Biggest Cybersecurity and Cyberattack Stories of 2025 -

Post Views: 34

Biggest Cybersecurity and Cyberattack Stories of 2025

With significant assaults, data breaches, threat groups gaining unprecedented popularity, and, of course, zero-day vulnerabilities being used in incidents, 2025 was a significant year for cybersecurity. However, some pieces had a greater effect or were more well-liked by our readers than others.

Here are fifteen cybersecurity issues that News4Hackers thinks will have the biggest impact in 2025, along with an explanation of each. There is no set sequence for these tales.

1. AI-Powered Attacks

This year, attackers turned to AI as a useful weapon because they used large language models (LLMs) to create and distribute malware and conduct attacks.

Attacks using AI for quicker exploitation, adaptable malware, and increased attack numbers have been documented by security researchers and companies.

Google issued a warning on new AI-powered malware families that have been found in the wild, some of which dynamically modify their behavior to fit the victim’s surroundings.

Thousands of GitHub accounts were affected by the S1ngularity hack, which demonstrated how AI technologies might be misused to automate credential theft and spying.

AI LLMs were employed by proof-of-concept malware, like the ransomware PromptLock, to help with encryption, data theft, and attacks.

AI is increasingly being utilized to accelerate exploitation attempts in addition to malware. The time and expertise needed to exploit N-day vulnerabilities are decreased by using tools like HexStrike to quickly assess and exploit existing vulnerabilities.

Additionally, threat actors developed LLMs like WormGPT 4 and KawaiiGPT, which give hackers unrestricted access to AI-powered malware.

By the end of the year, AI had evolved from an experimental tool for attackers to a tool for accelerating development, automating attacks, and reducing the difficulty of carrying them out.

2. Zero-Day Attacks

Zero-day vulnerabilities were still a common way to enter business networks in 2025 for ransomware attacks, cyberespionage, and data theft.

Because they are situated between an internal network and the internet, network edge devices and internet-exposed services were the main targets for exploitation.

Zero-day vulnerabilities were extensively exploited in the wild in Cisco (ASA firewalls, IOS, AsyncOS, ISE), Fortinet (FortiWeb, FortiVoice), Citrix NetScaler, Ivanti Connect Secure, SonicWall, FreePBX, and CrushFTP.

One of the largest zero-day targets of the year was Microsoft SharePoint, and the ToolShell vulnerability was connected to ransomware gangs and Chinese threat actors. These vulnerabilities were exploited to sustain persistence within business networks, launch web shells, and steal private information.

Additionally, Windows vulnerabilities, such as those in shortcut processing and logging services, were frequently exploited.

Enterprise and consumer software also had an impact; phishing efforts used 7-Zip and WinRAR zero-day vulnerabilities to install malware and get around security measures.

Sample phishing email exploiting 7-Zip zero-day

Source: Trend Micro

In a number of cases, law enforcement and commercial spyware used hidden vulnerabilities to unlock mobile handsets.

3. The Salesforce Data-theft Attacks

Threat actors significantly targeted Salesforce and its expanding third-party services in 2025,

making it a common target of extensive data theft and extortion efforts.

Although Salesforce was not compromised, a number of high-profile breaches occurred as a result of attackers gaining access to customer data through compromised accounts, OAuth tokens, and third-party services.

These attacks affected businesses in a wide range of industries, including technology, aviation, cybersecurity, insurance, retail, and luxury goods, and were mostly associated with the ShinyHunters extortion gang.

Google, Cisco, Chanel, Pandora, Allianz Life, Farmers Insurance, Workday, and other businesses are among those affected by the Salesforce data theft assaults.

In order to extort businesses impacted by these attacks, the ShinyHunters extortion group eventually established a data-leak website.

ShinyHunters Salesforce leaks site

Breaking into third-party SaaS services that directly communicate with Salesforce was a major feature of these assaults.

Attackers gained access to linked Salesforce instances by breaking into services like Salesloft, Drift, and stealing OAuth tokens and passwords.

Numerous businesses, including Google, Cloudflare, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik, Cato Networks, Palo Alto Networks, and many more, were affected by these supply-chain hacks.

Additionally, Salesforce looked at customer data theft connected to a Gainsight breach that made use of OAuth credentials taken in the Salesloft Drift attacks.

4. Massive IT Outages

Global business has become increasingly reliant on cloud infrastructure, as seen by the catastrophic IT failures that affected services and platforms around the globe in 2025.

