Databases Under Siege: December 2025 Threat Report Reveals Tactical Pivot from Remote Access to Data Exfiltration Vectors
HoneyDB Monthly Update
Welcome to the HoneyDB monthly threat report for December 2025. This month, our global network of honeypots revealed a subtle but significant shift in attacker strategy. Join us as we explore the latest data and break down the trends that defined the end of the year in cyber threats.
December 2025 by the Numbers
Our sensors tracked a massive volume of activity throughout the month. Here are the top-level statistics for December 2025:
Total Attack Events: 165,372,608
Total Unique Attacking Hosts: 163,633
Top 3 Most Attacked Services:
MSSQL: 53,327,496 events
VNC: 29,347,346 events
RDP: 28,277,910 events
What Changed from November?
While the overall attack volume and number of unique attackers saw a slight increase compared to November, a closer look at the data reveals significant changes in focus. The per-service counts indicate a clear reallocation of attacker resources, with different services now targeted at new intensity.
The Surprising Surge in Database Attacks
December saw a dramatic increase in attacks targeting database services. Microsoft SQL Server (MSSQL) attacks jumped from approximately 44.9 million in November to over 53.3 million, cementing its position as the top target. Even more striking was the surge in MySQL attacks, which exploded by over 530% (a more than six-fold increase), from 1.9 million events in November to over 12 million in December. That moved MySQL from 8th to 6th place and put its attack volume nearly on par with the long-established top-5 vector, SSH.
A Cooling Off Period for Remote Access Protocols?
In a counter-intuitive trend, we observed a noticeable decrease in activity against key remote access services. Despite VNC and RDP remaining in the top three most attacked services, both saw a significant drop in volume. VNC attacks fell by nearly 25% from roughly 38.9 million in November to 29.3 million in December, and RDP attacks dropped by over 12% from about 32.2 million to 28.3 million over the same period.
Our Final Takeaway
While the total number of attacks increased by a marginal 1.3% from November, the real story is the tactical shift demonstrated by attackers. The pronounced pivot towards database services like MSSQL and MySQL, coupled with a de-emphasis on common remote access vectors like VNC and RDP, marks a clear change in strategy. This shift may indicate a strategic move by threat actors away from broad, opportunistic access attempts and toward more targeted, high-value attacks aimed directly at data exfiltration and monetization. Is this targeted focus on data services a sign of a more significant trend we should expect in the coming year?
Explore the Data Yourself
Get hands-on with our threat intelligence. Sign up at honeydb.io to access the full dataset via our API or contribute to global security by running your own honeypot sensor.

