Latest report finds intensification of threats from China and Russia, increased exploitation of vulnerabilities, cybercriminal voice cloning tools for sale
RSAC CONFERENCE – Trellix, the company delivering the future of AI-powered cybersecurity, today issued The CyberThreat Report: April 2025, the latest research from the Trellix Advanced Research Center. The report investigates the cyberthreat landscape and the tools, techniques, and motivations of the most persistent and nefarious nation-state and cybercriminal actors. Notably, Trellix telemetry showed advanced persistent threat (APT) detections targeting the U.S. in Q1 2025 are 2.4 times or 136% higher than the level seen the prior quarter.
“The Trellix Advanced Research Center saw global threat detection volume from APT actors rise 45% alone from Q4 2024 to Q1 2025 – the landscape is acute, and the escalation of actor activity and increasing complexity of attack chains shouldn’t be overlooked,” said John Fokker, Head of Threat Intelligence, Trellix. “Operational threat intelligence is just one ingredient to building resilience and outpacing bad actors. The current landscape demands a cybersecurity approach that can address multi-vector threats with defense in breadth.”
The CyberThreat Report: April 2025 examines cyberthreat activity from October 1, 2024, to March 31, 2025. Key themes in the research include:
- Spikes in activity targeting the United States: APT detections targeting the U.S. increased 136% in Q1 2025 alone. When looking at APT activity directed at the U.S., 47% of detections were attributed to China and 35% to Russia-aligned groups. Further, the U.S. remains the primary target of ransomware activity and was the reported victim in 58% of ransomware posts.
- Intensification of threats linked to China: China-affiliated threat actors continued to evolve and refine their tactics, relying on exploiting zero-day and known vulnerabilities rather than traditional methods like phishing. The most active APT groups were China’s APT40 and Mustang Panda, with the two groups generating 46% of all detected APT activity. China-aligned APT41 showed a 113% increase in activity in Q1 2025 relative to the previous quarter.
- Heightened cyber activity originating from Russia: Trellix telemetry data identified a notable increase in threat activity linked to Russia-aligned cyber actors, particularly the Sandworm team, during the final quarter of 2024. Additionally, Russia-aligned APT29, also known as Midnight Blizzard, was the third most active APT group, directing most of its activities toward transportation and shipping (55%) and telecommunications (40%).
- Focus on telecom and technology sectors: While analysis of industry reports shows government institutions far outpaced other sectors as a target of malicious activity, Trellix observed APT detections targeting the telecommunications sector increased 92% in Q1. The technology sector saw an increase in APT-related detections as well, generating 119% more detections in Q1 2025 than Q4 2024.
- Expanding use of complex attack chains: The analysis of the vulnerability landscape revealed a sustained high level of malicious activity targeting known weaknesses in software and systems, along with increases in tool sophistication, greater emphasis on evasion, an evolution of post-exploitation frameworks, and more complex attack chains. Further, Trellix observed increased targeting of security software to compromise security infrastructure.
- AI-based cybercriminal tools: Analysis of tools for sale in the cybercriminal underground also found AI-based tools for sale for as little as 30 cents USD and profound developments in AI-based voice synthesis technology. The voice cloning technology for sale enables human-like interactions across multiple languages, and is particularly noteworthy in its ability to maintain context-aware conversations.
The CyberThreat Report: April 2025 includes proprietary data from Trellix’s sensor network, investigations into nation-state and cybercriminal activity by the Trellix Advanced Research Center, and open and closed-source intelligence. It integrates AI-assisted data gathering to enhance the depth and timeliness of insights. The report is based on telemetry related to threat detections, when a file, URL, IP address, suspicious email, network behavior, or other indicator is detected and reported by the AI-powered Trellix Security Platform.
Additional Resources:
- Trellix Advanced Research Center LinkedIn Newsletter
- The CyberThreat Report: April 2025
- Executive Summary | The CyberThreat Report: April 2025
- Trellix Insights in Action
- Trellix Threat Intelligence
- Advanced Research Center Reports
About the Trellix Advanced Research Center
The Trellix Advanced Research Center is at the forefront of research into the emerging methods, trends, and tools used by cyber threat actors across the global cyber threat landscape. Our elite team of researchers serves as the premier partner of CISOs, senior security leaders, and their security operations teams worldwide. The Trellix Advanced Research Center provides operational and strategic threat intelligence through cutting-edge content to security analysts, powers our industry-leading AI-powered cybersecurity platform, and offers intelligence products and services to customers globally. More at https://www.trellix.com/advanced-research-center.
Follow Trellix on LinkedIn and X.
View source version on businesswire.com: https://www.businesswire.com/news/home/20250429196302/en/
Contacts
Media Contact
Sarah Erman
media@trellix.com