

A new report out today from Google Cloud’s Office of the CISO digs into a growing trend in the evolution of cyberattacks: the rise of financially motivated threat actors who now target backup infrastructure directly, not just encrypt production systems.
As detailed in the H2 2025 Cloud Threat Horizons Report, Google’s researchers have observed advanced persistent threat groups, including UNC3944, UNC2165 and UNC4393, actively deleting backup routines, corrupting stored data and modifying user permissions to prevent recovery.
The report notes the change is a significant escalation from earlier tactics: Attackers eliminate restoration paths to erase any remaining lifelines and force quicker ransom payouts.
A key trend highlighted in the report is the increasing complexity of cyber recovery, as threat actors now deliberately create prolonged downtime scenarios. The tactics increase business disruption by introducing cascading failures, taking out not only production environments but also the tools and infrastructure necessary for recovery.
The report details that credential compromise and misconfiguration remain dominant initial access vectors, involved in 47% and 29% of cases respectively. Not surprisingly, leaked credentials remain an ongoing concern: The report emphasizes the need for improved identity security and posture management.
The continued misuse of cloud services such as Google Drive, GitHub and Dropbox to host malicious decoy files is also highlighted. Threat actors were found sharing files disguised as harmless PDFs hosted on those services; opening the files triggers background malware downloads.
Another part of the report details activity from North Korea-aligned group UNC4899, also known as TraderTraitor. It has been bypassing multifactor authentication protections via social engineering and session cookie theft to target cloud-hosted cryptocurrency platforms. Google’s researchers observed the North Korean hackers disabling and later re-enabling MFA to avoid detection, demonstrating an advanced level of both precision and awareness.
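Both patterns described above, backup deletion with permission changes and a brief MFA disable followed by re-enable, leave traces in cloud audit logs that a defender can alert on. The script below is an added example and not code from Google or the report; the event names and sample log entries are constructed for illustration and are not real Google Cloud audit log method names.

```python
from datetime import datetime, timedelta

# Constructed sample audit events: (timestamp, actor, action, target).
# These are illustrative, not captured from any real environment.
SAMPLE_EVENTS = [
    ("2025-09-01T10:00:00", "svc-backup", "backup.policy.delete", "nightly-snapshots"),
    ("2025-09-01T10:02:00", "alice", "iam.role.update", "backup-operator"),
    ("2025-09-01T10:05:00", "alice", "mfa.disable", "alice"),
    ("2025-09-01T10:40:00", "alice", "mfa.enable", "alice"),
    ("2025-09-02T09:00:00", "bob", "mfa.disable", "bob"),
    ("2025-09-03T09:00:00", "bob", "mfa.enable", "bob"),
]

# Actions that remove restoration paths (hypothetical action names).
RECOVERY_ACTIONS = {
    "backup.policy.delete", "backup.data.delete",
    "iam.role.update", "iam.policy.set",
}


def parse(event):
    ts, actor, action, target = event
    return datetime.fromisoformat(ts), actor, action, target


def recovery_tampering(events):
    """Return events that delete backups or alter permissions on recovery roles."""
    return [ev for ev in events if ev[2] in RECOVERY_ACTIONS]


def mfa_toggles(events, window=timedelta(hours=2)):
    """Return (principal, actor, gap) for each MFA disable that is re-enabled
    on the same principal within `window`. A short gap looks less like an
    offboarding or device change and more like a control being dropped just
    long enough to act, which matches the evasion the report describes."""
    pending = {}  # principal -> time MFA was disabled
    hits = []
    for ts, actor, action, target in sorted(map(parse, events)):
        if action == "mfa.disable":
            pending[target] = ts
        elif action == "mfa.enable" and target in pending:
            gap = ts - pending.pop(target)
            if gap <= window:
                hits.append((target, actor, gap))
    return hits


if __name__ == "__main__":
    for ev in recovery_tampering(SAMPLE_EVENTS):
        print("recovery tampering:", ev)
    for principal, actor, gap in mfa_toggles(SAMPLE_EVENTS):
        print(f"MFA re-enabled on {principal} by {actor} after {gap}")
```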
The report concludes with advice on how to mitigate the evolving threats, though perhaps a bit self-serving: Google has introduced multiple updates across its ecosystem, including the Verified CRX Upload process for Chrome extensions, which was launched in May. The feature adds a second authentication layer using developer-held private keys to prevent malicious extension updates in the event of OAuth token theft or account compromise.