The impact of these catastrophes was so great that they should be included in this year’s top stories, even though none of them were brought on by cybersecurity breaches.

News4Hackers was impacted by the Cloudflare outage as well

Among the most notable outages in 2025 were:

Hundreds of online apps were taken offline by a worldwide Heroku outage, impacting both internal tools and websites.
Many enterprises experienced disruptions to Microsoft 365, Azure services, and applications due to a Microsoft DNS outage.
One of the worst cloud platform interruptions of the year, according to Google, was triggered by an API management issue that resulted in widespread failures across services that depend on its cloud infrastructure.
Amazon Prime Video, Fortnite, Perplexity, and numerous other services that rely on Amazon’s cloud were all affected by an AWS outage.
Cloudflare’s worldwide network services were momentarily interrupted by a number of problems, one of which was linked to an emergency fix release for the actively exploited React2Shell vulnerability.

5. Insider Threats

Insider threats had a massive impact in 2025, with multiple high-profile incidents showing how employees or consultants with trusted access, whether intentionally abused or not revoked after termination, led to large-scale damage.

Coinbase disclosed a data breach affecting 69,461 customers, which later led to the arrest of a former Coinbase support agent who allegedly helped hackers access their systems.

CrowdStrike disclosed that it detected an insider feeding information to hackers, including screenshots of internal systems. The insider was reportedly paid $25,000 by a group calling itself the “Scattered Lapsus$ Hunters,” a name referring to overlapping threat actors associated with Scattered Spider, Lapsus$, and ShinyHunters.

News4Hackers was informed that the activity was discovered prior to the insider gaining access to CrowdStrike’s network.

Financial institutions were also affected by insider activity; FinWise Bank revealed that about 689,000 American First Finance clients were compromised by an insider-related hack. In another instance, a bank employee allegedly sold their credentials for a little $920, which were then utilized in a $140 million bank heist at the Central Bank of Brazil.

The threat presented by dissatisfied or former employees was also illustrated by a number of cases.

For developing a “kill switch” intended to compromise systems at a previous job, a developer was sentenced to four years in prison. An ex-employee of Coupang who kept system access after leaving the company was identified as the source of another breach.

In the end, a ransomware gang tried to enlist a journalist from the BBC to assist in compromising the media outlet.

6. Targeting Help Desks in Social Engineering Attacks

Threat actors concentrated on social engineering campaigns in 2025 in order to enter corporate networks by targeting IT help desks and business process outsourcing (BPO) providers.

Instead of using malware or software flaws, attackers deceived help desks into letting staff members access their accounts by getting over security measures.

According to reports, hackers connected to Scattered Spider pretended to be employees and tricked a Cognizant support desk into giving them access to the account. A $380 million lawsuit against Cognizant was based on this social engineering attack.

Transcript of call between hacker and service desk

Source: Clorox complaint against Cognizant

These kinds of assaults were also used by other threat actors. For example, a group called “Luna Moth,” sometimes known as the Silent Ransom Group, impersonated IT help to compromise several American businesses.

According to Google, Scattered Spider exploited outsourced service desks to gain access to internal systems while targeting American insurance companies.

Retail businesses have admitted that significant ransomware and data theft breaches were made possible by social engineering assaults against support desks.

Marks & Spencer (M&S) acknowledged that a ransomware attack was carried out by hackers who gained access to the company’s networks through social engineering. After a ransomware outbreak that mistreated support staff, Co-op also revealed data theft.

The UK government released guidelines on social engineering assaults against help desks and BPOs in response to the attacks on M&S and Co-op retail businesses.

7. AI Prompt-Injection Attacks

In 2025, researchers discovered a new class of vulnerabilities called quick injection attacks since AI systems are already integrated into nearly every productivity tool, browser, and developer environment.

Prompt injection, in contrast to conventional software faults, takes advantage of the way AI models understand instructions, enabling attackers to control an AI’s behavior by providing it with carefully constructed or concealed inputs that contradict or circumvent its initial guidance and defenses.

By tricking AI systems into interpreting untrusted input as instructions, prompt injection attacks can cause models to disclose private information, produce malicious output, or carry out unexpected activities without taking advantage of coding weaknesses.

