Major Cybersecurity Incidents and Threat Trends of 2025
The cybersecurity landscape in 2025 was marked by a series of high-profile breaches, advanced persistent threat (APT) campaigns, and evolving tactics by both cybercriminals and state-linked actors. Notable incidents included the PornHub data breach, in which the ShinyHunters group stole sensitive user-activity data and used it for extortion, and the Knownsec leak, which exposed the espionage tools and global targeting strategies of a major Chinese cybersecurity firm. Supply-chain attacks continued to proliferate, with attackers compromising widely used software libraries and cloud services and affecting thousands of organizations and individuals. The year also saw a surge in sophisticated social engineering campaigns, such as ClickFix attacks, and a significant number of APT operations targeting government and military institutions, particularly in South and East Asia.
Cloud service outages, such as the prolonged AWS disruption, highlighted the dependency of IoT and critical infrastructure on cloud reliability, causing widespread operational impacts. The threat actor ecosystem became more industrialized, leveraging AI, ransomware-as-a-service, and multi-stage attacks to increase scale and efficiency. Cryptocurrency platforms suffered major heists, and new vulnerabilities like MongoBleed were rapidly exploited in the wild. The cumulative effect of these incidents underscored the need for robust supply-chain security, improved cloud resilience, and enhanced detection and response capabilities against both opportunistic and targeted attacks.

How this story unfolded
28 events from the most recent confirmed update back to the earliest known activity.
US lifts sanctions on three Intellexa executives
In early January 2026, the United States lifted sanctions on three Intellexa executives. The decision was reported alongside other major cybersecurity and spyware-related geopolitical developments.
Amazon moves to block North Korean IT worker infiltration
By January 2026, Amazon was reported to be taking action to prevent North Korean operatives from infiltrating organizations as IT workers. The move reflected growing industry concern over this persistent insider-enabled threat.
GlassWorm supply-chain attack expands to target Macs
By early January 2026, the GlassWorm supply-chain campaign was reported to have resurfaced with new targeting of macOS systems. The development marked an escalation in platform coverage for the attack.
Keenadu backdoor found pre-installed on Android tablets
By January 2026, researchers had discovered Keenadu malware pre-installed on Android tablets, indicating a supply-chain or manufacturing-stage compromise. The finding raised concerns about malicious software being embedded before devices reach users.
Coordinated exploitation campaign targets Adobe ColdFusion servers
By January 2026, reporting described an active coordinated campaign exploiting Adobe ColdFusion servers. The activity was presented as part of a broader trend toward precise exploitation of exposed enterprise systems.
Lithuanian national arrested for distributing KMSAuto clipboard stealer
By early January 2026, authorities had arrested a Lithuanian national accused of distributing clipboard-stealing malware disguised as KMSAuto. The case was highlighted as a notable law-enforcement success against malware distribution.
Authorities make multiple arrests tied to crypto theft and investment scams
In the final week of 2025, law enforcement actions in South Korea, the United States, India, and Pakistan led to arrests connected to cryptocurrency theft and investment fraud schemes. The arrests were reported as part of a broader set of international cybercrime enforcement actions.
Orange Poland suffers massive DDoS attack
In late December 2025, Orange Poland was targeted in a large distributed denial-of-service attack. The event was cited as one of the more prominent service-disruption incidents of the week.
CET Oltenia hit by ransomware attack
In late December 2025, Romanian energy company CET Oltenia was reported as the victim of a ransomware attack. The incident was included among the week's notable critical-sector cyber events.
Condé Nast, Goldman Sachs, Chipotle, Korean Air, and Apple supplier breaches disclosed
During the last week of December 2025, multiple organizations, including Condé Nast, Goldman Sachs, Chipotle, Korean Air, and an unnamed Apple supplier, were reported as victims of data breaches. The cluster of disclosures reflected a high volume of enterprise compromises at year end.
Ubisoft Rainbow Six Siege backend hacked via MongoBleed flaw
In late December 2025, attackers breached a backend server supporting Ubisoft's Rainbow Six Siege, with reporting linking the intrusion to the MongoBleed vulnerability, CVE-2025-14847. The case illustrated active exploitation of newly reported server-side flaws.
Flow blockchain exploit results in multimillion-dollar crypto theft
In the final week of 2025, the Flow ecosystem was reported as having been exploited for millions of dollars in stolen cryptocurrency. The incident was grouped with other major year-end crypto heists.
