
IBM X-Force: Stealthy attacks on the rise, toolkits targeting AI emerge – Source: www.networkworld.com


Source: www.networkworld.com – Author: michael_cooney

News – Apr 17, 2025 – 5 mins

Communications Security, Security Monitoring Software, Security Operations Center

The 2025 X-Force Threat Intelligence Index tracks new and existing trends and attack patterns, including a spike in lower-profile credential theft and overall decline in ransomware attacks on enterprises.

Cybercriminals are adopting increasingly stealthy tactics for breaking into networks, while attacks targeting specific AI technologies are an emerging threat.

Those are just a couple of the core findings in IBM X-Force’s newly released 2025 X-Force Threat Intelligence Index, which draws from incident response engagements, dark web and other threat intelligence sources to uncover attack trends and patterns.

“Obfuscation is becoming an important tactic for threat actors, and PDF malware disguises malicious URLs by encrypting them, hiding them in compressed streams or using hexadecimal representations which can also hinder automated analysis of email security solutions,” IBM wrote. “Of all PDFs, 42% used obfuscated URLs, 28% hid their URLs in PDF streams, and 7% were delivered in an encrypted form along with a password.”
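For defenders triaging attachments, the hiding places IBM names (hexadecimal representations and compressed streams) can be checked with a short script. The following is an added example, not code from IBM or the original article: a regex-based triage pass, not a full PDF parser, run over a constructed sample. The function names and the `.example.test` URLs are assumptions for illustration.

```python
import re
import zlib

URL_RE = re.compile(rb"https?://[^\s<>()\[\]\"']+", re.I)
HEX_STR_RE = re.compile(rb"<([0-9A-Fa-f\s]{8,})>")   # PDF hex string: <68747470...>
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def _scan(buf, label, hex_label, found):
    """Record URLs written literally in buf, then URLs spelled as hex strings."""
    for m in URL_RE.finditer(buf):
        found.setdefault(m.group().decode("latin-1"), label)
    for m in HEX_STR_RE.finditer(buf):
        digits = re.sub(rb"\s", b"", m.group(1))
        if len(digits) % 2:            # PDF pads an odd final digit with 0
            digits += b"0"
        for u in URL_RE.finditer(bytes.fromhex(digits.decode("ascii"))):
            found.setdefault(u.group().decode("latin-1"), hex_label)


def find_urls(pdf_bytes):
    """Map each URL found to where it was hidden: visible, hex, stream, stream+hex."""
    found = {}
    _scan(pdf_bytes, "visible", "hex", found)
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            # decompressobj tolerates a trimmed trailer; non-Flate data raises
            inflated = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue
        _scan(inflated, "stream", "stream+hex", found)
    return found


def build_sample():
    """Constructed sample: one hex-encoded link, one link inside a Flate stream."""
    hexed = b"http://hex.example.test/a".hex().encode()
    hidden = zlib.compress(
        b"<< /Type /Annot /Subtype /Link /A << /S /URI "
        b"/URI (http://stream.example.test/b) >> >>")
    return (b"%PDF-1.7\n1 0 obj\n<< /S /URI /URI <" + hexed + b"> >>\nendobj\n"
            b"2 0 obj\n<< /Filter /FlateDecode /Length "
            + str(len(hidden)).encode() + b" >>\nstream\n" + hidden
            + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    for url, where in find_urls(build_sample()).items():
        print(f"{where:8} {url}")
```

Password-protected PDFs are not decrypted by this pass, so an encrypted file that yields no URLs should be treated as unscanned rather than clean.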

Another shifty infection method that threat actors are using is to hide malware within fake or trojanized installers of legitimate applications, according to IBM: “Users are then tricked into downloading and running malicious installers via techniques such as phishing, SEO poisoning, and malvertising. SEO poisoning uses search algorithms to promote malicious web pages, and malvertising directs users to bogus websites where their data can be stolen. These tactics play a significant part in the chain of compromise by spoofing legitimate websites, thereby obtaining valid credentials that enable simple log in (i.e. avoiding the need to hack in).”

On the AI front, IBM X-Force reports that widespread attacks targeting AI models and solutions haven’t emerged – yet.

“While large-scale attacks on AI technologies haven’t materialized yet, security researchers are racing to stay ahead, identifying and fixing vulnerabilities before threat actors can exploit them,” wrote Chris Caridi, a strategic threat analyst with IBM X-Force, in a blog about the index. “Issues like the remote code execution vulnerability that X-Force found in a framework for building AI agents will become more frequent, and where weaknesses exist, attackers will follow. The use of publicly available AI tools to improve production and automate tasks such as coding and email writing has also been documented by X-Force.”

Last year, X-Force predicted that once AI technologies “establish market dominance—when a single technology approaches 50% market share or when the market consolidates to three or fewer technologies—attackers will be incentivized to invest in attack toolkits” that target AI models and solutions. “Are we there yet? Not quite, but adoption is growing,” the report stated. “The percentage of companies integrating AI into at least one business function has dramatically increased to 72% in 2024, up 55% from in the previous year.”

“New technologies, such as gen AI, create new attack surfaces. Security researchers are sprinting to find and help fix vulnerabilities before attackers do. We expect vulnerabilities in AI frameworks to become more common over time, such as the remote code execution vulnerability X-Force found in a framework for building AI agents,” IBM stated. “Recently, an active attack campaign targeting a widely used open source AI framework was discovered, affecting education, cryptocurrency, biopharma, and other sectors. Weaknesses in AI technology translate into vulnerabilities for attackers to exploit.”

Additional findings from X-Force include:

  • Reliance on legacy technology and slow patching cycles prove to be an enduring challenge for critical infrastructure organizations as cybercriminals exploited vulnerabilities in more than one-quarter of incidents that IBM X-Force responded to in this sector last year. In reviewing the common vulnerabilities and exposures (CVEs) most mentioned on dark web forums, IBM X-Force found that four out of the top ten have been linked to sophisticated threat actor groups, including nation-state adversaries, escalating the risk of disruption, espionage and financial extortion.
  • Ransomware attacks continue their scourge. “Analysis of dark web data reveals a 25% increase in ransomware activity year-over-year. Adoption of a cross-platform approach to ransomware, supporting both Windows and Linux, also appears to be the norm among ransomware threat groups—expanding attack surfaces. Although ransomware is being overshadowed by other tactics, it remains a major threat vector. The most dangerous trend in ransomware is the use of multiple extortion tactics,” IBM stated. Ransomware comprises nearly one-third (28%) of malware incident response cases and 11% of security cases, representing a decline over the last several years.
  • While phishing attacks dropped overall, IBM found an 84% spike in phishing emails delivering infostealers in 2024, and early 2025 data shows an even bigger increase (180%). These stolen credentials may be used in follow-on, identity-based attacks. 
  • With the increased effectiveness of endpoint detection and response (EDR) solutions detecting backdoor intrusion efforts via phishing, threat actors have shifted to using phishing as a shadow vector to deliver infostealer malware. In 2024, X-Force observed an 84% increase in infostealers delivered via phishing. There was also a 12% year-over-year increase of infostealer credentials for sale on the dark web, suggesting increased usage. More attackers stole data (18%) than encrypted it (11%) last year as advanced detection technologies and increased law enforcement efforts pressure attackers to pivot to faster exit paths.
  • In collaboration with Red Hat Insights, IBM X-Force found that more than half of Red Hat Enterprise Linux customers’ environments had at least one critical CVE unaddressed, and 18% faced five or more vulnerabilities. At the same time, IBM X-Force found the most active ransomware families (e.g., Akira, Clop, Lockbit, and RansomHub) are now supporting both Windows and Linux versions of their ransomware. 
  • For the fourth consecutive year, manufacturing was the most attacked industry. Facing the highest number of ransomware cases last year, the return on investment for encryption holds strong for this sector due to its extremely low tolerance for downtime.


Original Post url: https://www.networkworld.com/article/3964980/ibm-x-force-stealthy-attacks-on-the-rise-toolkits-targeting-ai-emerge.html