These new attacks were demonstrated in a number of well-publicized incidents:

Researchers discovered zero-click data leakage in Microsoft 365 Copilot, where sensitive information was exposed without user involvement through carefully constructed emails with concealed prompt injection.
It was discovered that Google Gemini was susceptible to prompt injection through calendar invites and email summaries, which allowed for data exfiltration and phishing.
Injected prompts were used to trick AI coding assistants and IDE tools into running or recommending dangerous code.
Prompt injection in Perplexity’s Comet AI browser was exploited in a “CometJacking” attack to fool the system into obtaining private information from connected services like calendars and email.

In other prompt injection attacks, downscaled graphics contained concealed instructions that AI systems could perceive but humans couldn’t.

8. The Continued Salt Typhoon Telco Attacks

The Salt Typhoon attacks, which were first made public in 2024, persisted into 2025 and turned into one of the most destructive cyber-espionage campaigns that targeted international telecommunications infrastructure.

The attacks are associated with Salt Typhoon, a group of Chinese state-aligned attackers that prioritized long-term, continuous access to telecommunication networks.

Additional intrusions across several major providers in the US, Canada, and other countries were linked to the effort throughout the year.

In order to gather network configurations, track traffic, and perhaps intercept communications, the threat actors used unpatched Cisco network devices, misused privileged access, and installed specialized malware made for telecom environments.

In order to obtain network information, configuration files, and administrator passwords, the threat actors were even connected to breaches of military networks, such as those of the U.S. National Guard. This data might have been utilized to compromise other private networks.

Three Chinese technology companies were officially blamed by governments and security organizations for these Salt Typhoon breaches.

The Federal Communications Commission advised providers to fortify networks and keep an eye out for attacks. The FCC later reversed planned cybersecurity regulations despite the dangers of state-hacking.

9. North Korean IT Workers

In 2025, North Korean IT personnel began to infiltrate Western businesses, posing a serious threat to their identities.

According to the US government, the DPRK dictatorship uses these workers’ wages to finance its weapons development and other projects.

Instead of taking advantage of software flaws, North Korean actors are increasingly gaining access to Western businesses by using false identities, middlemen, and real jobs, frequently going unnoticed over extended periods of time.

In at least 16 states, US investigators discovered “laptop farm” operations where local assistants were given company-issued laptops on behalf of North Korean agents, allowing them to access corporate environments remotely.

Additionally, investigators uncovered campaigns that hired engineers to rent or sell their identities, enabling agents to obtain employment, get past background checks, and gain access to internal systems using fictitious identities. Afterwards, five people were admitted to aiding in these schemes.

In 2025, the US Treasury imposed a number of restrictions on North Korean people, bankers, and front organizations engaged in the IT worker schemes.

Increased “Contagious Interview” operations that exploited hiring and interview procedures as a means of spreading malware were also observed in 2025, though they had nothing to do with the North Korean IT worker program.

In one campaign, North Korean hackers tricked users into installing macOS malware by posing as business executives over deepfake Zoom sessions. In another, malicious npm packages deployed by developers as part of “assessments” were leveraged by attackers to spread malware through phony technical interviews.

10. Rise in Developer Supply Chain Attacks

Developers are increasingly being targeted by cybercriminals who exploit open-source package and extension repositories to distribute malware.

Attackers frequently demonstrated how npm might be used to promote malicious packages.

Hundreds of thousands of spam and malware packages were sent to npm by the IndonesianFoods campaign. Legitimate packages with millions of weekly downloads were taken over by more focused supply-chain attacks.

The Shai-Hulud malware campaign, which affected hundreds of npm packages and was used for stealing API keys and developer secrets, was one of the most destructive initiatives.

GitHub repositories with secrets stolen in the new Shai-Hulud campaign

Additionally, attackers frequently targeted IDE extension marketplaces like OpenVSX and Microsoft’s VSCode Marketplace.

Using VSCode extensions to distribute malware, steal bitcoin, install cryptocurrency, and download other payloads, including early-stage ransomware, one campaign known as Glassworm repeatedly appeared.

Additionally, the Python Package Index (PyPi) was attacked, with phishing campaigns and malicious PyPi packages collecting cloud credentials or backdooring developer systems. As a result, PyPI implemented additional safeguards to prevent fraudulent upgrades.

11. DDoS Attacks Increase in Strength

Record-breaking distributed denial-of-service (DDoS) assaults targeted businesses all around the world in 2025.

Attacks peaked at 5.6 Tbps, 7.3 Tbps, 11.5 Tbps, and later 22.2 Tbps in a number of incidents that Cloudflare mitigated, demonstrating the growing strength of DDoS platforms.