Unleash Protocol exploited for $3.9 million via smart contract upgrade
In late December 2025, Unleash Protocol suffered a crypto theft of about $3.9 million after attackers abused a smart contract upgrade mechanism. The attack was highlighted in multiple year-end security roundups.
Trust Wallet browser extension compromise leads to $7 million theft
In late December 2025, attackers compromised Trust Wallet's browser extension, resulting in the theft of about $7 million in cryptocurrency. The incident was listed among the week's major crypto-related security events.
NSFOCUS records 28 global APT incidents in November 2025
NSFOCUS Fuying Lab reported detecting 28 APT attack activities worldwide in November 2025, concentrated in South Asia and East Asia with additional incidents in Eastern Europe and the Middle East. SideWinder, APT36, Gamaredon, MuddyWater, Kimsuky, and Konni were identified as the most active groups, with spear-phishing dominating initial access.
SesameOp backdoor campaign abuses OpenAI Assistants API for C2
In November 2025, a previously unknown APT group was observed using a new backdoor called SesameOp that leveraged the OpenAI Assistants API as a command-and-control channel. The campaign was described as cyber espionage and an example of threat actors abusing legitimate AI services.
BITTER exploits WinRAR zero-day CVE-2025-6218 in phishing campaign
In November 2025, the Indian APT group BITTER used the WinRAR zero-day CVE-2025-6218 in a phishing campaign targeting Pakistan and Kashmir. The activity showed rapid operational adoption of a newly available vulnerability.
Mid-October AWS outage disrupts IoT and online services for nearly 15 hours
A mid-October 2025 AWS outage lasted nearly 15 hours and caused cascading disruptions across connected services, including Amazon's Ring and Alexa ecosystems. The incident was cited as a major example of cloud dependency affecting everyday life and IoT availability.
Salesforce ecosystem hit by repeated third-party data thefts
In 2025, Salesforce and connected third-party environments experienced repeated data theft incidents. The pattern highlighted the security risks created by interconnected SaaS ecosystems and partner access.
AI-powered attacks and prompt-injection abuse gain traction
During 2025, defenders observed attackers increasingly using large language models for malware development and exploiting prompt-injection weaknesses in AI systems. These developments were described as a new frontier in offensive cyber activity.
North Korean IT worker infiltration emerges as major threat
Throughout 2025, North Korean operatives were reported infiltrating companies by posing as remote IT workers, creating both insider and identity-based security risks. The tactic was identified as a growing and important threat trend.
Aisuru botnet drives record-breaking DDoS activity
The Aisuru botnet was reported in 2025 as a driver of record-setting distributed denial-of-service attacks. Its activity underscored the scale of modern botnet-enabled disruption campaigns.
ShinyHunters extorts PornHub using stolen Mixpanel data
In 2025, ShinyHunters used stolen Mixpanel data to extort PornHub, illustrating the year's broader trend of data-theft-driven extortion. The case was cited among the most significant cyber incidents of the year.
Clop steals data from Oracle E-Business Suite environments
During 2025, the Clop gang conducted widespread data thefts involving Oracle E-Business Suite environments. The activity was highlighted as one of the year's major enterprise-targeting cybercrime campaigns.
ByBit loses $1.5 billion in crypto heist attributed to Lazarus
A major 2025 cryptocurrency theft drained roughly $1.5 billion from ByBit, with reporting attributing the operation to North Korea's Lazarus Group. The heist became one of the year's defining cybercrime incidents.
Web3.js compromise enables theft from Solana ecosystem users
Attackers compromised the Web3.js library used in Solana blockchain applications, allowing theft of private keys and the siphoning of about $155,000 from affected smart-contract parties. The incident was one of the year's most notable software supply-chain attacks.
Knownsec insider leak exposes Chinese cyber-espionage operations
In 2025, a leak of more than 12,000 internal Knownsec documents exposed offensive tools, surveillance platforms, and evidence of large-scale state-linked cyber operations targeting multiple countries. The breach was described as likely insider-driven and prompted international scrutiny of the firm's government and military ties.
Supply-chain attacks intensify across software ecosystems in 2024 and early 2025
A series of supply-chain compromises hit open source and proprietary ecosystems, including typosquatting on a Google-run Go package mirror, malicious NPM package seeding, and compromises affecting Magento software providers. These attacks impacted downstream organizations ranging from enterprises to government agencies.