What Q3 2025 Reveals about Emerging Cybersecurity Threats

The third quarter of 2025 reinforced a critical lesson for security professionals: threat actors are becoming increasingly sophisticated in both their technical capabilities and their psychological manipulation tactics. 

Leveraging analysis of more than a trillion traffic logs from thousands of devices, the PDI Q3 2025 Threat Landscape Report reveals a cybersecurity landscape in flux with: 

  • A slight drop in ransomware activity 
  • A sharp surge in dark web activity 
  • An unprecedented level of effectiveness for social engineering threats 

Ransomware evolving beyond encryption 

While overall ransomware publications decreased 10.9% compared to Q2 2025, this decline masks important trends. For example, Qilin ransomware reclaimed its position as the most active operation, with nearly 250 extortion publications. 

What’s particularly concerning is Qilin’s pressure tactics. The group now offers affiliates a “Call Lawyer” feature designed to identify compliance violations and regulatory risks in stolen data, weaponizing legal frameworks like GDPR, CCPA, and HIPAA to coerce victims into paying a ransom. Manufacturing and professional services bore the brunt of Q3 attacks, while extortion publications against retailers nearly doubled. 

Key takeaway: Any business with highly distributed infrastructure and third-party dependencies remains particularly vulnerable to double-extortion tactics. 

Dark web marketplace expansion 

Dark web marketplace activity grew 6% in Q3 2025, with total listings exceeding 2.8 million. While Lumma remains the most prevalent infostealer variant, its activity dropped 42% following targeted law enforcement operations in early 2025. In its place, alternative infostealers gained ground: Acreed grew by 104% and Rhadamanthys surged with a 313% increase. 

Key takeaway: This diversification signals greater adaptability within cybercriminal ecosystems as threat actors pivot to newer, less-detected alternatives that maintain similar functionality. 

The human element: ClickFix’s alarming rise 

Perhaps most concerning is the explosive growth of “ClickFix” social engineering attacks, which do not depend on software vulnerabilities and instead exploit human trust. By presenting fake error messages or verification pages that prompt users to execute PowerShell commands, threat actors are turning victims into unwitting accomplices. ClickFix’s adoption spans the entire threat spectrum, from ransomware operators like Qilin to nation-state actors. 

Key takeaway: This new technique is especially effective because it requires no zero-day exploits, bypasses technical controls, and exploits a natural human desire to resolve computer issues as quickly as possible. 

Looking ahead 

The convergence of refined ransomware tactics, thriving dark web marketplaces, and human-centered attack vectors demands a fundamental shift in defensive strategies. 

PDI recommendation: Implement comprehensive security programs that include robust user awareness training, strict PowerShell governance, and integrated visibility across endpoint, SIEM, and threat intelligence platforms. 

Check out the threat report and webinar

Download the full Q3 2025 Threat Landscape Report for detailed analysis, industry-specific insights, and actionable mitigations. 

Watch the Q3 2025 Threat Landscape Webinar to hear directly from the threat analysts. 
