Major Cyberattack and Malware Trends in 2025
Cybersecurity threats in 2025 were marked by a surge in sophisticated attacks on both enterprises and critical infrastructure. Notable incidents included the Clop ransomware group's exploitation of a zero-day vulnerability in Oracle E-Business Suite (CVE-2025-61882) for data theft and extortion campaigns against multiple organizations. Ransomware activity overall increased, with Akira and Qilin dominating the ransomware-as-a-service market, and new strains brought advanced evasion and destructive capabilities: Warlock, deployed through SharePoint 'ToolShell' exploitation, and HybridPetya, a Petya/NotPetya-style UEFI bootkit that encrypts the NTFS master file table and can bypass UEFI Secure Boot on systems not patched against CVE-2024-7344. The year also saw a significant rise in software supply chain attacks and the emergence of AI-powered malware such as PromptLock, which uses a locally hosted language model to generate malicious Lua scripts at runtime; PromptLock turned out to be a research proof of concept rather than in-the-wild malware, but it demonstrated that the technique works.
State-sponsored campaigns remained a persistent threat, exemplified by the BRICKSTORM backdoor, attributed to China-nexus actors, which targeted VMware vSphere appliances and Windows systems in government and IT sectors and was built for long-term, low-noise persistence on devices that typically run no EDR agent. Data breaches such as the 700Credit incident, in which unauthorized access through a third-party integration exposed data on more than 5.6 million individuals, highlighted ongoing risks in third-party integrations and API security. Malware-as-a-service platforms like CloudEyE (GuLoader) surged in prevalence, serving as the loader stage for infostealers and ransomware. The threat landscape was further complicated by the proliferation of EDR killers, tools that disable endpoint security before the ransomware payload runs, typically by loading a vulnerable signed driver, and by the rapid evolution of Android NFC relay and card-data-theft malware, underscoring the need for robust detection and response strategies across all platforms.

How this story unfolded
Twelve events, listed from the most recent confirmed update back to the earliest known activity.
Authorities arrest suspects after UK retail cyber incidents
In July 2025 the UK's National Crime Agency arrested four suspects in connection with the attacks on UK retailers attributed to Scattered Spider. The arrests marked a significant law enforcement response to one of the year's most disruptive criminal cyber campaigns.
UK retail disruptions linked to Scattered Spider
Major disruptions affecting UK retailers, including Marks & Spencer, the Co-op and Harrods, were linked to Scattered Spider, whose playbook relies on social engineering of help desks and identity providers rather than on software exploits. The incidents demonstrated the group's ability to cause significant business interruption in consumer-facing industries.
Scattered Spider-linked attacks target airlines
A wave of attacks against airlines in mid-2025, including WestJet and Hawaiian Airlines, was associated with Scattered Spider and prompted an FBI warning to the aviation sector. The campaign underscored the group's continued focus on high-profile sectors through social engineering of help desks to reset passwords and enroll attacker-controlled MFA devices.
Jaguar Land Rover hit by ransomware and data theft
Jaguar Land Rover was reported to have suffered a significant ransomware and data theft incident beginning in late August 2025 that halted vehicle production for several weeks and disrupted its supplier base. The attack drew attention because of its impact on a major automotive brand and the broader trend of double-extortion operations.
Asahi suffers major ransomware and data-theft incident
Asahi was identified as a victim of a major ransomware and data theft attack in late September 2025 that disrupted order processing and shipments in Japan and forced a fallback to manual ordering; the Qilin group claimed responsibility. The incident was notable for combining operational disruption with extortion pressure based on stolen data.
China-aligned groups linked to SharePoint 'ToolShell' attacks
Microsoft later attributed part of the SharePoint 'ToolShell' exploitation activity to the China-aligned groups Linen Typhoon and Violet Typhoon, with a third China-based actor, Storm-2603, using the same access to deploy Warlock ransomware. This attribution elevated the incident from a broad exploitation wave to one with nation-state implications.
Microsoft SharePoint on-prem 'ToolShell' exploitation emerges
Attackers began exploiting Microsoft SharePoint Server on-premises vulnerabilities dubbed 'ToolShell': CVE-2025-53770, an unauthenticated remote code execution flaw rooted in deserialization, and CVE-2025-53771, a spoofing flaw used to reach the vulnerable code path. The pair bypassed the July 2025 patches for CVE-2025-49704 and CVE-2025-49706; SharePoint Online was not affected. A common post-exploitation step was stealing the server's ASP.NET machine keys, which let intruders forge valid ViewState payloads and retain access after patching, so Microsoft's guidance was to rotate the machine keys and restart IIS rather than only apply the update. The activity affected widely used enterprise systems and became one of the year's most significant vulnerability exploitation stories.
Salesforce customer data thefts tied to third-party integrations
Multiple data theft incidents affecting Salesforce customers were linked to compromised third-party integrations and their OAuth tokens, most notably the Salesloft Drift integration, whose stolen tokens gave attackers API access to hundreds of downstream tenants in August 2025, alongside voice-phishing campaigns that tricked staff into authorizing malicious connected apps. The campaign illustrated how attackers abused trusted cloud connections to reach downstream victims at scale; the effective response was to revoke the integration's tokens, audit connected apps and their granted scopes, and review Salesforce event logs for bulk queries issued under the integration's identity.
Clop allegedly exploits Oracle E-Business Suite zero-day
Clop was reported to have exploited an Oracle E-Business Suite zero-day tracked as CVE-2025-61882, an unauthenticated remote code execution flaw for which Oracle issued an emergency patch in early October 2025, with exploitation reported to date back to August. The alleged exploitation led to data theft and extortion activity, with affected organizations receiving emails from Clop-linked addresses claiming their EBS data had been stolen.
Coinbase discloses support-agent bribery and customer data theft
Coinbase reported in May 2025 an intrusion in which overseas customer-support contractors were bribed to pull customer records, which the attackers then used to social-engineer customers; Coinbase refused the $20 million extortion demand and instead offered a $20 million reward for information leading to the attackers. The incident highlighted insider-enabled compromise and social engineering risks in the crypto sector, and the value of limiting support staff's access to bulk customer data.
Lazarus-linked attackers steal funds in the Bybit heist
A cryptocurrency theft of roughly $1.5 billion in Ethereum from Bybit in February 2025, the largest known crypto heist, was attributed by the FBI to North Korea's Lazarus Group; the attackers compromised a developer machine at the wallet provider Safe{Wallet} and injected malicious code into its web interface so that Bybit's signers approved an altered transaction. The incident stood out for its financial impact and its geopolitical significance as a state-linked cybercrime operation.
PowerSchool pays ransom after student and teacher data theft
PowerSchool was reported to have paid a ransom following a December 2024 data theft incident, disclosed in January 2025, in which a compromised support credential gave access to student and teacher records from thousands of school districts; by May 2025 some districts were being extorted again with the same data, showing that payment bought no guarantee of deletion. The case became one of the notable education-sector cyber incidents of 2025 due to the sensitivity and scale of the exposed data.
Sources
Top 10 Cyber-Attacks of 2025 - Infosecurity Magazine (infosecurity-magazine.com)
SWK Cybersecurity News Recap December 2025 (swktech.com)
ESET Threat Report H2 2025 (welivesecurity.com)