The Aisuru botnet, which became a major force behind some of the biggest DDoS attacks ever recorded, was largely responsible for this expansion.

Aisuru used almost 500,000 IP addresses in a 15 Tbps attack against Azure, according to Microsoft. Cloudflare subsequently revealed that the botnet was in charge of an even bigger 29.7 Tbps DDoS attack

Graph from the record-breaking Aisuru attack

Source: Cloudflare

In recent years, international law enforcement organizations have turned their attention to DDoS attacks. Several DDoS-for-hire services were taken down in unison by the government in 2025, and the site administrators were detained.

Additionally, Europol declared that the pro-Russian hacktivist organization NoName057(16), which had previously been connected to DDoS attacks, had been disrupted.

12. Oracle Data Theft Attacks

Following the Clop extortion group’s exploitation of many zero-day vulnerabilities in Oracle E-Business Suite (EBS), Oracle was the victim of a massive data theft campaign.

Clop gained access to servers and stole data by taking advantage of an unpatched zero-day vulnerability in Oracle E-Business Suite, known as CVE-2025-61882. CrowdStrike and Mandiant claim that data theft peaked in August, with exploitation starting as early as July.

The Clop extortion ring started emailing affected companies in October, threatening to disclose the data if a ransom was not paid.

Clop extortion email sent to Oracle E-Business Suite customers

The ShinyHunters extortion organization posted a proof-of-concept hack on Telegram, which led to the discovery of a second Oracle zero-day vulnerability known as CVE-2025-61884. Although Oracle quietly closed this vulnerability, it’s still unknown if ShinyHunters were able to use it to steal data.

Harvard University, Dartmouth College, the University of Pennsylvania, the University of Phoenix, Logitech, GlobalLogic, Korean Air, and Envoy are among the institutions that revealed Oracle assaults linked to Clop.

13. The $1.5 billion ByBit Crypto Heist

Attackers took almost $1.5 billion in Ethereum from ByBit’s cold wallet in February, one of the biggest cryptocurrency thefts ever documented.

The FBI subsequently verified that North Korea’s Lazarus cyber cell was behind the heist after an investigation connected the group to the theft. Researchers discovered that a Safe{Wallet} developer’s compromised development computer, which was utilized for Bybit’s wallet operations, was the source of the breach.

Attackers drained the cold wallet by manipulating transaction approvals using their access to the developer device.

Apart from Bybit, other cryptocurrency thefts that targeted wallets and exchanges included an $85 million theft from Phemex, a $223 million heist from Cetus Protocol, a $27 million breach at BigONE, and a $7 million attack that affected thousands of Trust Wallet customers.

Another well-known incident had pro-Israel hackers breaking into Iran’s Nobitex exchange and destroying almost $90 million worth of cryptocurrencies.

14. ClickFix Social Engineering Attacks

Many threat actors, such as ransomware gangs and state-sponsored hacking groups, began using ClickFix attacks around 2025. Attacks that installed infostealers, RATs, and other malware swiftly spread from a Windows malware campaign to Linux and macOS.

Websites created to show a problem or error and then provide “fixes” to repair it are known as ClickFix social engineering assaults. Fake error messages, security alerts, CAPTCHA challenges, or update notifications telling users to use PowerShell or shell commands to fix the problem could all be examples of these problems.

By executing malicious PowerShell or shell commands included in the attacker’s instructions, victims ultimately infect their own computers.

ClickFix campaigns employ a variety of lures, such as phony Windows Update windows, phony TikTok product activation videos, and phony CAPTCHA challenges with video instructions that tell victims to copy and paste commands that download and run malware.

Researchers found ClickFix versions that targeted macOS and misled victims into installing infostealers by using malicious shell instructions in Terminal. An APT36 phishing campaign explicitly targeted Linux users; therefore, they were also not exempt.

Over the course of the year, ClickFix attacks kept changing as researchers and threat actors developed new social engineering attack variations.

By manipulating the Azure CLI OAuth flow and deceiving victims into completing an OAuth consent process that results in access tokens, a recently discovered variation known as ConsentFix takes control of Microsoft accounts. Another variation, known as FileFix, deceives users into running malicious PowerShell instructions by using the Windows File Explorer address bar.

A new paid platform called “ErrTraffic” that automates the transmission of ClickFix-powered malware attacks was introduced this month, further commercializing ClickFix attacks.

About The Author:

Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.

New RAT Attacks Against the Indian Government and Academic Institutions by Transparent Tribe or APT36