Zscaler Blog
Under the Radar: How Non-Web Protocols Are Redefining the Attack Surface
Attackers have a new favorite playground, and it isn't on the web. The real action is happening below the surface, where they are hijacking non-web protocols like DNS, RDP and SMB.
From silent data leaks to hidden command and control (C2) channels, these attacks turn ordinary network traffic into the enemy, exposing blind spots in traditional perimeter defenses. The Zscaler ThreatLabz 2025 Protocol Attack Surface Report pulls back the curtain on this hidden attack surface, revealing how non-web protocols are becoming tools of exploitation and which industries are feeling the heat.
In this blog, we explore the key findings from the report and what organizations can do to stay ahead of the attackers moving under the radar.
Key Findings
ThreatLabz researchers analyzed attack data and telemetry from November 2024 through April 2025, documenting a dramatic increase in non-web protocol attacks. Here are the top 5 takeaways:
- DNS abuse surges, making up 83.8% of non-web threats: Attackers exploit DNS protocols through tunneling, domain generation algorithms (DGAs), and dynamic updates to exfiltrate data and establish covert command-and-control (C2) communication.
- Brute force attacks skyrocket against RDP and SMB: RDP accounts for 90.3% of brute force traffic, as attackers exploit weak or default credentials to breach systems and deploy ransomware. SMBv1 also remains a prime target: attackers exploit long-known vulnerabilities in the legacy protocol to gain code execution and move laterally across the network.
- Retail remains the most targeted sector (62% of observed attacks): Attacks against retail exploit unpatched systems, highlighting how operational dependency makes it an ideal entry point for ransomware, spyware, and data exfiltration.
- Critical infrastructure faces rampant SSH abuse: Sectors such as energy (61.1%) and manufacturing (76.1%) are prime targets for attackers leveraging SSH to establish footholds, anonymize activity, and maintain persistence.
- Anonymizers worsen the threat landscape: Anonymizer tools, predominantly Psiphon and Tor, are frequently used to obscure attacker activities.
From DNS to Malware: Trends Shaping the Modern Attack Surface
Cybercriminals are weaponizing the protocols that keep networks running—leveraging tools and tactics that bypass traditional defenses. These emerging trends in non-web attacks showcase how even trusted protocols are being turned into security liabilities.
DNS Under Siege
DNS remains the most targeted protocol for one simple reason: it is implicitly trusted. Almost every network allows DNS outbound, often without inspection, and recursive resolvers forward queries for unknown names to whichever authoritative server the attacker controls. By encoding data in query names and responses (TXT, CNAME, NULL or even plain A records), attackers bypass firewalls, maintain C2 connections and exfiltrate data without ever opening a direct connection to their infrastructure.
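As an added example (not code from the post or from Zscaler/ThreatLabz), here is a small Python triage script that applies the common tunneling and DGA heuristics to a constructed DNS query log: it scores each query on subdomain length, Shannon entropy and record type, flags consonant-heavy DGA-like registered domains, and only reports a source once it crosses a volume threshold. The log format, thresholds and sample queries are assumptions, and the registered-domain split is deliberately naive (last two labels, no public suffix list).

```python
"""Heuristic triage of DNS query logs for tunneling and DGA activity.

Added example, not code from the original post or from Zscaler/ThreatLabz.
It scores each query on features defenders commonly use: label length,
Shannon entropy of the subdomain, record types that carry bulk data, and
per-source volume. The log format, thresholds and sample queries are
assumptions constructed for this example; tune them against your own baseline.
"""
import math
from collections import Counter, defaultdict

# Constructed sample query log: (source IP, record type, query name). Not real telemetry.
SAMPLE_LOG = [
    ("10.0.0.5", "A",   "www.example.com"),
    ("10.0.0.5", "A",   "mail.example.com"),
    ("10.0.0.5", "A",   "api.github.com"),
    # Tunnel-like: 40-char hex payload in a single label, carried in TXT records.
    ("10.0.0.7", "TXT", "3q2b6a4f9e1d8c7b5a2e4f6a8c0d2e4f6a8b0c1d.tunnel.example.net"),
    ("10.0.0.7", "TXT", "9f8e7d6c5b4a39281706f5e4d3c2b1a0f9e8d7c6.tunnel.example.net"),
    ("10.0.0.7", "TXT", "0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d.tunnel.example.net"),
    ("10.0.0.7", "TXT", "ffeeddccbbaa99887766554433221100aabbccdd.tunnel.example.net"),
    # DGA-like: one host resolving a burst of consonant-heavy, unpronounceable domains.
    ("10.0.0.9", "A",   "xkqzjwvprtl.com"),
    ("10.0.0.9", "A",   "mvbqtwzlkxp.com"),
    ("10.0.0.9", "A",   "pzqrvlwkxmt.com"),
    ("10.0.0.9", "A",   "ntkdlwqzvxr.com"),
    ("10.0.0.9", "A",   "www.example.com"),
]

# Thresholds are assumptions for illustration, not values from the report.
LONG_LABEL = 30            # a single label this long is rare in legitimate names
LONG_PAYLOAD = 40          # total subdomain characters
TUNNEL_ENTROPY = 3.3       # bits/char; hex payloads approach 4.0, base64 approaches 6.0
BULK_RECORD_TYPES = {"TXT", "NULL", "CNAME", "MX"}
DGA_MIN_LEN = 10
DGA_MAX_VOWEL_RATIO = 0.25
VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Entropy in bits per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname: str):
    """Return (subdomain, registered_domain) for a query name.

    Assumption: the registered domain is the last two labels. Production code
    should use the public suffix list so that names under co.uk etc. split correctly.
    """
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return "", labels[0]
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def tunnel_score(qname: str, qtype: str) -> int:
    """0..3: how much a single query looks like a tunnel chunk."""
    sub, _ = split_name(qname)
    if not sub:
        return 0
    payload = sub.replace(".", "")
    score = 0
    if max(len(label) for label in sub.split(".")) >= LONG_LABEL or len(payload) >= LONG_PAYLOAD:
        score += 1
    if shannon_entropy(payload) >= TUNNEL_ENTROPY:
        score += 1
    if qtype.upper() in BULK_RECORD_TYPES:
        score += 1
    return score


def looks_like_dga(registered: str) -> bool:
    """Long, consonant-heavy second-level label with little linguistic structure."""
    label = registered.split(".")[0]
    if len(label) < DGA_MIN_LEN or not label.isalpha():
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return vowel_ratio <= DGA_MAX_VOWEL_RATIO and shannon_entropy(label) >= 3.0


def analyze(log, min_score=2, min_tunnel_hits=3, min_dga_domains=3):
    """Aggregate per-query scores into per-source verdicts.

    Returns {"tunnel": {(src, registered): hits}, "dga": {src: [domains]}},
    keeping only sources that cross the volume thresholds; this suppresses
    one-off hits from long CDN or hashed hostnames.
    """
    tunnel_hits = defaultdict(int)
    dga_domains = defaultdict(set)
    for src, qtype, qname in log:
        _, registered = split_name(qname)
        if tunnel_score(qname, qtype) >= min_score:
            tunnel_hits[(src, registered)] += 1
        if looks_like_dga(registered):
            dga_domains[src].add(registered)
    return {
        "tunnel": {k: v for k, v in tunnel_hits.items() if v >= min_tunnel_hits},
        "dga": {s: sorted(d) for s, d in dga_domains.items() if len(d) >= min_dga_domains},
    }


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        for key, detail in hits.items():
            print(f"{kind}: {key} -> {detail}")
```

Entropy and length alone will also score long CDN and hashed hostnames, which is why the per-source hit count does the final filtering. In production, add query rate, response sizes and NXDOMAIN ratio per source, and baseline every threshold against your own resolver logs before alerting on it.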
Brute Force Strikes Again
The resurgence of brute force attacks, especially against RDP and SMBv1, proves that exposed and outdated systems remain a critical security liability. Attackers use automated tools to hammer internet-facing RDP (TCP 3389) and SMB (TCP 445) services with credential guesses, and succeed wherever weak, reused or default credentials are in place.
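To make the detection side of this concrete, the following is an added example (not from the post or from Zscaler/ThreatLabz) of a sliding-window detector over constructed Windows logon events. It raises brute_force when one source fails repeatedly against one account, spray when one source fails across many accounts, and possible_compromise when a success follows a burst of failures. The flattened one-line event format, the thresholds and the sample lines are assumptions made for this example.

```python
"""Sliding-window detection of RDP/SMB brute force and password spraying.

Added example, not code from the original post or from Zscaler/ThreatLabz.
It consumes Windows Security events (4625 = failed logon, 4624 = successful
logon) that have been flattened into a simple one-line text format; that
format, the thresholds and the sample lines are assumptions constructed for
this example. Logon type 10 is RemoteInteractive (RDP); logon type 3 is
Network, which is what SMB authentication attempts produce.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"Src=(?P<src>\S+) User=(?P<user>\S+)$"
)

# Constructed sample log, sorted by time (the detector assumes time order).
SAMPLE_LOG = """\
2025-03-01T10:00:00Z EventID=4625 LogonType=10 Src=203.0.113.5 User=Administrator
2025-03-01T10:00:01Z EventID=4625 LogonType=10 Src=203.0.113.5 User=Administrator
2025-03-01T10:00:02Z EventID=4625 LogonType=10 Src=203.0.113.5 User=Administrator
2025-03-01T10:00:03Z EventID=4625 LogonType=10 Src=203.0.113.5 User=Administrator
2025-03-01T10:00:04Z EventID=4625 LogonType=10 Src=203.0.113.5 User=Administrator
2025-03-01T10:00:05Z EventID=4625 LogonType=10 Src=203.0.113.5 User=Administrator
2025-03-01T10:00:06Z EventID=4624 LogonType=10 Src=203.0.113.5 User=Administrator
2025-03-01T10:00:10Z EventID=4625 LogonType=3 Src=198.51.100.77 User=alice
2025-03-01T10:00:11Z EventID=4625 LogonType=3 Src=198.51.100.77 User=bob
2025-03-01T10:00:12Z EventID=4625 LogonType=3 Src=198.51.100.77 User=carol
2025-03-01T10:00:13Z EventID=4625 LogonType=3 Src=198.51.100.77 User=dave
2025-03-01T10:01:00Z EventID=4625 LogonType=10 Src=10.0.0.12 User=alice
2025-03-01T10:06:00Z EventID=4625 LogonType=10 Src=10.0.0.12 User=alice
2025-03-01T10:06:05Z EventID=4624 LogonType=10 Src=10.0.0.12 User=alice
"""

WINDOW_SECONDS = 60
FAIL_THRESHOLD = 5     # failures for one (source, account) inside the window
SPRAY_THRESHOLD = 4    # distinct accounts failing from one source inside the window
REMOTE_LOGON_TYPES = {"10", "3"}


def parse_line(line):
    """Parse one flattened event line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "eid": m["eid"], "lt": m["lt"], "src": m["src"], "user": m["user"].lower()}


def _evict(window_q, now, window):
    """Drop entries older than the window from the left of a (ts, user) deque."""
    while window_q and (now - window_q[0][0]).total_seconds() > window:
        window_q.popleft()


def detect(lines, window=WINDOW_SECONDS, fail_threshold=FAIL_THRESHOLD,
           spray_threshold=SPRAY_THRESHOLD):
    """Return a list of (kind, source_ip, detail) alerts.

    kinds: brute_force (many failures for one account), spray (one source,
    many accounts) and possible_compromise (a success following a burst).
    brute_force and spray fire once per key to avoid alert storms.
    """
    per_pair = defaultdict(deque)   # (src, user) -> deque of (ts, user)
    per_src = defaultdict(deque)    # src -> deque of (ts, user)
    fired = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["lt"] not in REMOTE_LOGON_TYPES:
            continue
        now, src, user = ev["ts"], ev["src"], ev["user"]
        src_q = per_src[src]
        _evict(src_q, now, window)
        if ev["eid"] == "4625":
            key = (src, user)
            pair_q = per_pair[key]
            _evict(pair_q, now, window)
            pair_q.append((now, user))
            src_q.append((now, user))
            if len(pair_q) >= fail_threshold and ("brute_force", key) not in fired:
                fired.add(("brute_force", key))
                alerts.append(("brute_force", src,
                               f"{len(pair_q)} failed logons for {user} within {window}s"))
            distinct = {u for _, u in src_q}
            if len(distinct) >= spray_threshold and ("spray", src) not in fired:
                fired.add(("spray", src))
                alerts.append(("spray", src,
                               f"{len(distinct)} distinct accounts failed within {window}s"))
        elif ev["eid"] == "4624" and len(src_q) >= fail_threshold:
            alerts.append(("possible_compromise", src,
                           f"successful logon for {user} after {len(src_q)} recent failures"))
    return alerts


if __name__ == "__main__":
    for kind, src, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"[{kind}] {src}: {detail}")
```

The possible_compromise rule is the one worth paging on: a burst of 4625 events followed by a 4624 from the same source is the signature of a guessed password, and on RDP it is usually followed by ransomware staging. Low-and-slow attackers spread attempts beyond any 60-second window, so pair this with longer-horizon counts and with account lockout or MFA on every exposed RDP and SMB endpoint.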
Non-Web Protocol Vulnerability Exploitation Rising
Exploitation of vulnerabilities in non-web protocols is increasing, against both recently disclosed and older, long-unpatched flaws. Many internet-facing systems remain unpatched and reachable, letting attackers exploit critical weaknesses in SMB, RDP, FTP and DNS implementations. The result is a significant risk of lateral movement, data theft and ransomware, especially when the exploit traffic is combined with evasion techniques.
Malware Gets Smarter
Advanced malware strains like Agent Tesla and LockBit ransomware are embedding non-web protocols like SMTP, DNS and SMB into their attack strategies. Gh0st RAT demonstrates how DNS tunneling powers surveillance and persistent C2 channels, while others like AsyncRAT and ValleyRAT take these attacks further by using advanced obfuscation tools.
Read the full report for more insights into this expanding threat landscape.
Industries Under Fire: The Rising Tide of Protocol Exploits
No industry is immune from the surge of non-web protocol attacks, but some are facing a disproportionate share of the threats. The ThreatLabz 2025 Protocol Attack Surface Report exposes how cybercriminals are developing highly targeted strategies to exploit the unique vulnerabilities and operational gaps within specific sectors.
Retail is one of the hardest industries hit, accounting for 62% of observed non-web protocol attacks. Reliance on sprawling supply chains and outdated infrastructure makes it a prime target, with attackers deploying DNS tunneling, brute force methods, and malware to steal customer data, deliver ransomware, and disrupt operations during critical business periods.
Meanwhile, technology firms experienced significant DNS-focused attacks (78.5%), as cybercriminals seek to infiltrate code repositories, compromise intellectual property, and disrupt cloud-based operations. DNS tunneling remains the favorite tool for covert data exfiltration and command-and-control operations in this sector.
The finance sector continues to be a high-value target. Attackers exploit DHCP misconfigurations and SMB protocols to launch data theft campaigns and spread ransomware. Tools like Cobalt Strike, a favorite among advanced threat actors, have been employed extensively to abuse protocols and increase attack efficiency.
These findings paint a clear picture: cybercriminals are abandoning generic attacks in favor of precision strikes. By tailoring their tactics to exploit unique vulnerabilities, attackers are maximizing their ability to cripple organizations and profit from chaos.
Read the full ThreatLabz 2025 Protocol Attack Surface Report for more detailed industry trends and security recommendations.
Secure Non-Web Protocols with Zscaler Zero Trust Firewall
As attackers exploit non-web protocols, traditional perimeter and legacy defenses leave organizations vulnerable. The Zscaler Zero Trust Firewall provides the following critical protections:
- DNS security and tunneling prevention: The Zero Trust Firewall inspects all DNS traffic, including encrypted protocols like DNS over HTTPS (DoH), to identify and block malicious queries, tunneling attempts, and domain generation algorithms (DGAs) used to facilitate data exfiltration or command-and-control (C2) operations.
- Integrated intrusion prevention system (IPS): Advanced Zero Trust Firewall Cloud IPS Control provides real-time protection against non-web threats, including protocol-specific exploits and attempts at lateral movement through RDP, SMB, and similar protocols. Continuous updates, built-in protocol defenses, and Snort-compatible custom signatures help maintain resilience against emerging threats.
- Anonymizer and tunneling detection: The Advanced Zero Trust Firewall identifies and disrupts traffic from tools like Tor, Chisel, and Psiphon, which are used to create covert communication channels and mask malicious activity.
- Comprehensive segmentation: Leveraging zero trust principles, the Zero Trust Firewall enforces least-privilege access for authenticated users, devices, and applications. Integrated app-to-app and user-to-app segmentation prevents unauthorized access, closes common lateral movement paths, and limits the scope of compromised credentials.
Your attack surface is larger than you think. Non-web protocols like DNS, SMB, and RDP are now the preferred playgrounds of attackers, offering covert pathways for data theft, ransomware, and malicious persistence. Traditional security measures are no match for these evolving threats—but a zero trust strategy can close these dangerous gaps before it’s too late.
Don’t wait for an attack to happen. Download the ThreatLabz 2025 Protocol Attack Surface Report and learn how to protect your business today.
Disclaimer: This blog post was created by Zscaler for informational purposes only and is provided without any guarantee of accuracy, completeness or reliability. Zscaler accepts no responsibility for any errors or omissions, or for actions taken on the basis of the information provided. Any third-party websites or resources linked in this blog post are provided for your information only, and Zscaler is not responsible for their content or privacy practices. All content is subject to change without notice. By accessing this blog post you agree to these terms and acknowledge that it is your responsibility to verify the information and to use it in a manner appropriate to your needs.