Non-mobile IT threats evolve into industrial-scale attacks in Q3 2025
While ransomware grabs headlines, automated exploit kits, modular malware, and AI-assisted attacks drive unprecedented growth in non-mobile threats.
• Over 389 million online attacks, 52 million malicious links, and 21 million dangerous files were blocked.
• Ransomware hit nearly 85,000 users, with 2,200 new variants; Qilin, Akira, and INC Ransom were most active.
• AI-assisted malware (Claude, PromptLock) lowered the barrier for ransomware creation, accelerating growth.
Something significant is shifting inside the cybercrime economy. Non-mobile threats, those targeting traditional computing systems such as desktops, servers and corporate networks, no longer look like isolated, improvised break-ins. They are starting to resemble a mature industry, complete with supply chains, division of labour, and increasingly automated production.
For years, this space relied heavily on a narrow pool of highly skilled operators. That barrier has now eroded. Attackers no longer need deep expertise; they only need access to automated tools, many of which now incorporate AI. And Q3 2025 offered clear evidence of that change.
Kaspersky’s report highlights the scale of this acceleration. More than 389 million online attacks were blocked, the by-product of automated exploit kits that now crawl the internet continuously. Another 52 million malicious links were intercepted, many generated by cloned websites or poisoned ad networks. More than 21 million malicious files were stopped, many of them repacked through modular builders that churn out new malware with factory-like repetition.
These figures are the output of an ecosystem that has learned to scale more efficiently than defenders can respond.
How AI Became the New Criminal Workforce
The biggest transformation of the quarter, and the most alarming, came from AI.
The quarter showed that a structural shift is underway: low-skilled attackers are now using large language models to generate ransomware, build supporting scripts, and even run full ransomware-as-a-service operations.
Kaspersky’s reporting highlights how accessible these capabilities have become. In one case described by researchers, an attacker with a limited technical background used Claude to assemble a functional ransomware toolkit, complete with network-wide locking features, anti-detection routines and encryption workflows.
Another example, PromptLock, reportedly embedded prompts into its malware components, enabling the malware to request fresh data-theft or encryption scripts from an LLM during execution.
These developments help explain the surge in ransomware activity during Q3, with as many as 2,200 new variants emerging and nearly 85,000 users potentially targeted, according to Kaspersky.
Attacks Grew Even as Law Enforcement Fought Back
Investigators made meaningful progress in Q3, but each breakthrough revealed how fluid the threat ecosystem has become. The UK’s NCA arrested a suspect linked to the HardBit ransomware attack on several European airports. HardBit spread quickly because attackers found unprotected access points, proving once again that a weak perimeter matters more than technical sophistication.
In the US, the Department of Justice charged the administrator behind LockerGoga, MegaCortex, and Nefilim, families tied to years of coordinated enterprise breaches. Authorities also seized over $2.8 million connected to Zeppelin operations. A major multinational effort led by the FBI, HSI, IRS, and global partners dismantled significant parts of BlackSuit’s infrastructure, pulling servers, domains, and more than $1 million in crypto offline.
Still, attacks continued to rise. Takedowns often trigger fragmentation: operators rebrand, affiliates scatter, and leaked source code circulates. Those fragments eventually reach newcomers who may lack technical skill but now have AI-driven tools that narrow the gap instantly. This environment contributed to a noticeable increase in new ransomware modifications, up nearly a third from the previous quarter.
Exploits and Social Engineering Fuelled the Most Breaches
Three major campaigns illustrated the real forces behind many of the quarter’s breaches.
Akira exploited a SonicWall vulnerability that enabled credential theft and MFA bypass, and it persisted largely because organisations misapplied patches. Scattered Spider bypassed technical barriers entirely by manipulating IT support teams into granting access to VMware environments before deploying ransomware across entire infrastructures.
Meanwhile, a ToolShell-based campaign against SharePoint servers introduced the Go-based 4L4MD4R strain, hitting more than 140 organisations and contributing to the growth in new ransomware variants.
In each case, human error, slow patching, and operational weaknesses were the main drivers behind the breaches, issues also reflected in the high volume of malicious files and links detected.
Ransomware Groups that Drove the Quarter’s Activity
Qilin remained the most active group, responsible for 14.96% of victims listed on data-leak platforms. This highly organized Ransomware-as-a-Service (RaaS) operation has rapidly ascended by targeting large enterprises globally. Akira, another RaaS group known for developing cross-platform variants to hit both Windows and Linux systems, continued its upward trend with 10.02%. INC Ransom climbed into third place at 8.15%, driven by aggressive targeting of mid-sized enterprises through double extortion tactics. In contrast, the presence of Clop, a veteran Russian-speaking threat actor famous for its mass exploitation of zero-day vulnerabilities, shrank as several affiliates moved to newer, more profitable brands.
Across the quarter, Kaspersky detected four new ransomware families and 2,259 new modifications. A total of 84,903 users were protected, with July recording the highest activity. Israel had the largest share of attacked users globally at 1.42%, driven by behavioural detections triggered by a cluster of August campaigns.
macOS Threats, Crypto-Mining and IoT Attacks Held Their Ground
macOS malware continued to expand. PasivRobber added new modules and heavier obfuscation, fake VS Code and Cursor AI extensions delivered cryptostealers, and a fresh ChillyHell variant appeared signed with a valid developer certificate. Updated XCSSET campaigns targeted developers by infecting Xcode projects, a method that spreads primarily through trust in familiar tools.
Crypto-mining activity also grew. A total of 2,863 new miner modifications were logged, and 254,414 users were attacked worldwide. The highest infection ratios appeared in Senegal, Mali, and Afghanistan, driven by the prevalence of low-cost devices running outdated software.
IoT threats remained dominated by Mirai variants, still thriving due to unsecured routers and cameras. Across all these categories, the same pattern echoed: scale, automation, and replication.
The Bigger Pattern Emerging
All of these point to a deeper, industry-level transformation. Non-mobile threats are no longer the work of specialised experts. The ecosystem now runs on automated kits, recycled codebases, and AI-driven tooling that can generate, modify, and deploy threats at speed.
Attackers are increasingly defined not by what they know, but by the tools that amplify what they intend to do.
Skill is no longer the barrier; automation is. And those tools are now cheaper, faster, and more powerful than ever.