Mallory

Global Cyber Threat Trends and Major Incidents in Late 2025

Tags: credential-stealer-activity, ransomware-group-operation, financial-sector-threat, mass-credential-exposure, state-sponsored-espionage
Updated March 21, 2026 at 03:15 PM · 3 sources

Kaspersky reported that nearly half of Windows users and almost a third of macOS users encountered cyberthreats between November 2024 and October 2025, with significant increases in password stealer and spyware attacks. The highest rates of web threats were observed in the CIS region, while Africa saw the most local threats. Notably, password stealer detections surged by 132% in the Asia-Pacific region, and overall spyware attacks rose by 1.5 times compared to the previous year, highlighting a global escalation in both the volume and sophistication of cyberattacks.

In parallel, the cybersecurity landscape in late 2025 was marked by the emergence of new ransomware threats such as Kraken and Zorab, as well as high-profile incidents like the Korean Leaks operation, which targeted South Korea’s financial sector through a combination of ransomware-as-a-service and state-linked actors. Additionally, there were warnings about credential leaks via online code formatting tools and reports of cyberattacks on London councils, underscoring the diverse and evolving nature of cyber risks facing organizations worldwide.

Timeline

  1. Dec 1, 2025

    Korean Leaks campaign tied to Qilin and Moonstone Sleet

    The 'Korean Leaks' operation was identified as a major hybrid campaign targeting South Korea's financial sector. Reporting connected the activity to the Qilin ransomware-as-a-service ecosystem and the North Korea-linked Moonstone Sleet group.

  2. Dec 1, 2025

    Researchers warn of credential leaks via online code-formatting tools

    A warning was issued that users may expose credentials and other sensitive data by pasting them into online code-formatting tools, especially when those services allow content to be saved or shared. The issue highlighted a data-handling and supply-chain style risk in common web utilities.

  3. Dec 1, 2025

    Amazon reports Iranian intrusions supporting military operations

    Amazon Threat Intelligence reported that Iranian state-linked cyber intrusions were being used to collect intelligence in support of real-world military actions, including missile strikes. The finding underscored the convergence of cyber activity and kinetic operations.

  4. Dec 1, 2025

    Three London councils disclose cyberattack and outages

    Kensington & Chelsea, Westminster, and Hammersmith & Fulham councils disclosed a cyberattack that caused system outages. The UK NCSC and external cyber-incident specialists became involved in the response.

  5. Nov 30, 2025

    Zorab ransomware impersonates STOP Djvu decryptor

    Zorab ransomware was reported using social engineering by posing as a decryptor for STOP Djvu infections. Victims who ran it had their files encrypted again with a .ZRB extension.

  6. Nov 30, 2025

    Kraken ransomware emerges as a major RaaS threat

    Kraken was identified as a significant ransomware-as-a-service operation targeting Windows, Linux, and VMware ESXi environments with customized encryptors. Reporting linked the group to remnants of the HelloKitty cartel.

  7. Nov 30, 2025

    Google launches Unified Security Recommended Program

    Google introduced its Unified Security Recommended Program to recognize leading ISVs integrating with its AI-driven security ecosystem. The initiative was aimed at simplifying and strengthening enterprise cloud security adoption.

  8. Nov 30, 2025

    OWASP releases Top 10 for 2025

    OWASP published its 2025 Top 10 list, updating the most significant web application security risks to reflect the evolving threat landscape. The release provided a new benchmark for application security priorities.

  9. Nov 18, 2025

    Operation Endgame seizes 1,025+ servers tied to malware infrastructure

    Europol and Eurojust coordinated Operation Endgame to dismantle more than 1,025 servers linked to the Rhadamanthys infostealer, Venom RAT, and Elysium botnet. The action represented a major law-enforcement disruption of criminal infrastructure.

  10. Nov 17, 2025

    Cloudflare outage disrupts global internet services

    A major Cloudflare outage on November 17–18 caused widespread disruption to internet services globally. The incident was highlighted as one of the most significant cybersecurity-related operational events of the month.
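The credential-exposure risk in timeline item 2 (secrets pasted into online code-formatting tools that save or share submissions) is cheapest to address before the text leaves the workstation. The scanner below is an added example, not code from this page or from Mallory: it flags and redacts common credential formats (AWS access key IDs, PEM private-key headers, bearer tokens, password/secret assignments, JWTs) in a constructed sample config so that only the redacted form would be pasted. The sample values, the `scan_text`/`redact_text` helpers and the pattern set are assumptions for illustration; a production check would use a maintained secret-detection ruleset rather than this short list.

```python
"""Pre-share secret scanner (added example, not from the page or Mallory).

Flags credential-like strings in a text blob before it is pasted into a
third-party web utility, and produces a redacted copy safe to share.
Patterns are generic public formats; everything else here is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    kind: str      # which pattern fired
    line: int      # 1-based line number in the scanned text
    excerpt: str   # redacted excerpt, safe to show in a warning


# Patterns that capture the secret value in group 1 are redacted value-only;
# patterns without a group (PEM header) are redacted as a whole match.
PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("pem_private_key", re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")),
    ("bearer_token", re.compile(r"(?i)\bbearer\s+([A-Za-z0-9._~+/=-]{20,})")),
    # no leading \b so names like db_password or api_token still match
    ("secret_assignment", re.compile(
        r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]?([^\s'\"]{8,})")),
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b")),
]


def _redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix for recognisability, mask the rest."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def _redact_match(m: re.Match) -> str:
    """Redact only the captured secret if the pattern has a group, else the whole match."""
    if m.lastindex:
        head = m.group(0)[: m.start(1) - m.start(0)]
        return head + _redact(m.group(1))
    return _redact(m.group(0))


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per credential-like match, in line/pattern order."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS:
            for m in rx.finditer(line):
                findings.append(Finding(kind, lineno, _redact_match(m)))
    return findings


def redact_text(text: str) -> str:
    """Return a copy of the text with every matched secret masked."""
    out = []
    for line in text.splitlines():
        for _, rx in PATTERNS:
            line = rx.sub(_redact_match, line)
        out.append(line)
    return "\n".join(out)


# Constructed sample: the AWS key is the documented placeholder, nothing here is real.
SAMPLE = """\
# constructed config snippet (not real credentials)
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
db_password = "correct-horse-battery"
Authorization: Bearer abcdefghijklmnopqrstuvwxyz0123
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA...
-----END RSA PRIVATE KEY-----
def format(x):
    return x
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line}: {f.kind} -> {f.excerpt}")
    print("--- redacted copy ---")
    print(redact_text(SAMPLE))
```

Run it on a file before pasting (`python scanner.py < config.txt` after swapping `SAMPLE` for `sys.stdin.read()`); anything reported should be removed or replaced, and the PEM finding in particular means the block should not be shared at all.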

Sources

December 2, 2025 at 12:00 AM
December 1, 2025 at 12:00 AM

Related Stories

Major Cyberattack and Malware Trends in 2025

Cybersecurity threats in 2025 were marked by a surge in sophisticated attacks targeting both enterprises and critical infrastructure. Notable incidents included the exploitation of a zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite by the Clop ransomware group, leading to data theft and extortion campaigns against multiple organizations. Ransomware activity overall increased, with Akira and Qilin dominating the ransomware-as-a-service market, and new strains like Warlock and HybridPetya introducing advanced evasion and destructive capabilities. The year also saw a significant rise in software supply chain attacks and the emergence of AI-powered malware such as PromptLock, which can generate malicious scripts dynamically. State-sponsored campaigns remained a persistent threat, exemplified by the BRICKSTORM malware attributed to Chinese actors, which targeted VMware and Windows systems in government and IT sectors. Data breaches, such as the API compromise at 700Credit affecting over 5.6 million individuals, highlighted ongoing risks in third-party integrations and API security. Malware-as-a-service platforms like CloudEyE (GuLoader) surged in prevalence, facilitating the distribution of infostealers and ransomware. The threat landscape was further complicated by the proliferation of EDR killers and the rapid evolution of Android NFC-based threats, underscoring the need for robust detection and response strategies across all platforms.

1 month ago
Major Cybersecurity Incidents and Threat Trends in Late 2025

A surge of significant cybersecurity incidents and threat trends marked the end of 2025, with attackers exploiting both newly disclosed and longstanding vulnerabilities across diverse platforms. Notably, a critical vulnerability in MongoDB, tracked as CVE-2025-14847 and dubbed "MongoBleed," was actively exploited, putting over 87,000 instances at risk of data leakage. The year also saw the emergence of advanced Android malware like Frogblight, which targeted users through fraudulent apps to steal banking credentials and personal data, and a continued expansion of malware campaigns beyond Windows, affecting Android and macOS users with sophisticated banking Trojans and infostealers. Meanwhile, the fallout from the 2022 LastPass breach persisted, as attackers continued to crack stolen encrypted vaults and siphon cryptocurrency through 2025, leveraging Russian cybercrime infrastructure for laundering stolen funds. The threat landscape was further shaped by large-scale DDoS campaigns, such as those orchestrated by the pro-Russian group NoName057(16), which targeted hundreds of domains across Europe, and by the exploitation of vulnerabilities in widely used devices like WatchGuard Firebox firewalls (CVE-2025-14733). High-profile breaches, including those involving Salesforce integrations and third-party contractors, exposed sensitive data from major organizations. The year also witnessed a record number of Microsoft vulnerabilities, with attackers rapidly exploiting zero-days and privilege escalation flaws, underscoring the shrinking window between disclosure and exploitation. These developments highlight the increasing sophistication, scale, and persistence of cyber threats facing organizations worldwide as 2025 concluded.

1 month ago
Major Cyber Threat Trends and Shifts in 2025

Cybersecurity research throughout 2025 revealed significant changes in the threat landscape, with both SentinelLABS and KrakenLabs reporting a marked evolution in attacker tactics and the professionalization of cybercrime. Threat actors increasingly leveraged artificial intelligence to automate attacks, generate convincing social engineering content, and bypass security controls, making AI a practical tool for both sophisticated and commodity threats. The exploitation of legitimate infrastructure, such as free-tier publishing platforms and commercial AI APIs, became commonplace, while adversaries also began monitoring defender intelligence-sharing platforms to stay ahead of detection. The rise of crimeware-as-a-service (CaaS) further industrialized cybercrime, enabling a broader range of actors to access advanced capabilities and monetize initial access to corporate networks. Geopolitical tensions and the convergence of organized cybercrime with emerging technologies accelerated the pace and scale of attacks, with threat actors blending ideological motives with financially driven ransomware and extortion campaigns. Traditional carding fraud declined due to regulatory and law enforcement efforts, but attackers shifted focus to abusing trusted third-party platforms and exploiting identity and access management weaknesses. These developments defined the cyber threat environment in 2025 and set the stage for ongoing risks into 2026, as organizations faced increasingly sophisticated and industrialized adversaries.

1 month ago
