Google Cloud's latest Threat Horizons Report highlights significant changes in the tactics employed by threat actors targeting cloud environments during the second half of 2025. Its key finding is that third-party software vulnerabilities have, for the first time, surpassed weak credentials as the primary driver of Google Cloud intrusions.
The report indicates a pivotal shift in threat actor tactics. In H2 2025, unpatched third-party vulnerabilities were exploited in 44.5% of incidents, sharply rising from just 2.9% in H1 2025.
Concurrently, breaches facilitated by weak or absent credentials dropped from 47.1% to 27.2%. The window between vulnerability disclosure and exploitation has shrunk from weeks to days, emphasising the need for faster patching and compensating controls.
Identity compromise was a factor in 83% of observed incidents, underscoring the growing sophistication of social engineering tactics. Voice-based phishing, or vishing, was noted in 17% of cases, indicating a trend away from traditional phishing strategies.
Additionally, malicious insiders are increasingly leveraging cloud storage for data theft, with both corporate and personal cloud services being used for exfiltration in 35% of data theft cases. This trend necessitates vigilance and proactive measures to manage insider threats effectively.
The report also documented a sophisticated campaign by North Korean group UNC4899, which utilised Kubernetes workloads to facilitate multi-million dollar cryptocurrency theft. By tricking a developer into downloading compromised software, the group manipulated the target’s Google Cloud environment and escalated their privileges through compromised accounts.
Furthermore, AI-driven supply chain attack techniques have gained traction, with threat actors using large language models (LLMs) to automate credential harvesting. This enables rapid transitions from developer environments to full cloud administrative access.
One notable attack involved the exploitation of a compromised Node Package Manager (NPM) package, which allowed attackers to create new administrator roles within a victim’s cloud environment.
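The attack above ends with a new administrator role appearing in the victim's cloud environment, which is exactly the kind of change Cloud Audit Logs record. The following detection sketch is an added example, not code from the report or from Google: it scans JSON audit-log lines for custom role creation and for policy changes that grant a high-privilege role to a new principal. The log entries are constructed for this example, the field layout (`protoPayload.methodName`, `protoPayload.serviceData.policyDelta.bindingDeltas`) follows the Cloud Audit Log shape as the author understands it and should be checked against your own exported logs, and the set of roles treated as high-privilege is an assumption to tune per organisation.

```python
"""Flag IAM audit-log events that create roles or grant high-privilege roles.

Added detection example (not from the report). Log lines are constructed;
field names follow the Cloud Audit Log protoPayload layout as commonly
exported and should be verified against real logs before deployment.
"""
import json

# Assumption: roles whose grant to a principal warrants an alert. Tune per org.
HIGH_PRIVILEGE_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/iam.securityAdmin",
    "roles/resourcemanager.projectIamAdmin",
}

# Method names seen in audit logs for custom-role creation and policy changes.
ROLE_CREATE_METHODS = {"google.iam.admin.v1.CreateRole"}
POLICY_SET_METHODS = {"SetIamPolicy", "google.iam.v1.SetIamPolicy"}


def analyze_entry(entry):
    """Return a list of alert dicts for one parsed audit-log entry (may be empty)."""
    payload = entry.get("protoPayload", {})
    method = payload.get("methodName", "")
    actor = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
    alerts = []
    if method in ROLE_CREATE_METHODS:
        role_id = payload.get("request", {}).get("roleId", "?")
        alerts.append({"type": "custom_role_created", "actor": actor, "detail": role_id})
    elif method in POLICY_SET_METHODS:
        # bindingDeltas lists each (action, role, member) change in the policy.
        deltas = (payload.get("serviceData", {})
                         .get("policyDelta", {})
                         .get("bindingDeltas", []))
        for delta in deltas:
            if delta.get("action") == "ADD" and delta.get("role") in HIGH_PRIVILEGE_ROLES:
                alerts.append({
                    "type": "high_privilege_grant",
                    "actor": actor,
                    "detail": f"{delta.get('member')} -> {delta.get('role')}",
                })
    return alerts


def scan_log_lines(lines):
    """Parse newline-delimited JSON log lines and collect alerts across them."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed line rather than abort the whole scan
        alerts.extend(analyze_entry(entry))
    return alerts


# Constructed sample entries: one benign read, one custom-role creation,
# one owner grant to a service account, one harmless viewer grant.
SAMPLE_ENTRIES = [
    {"protoPayload": {"methodName": "storage.objects.get",
                      "authenticationInfo": {"principalEmail": "dev@example.com"}}},
    {"protoPayload": {"methodName": "google.iam.admin.v1.CreateRole",
                      "authenticationInfo": {"principalEmail": "dev@example.com"},
                      "request": {"roleId": "CustomAdmin"}}},
    {"protoPayload": {"methodName": "SetIamPolicy",
                      "authenticationInfo": {"principalEmail": "dev@example.com"},
                      "serviceData": {"policyDelta": {"bindingDeltas": [
                          {"action": "ADD", "role": "roles/owner",
                           "member": "serviceAccount:ci@example.iam.gserviceaccount.com"}]}}}},
    {"protoPayload": {"methodName": "SetIamPolicy",
                      "authenticationInfo": {"principalEmail": "dev@example.com"},
                      "serviceData": {"policyDelta": {"bindingDeltas": [
                          {"action": "ADD", "role": "roles/viewer",
                           "member": "user:auditor@example.com"}]}}}},
]
SAMPLE_LOG_LINES = [json.dumps(e) for e in SAMPLE_ENTRIES]

if __name__ == "__main__":
    for alert in scan_log_lines(SAMPLE_LOG_LINES):
        print(alert)
```

Running the block prints two alerts from the constructed sample: the custom role creation and the owner grant, while the benign read and the viewer grant pass silently. In practice the same logic would run over an audit-log sink, with the actor field correlated against the developer identity whose workstation was compromised.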
As organisations navigate these emerging threats, the report serves as a vital resource for CISOs aiming to strengthen their security postures against increasingly sophisticated cloud attacks.
