors seeking lower-risk, higher-reward strategies.

  • Attackers now increasingly focus on data exfiltration over encryption, stealing sensitive files for sale, extortion, or geopolitical leverage.

  • Exfiltrated data is often:

    • Sold on Dark Web marketplaces

    • Used in doxing and extortion schemes

    • Leveraged in state-sponsored espionage operations

  • A growing trend is double extortion without encryption:

    • Adversaries quietly exfiltrate sensitive data.

    • Victims are threatened with public exposure if they don’t pay.

  • This method is faster, more covert, and harder for defenders to detect in real time.

According to IBM, data theft attacks (18%) now outnumber encryption-based ransomware attacks (11%), marking a shift toward high-impact, low-visibility cybercrime.
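Because extortion without encryption leaves no ransom note and no mass file rewrite, the detectable event is the exfiltration itself: an unusually large outbound transfer, often to a destination the host has never talked to. The following is an added example for this article (not IBM or Packetlabs tooling) that applies those two signals to constructed per-host egress summaries of the kind a firewall or NetFlow collector produces; the hosts, destinations, byte counts, and thresholds are all assumed for illustration.

```python
"""Flag exfiltration-shaped egress in constructed per-host flow summaries.

Added example for this article, not IBM's or Packetlabs' tooling. Input rows
are (day, host, destination, bytes_out); rows and thresholds are constructed.
  1. new_destination - a large transfer to a host absent from the baseline
  2. volume_spike    - a day whose total egress dwarfs the host's own median
"""
from collections import defaultdict
from statistics import median

BASELINE_DAYS = 5                   # assumed: first five days define "normal"
SPIKE_FACTOR = 5                    # assumed: 5x the baseline median is a spike
NEW_DEST_MIN_BYTES = 100_000_000    # assumed: >=100 MB to an unknown host matters

SAMPLE_FLOWS = [
    # fileserver01 normally sends ~2 GB/day to backup plus a little CDN traffic
    *[(f"d0{i}", "fileserver01", "backup.example.net", 2_000_000_000) for i in range(1, 6)],
    *[(f"d0{i}", "fileserver01", "cdn.example.com", 50_000_000) for i in range(1, 6)],
    ("d06", "fileserver01", "backup.example.net", 2_000_000_000),
    ("d06", "fileserver01", "203.0.113.80", 40_000_000_000),  # 40 GB to a never-seen host
    # workstation07 changes a little but stays within its own pattern
    *[(f"d0{i}", "workstation07", "saas.example.com", 100_000_000) for i in range(1, 6)],
    ("d06", "workstation07", "saas.example.com", 120_000_000),
    ("d06", "workstation07", "updates.example.org", 5_000_000),  # new but tiny: no alert
]


def detect_exfil(flows, baseline_days=BASELINE_DAYS):
    """Return alerts sorted by day, then host.

    Shapes: ("new_destination", host, day, dest, bytes)
            ("volume_spike", host, day, day_total, baseline_median)
    """
    days = sorted({row[0] for row in flows})
    baseline = set(days[:baseline_days])
    daily_total = defaultdict(lambda: defaultdict(int))  # host -> day -> bytes
    known_dests = defaultdict(set)                       # host -> dests in baseline
    for day, host, dest, nbytes in flows:
        daily_total[host][day] += nbytes
        if day in baseline:
            known_dests[host].add(dest)

    alerts = []
    for day, host, dest, nbytes in flows:
        if day not in baseline and dest not in known_dests[host] and nbytes >= NEW_DEST_MIN_BYTES:
            alerts.append(("new_destination", host, day, dest, nbytes))
    for host, per_day in daily_total.items():
        base = [b for d, b in per_day.items() if d in baseline]
        if not base:
            continue                 # host first seen after the baseline window
        typical = median(base)
        for day, total in per_day.items():
            if day not in baseline and total > SPIKE_FACTOR * typical:
                alerts.append(("volume_spike", host, day, total, typical))
    return sorted(alerts, key=lambda a: (a[2], a[1], a[0]))


if __name__ == "__main__":
    for alert in detect_exfil(SAMPLE_FLOWS):
        print(*alert, sep=" | ")
```

On the constructed data the file server's 40 GB to an unfamiliar address fires both rules on day six, while the workstation's small transfer to a new update host stays quiet. A per-host median is deliberate: a fleet-wide threshold would either drown in backup traffic from servers or miss a workstation that suddenly sends ten times its usual volume.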

4. There Are Geopolitical Shifts in Play

Geopolitically, the X-Force report reveals a significant shift in the regional distribution of attacks. The Asia-Pacific (APAC) region now represents the largest share of total attacks at 34%, surpassing North America, which accounts for 24%. This reflects the increasing global influence of APAC economies, their growing digital infrastructure, and the critical role they play in global supply chains. From advanced manufacturing hubs to cloud infrastructure centers, organizations in this region are now prime targets for both financially motivated cybercriminals and state-sponsored adversaries.

North America, while slightly behind in volume, remains a high-value target due to its concentration of Fortune 500 companies, financial institutions, and federal agencies. Attacks in this region continue to focus on credential harvesting, BEC (business email compromise), and long-dwell reconnaissance activity. The data also suggests that attackers are becoming more strategic in selecting targets, pursuing not just volume but strategic disruption and valuable data.

5. Vulnerability Exploits and Dark Web Acceleration

Despite the emphasis on credential abuse, attackers continue to exploit known vulnerabilities at scale. This is especially true when exploit code is readily available. IBM reported that four of the top ten most discussed vulnerabilities on the dark web were tied to state-linked threat actors and had publicly available exploit code. The window between disclosure and exploitation is shrinking, with some vulnerabilities being weaponized in the wild within days of being published.

This underscores the critical need for organizations to maintain tight vulnerability management programs. Timely patching, continuous external attack surface management, and dark web intelligence integration are no longer nice-to-haves—they are foundational controls. Without them, even organizations with strong internal defenses may find themselves exposed to opportunistic exploits and APT-led intrusion campaigns.

6. AI Tools Are Enhancing Attacker Capabilities

The growing accessibility of generative AI tools has not gone unnoticed by threat actors. While IBM did not observe widespread breaches involving AI infrastructure in 2024 and the start of 2025, threat actors are actively using AI to enhance their operations. Malicious actors now use AI to write more convincing phishing lures, clone websites for credential harvesting, generate deepfake content for social engineering, and even assist with malware code generation.

These tools lower the barrier of entry for less sophisticated attackers while augmenting the capabilities of advanced groups. The result is an elevated threat from both ends of the spectrum. Organizations must now contend with phishing emails that are grammatically flawless, social media impersonations that mimic real employees, and malware variants that mutate too quickly for traditional signatures to catch.

Conclusion

The IBM X-Force 2025 Threat Intelligence Index paints a picture of a threat landscape that is rapidly evolving—not in brute force, but in precision, stealth, and speed. The common denominator across the most successful attacks is credential abuse, lax patching, and delayed detection. While the tools attackers use have changed, the gaps they exploit remain frustratingly consistent. Defenders must stop playing catch-up and start anticipating the next move.

Organizations should prioritize identity protection, reduce privilege sprawl, invest in EDR/XDR platforms with behavioral analytics, and implement rapid threat intelligence cycles that include Dark Web Monitoring. Proactive Red Team and assumed breach assessments, like those offered by Packetlabs, can help validate controls before they are tested by real adversaries. In an age where adversaries now log in rather than break in, resilience isn’t just about keeping them out—it’s about detecting them quickly and limiting what they can do once they’re in.
