Tags: Account Takeover, AI Service Targeting, Cloud Exploitation, Cloud Ransomware, Credential Abuse, Misconfiguration

Feb 19, 2026 • Recorded Future

2025 Cloud Threat Hunting and Defense Landscape


Source: Recorded Future
Category: malware
Severity: high

Executive Summary

Threat actors are increasingly targeting cloud infrastructure through misconfigured services, stolen credentials, and hybrid environment pivots. Initial access commonly occurs via vulnerable internet-exposed systems such as application delivery controllers, monitoring dashboards, and ERP platforms, with credentials obtained from public leaks and social engineering. Post-compromise, attackers leverage native cloud and SaaS functionality for data exfiltration, backup destruction, CI/CD pipeline manipulation, and covert C2 via calendar services. Emerging trends include threat actors registering legitimate cloud resources for attack chains and a shift toward targeting LLM and AI-powered services. Notably, traditional DDoS attacks show declining effectiveness against cloud environments due to improved cloud-native mitigation capabilities. Organizations should prioritize secure configuration, credential governance, and monitoring of AI/ML services to counter these evolving threats.

Summary

Threat actors are doubling down on cloud infrastructure — exploiting misconfigurations, abusing native services, and pivoting through hybrid environments to maximize impact. See how attack patterns are evolving across exploitation, ransomware, credential abuse, and AI service targeting in this latest cloud threat roundup.

Published Analysis

Executive Summary

Insikt Group has observed continued trends of growth and increased activity of threat actors leveraging and exploiting cloud infrastructure to broaden the number of victims they target and infect.

Recent reporting across the observed incidents shows that cloud-focused threats are converging on a few consistent patterns, which serve as the main sections of this report:

- Exploitation and Misconfiguration
- Cloud Abuse
- Cloud Ransomware
- Credential Abuse, Account Takeover, and Unauthorized Access
- Third-Party Compromise

Across cases, initial access frequently comes from vulnerable or misconfigured services exposed to the internet — including application delivery controllers, monitoring dashboards, email security gateways, and enterprise resource planning (ERP) platforms — as well as stolen or weakly governed credentials sourced from public leaks, compromised developer workstations, and socially engineered helpdesk workflows. Once inside a targeted environment, threat actors systematically pivot through hybrid identity and virtual private network (VPN) infrastructure, targeting directory-synchronized accounts, non-human and executive identities, and privileged cloud roles to gain tenant-wide administrative control.

Post-compromise activity is characterized by heavy use of built-in cloud and SaaS functionality: enumerating and exfiltrating data via native storage and backup services, destroying or encrypting cloud backups and snapshots for impact, manipulating static frontends and continuous integration/continuous deployment (CI/CD) pipelines to subvert trust in applications and repositories, and using mainstream platforms such as calendar services as covert command-and-control (C2) channels.

In comparison to its previous iteration, the majority of the events discussed in this report indicate that threat actors are engaging in similar threat behaviors; however, three specific trends appear to have emerged since the most recent iteration:

- Cloud threat actors are registering their own legitimate cloud resources for use in attack chains.
- DDoS attacks are becoming less effective when targeting cloud environments, even in instances of record-breaking throughput, due to increased cloud-native capabilities for mitigating these threats.
- Cloud threat actors are increasingly diversifying the types of services that they target in victim environments during an attack chain, with a notable focus on LLM and other AI-powered services hosted in cloud environments.

The trends associated with abuse indicate a shift in threat actor perception, demonstrating that threat actors are exploring the broader benefits that compromised cloud services can provide.
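The report's post-compromise pattern of enumerating and then destroying cloud backups and snapshots through native APIs is something a defender can hunt for directly in cloud audit logs. The following Python detector is an added example and is not code from the Recorded Future / Insikt Group report; it runs over a small constructed set of CloudTrail-style JSON events (the principals, timestamps and account number are made up), assumes AWS-style API event names such as `DeleteSnapshot` and `DeleteBackupVault` as the destructive operations, and flags any principal that issues several destructive backup calls inside a short window, noting whether enumeration of backups preceded the burst.

```python
"""Hunt for backup/snapshot destruction bursts in cloud audit events.

Added example, not from the report it accompanies. The sample log below is
CONSTRUCTED (fake principals, fake account id, fake timestamps) and the
event-name sets are an assumption modelled on AWS API names; adapt both to
the provider and log source actually in use.
"""
import json
from datetime import datetime, timedelta

# Destructive backup/snapshot operations treated as high-signal (assumed AWS names).
DESTRUCTIVE_EVENTS = {
    "DeleteSnapshot", "DeleteBackupVault", "DeleteRecoveryPoint",
    "DeleteDBSnapshot", "DeleteDBClusterSnapshot",
}
# Read-only calls that typically precede a destruction burst (assumed AWS names).
ENUMERATION_EVENTS = {"DescribeSnapshots", "ListBackupVaults", "ListRecoveryPoints"}

# Constructed sample: 'ci-deploy' enumerates, then deletes four backup objects in
# under four minutes; 'backup-admin' performs one routine deletion and a backup job.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"eventTime": "2026-02-19T02:10:00Z", "eventName": "DeleteSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/backup-admin"}},
    {"eventTime": "2026-02-19T03:00:05Z", "eventName": "DescribeSnapshots",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"}},
    {"eventTime": "2026-02-19T03:01:10Z", "eventName": "DeleteSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"}},
    {"eventTime": "2026-02-19T03:01:30Z", "eventName": "DeleteSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"}},
    {"eventTime": "2026-02-19T03:02:00Z", "eventName": "DeleteRecoveryPoint",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"}},
    {"eventTime": "2026-02-19T03:03:45Z", "eventName": "DeleteBackupVault",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"}},
    {"eventTime": "2026-02-19T03:05:00Z", "eventName": "StartBackupJob",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/backup-admin"}},
])


def _ts(value):
    """Parse the ISO-8601 UTC timestamp format used by the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_events(raw):
    """Turn newline-delimited JSON audit records into sorted, flattened events."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        events.append({
            "time": _ts(rec["eventTime"]),
            "name": rec["eventName"],
            "principal": rec["userIdentity"]["arn"],
        })
    return sorted(events, key=lambda e: e["time"])


def detect_backup_destruction(raw, window=timedelta(minutes=10), threshold=3):
    """Return one finding per principal whose destructive backup calls reach
    `threshold` inside any sliding `window`, with the densest window reported."""
    by_principal = {}
    for ev in parse_events(raw):
        by_principal.setdefault(ev["principal"], []).append(ev)

    findings = []
    for principal, evs in by_principal.items():
        destructive = [e for e in evs if e["name"] in DESTRUCTIVE_EVENTS]
        best = None
        j = 0
        # Two-pointer sweep: for each start i, advance j to the last event within window.
        for i in range(len(destructive)):
            while (j < len(destructive)
                   and destructive[j]["time"] - destructive[i]["time"] <= window):
                j += 1
            count = j - i
            if count >= threshold and (best is None or count > best[0]):
                best = (count, destructive[i], destructive[j - 1])
        if best is None:
            continue
        count, first, last = best
        # Enumeration by the same principal shortly before the burst raises confidence.
        enumerated = any(
            e["name"] in ENUMERATION_EVENTS
            and first["time"] - window <= e["time"] <= first["time"]
            for e in evs
        )
        findings.append({
            "principal": principal,
            "count": count,
            "first": first["time"].isoformat(),
            "last": last["time"].isoformat(),
            "operations": sorted({e["name"] for e in destructive}),
            "preceded_by_enumeration": enumerated,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_backup_destruction(SAMPLE_LOG):
        print(json.dumps(finding, indent=2))
```

The threshold and window are deliberately parameters: a legitimate lifecycle job may delete many snapshots, so in practice the rule is tuned per principal (or scoped to identities that should never delete backups, such as CI/CD roles), and a hit is corroborated against change tickets before escalation.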