04/23/2025 | News release | Distributed by Public on 04/23/2025 09:22
The Verizon 2025 DBIR provides multiple insights into how adversaries have increased the scale of their operations and succeeded in finding new targets. According to Dr. Renée Burton, head of Infoblox Threat Intel, many of the Verizon findings highlight the under-recognized threat of traffic distribution systems (TDS) and malicious adtech. Infostealers, ransomware and advanced phishing are no longer isolated threats; they leverage the adtech ecosystem to hide and advance their operations. To disrupt one, you must understand how modern threats are delivered so as to evade detection. Let's look at the major observations and how malicious adtech enables this.
This year, the Verizon DBIR analyzed the highest number of breaches ever covered in a single report, providing insights such as a 37 percent increase in ransomware and infostealer problems. Other threat research reports have also highlighted how information stealers are propagated through malicious TDSs, including the annual report by GoDaddy, which analyzed over 1 million compromised websites. Despite these numbers, threat actors' use of adtech to fuel their operations remains under-reported. Threat actors abuse legitimate adtech companies and affiliate with malicious adtech companies to create an ecosystem in which the true nature of their activity is well hidden.
At the heart of malicious adtech are TDSs used to deliver infostealers, advanced phishing tools or malicious advertisements while remaining undetected. In 2024, Infoblox discovered several such actors. One of them, named Vane Viper, delivers the widely used LummaStealer malware hidden behind a fake CAPTCHA. Another, named Vacant Viper, hijacks domain names for its homegrown 404TDS and is known to deliver numerous remote access trojans (RATs).
In in-depth research earlier this year, Infoblox reported that visiting a website linked with malicious adtech can have a long-lasting impact on the user's experience with their device. Through adtech integration, malicious adtech tricks users into accepting website notifications, often called push notifications. Once the victim accepts notifications, deceptive messages or prompt bombing, such as fake virus alerts, pop onto the screen. Clicking on those pop-ups leads to more malicious content, which in turn degrades the user's experience with legitimate websites and newsfeeds.
Protective DNS is a critical mechanism for identifying and tracking these threat actors. While there is growing awareness of the role of adtech, specifically the use of TDSs in the attack chain, the domains used by these actors remain largely undetected by most major security vendors. By using protective DNS solutions, enterprises of all sizes and individuals can be safeguarded from all manner of threats in a cost-effective way. Over the past years, Infoblox blocked over 75 percent of all threat domains prior to the very first DNS query from our customers, with success rates exceeding 90 percent in most individual customer networks.
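The mechanism described above, a resolver consulting a threat-domain list before it answers, can be shown in a few lines. The following is an added example written for this page; it is not Infoblox code and does not reproduce any Infoblox or Verizon data. The blocklist entries, the sinkhole address and the query log lines are all constructed sample values, and the matching walks parent domains so that a subdomain of a listed name is also caught.

```python
"""Protective DNS policy check (added example; constructed data only)."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample blocklist. These are placeholder names in reserved
# TLDs, not real indicators of compromise.
BLOCKLIST = {
    "fake-captcha-example.test",
    "push-alerts-example.invalid",
}

# Address returned instead of the real answer for a blocked name.
SINKHOLE_IP = "0.0.0.0"


@dataclass
class Decision:
    qname: str               # normalized query name
    action: str              # "allow" or "sinkhole"
    matched: Optional[str]   # blocklist entry that matched, if any


def normalize(qname: str) -> str:
    """Lowercase and drop the trailing dot so 'Foo.TEST.' equals 'foo.test'."""
    return qname.strip().rstrip(".").lower()


def find_match(qname: str) -> Optional[str]:
    """Return the blocklist entry covering qname.

    Matching is label-based: the name itself and each parent domain are
    tried, so cdn.fake-captcha-example.test is caught by
    fake-captcha-example.test, while notfake-captcha-example.test is not
    (a substring match would wrongly block it).
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKLIST:
            return candidate
    return None


def evaluate(qname: str) -> Decision:
    """Decide whether a query is answered normally or sinkholed."""
    matched = find_match(qname)
    return Decision(normalize(qname), "sinkhole" if matched else "allow", matched)


def answer(qname: str, real_answer: str) -> str:
    """Return the A record to hand back: the real answer or the sinkhole."""
    return SINKHOLE_IP if evaluate(qname).action == "sinkhole" else real_answer


# Constructed query log lines in the form "timestamp client qname".
SAMPLE_QUERIES = """\
2025-04-23T09:00:01Z 10.0.0.12 www.example.test.
2025-04-23T09:00:02Z 10.0.0.12 cdn.fake-captcha-example.test.
2025-04-23T09:00:03Z 10.0.0.31 notfake-captcha-example.test.
2025-04-23T09:00:04Z 10.0.0.31 PUSH-ALERTS-EXAMPLE.invalid
"""


def process_log(text: str) -> List[str]:
    """Run each logged query through the policy and return alert lines
    for those that were sinkholed, in a form a SOC could ingest."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        d = evaluate(qname)
        if d.action == "sinkhole":
            alerts.append(f"{ts} {client} blocked {d.qname} (list entry: {d.matched})")
    return alerts


if __name__ == "__main__":
    for alert in process_log(SAMPLE_QUERIES):
        print(alert)
```

Running the block prints two alerts: the fake-CAPTCHA subdomain and the push-alert domain are sinkholed, while the look-alike name that merely contains a listed string as a substring is allowed, which is why the match walks labels rather than searching substrings.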
To learn more about malicious adtech