Bitsight Threat Intelligence Briefing: Top TTPs Leveraged by Threat Actors in 2025
Introduction
As the global cyber threat landscape evolves, adversaries continue to refine and adapt their tactics. Bitsight threat intelligence indicates that there are several tactics, techniques, and procedures (TTPs) that are most commonly and consistently leveraged by threat actors.
These attacks are not isolated; they’re systemic. Threat actors are exploiting the growing interconnectivity of enterprise and industrial systems to gain access, move laterally, exfiltrate sensitive data, and disrupt business-critical operations.
By mapping these TTPs to the MITRE ATT&CK framework, Bitsight provides defenders with a structured, intelligence-led understanding of adversary behavior, empowering organizations to detect and disrupt threats earlier in the kill chain.
Top techniques mapped to MITRE ATT&CK
Below are the most frequently observed techniques in recent campaigns, organized by MITRE ATT&CK category.
Initial access
- Exploiting Public-Facing Applications (T1190)
Attackers continue to exploit internet-facing vulnerabilities to gain initial access and execute code remotely. In 2025, threat actors have actively abused newly discovered flaws such as CVE-2025-58360, a critical XML External Entity (XXE) vulnerability in GeoServer added to CISA’s Known Exploited Vulnerabilities catalog, which allows unauthorized file access and other malicious actions when left unpatched.
- Phishing (T1566.001)
Phishing remains one of the most common entry points for threat actors. According to Bitsight threat intelligence and observed research, adversaries continue to rely on phishing and targeted spear-phishing campaigns that mimic trusted internal communications to harvest credentials and gain initial access. These campaigns often direct victims to fraudulent login portals or other spoofed resources designed to capture sensitive information such as personally identifiable information (PII).
Execution
- Command and Scripting Interpreter (T1059)
Post-compromise, adversaries often execute payloads via PowerShell (T1059.001) to automate reconnaissance, persistence, or data exfiltration, while evading traditional antivirus detection.
Credential access
- OS Credential Dumping (T1003.001)
Tools like Mimikatz remain widely used to steal credentials directly from system memory, enabling privilege escalation and lateral movement within enterprise networks.
Persistence
- Scheduled Task/Job (T1053) and Registry Run Keys (T1547.001)
Creating scheduled jobs or modifying registry keys are still among the most common persistence mechanisms. These ensure that malware reactivates even after system reboots.
Exfiltration and impact
- Exfiltration Over Web Services (T1567.002)
Attackers are exfiltrating data via trusted platforms (e.g., cloud storage) to avoid detection and blend with legitimate network traffic. CISA’s eviction strategies documentation describes Exfiltration to Cloud Storage, noting that adversaries may misuse services like Dropbox and Google Docs to transfer stolen data because hosts within the victim network often already communicate with these services, providing cover and reducing suspicion.
- Data Encrypted for Impact (T1486) and Data Destruction (T1485)
Ransomware and wiper operations remain top threats, with adversaries encrypting or destroying data to extort victims and disrupt operations.
Infrastructure abuse
- Reflection/Amplification (T1498.002)
Adversaries use reflection and amplification to generate large-scale DDoS traffic by abusing misconfigured or exposed network services to magnify spoofed requests. These volumetric attacks can overwhelm upstream links in seconds, disrupting online services across sectors, including financial services, and are often used as a smokescreen to complicate incident response. Recent reporting on botnets such as Aisuru highlights how hyper-volumetric UDP-based attacks can cause collateral disruption across ISPs, gaming platforms, hosting providers, and financial institutions.
Supply chain compromise
- Resource Hijacking (T1496)
Attackers are targeting service providers to infiltrate supply chains (e.g. npm supply chain attack). By hijacking partner infrastructure, they can propagate malware or conduct stealthy C2 operations across multiple organizations simultaneously.
Bypassing security measures
Modern threat actors prioritize defense evasion as much as intrusion. Bitsight has observed the following recurring behaviors:
- Disabling Microsoft Defender and tampering with EDR processes.
- Altering Group Policy Objects (GPOs) to weaken enterprise-wide controls.
- Modifying or deleting event logs to remove forensic traces.
Emerging adversary activity
- North Korea–aligned threat actors
North Korea-aligned, state-sponsored threat actors conduct global espionage and ransomware operations in support of the DPRK’s military and nuclear programs. According to a joint advisory from CISA, the FBI, the NSA, and international partners, these actors primarily target defense, aerospace, nuclear, and engineering organizations to steal sensitive technical information and intellectual property. They gain initial access by exploiting known vulnerabilities in public-facing web servers, including Log4j and other widely used software, then deploy web shells, conduct system discovery, escalate privileges, and leverage custom malware, remote access tools, and dual-use utilities for execution, lateral movement, and data exfiltration. These actors also conduct phishing operations using malicious LNK and HTA attachments and fund portions of their espionage activity through ransomware attacks against US healthcare organizations.
- China–aligned threat actors
Increasingly active in telecommunications, manufacturing, and energy, China-aligned actors exploit edge devices and conduct phishing and credential-harvesting operations. Their focus remains long-term persistence and supply chain infiltration.
MITRE ATT&CK technique summary
| Category | Technique (MITRE ID) | Description / Observed Use |
|---|---|---|
| Initial Access | Exploit Public-Facing Application (T1190) | Vulnerabilities in web apps like Log4j and SonicWall exploited for access. |
| Initial Access | Phishing (T1566.001) | Credential harvesting via spear phishing and QR-based “quishing.” |
| Execution | Command & Scripting Interpreter (T1059.001) | PowerShell used for payload execution and evasion. |
| Credential Access | OS Credential Dumping (T1003.001) | Mimikatz extracts credentials from system memory. |
| Persistence | Scheduled Task/Job (T1053), Registry Run Keys (T1547.001) | Ensures persistence post-reboot or restart. |
| Exfiltration | Exfiltration Over Web Services (T1567.002) | Data exfiltration through trusted platforms. |
| Impact | Data Encrypted for Impact (T1486), Data Destruction (T1485) | Ransomware and wipers used for extortion/disruption. |
| Infrastructure Abuse | Reflection/Amplification (T1498.002) | DNS/NTP abuse for DDoS attacks. |
| Supply Chain | Resource Hijacking (T1496) | Compromise of third-party infrastructure to reach targets. |
| Defense Evasion | Modify GPOs / Disable Security Tools | Attackers disable endpoint defenses and alter system policies. |
Strategic recommendations
Organizations can strengthen defenses and mitigate these risks through proactive measures:
- Prioritize patch management: Patch high-risk vulnerabilities, especially those with known exploits.
- Enhance phishing defenses: Implement advanced email filtering, user awareness training, and anti-quishing measures.
- Adopt multi-factor authentication (MFA): MFA prevents the majority of credential-based intrusions.
- Enforce configuration integrity: Audit and monitor critical settings such as GPOs, firewall rules, and endpoint protections.
- Align with MITRE ATT&CK for detection: Configure EDR/SIEM solutions to monitor for specific TTPs listed above.
- Harden endpoint detection & response (EDR): Invest in tools that provide deep behavioral analytics and automated response.
- Test and evolve incident response plans: Run MITRE ATT&CK–aligned tabletop exercises to test detection and containment capabilities.
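As an added example (not Bitsight's code and not part of the original briefing), the following Python rule set shows what "align with MITRE ATT&CK for detection" looks like in practice for the persistence (T1053, T1547.001) and defense-evasion (Defender tampering, log clearing) behaviors described above: it maps normalized Windows telemetry to technique IDs. It assumes standard Windows Security event IDs (4698 task created, 1102 audit log cleared) and Sysmon event 13 (registry value set); the sample events, host names and paths are constructed, and T1562.001 / T1070.001 are ATT&CK IDs for the defense-evasion rows, which the briefing lists without IDs.

```python
"""Toy SIEM rules mapping normalized Windows events to ATT&CK techniques."""
import re

# Constructed sample telemetry (not real data): one record per event.
SAMPLE_EVENTS = [
    {"id": 4698, "channel": "Security", "host": "ws01", "task": r"\Updater",
     "cmd": "powershell.exe -nop -w hidden -enc AAAA"},
    {"id": 13, "channel": "Sysmon", "host": "ws01",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svc",
     "details": r"C:\Users\Public\svc.exe"},
    {"id": 13, "channel": "Sysmon", "host": "ws01",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "details": "DWORD (0x00000001)"},
    {"id": 1102, "channel": "Security", "host": "ws01", "subject": r"CORP\admin"},
    {"id": 4698, "channel": "Security", "host": "ws02",
     "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "cmd": "defrag.exe -c"},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
DEFENDER_POLICY_OFF = re.compile(r"Windows Defender\\Disable\w+", re.IGNORECASE)
INTERPRETER = re.compile(r"powershell|cmd\.exe|wscript|cscript|mshta", re.IGNORECASE)


def classify(ev):
    """Return (technique_id, reason) for a matching event, else None."""
    if ev["id"] == 4698:
        # T1053: new scheduled task; only flag tasks that launch an interpreter,
        # which also covers the T1059.001 execution pattern in the briefing.
        if INTERPRETER.search(ev.get("cmd", "")):
            return ("T1053", f"task {ev['task']} runs interpreter: {ev['cmd']}")
        return None
    if ev["id"] == 13:
        if RUN_KEY.search(ev["target"]):
            return ("T1547.001", f"Run key set {ev['target']} -> {ev['details']}")
        if DEFENDER_POLICY_OFF.search(ev["target"]) and "0x00000001" in ev["details"]:
            return ("T1562.001", f"Defender disabled by policy value {ev['target']}")
        return None
    if ev["id"] == 1102:
        return ("T1070.001", f"Security log cleared by {ev.get('subject', '?')}")
    return None


def scan(events):
    """Run every rule over the stream and return the alerts in event order."""
    alerts = []
    for ev in events:
        hit = classify(ev)
        if hit:
            alerts.append({"host": ev["host"], "technique": hit[0], "reason": hit[1]})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The benign defrag task on ws02 produces no alert, which is the point of keying the scheduled-task rule on the launched binary rather than on task creation alone.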
Conclusion
The modern threat landscape demands continuous visibility, intelligence, and adaptability. Adversaries are not only exploiting technical weaknesses but also operational blind spots within organizations and their partners.
By leveraging Bitsight Threat Intelligence and aligning defenses to the MITRE ATT&CK framework, organizations can bridge the gap between detection and prevention, transforming threat data into actionable defense strategies.
Proactive security posture management, visibility into supply-chain exposure, and behavior-based monitoring remain the cornerstones of resilience in 2025 and beyond.
About Bitsight Threat Intelligence
Bitsight provides the industry’s leading cyber risk and threat intelligence platform, offering organizations visibility into their security posture and the threats targeting their digital ecosystem.
Bitsight’s Threat Intelligence team continuously analyzes adversary behavior, uncovering insights into emerging vulnerabilities, exploit trends, and attacker infrastructure. By integrating these insights into security operations, organizations can:
- Detect active exploitation earlier,
- Prioritize mitigation of high-impact risks, and
- Strengthen resilience against evolving global threats.