Rapid7 has released its Q3 2025 Threat Landscape Report, highlighting accelerating exploitation timelines, new alliances among ransomware groups and growing use of generative AI to support attacker operations. The findings draw on telemetry from Rapid7’s intelligence platforms, incident response cases and managed detection and response (MDR) services.
The report shows that while the total number of newly exploited vulnerabilities fell by 21 per cent compared with the previous quarter, attackers are increasingly leaning on older, unpatched flaws — including vulnerabilities more than a decade old — to gain initial access. Recent mass exploitation of critical bugs in Microsoft SharePoint (CVE-2025-53770) and Cisco ASA/FTD systems underscored how quickly attackers now act once security gaps are made public.
Rapid7 says the traditional concept of measuring “time to patch” is becoming outdated, as exploitation frequently begins as soon as vulnerability details are disclosed.
Ransomware activity rose sharply, with 88 active groups tracked during the quarter, up from 65 in Q2. The report notes growing collaboration between cybercriminal groups, including alliances between operators such as Qilin, SafePay and WorldLeaks. These collectives are experimenting with tactics such as fileless intrusions, single-extortion leak operations and new affiliate services where senior members offer negotiation support to less experienced operators.

Rapid7 also reports an increasing use of generative AI in cyber operations. Attackers are using AI tools to produce more convincing phishing campaigns and to support adaptive malware capable of generating new commands on the fly. The report cites the LAMEHUG malware family as an example of this trend.
Nation-state activity from Russia, China and Iran remains focused on stealth and persistence, with operators targeting supply chains and identity systems in ways that blur the line between espionage and disruption.
Rapid7 says the data reflects a threat environment in which attackers exploit both new and longstanding weaknesses and are expanding their operational models through collaboration and automation.

