June Threat Intelligence Spotlight Report

August 14, 2025

https://www.linkedin.com/sharing/share-offsite/url=mailto:?subject=June%20Threat%20Intelligence%20Spotlight%20Report&body=
Download the Report

Each month, our Cyber Threat Intelligence team compiles data from our engagements to determine key industry trends. We look at the initial access methods threat actors are using to gain entry into a network, types of incidents most commonly impacting organizations, which sectors are being more heavily targeted, and which threat groups are most prevalent. 

 

Our Methodology 

  • Kroll CTI monthly spotlights are based on intelligence from Kroll’s cyber incident response engagements where we are engaged to respond, manage, or mitigate a cybersecurity incident.
  • Kroll’s incident response work is informed by intelligence gained from the 3,000+ engagements handled per year by the Kroll Cyber Risk team. 
  • Data is collected and processed by the Kroll Cyber Threat Intelligence team during the initial scoping intake as well as during the lifecycle of a Kroll engagement. 

Industry Analysis

  • Professional, Scientific, and Technical Services was the most impacted industry in June 2025
  • Email Compromise was the top threat incident type impacting the Professional, Scientific, and Technical Services industry
  • In June, threats against the Professional, Scientific, and Technical Services industry most often involved Valid Accounts as the initial access method.
  • Finance and Insurance was the 2nd most impacted industry in June 2025
  • Email Compromise was the top reported threat incident type impacting the Finance and Insurance industry.
  • In June, threats against the Finance and Insurance industry most often involved Valid Accounts as the initial access method.

Ransomware Analysis

QILIN was the most common ransomware variant observed by Kroll in June 2025.

  • In June, Health Care and Social Assistance was the top industry targeted by ransomware actors across Kroll engagements.
  • Ransomware actors primarily gained initial access through Phishing: Attachment and External Remote Services, such as VPN. The most frequently observed VPN was SonicWall.
  • Consumer and industrial was the top industry for victims posted to ransomware actor-controlled shaming sites and blogs.
  • North America was the top region for victims posted to ransomware actor-controlled shaming sites and blogs.