What a Billion Cyberattacks Reveal in 2025

The Great Pivot from Data to Control

Over the first ten months of 2025, the HoneyDB global honeypot network logged over one billion malicious events. That’s an average of over 380 malicious actions logged every second of every day. This constant, low-level hum of automated attacks, probes, and exploitation attempts gives a ground-truth view of the global threat landscape: a firehose of data that captures the unfiltered intentions and priorities of attackers in real time.

What does this firehose of data tell us about what cyber criminals are truly after? By analyzing the most targeted services month by month, we can see beyond individual incidents and identify the large-scale strategic shifts that define the year. This post will distill this complex data into three clear, impactful takeaways about the evolving threat landscape and what it means for defenders.

The Waning Dominance of Database Attacks

For the first three quarters of 2025, Microsoft SQL Server (MSSQL) wasn’t just a top target; it was the undisputed king, holding the #1 position without fail. The volume of malicious traffic directed at this service was staggering, peaking with over 68.2 million events in April (68,260,040) and 55.9 million in March (55,913,670). For nine consecutive months, attackers relentlessly hammered databases, making them the clear number one priority for exploitation.

However, a dramatic shift occurred in the latter part of the year. By October, attacks targeting MSSQL had fallen to 23,931,998 events. While still a significant number, this drop was enough to push MSSQL down to the third most-attacked service. This decline could indicate that defenders are successfully hardening their database security postures. Alternatively, it may signal that attackers are pivoting their resources toward easier paths to compromise. A third possibility is that the decline reflects a drop in broad, noisy brute-force campaigns while more sophisticated, targeted SQL injection attacks continue undetected by honeypots. In that case, the shift would represent a maturation of the threat, not necessarily a reduction.

The Alarming Rise of Remote Access Exploits

As attacks on databases began to recede, a new category of target surged to the forefront: remote access services. The combined rise of Virtual Network Computing (VNC) and Remote Desktop Protocol (RDP) attacks paints the clearest picture of attackers’ new primary objective.

The growth of VNC was particularly explosive. In March, it was a minor target with just 367,301 events logged. By October, it had skyrocketed to become the single most attacked service in the world, with a staggering 30,152,290 malicious events. While absent from the top 10 in early 2025, RDP exploded onto the scene in March with over 1.1 million events and immediately began a relentless climb, peaking at 23,998,829 events in October.

The significance of this pivot cannot be overstated. In October, the combined VNC and RDP attack traffic totaled 54,151,119 events, more than double the traffic hitting the former top target, MSSQL. This trend is critical because these protocols offer attackers something more valuable than just data: direct control. A successful exploit can hand an attacker the keys to a machine, providing a crucial foothold for deeper network infiltration and ransomware deployment. The focus has shifted from stealing what’s on the server to owning the server itself.

The Old Guard: Persistent Threats vs. Fading Campaigns

Looking at two of the internet’s oldest protocols, SSH and Telnet, reveals two fundamentally different types of threat activity.

SSH represents the constant, persistent “background noise” of the internet. It appeared in the top 10 most-attacked services every single month from January to October. With consistently high volumes, from 22,322,363 events in January to 9,937,681 in October, SSH remains an evergreen target. Attackers are always scanning for and attempting to brute-force weak credentials on this ubiquitous management protocol.

In contrast, Telnet activity looks more like an intense but short-lived campaign. The year began with a massive wave of Telnet attacks, hitting 33,292,963 events in January and 16,479,970 in February, making it the #2 target. But this fire burned out quickly, and after March, Telnet attacks dropped off sharply. This sharp decline in Telnet activity is characteristic of a specific botnet campaign that has either been dismantled by law enforcement or has simply moved on to new targets after exhausting the pool of low-hanging fruit. Unlike SSH, which is a perennially targeted protocol, this Telnet traffic appears to have been a finite storm rather than a change in climate.
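The sketch below is an added example, not HoneyDB's code or data: one way to tell the persistent, burst and emerging patterns described above apart, given monthly per-service event counts. The series values (in millions) and the thresholds are constructed assumptions shaped after the trends in this post.

```python
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct"]

# Constructed monthly event counts in millions; NOT HoneyDB figures.
SERIES = {
    "mssql":  [50, 52, 56, 68, 60, 55, 48, 40, 30, 23.9],
    "vnc":    [0, 0, 0.4, 1, 3, 6, 10, 16, 24, 30],
    "rdp":    [0, 0, 1.1, 2, 4, 7, 11, 15, 20, 24.0],
    "ssh":    [22, 20, 18, 17, 15, 14, 13, 12, 11, 10],
    "telnet": [33, 16, 5, 0.5, 0.3, 0.2, 0.2, 0.1, 0.1, 0.1],
}

def ranking(series, month):
    """Services ordered by event volume for one month, busiest first."""
    i = MONTHS.index(month)
    return sorted(series, key=lambda s: series[s][i], reverse=True)

def classify(counts, burst_share=0.8, faded=0.05, growth=5.0):
    """Label a monthly series as 'burst', 'emerging' or 'persistent'."""
    total, peak = sum(counts), max(counts)
    if total == 0:
        return "absent"
    top2 = sum(sorted(counts, reverse=True)[:2])
    # Burst: most volume sits in two months and the latest month is a trickle.
    if top2 / total >= burst_share and counts[-1] <= faded * peak:
        return "burst"
    half = len(counts) // 2
    early, late = sum(counts[:half]), sum(counts[half:])
    # Emerging: second-half volume dwarfs first-half volume.
    if late >= growth * max(early, 1e-9):
        return "emerging"
    # Otherwise the service is hit month after month without a clear spike.
    return "persistent"

def group_ratio(series, month, group, baseline):
    """Combined volume of a service group relative to one baseline service."""
    i = MONTHS.index(month)
    base = series[baseline][i]
    combined = sum(series[s][i] for s in group)
    return float("inf") if base == 0 else combined / base

if __name__ == "__main__":
    for name, counts in SERIES.items():
        print(f"{name:7s} {classify(counts)}")
    print("Apr ranking:", ranking(SERIES, "Apr"))
    print("Oct ranking:", ranking(SERIES, "Oct"))
    ratio = group_ratio(SERIES, "Oct", ["vnc", "rdp"], "mssql")
    print(f"Oct VNC+RDP vs MSSQL: {ratio:.2f}x")
```

The same functions work on counts from your own sensors or perimeter logs; tune the thresholds to the length of the series you feed them.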

The data from 2025 tells a clear story: attackers are pivoting. The primary focus has shifted from the broad-based hammering of databases like MSSQL to a more strategic and aggressive pursuit of direct remote access via VNC and RDP. This is a move from data exfiltration to total system control.

This evolution in attacker methodology requires a corresponding evolution in defensive strategy. The question for every CISO is no longer just “Is my data secure?” but “Who is holding the keys to my kingdom?”

Explore the Data Yourself

You can explore the raw threat intelligence data from HoneyDB’s global honeypot network yourself via its API. We encourage security researchers and developers to join this global effort by deploying their own HoneyDB honeypot to help gather this valuable data.

Visit honeydb.io to learn more and get started.

Originally published at https://deception.substack.com.


Article Link: https://medium.com/@foospidy/what-a-billion-cyberattacks-reveal-in-2025-4e3c33ad6fbe?source=rss-58df3dedf52b------2
