Major Cybersecurity Incidents and Threat Trends in Late 2025
A surge of significant cybersecurity incidents and threat trends marked the end of 2025, with attackers exploiting both newly disclosed and longstanding vulnerabilities across diverse platforms. Notably, a critical vulnerability in MongoDB, tracked as CVE-2025-14847 and dubbed "MongoBleed," was actively exploited, putting over 87,000 instances at risk of data leakage. The year also saw the emergence of advanced Android malware like Frogblight, which targeted users through fraudulent apps to steal banking credentials and personal data, and a continued expansion of malware campaigns beyond Windows, affecting Android and macOS users with sophisticated banking Trojans and infostealers. Meanwhile, the fallout from the 2022 LastPass breach persisted, as attackers continued to crack stolen encrypted vaults and siphon cryptocurrency through 2025, leveraging Russian cybercrime infrastructure for laundering stolen funds.
The threat landscape was further shaped by large-scale DDoS campaigns, such as those orchestrated by the pro-Russian group NoName057(16), which targeted hundreds of domains across Europe, and by the exploitation of vulnerabilities in widely used devices like WatchGuard Firebox firewalls (CVE-2025-14733). High-profile breaches, including those involving Salesforce integrations and third-party contractors, exposed sensitive data from major organizations. The year also witnessed a record number of Microsoft vulnerabilities, with attackers rapidly exploiting zero-days and privilege escalation flaws, underscoring the shrinking window between disclosure and exploitation. These developments highlight the increasing sophistication, scale, and persistence of cyber threats facing organizations worldwide as 2025 concluded.

How this story unfolded
21 events from the most recent confirmed update back to the earliest known activity.
Frogblight Android malware campaign is identified
Researchers identified a new Android malware strain called Frogblight that spreads through fraudulent apps impersonating legitimate services. Once installed, it steals banking credentials, personal information, and SMS data while maintaining persistent access.
UK ICO fines LastPass £1.2 million over security failures
The U.K. Information Commissioner's Office fined LastPass £1.2 million ($1.6 million) for inadequate security measures that failed to prevent the breach. The penalty was reported in late 2025 as fallout from the 2022 incident.
TRM links ongoing LastPass-related crypto theft to Russian laundering infrastructure
By late 2025, TRM Labs had traced more than $28 million in cryptocurrency theft enabled by cracked LastPass vault backups and linked laundering activity to Russian cybercrime infrastructure. The analysis showed the 2022 breach was still causing financial harm in 2025.
Russian scientist sentenced for cyber-related treason
A Russian scientist received a sentence in a cyber-related treason case during the final weeks of 2025. The case was cited alongside other notable law-enforcement and judicial actions.
Former Coinbase agent arrested in India over insider cybercrime case
Authorities arrested a former Coinbase agent in India in a cyber-related insider crime case. The arrest was reported among notable law-enforcement developments in the final weeks of 2025.
Evasive Panda uses DNS poisoning to deliver MgBot malware
APT group Evasive Panda was reported using DNS poisoning to deliver MgBot malware in late 2025. The campaign demonstrated continued use of network-level manipulation to deploy malware.
Trust Wallet Chrome extension compromise leads to $7 million theft
A compromised Trust Wallet Chrome extension was used to steal $7 million. The incident was highlighted in late-2025 reporting on wallet breaches and financially motivated attacks.
MongoBleed vulnerability CVE-2025-14847 is actively exploited
During the final weeks of 2025, attackers actively exploited MongoDB vulnerability CVE-2025-14847, also called MongoBleed. The activity was cited as part of a broader surge in rapid exploitation of both new and old flaws.
SOCRadar records major DDoS escalation by NoName057(16)
Between December 22 and 28, 2025, SOCRadar observed 6,567 DDoS attack entries attributed to NoName057(16) and its DDoSia project. The campaign targeted 158 domains and 161 IPs, with Finland and France among the main targets.
Webrat campaign targets infosec professionals with fake PoCs
Researchers highlighted malware such as Webrat being used against infosec enthusiasts through fake proof-of-concept exploits. The campaign showed how threat actors were weaponizing researcher interest in new vulnerabilities.
Researchers identify DIG AI as an uncensored darknet assistant
Researchers reported the emergence of DIG AI, an uncensored darknet AI assistant used by criminals and terrorists. The finding underscored the growing role of illicit AI tooling in cybercrime ecosystems.
African law enforcement arrests 574 suspects in cybercrime crackdown
Law enforcement agencies across 19 African countries arrested 574 suspects and recovered $3 million in a major cybercrime operation. The crackdown was reported as one of the significant developments of the week before December 28, 2025.
WatchGuard Firebox CVE-2025-14733 comes under active exploitation
Attackers began actively exploiting remote code execution vulnerability CVE-2025-14733 in more than 115,000 WatchGuard Firebox firewalls. The activity marked a major late-2025 firewall exploitation wave.
React2Shell vulnerability disclosed and exploited within hours
React2Shell (CVE-2025-55182), described as a CVSS 10 issue in React Server Components caused by unsafe deserialization, was publicly disclosed in 2025. Public proof-of-concept code and exploitation appeared within hours, with broad internet exposure reported.
Major universities disclose phishing-driven data breaches
The University of Pennsylvania, Harvard, and Princeton were among universities breached through phishing attacks in 2025. The incidents exposed personal and financial information belonging to students, alumni, donors, and staff.
Clop exploits Oracle E-Business flaw in mass extortion campaign
The Clop ransomware group exploited a vulnerability in Oracle's E-Business platform to steal sensitive data from hospitals, media companies, universities, and other organizations. The stolen data was then used for extortion.
Salesforce customer environments hit via third-party contractor integrations
Attackers compromised Salesforce customer data by breaching third-party contractor integrations, affecting organizations including Cloudflare, Docusign, and Verizon. Reporting attributed the activity to the Scattered Lapsus$ Hunters group and highlighted third-party risk in SaaS ecosystems.
Salesloft GitHub breach enables theft of Salesforce OAuth tokens
A breach involving Salesloft's GitHub environment enabled attackers to steal OAuth tokens tied to a Salesforce integration. This access later supported attacks against hundreds of Salesforce instances and multiple major companies.
Fortinet CVE-2020-12812 exploitation resurfaces in later campaigns
Attackers renewed exploitation of Fortinet's older vulnerability CVE-2020-12812 during the final weeks of 2025, showing continued abuse of legacy flaws that remain unpatched in some environments.
Shai-Hulud open-source infostealer worm emerges
In September 2025, researchers highlighted Shai-Hulud, a self-propagating infostealer worm that poisoned open-source packages by abusing maintainers' automation. GitHub said it would take action to limit similar incidents.
LastPass suffers breach that exposes encrypted customer vault backups
In 2022, LastPass was breached and encrypted vault backups were stolen. Those backups later became the basis for long-term password cracking and cryptocurrency theft against users with weak master passwords.
Sources
⚡ Weekly Recap: MongoDB Attacks, Wallet Breaches, Android Spyware, Insider Crime & More
thehackernews.com
"Frogblight" Malware Expands Android Banking and Identity Theft Risks
zimperium.com
The Worst Hacks of 2025
wired.com
7 major IT disasters of 2025
cio.com
Cyberattacks Targeting International Domains: Weekly DDoS Threat Intelligence Analysis
socradar.io
Stolen LastPass backups enable crypto theft through 2025
securityaffairs.com
Week in review: WatchGuard Firebox firewalls attacked, infosec enthusiasts targeted with fake PoCs
helpnetsecurity.com
Patching Became A Race in 2025: Microsoft Security Reckoning
thecyberthrone.in