2026-01-13

As 2025 draws to a close, the cybersecurity community is taking stock of a year defined more by the relentless refinement of old tactics than by novel malware. Threat actors did not reinvent cybercrime this year—they optimized it. Social engineering became more convincing, infrastructure vulnerabilities more consequential, and legitimate tools more dangerous when placed in the wrong hands.

According to a year-end threat trends analysis compiled by Stroz Friedberg, now part of LevelBlue, attackers throughout 2025 consistently blended human manipulation with technical exploitation. Coordinated campaigns targeting U.S.-based organizations relied on impersonation, remote access abuse, and the exploitation of widely deployed VPN and firewall technologies. The result was a threat environment where traditional perimeter defenses proved increasingly inadequate.

LevelBlue investigators identified sustained activity from well-known threat groups, including Luna Moth and Akira, alongside a sharp increase in attacks leveraging trusted enterprise tools such as Microsoft Quick Assist. Across these campaigns, a common pattern emerged: gain trust first, access systems second, and only then deploy malware or ransomware.

Social Engineering as the Primary Entry Point

In the first half of 2025, LevelBlue’s Incident Readiness and Response team observed a notable shift toward stealthy, human-centric intrusion methods. Rather than relying solely on exploit kits or brute-force attacks, threat actors increasingly impersonated internal IT staff, abused collaboration platforms, and even recruited individuals to secure legitimate IT roles inside target organizations.

These tactics consistently exploited human error and organizational trust, allowing attackers to bypass traditional security controls and remain undetected for extended periods. Three dominant trends shaped this activity throughout the year.

Luna Moth: Data Theft and Extortion Without Ransomware

The Luna Moth threat actor group remained highly active in 2025, particularly against professional services organizations such as law firms and financial institutions. LevelBlue linked Luna Moth to numerous data-theft incidents, followed by aggressive extortion campaigns.

Luna Moth attacks typically began with phishing emails impersonating internal IT or security personnel. Victims were instructed to call a fraudulent help desk number, where attackers posed as support staff and directed them to install legitimate remote access tools, such as Zoho Assist or Atera. Once access was granted, attackers exfiltrated sensitive data using tools such as WinSCP or by renaming files with Rclone.
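The chain described above (a remote-support tool installed at the attacker's request, then WinSCP or a renamed Rclone used to move data out) leaves a small set of process-creation events that a defender can look for. The following is an added example, not code from the report or from LevelBlue: it runs three checks over constructed process-creation records (unapproved remote-support tool, known exfiltration tool, binary whose on-disk name differs from its compiled-in name). The record fields, the executable paths in the sample lines, and the assumption that Atera is the organization's approved help-desk tool are all constructed for the example.

```python
"""Flag process-creation events that match the Luna Moth tradecraft described
above. The JSON records, their field names (host, user, image,
original_file_name, command_line) and the approved-tool list are assumptions
made for this example, not a vendor schema or a recommended policy."""
import json
from collections import Counter
from dataclasses import dataclass

# Tool name fragments taken from the report. Which remote-support tool is
# approved is an assumption for this example (here: the help desk uses Atera).
REMOTE_SUPPORT_KEYWORDS = {"zohoassist", "atera", "quickassist"}
APPROVED_REMOTE_SUPPORT = {"atera"}
EXFIL_KEYWORDS = {"winscp", "rclone"}


@dataclass
class Finding:
    host: str
    user: str
    image: str
    reason: str


def stem(path):
    """Lower-case file name without directories or a trailing .exe."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def match(name, keywords):
    """Return the first keyword contained in name, or None."""
    for kw in keywords:
        if kw in name:
            return kw
    return None


def analyse_event(ev):
    """Apply the three checks to one process-creation record."""
    image = stem(ev.get("image", ""))
    original = stem(ev.get("original_file_name") or "")
    meta = dict(host=ev.get("host", "?"), user=ev.get("user", "?"),
                image=ev.get("image", ""))
    findings = []
    tool = match(image, REMOTE_SUPPORT_KEYWORDS)
    if tool and tool not in APPROVED_REMOTE_SUPPORT:
        findings.append(Finding(reason="unapproved remote-support tool", **meta))
    # Check the compiled-in name too, so a renamed rclone.exe is still caught.
    if match(image, EXFIL_KEYWORDS) or match(original, EXFIL_KEYWORDS):
        findings.append(Finding(reason="known exfiltration tool", **meta))
    if original and original != image:
        findings.append(Finding(reason=f"renamed binary (compiled name {original})", **meta))
    return findings


def analyse_log(lines):
    """Parse JSON-lines telemetry and collect findings; malformed lines are skipped."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry is skipped rather than trusted
        findings.extend(analyse_event(ev))
    return findings


def summarise(findings):
    """Findings per host; several hits on one host fit the trust-first, access-second pattern."""
    return dict(Counter(f.host for f in findings))


# Constructed sample telemetry (paths and hostnames are made up for the example).
SAMPLE_LOG = r"""
{"host": "WS-017", "user": "jdoe", "image": "C:\\Users\\jdoe\\Downloads\\ZohoAssist.exe", "original_file_name": "ZohoAssist.exe"}
{"host": "WS-017", "user": "jdoe", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\svchost.exe", "original_file_name": "rclone.exe", "command_line": "svchost.exe copy C:\\Finance remote:archive"}
{"host": "WS-022", "user": "helpdesk", "image": "C:\\Program Files\\Atera\\AteraAgent.exe", "original_file_name": "AteraAgent.exe"}
{"host": "WS-031", "user": "asmith", "image": "C:\\Windows\\System32\\QuickAssist.exe", "original_file_name": "QuickAssist.exe"}
{"host": "WS-031", "user": "asmith", "image": "C:\\Program Files (x86)\\WinSCP\\WinSCP.exe", "original_file_name": "WinSCP.exe"}
this line is not JSON and is skipped
"""

if __name__ == "__main__":
    results = analyse_log(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"{f.host} {f.user}: {f.reason} -> {f.image}")
    print(summarise(results))
```

The renamed-binary check is what catches the Rclone case: the process name on disk is whatever the attacker chose, but the name compiled into the file still identifies the tool, so comparing the two fields flags it without needing a hash list. In a real deployment the approved-tool set would come from the organization's own software inventory rather than a constant.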