Forescout’s newly released 2025H1 Threat Review (5 August 2025) reveals an alarming escalation in cybersecurity threats, including advanced ransomware operations, infostealer tactics like ClickFix, and a sophisticated Iranian state-linked campaign targeting OT/ICS environments. The report warns that legacy vulnerabilities and growing geopolitical tensions are fuelling highly disruptive cyber activity worldwide, with critical infrastructure in the crosshairs.
According to Forescout, between 1 January and 30 June 2025, ransomware attacks surged to 3,649 cases globally – a 36% year-over-year increase from H1 2024. The U.S. remains the top target, now accounting for 53% of global ransomware incidents. Cl0p surpassed LockBit to become the most active ransomware group, while LockBit dropped to 19th after a takedown in early 2024.
BSD and IP Cameras in the Crosshairs
Threat actors are targeting unconventional devices to bypass EDR systems. Notably, Akira ransomware was deployed via a compromised IP camera in March, and the VanHelsing group introduced a BSD-compatible encryptor – signaling a pivot toward less-defended systems.
Healthcare Under Siege: Ransomware, Infostealers, and Real-World Harm
In the first half of 2025:
- 341 breaches hit healthcare organizations, impacting 29.8 million individuals.
- 76% of breaches stemmed from hacking or IT incidents.
- One ransomware-linked delay in a UK blood test reportedly contributed to a patient’s death.
The Interlock ransomware group claimed responsibility for major U.S. attacks, including one breach involving 732,490 files and requiring three weeks for recovery.
Meanwhile, infostealer campaigns – particularly those using ClickFix social engineering techniques – spread rapidly in 2025, often via GitHub, SEO poisoning, Telegram bots, and cracked software sites.
OT/ICS Under Attack: Faketivist Fronts and Iranian Playbooks
The Rise of APT IRAN and the “Faketivist” Ecosystem
Forescout’s detailed analysis reveals a continuum of Iranian personas – ICTUS TEAM, CyberAv3ngers, and now APT IRAN – targeting Western OT/ICS systems under rotating identities to obfuscate attribution and stay ahead of sanctions.
Iranian actors executed verified attacks on Unitronics PLCs (Programmable Logic Controllers), defacing them across multiple U.S. water utilities. CyberAv3ngers was directly sanctioned by the U.S. in February 2024. Now, APT IRAN has emerged with similar tactics – including ransomware deployment for disruption, not ransom – and coordinated propaganda.
“These personas offer operational advantages to the IRGC. They can be activated or de-activated at will, allowing for staged exits, rebranding and resurrection during periods of heightened tension,” notes Forescout’s analysis.
Global & Regional Impact
Exploited Legacy Vulnerabilities a Persistent Risk
Nearly half of exploited CVEs in 2025H1 were published before 2025. Of the 132 CVEs added to the CISA KEV catalog, 21% targeted perimeter infrastructure like routers and firewalls.
Top sectors impacted:
- Services
- Manufacturing
- Technology
- Retail
- Healthcare
Top targeted countries:
- United States
- Canada
- India
- UK
- France
MEA Observations (Where Applicable)
While the report doesn’t explicitly highlight new MEA-specific campaigns, Iran’s cyber activities and rising Middle East tensions add weight to regional cyber risk, especially for OT operators in energy, oil & gas, and utilities sectors. The Middle East’s high dependency on OT infrastructure makes it a likely future battleground.
Expert Insight
“Threat actors are increasingly willing to exploit any exposed system regardless of sector or sensitivity,” the report warns, citing findings from honeypots mimicking water treatment environments, which received over 1.4 million requests in just three months.
“The blending of hacktivist branding with APT-grade capabilities is no accident – it’s part of a strategic evolution in psychological and infrastructure warfare,” stated Forescout Vedere Labs researchers.
Actionable Takeaways for CISOs and Defenders
- Patch all perimeter-facing assets, including VPNs, firewalls, and routers.
- Disable unused services and rotate credentials for internet-exposed devices.
- Segment networks to separate IT, OT, and IoT infrastructure.
- Block suspicious TLDs (.shop, .top, .club, .run) linked to infostealer C2s.
- Harden OT interfaces – ensure all PLC web interfaces require strong authentication.
- Use agentless asset discovery tools for visibility into unmanaged or legacy devices.
- Enable PowerShell and driver-level logging for advanced detection.
- Monitor for ClickFix-style social engineering, and train staff accordingly.
- Encrypt PII/PHI at rest and in transit, especially in healthcare environments.
- Detect lateral movement attempts across diverse device types including IP cameras, BSD systems, and IoT.
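The TLD-blocking recommendation above can be turned into a first-pass detection over DNS query logs. This is an added example, not code from the Forescout report; the log line format (timestamp, client IP, query name, record type) and the sample entries are constructed for illustration. It matches on the final DNS label only, so a hostname that merely contains one of the words (for example a "club." subdomain under another TLD) is not flagged, and a trailing-dot FQDN still is.

```python
import re
from collections import Counter

# TLDs the report associates with infostealer C2 infrastructure (taken from the takeaways list).
SUSPICIOUS_TLDS = {"shop", "top", "club", "run"}

# Constructed sample DNS query log; assumed format: "<timestamp> <client> <qname> <qtype>".
SAMPLE_DNS_LOG = """\
2025-06-02T09:14:03Z 10.20.1.15 updates.example.com A
2025-06-02T09:14:07Z 10.20.1.15 cdn-verify-captcha.shop A
2025-06-02T09:15:11Z 10.20.1.22 www.example.org AAAA
2025-06-02T09:15:40Z 10.20.1.22 telemetry.fix-check.top A
2025-06-02T09:16:02Z 10.20.1.15 api.stats-sync.run A
2025-06-02T09:16:55Z 10.20.1.31 club.example.net A
2025-06-02T09:17:10Z 10.20.1.31 mirror.archive.club. A
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def effective_tld(qname: str) -> str:
    """Return the last DNS label, lowercased; tolerates the trailing dot of an FQDN."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-1]


def flag_suspicious_queries(log_text: str, tlds=SUSPICIOUS_TLDS):
    """Return (timestamp, client, qname) tuples whose TLD is on the watchlist."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        if effective_tld(m["qname"]) in tlds:
            hits.append((m["ts"], m["client"], m["qname"]))
    return hits


def clients_by_hit_count(hits):
    """Count flagged queries per source host so triage can start with the noisiest client."""
    return Counter(client for _, client, _ in hits)


if __name__ == "__main__":
    found = flag_suspicious_queries(SAMPLE_DNS_LOG)
    for ts, client, qname in found:
        print(f"{ts} {client} -> {qname}")
    print(clients_by_hit_count(found))
```

A TLD match is a triage signal rather than proof of compromise; pair it with an allowlist of known-good domains and with the PowerShell and endpoint logging the report recommends before acting on a hit.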
Conclusion: What’s Next?
The first half of 2025 has confirmed what defenders feared: nation-states are merging with hacktivists, ransomware groups are shifting toward unconventional devices, and vulnerabilities — even old ones — remain open doors. OT and healthcare systems are proving easy prey for adversaries seeking visibility, impact, or geopolitical leverage. The cybersecurity community must evolve beyond traditional silos, adopting full-spectrum visibility and detection across every device class — or risk losing control of the infrastructure that keeps society running.
Sources
- 2025H1 Threat Review – Forescout
- CISA Alert – Iranian Actors
- Healthcare Malware: Silver Fox
- ClickFix Sector Alert – HHS
- Akira Ransomware via Webcam
- CyberAv3ngers Attacks
- LockBit Takedown
- US Treasury Sanctions IRGC Officers
- Iranian Cyber Threat to Critical Infrastructure
- Microsoft Security Blog – OT Exposure