Major Cybersecurity Incidents and Threat Trends in Late 2025
A surge of significant cybersecurity incidents and threat trends marked the end of 2025, with attackers exploiting both newly disclosed and longstanding vulnerabilities across diverse platforms. Notably, a critical vulnerability in MongoDB, tracked as CVE-2025-14847 and dubbed "MongoBleed," was actively exploited, putting over 87,000 instances at risk of data leakage. The year also saw the emergence of advanced Android malware like Frogblight, which targeted users through fraudulent apps to steal banking credentials and personal data, and a continued expansion of malware campaigns beyond Windows, affecting Android and macOS users with sophisticated banking Trojans and infostealers. Meanwhile, the fallout from the 2022 LastPass breach persisted, as attackers continued to crack stolen encrypted vaults and siphon cryptocurrency through 2025, leveraging Russian cybercrime infrastructure for laundering stolen funds.
The threat landscape was further shaped by large-scale DDoS campaigns, such as those orchestrated by the pro-Russian group NoName057(16), which targeted hundreds of domains across Europe, and by the exploitation of vulnerabilities in widely used devices like WatchGuard Firebox firewalls (CVE-2025-14733). High-profile breaches, including those involving Salesforce integrations and third-party contractors, exposed sensitive data from major organizations. The year also witnessed a record number of Microsoft vulnerabilities, with attackers rapidly exploiting zero-days and privilege escalation flaws, underscoring the shrinking window between disclosure and exploitation. These developments highlight the increasing sophistication, scale, and persistence of cyber threats facing organizations worldwide as 2025 concluded.
Timeline
Dec 29, 2025
Frogblight Android malware campaign is identified
Researchers identified a new Android malware strain called Frogblight that spreads through fraudulent apps impersonating legitimate services. Once installed, it steals banking credentials, personal information, and SMS data while maintaining persistent access.
Dec 28, 2025
UK ICO fines LastPass £1.2 million over security failures
The U.K. Information Commissioner's Office fined LastPass £1.2 million ($1.6 million) for inadequate security measures that failed to prevent the breach. The penalty was reported in late 2025 as fallout from the 2022 incident.
Dec 28, 2025
TRM links ongoing LastPass-related crypto theft to Russian laundering infrastructure
By late 2025, TRM Labs had traced more than $28 million in cryptocurrency theft enabled by cracked LastPass vault backups and linked laundering activity to Russian cybercrime infrastructure. The analysis showed the 2022 breach was still causing financial harm in 2025.
Dec 22, 2025
Russian scientist sentenced for cyber-related treason
A Russian scientist was sentenced in a cyber-related treason case during the final weeks of 2025. The case was cited alongside other notable law-enforcement and judicial actions.
Dec 22, 2025
Former Coinbase agent arrested in India over insider cybercrime case
Authorities arrested a former Coinbase agent in India in a cyber-related insider crime case. The arrest was reported among notable law-enforcement developments in the final weeks of 2025.
Dec 22, 2025
Evasive Panda uses DNS poisoning to deliver MgBot malware
APT group Evasive Panda was reported using DNS poisoning to deliver MgBot malware in late 2025. The campaign demonstrated continued use of network-level manipulation to deploy malware.
Dec 22, 2025
Trust Wallet Chrome extension compromise leads to $7 million theft
A compromised Trust Wallet Chrome extension was used to steal $7 million. The incident was highlighted in late-2025 reporting on wallet breaches and financially motivated attacks.
Dec 22, 2025
MongoBleed vulnerability CVE-2025-14847 is actively exploited
During the final weeks of 2025, attackers actively exploited MongoDB vulnerability CVE-2025-14847, also called MongoBleed. The activity was cited as part of a broader surge in rapid exploitation of both new and old flaws.
Dec 22, 2025
SOCRadar records major DDoS escalation by NoName057(16)
Between December 22 and 28, 2025, SOCRadar observed 6,567 DDoS attack entries attributed to NoName057(16) and its DDoSia project. The campaign targeted 158 domains and 161 IPs, with Finland and France among the main targets.
Dec 21, 2025
Webrat campaign targets infosec professionals with fake PoCs
Researchers highlighted malware such as Webrat being used against infosec enthusiasts through fake proof-of-concept exploits. The campaign showed how threat actors were weaponizing researcher interest in new vulnerabilities.
Dec 21, 2025
Researchers identify DIG AI as an uncensored darknet assistant
Researchers reported the emergence of DIG AI, an uncensored darknet AI assistant used by criminals and terrorists. The finding underscored the growing role of illicit AI tooling in cybercrime ecosystems.
Dec 21, 2025
African law enforcement arrests 574 suspects in cybercrime crackdown
Law enforcement agencies across 19 African countries arrested 574 suspects and recovered $3 million in a major cybercrime operation. The crackdown was reported as one of the significant developments of the week before December 28, 2025.
Dec 21, 2025
WatchGuard Firebox CVE-2025-14733 comes under active exploitation
Attackers began actively exploiting remote code execution vulnerability CVE-2025-14733 in more than 115,000 WatchGuard Firebox firewalls. The activity marked a major late-2025 firewall exploitation wave.
Dec 1, 2025
React2Shell vulnerability disclosed and exploited within hours
React2Shell (CVE-2025-55182), described as a CVSS 10 issue in React Server Components caused by unsafe deserialization, was publicly disclosed in 2025. Public proof-of-concept code and exploitation appeared within hours, with broad internet exposure reported.
Dec 1, 2025
Major universities disclose phishing-driven data breaches
The University of Pennsylvania, Harvard, and Princeton were among universities breached through phishing attacks in 2025. The incidents exposed personal and financial information belonging to students, alumni, donors, and staff.
Dec 1, 2025
Clop exploits Oracle E-Business flaw in mass extortion campaign
The Clop ransomware group exploited a vulnerability in Oracle's E-Business platform to steal sensitive data from hospitals, media companies, universities, and other organizations. The stolen data was then used for extortion.
Dec 1, 2025
Salesforce customer environments hit via third-party contractor integrations
Attackers compromised Salesforce customer data by breaching third-party contractor integrations, affecting organizations including Cloudflare, Docusign, and Verizon. Reporting attributed the activity to the Scattered Lapsus$ Hunters group and highlighted third-party risk in SaaS ecosystems.
Dec 1, 2025
Salesloft GitHub breach enables theft of Salesforce OAuth tokens
A breach involving Salesloft's GitHub environment enabled attackers to steal OAuth tokens tied to a Salesforce integration. This access later supported attacks against hundreds of Salesforce instances and multiple major companies.
Dec 1, 2025
Fortinet CVE-2020-12812 exploitation resurfaces in later campaigns
Attackers renewed exploitation of Fortinet's older vulnerability CVE-2020-12812 during the final weeks of 2025, showing continued abuse of legacy flaws that remain unpatched in some environments.
Sep 1, 2025
Shai-Hulud open-source infostealer worm emerges
In September 2025, researchers highlighted Shai-Hulud, a self-propagating infostealer worm that poisoned open-source packages by abusing maintainers' automation. GitHub said it would take action to limit similar incidents.
Jan 1, 2022
LastPass suffers breach that exposes encrypted customer vault backups
In 2022, LastPass was breached and encrypted vault backups were stolen. Those backups later became the basis for long-term password cracking and cryptocurrency theft against users with weak master passwords.