Smash and grab: Leak site post activity surges 50% during Q4

Feb 19, 2026

Beazley Security releases its Quarterly Threat Report, revealing a 50% uptick in cybercriminal groups publicly posting stolen data.

  • Applying patches and security updates quickly is critical, as attackers now move from break-in to damage in about a day.
  • A significant number of vulnerabilities exploited in Q4 were zero-day vulnerabilities, meaning organizations had no time to patch before threat actors abused them.
  • Email scams caused over a third of reported cyber incidents in Q4.
  • AI is beginning to change cyber threats, but not in the ways most people expected.

Beazley Security today releases its Quarterly Threat Report, revealing a sharp uptick in cybercriminal groups publicly posting stolen data online during Q4, with posts surging by 50%.

A total of 12,800 vulnerabilities were published in Q4; while only a small portion met the threshold for critical severity, that subset rose notably during the quarter, prompting Beazley Security Labs (BSL) to issue an increased number of advisories to clients and stakeholders. High-impact campaigns targeting firewalls, Windows update infrastructure, and commonly implemented web frameworks demonstrated how attackers continue to abuse widely deployed and trusted platforms to scale their attacks.

The ransomware ecosystem continues to evolve, with:

  • Akira dominating activity, representing the largest share of Beazley Security’s ransomware investigations, followed by Qilin. Together, they made up 65% of ransomware cases taken on by the cybersecurity firm.
  • Osiris emerged as a new and highly capable ransomware gang, with incident responders observing custom malware and tooling specifically designed to disable endpoint security controls.
  • SHSL, a new extortion collective including ShinyHunters and Scattered Spider, scaled up over the course of 2025 with aggressive social engineering campaigns and public data leak threats.

In a majority of cases (54%), threat actors gained access through compromised credentials accessing a VPN. This was followed by external service exploit (32%), social engineering (7%), compromised credentials accessing RDS (4%), and supply chain attack (4%).

Once the attackers got in, they followed a fast “smash and grab” approach, meaning they didn’t linger or spy for long. They typically launched ransomware and caused disruption within about a day.

Agentic AI influences threat landscape

Beazley Security is not seeing large-scale armies of autonomous attack agents as some predicted. However, it has observed threat actors leveraging AI in ways that automate and enhance operations.

The most visible examples are in AI-enhanced social engineering attacks over the past year, where increasingly convincing, AI-created “deepfake” voice and video media are used to improve the chances of obtaining sensitive data and credentials from intended victims.

During the quarter, Beazley Security identified a phishing email attack that appeared to be supported by AI “vibe coding”. In-depth analysis of the email revealed that part of the phish kit’s infrastructure, specifically a routing component built to verify its victims and evade security controls, had glaring security flaws in its code, indicating that its development may have been assisted by AI.

Francisco Donoso, Chief Product & Technology Officer at Beazley Security, commented:

"In Q4 2025, threat actors consistently abused identity systems and internet-facing vulnerabilities to gain initial access to organizations. A notable number of intrusions leveraged zero-day vulnerabilities, leaving neither vendors nor clients with an opportunity to patch before exploitation occurred. Non zero-day vulnerabilities were exploited within hours of Proof-of-Concept (PoC) exploits being published. We also saw increased sophistication in MFA bypass techniques, particularly adversary-in-the-middle attacks used to intercept authentication tokens and hijack active sessions. Nearly half of successful incidents we investigated involved cases where MFA was enabled on impacted accounts, underscoring the urgent need for phishing-resistant MFA & authentication methods.

“Looking ahead to 2026, we expect threat actors to further operationalize AI-assisted tradecraft to accelerate reconnaissance, enhance social engineering, and scale early-stage intrusions, ultimately driving more automated, agentic attacks against exposed web applications."

The full report can be viewed here: Quarterly Threat Report: Fourth Quarter, 2025
