Monthly Wrap - January 2025

Overview

The cybersecurity landscape in January 2025 exhibited a rapid evolution of attack techniques, increased supply chain compromises, and advanced AI-powered threats. Major threat actors, including state-sponsored advanced persistent threat (APT) groups and financially motivated cybercriminals, continued to exploit vulnerabilities in critical infrastructure, enterprise networks, and cloud environments. One of the most significant trends observed this month was the escalation of AI-driven cyber threats, particularly through manipulated AI coding assistants, deepfake-based phishing, and AI-assisted malware generation. Security researchers uncovered vulnerabilities in GitHub Copilot and DeepSeek AI, demonstrating how adversaries could manipulate AI systems to produce malicious code or bypass content filtering mechanisms. Additionally, new AI-based phishing campaigns leveraged deepfake technology and advanced social engineering techniques, making them significantly harder to detect.

Large-scale botnet campaigns also made headlines, with Mirai and Aquabot leveraging unpatched vulnerabilities in IoT devices and enterprise routers to launch high-intensity distributed denial of service (DDoS) attacks exceeding 5.6 Tbps. These attacks targeted cloud providers, financial institutions, and telecommunications infrastructure, demonstrating the growing risks posed by compromised IoT ecosystems. Meanwhile, phishing-as-a-service (PhaaS) platforms continued to evolve, with the emergence of Tycoon 2FA and Sneaky 2FA, which enable attackers to bypass multi-factor authentication (MFA) protections. These services were actively used to steal Microsoft 365 credentials and compromise corporate networks, further complicating the already challenging landscape of identity security.

Finally, critical vulnerabilities in widely used platforms were actively exploited, including Windows CLFS (CVE-2024-49138), OpenSSH (CVE-2024-6387), Fortinet VPN (CVE-2024-41713), and AWS WorkSpaces (CVE-2025-0500). These vulnerabilities highlight the importance of rapid patching and proactive vulnerability management to prevent exploitation by both nation-state and financially motivated actors. The following sections analyze the most pressing cybersecurity threats, targeted industries, active threat actors, and emerging trends shaping the future attack landscape.

  • AI-Powered Attacks and AI Manipulation: DeepSeek AI suffered database exposure and botnet-driven cyberattacks. New LLM jailbreak techniques (Bad Likert Judge) bypassed security filters, enhancing AI-generated phishing and malware.[1]
  • Supply Chain and Third-Party Vendor Exploits: PlushDaemon APT backdoored a South Korean VPN provider with SlowStepper malware. A WordPress supply chain attack compromised 5,000+ sites with rogue admin accounts and malicious plugins.[2]
  • Ransomware Targeting Virtualization and Critical Infrastructure: STAC5777 and FIN7-affiliated groups used Microsoft Teams and Office 365 for ransomware deployment.[3]
  • Large-Scale DDoS and Botnet Growth: Mirai botnet executed a record 5.6 Tbps DDoS attack. Aquabot exploited Mitel SIP phones (CVE-2024-41710), while Socks5Systemz expanded using compromised routers.[4]
  • Phishing-as-a-Service Innovations: Sneaky 2FA phishing kit bypassed MFA for Microsoft 365. Tycoon 2FA stole session cookies to evade traditional phishing defenses.[5]
  • Exploitation of Cloud and Enterprise Services: Fortinet SSL VPN zero-day enabled lateral movement. AWS vulnerabilities (CVE-2025-0500, CVE-2025-0501) exposed WorkSpaces to MITM attacks.[6]
  • Advanced Side-Channel and Hardware-Based Attacks: Expect more speculative execution exploits (e.g., Spectre-style) targeting Intel, AMD, and ARM processors. UEFI vulnerabilities and Secure Boot bypasses could enable persistent bootkits.[7]
  • Mobile Malware and Smishing Attacks: Smishing tactics are bypassing iMessage protections. FireScam malware targeting Android via Telegram clones signals increased distribution of fake apps and MFA-stealing Trojans.[8]
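The PhaaS entry above describes adversary-in-the-middle kits that capture a victim's post-MFA session cookie, so the attacker never has to pass MFA themselves. The following Python script is an added illustration of one defender-side check for that pattern, written for this wrap and not code from Hunter Strategy or any vendor: it scans sign-in records for a session identifier that reappears from a different network within a short window, scoring a country change and an MFA result that was inherited from the token (rather than freshly performed) as corroborating signals. The record fields, the `mfa` vocabulary and the sample events are all constructed for the example; real sign-in logs name these fields differently.

```python
"""Flag probable session-cookie replay in constructed sign-in records.

Adversary-in-the-middle phishing kits relay the victim's login, capture the
session cookie issued after MFA, and reuse it from the attacker's own
infrastructure. The cookie is valid, so per-request checks pass; what
changes is the client network behind the same session identifier.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    session_id: str
    ip: str
    country: str
    mfa: str  # constructed vocabulary: "performed" | "claim_in_token" | "none"


@dataclass(frozen=True)
class Finding:
    user: str
    session_id: str
    origin_ip: str
    replay_ip: str
    score: int
    reasons: tuple


# Constructed sample events (documentation-range IPs); not real telemetry.
SAMPLE_EVENTS = [
    # alice: session reused 20 minutes later from another network and country,
    # with MFA inherited from the token -> classic replay signature
    SignIn(datetime(2025, 1, 15, 9, 0), "alice", "S1", "203.0.113.10", "US", "performed"),
    SignIn(datetime(2025, 1, 15, 9, 20), "alice", "S1", "198.51.100.7", "NL", "claim_in_token"),
    # bob: same /24 (e.g. office NAT pool), benign token refresh
    SignIn(datetime(2025, 1, 15, 10, 0), "bob", "S2", "192.0.2.5", "US", "performed"),
    SignIn(datetime(2025, 1, 15, 10, 5), "bob", "S2", "192.0.2.40", "US", "claim_in_token"),
    # carol: network change only (office to home); too weak to alert on alone
    SignIn(datetime(2025, 1, 15, 11, 0), "carol", "S3", "203.0.113.50", "US", "performed"),
    SignIn(datetime(2025, 1, 15, 11, 30), "carol", "S3", "198.51.100.200", "US", "claim_in_token"),
    # dave: country change, but four hours apart, outside the replay window
    SignIn(datetime(2025, 1, 15, 12, 0), "dave", "S4", "203.0.113.77", "US", "performed"),
    SignIn(datetime(2025, 1, 15, 16, 0), "dave", "S4", "198.51.100.9", "GB", "claim_in_token"),
]


def same_network(ip_a: str, ip_b: str) -> bool:
    """True when both addresses fall in the same /24 (IPv4) or /64 (IPv6)."""
    a, b = ipaddress.ip_address(ip_a), ipaddress.ip_address(ip_b)
    if a.version != b.version:
        return False
    prefix = 24 if a.version == 4 else 64
    net_a = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
    net_b = ipaddress.ip_network(f"{b}/{prefix}", strict=False)
    return net_a == net_b


def find_session_replays(events, window=timedelta(hours=2), threshold=2):
    """Return Findings for sessions reused from a new network within `window`.

    Scoring (constructed heuristic): country change counts 2, an MFA result
    inherited from the token instead of re-performed counts 1. A finding is
    emitted only when the score reaches `threshold`, so a plain network
    change (carol) is not alerted on by itself.
    """
    by_session = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_session.setdefault((ev.user, ev.session_id), []).append(ev)

    findings = []
    for (user, sid), evs in by_session.items():
        origin = evs[0]  # first use of the session: where MFA was performed
        for later in evs[1:]:
            if later.ts - origin.ts > window or same_network(origin.ip, later.ip):
                continue
            score, reasons = 0, []
            if later.country != origin.country:
                score += 2
                reasons.append("country change")
            if origin.mfa == "performed" and later.mfa == "claim_in_token":
                score += 1
                reasons.append("MFA inherited from token, not re-performed")
            if score >= threshold:
                findings.append(Finding(user, sid, origin.ip, later.ip, score, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in find_session_replays(SAMPLE_EVENTS):
        print(f"{f.user} session {f.session_id}: {f.origin_ip} -> {f.replay_ip} "
              f"(score {f.score}; {', '.join(f.reasons)})")
```

On the sample data only alice's session is reported; bob, carol and dave are deliberately shaped as the benign cases that a naive "new IP on an existing session" rule would flag. The response to a confirmed hit is to revoke the user's sessions and refresh tokens rather than just reset the password, since the stolen cookie stays valid until it is revoked.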

Industries Targeted

  • Financial Sector: Targeted by Lazarus, DroidBot, and Tycoon 2FA for credential theft and fraud.
  • Government & Defense: Attacks from APT29, Andariel, and RedCurl focused on espionage.
  • Healthcare: Hellcat ransomware and botnet-driven DDoS attacks disrupted operations.
  • Education: Hellcat ransomware stole 500,000+ student records, selling them on dark web marketplaces.
  • Cloud & AI: DeepSeek AI cyberattacks highlighted AI security gaps.

Most Active Threat Actors and Recent Activities

  • Lazarus Group: Used npm malware and fake job offers to steal cryptocurrency and credentials.
  • Andariel (North Korea): Exploited RID hijacking for Windows privilege escalation.
  • Hellcat Ransomware: Focused on government, energy, and financial institutions.
  • Mirai Botnet Operators: Conducted 5.6 Tbps DDoS attacks, abusing IoT devices.
  • PlushDaemon (China): Conducted supply chain attacks on VPN providers.
  • Salt Typhoon (China): Exfiltrated telecom data for mass surveillance.

Future Predictions

  • Supply Chain Attacks Will Continue to Surge: Software dependencies and third-party vendors will remain a major entry point for attackers.
  • Ransomware Actors Will Target Virtualization, Cloud, and Industrial Systems: Attackers will likely expand their focus to include cloud-hosted workloads, enterprise SaaS platforms, and industrial control systems (ICS), leveraging wiper malware and triple extortion tactics (encryption, data exfiltration, and public shaming).
  • Large-Scale IoT and Botnet Attacks Will Reach Unprecedented Levels: In 2025, DDoS-for-hire services will become more sophisticated, leveraging compromised routers, IoT devices, and industrial equipment to launch attacks.
  • Cyber Espionage and Supply Chain Sabotage Will Escalate: Government, telecom, and financial institutions will continue to be targeted by long-term espionage campaigns.
  • Browser Extension and API Attacks Will Become a Major Threat Vector: With the compromise of 25+ Chrome extensions in early January, attackers have proven their ability to use malicious browser add-ons for credential theft and session hijacking.
  • Underground Cybercrime-as-a-Service Will Become More Accessible: The continued rise of PhaaS platforms, malware-as-a-service, and ransomware affiliate programs will make sophisticated attacks available to less technically skilled cybercriminals.

Hunter Efforts

Hunter Strategy encourages our readers to look for updates in our daily CTI Trending Topics and on Twitter.

REFERENCES

[1] https://thehackernews.com/2025/01/new-ai-jailbreak-method-bad-likert.html

[2] https://thehackernews.com/2025/01/plushdaemon-apt-targets-south-korean.html

[3] https://news.sophos.com/en-us/2025/01/21/sophos-mdr-tracks-two-ransomware-campaigns-using-email-bombing-microsoft-teams-vishing/

[4] https://thehackernews.com/2025/01/new-aquabot-botnet-exploits-cve-2024.html

[5] https://thehackernews.com/2025/01/new-sneaky-2fa-phishing-kit-targets.html

[6] https://gbhackers.com/aws-warns-of-multiple-vulnerabilities/

[7] https://thehackernews.com/2025/01/new-uefi-secure-boot-vulnerability.html

[8] https://thehackernews.com/2025/01/firescam-android-malware-poses-as.html