Expel Quarterly Threat Report, Q2 2025: Threat intel recap
ID: df870bed-af25-580d-8bda-82fa1441f1c0
STIX ID: report--df870bed-af25-580d-8bda-82fa1441f1c0
Feed Name: Expel Blog
This Q2 2025 quarterly threat report summarizes observed attacker activity: identity-targeting social engineering (credential theft, help-desk MFA bypass, and the novel Atlas Lion tactic of enrolling malicious VMs), increasing ransomware-focused social engineering via Microsoft Teams (attributed to Black Basta and affiliates), and distribution of loaders and malware such as Latrodectus and OysterLoader via infected websites and malicious ads. It also highlights code-signing abuse and shifts in attacker tactics across thousands of incidents.
