Cybercriminals Trade Brawn for Brains: LevelBlue Warns of Alarming Shift to Hyper-Sophisticated Social Engineering Attacks

Cybercriminals aren’t just breaking in—they’re being invited.


In its newly released second edition of the 2025 Threat Trends Report, LevelBlue paints a disturbing picture of a digital threat landscape dominated not by brute-force hacks or zero-day exploits, but by nuanced, targeted, and manipulative social engineering. Titled “Fool Me Once: How Cybercriminals are Mastering the Art of Deception,” the report draws from a deep analysis of real-world incidents handled by LevelBlue’s Security Operations Center (SOC) and threat intel team, LevelBlue Labs, between January and May 2025.


The top-line numbers are stark: cybersecurity incidents nearly tripled compared to the previous half-year, and 17% of LevelBlue customers were affected, up from just 6% in late 2024. But beneath the surface, the real story is how adversaries are evolving—not just getting faster, but more manipulative.


Deception as a Service


“The most striking development in the first half of 2025 is how much more sophisticated threat actors have become at deception,” said Fernando Martinez Sidera, Lead Threat Researcher at LevelBlue. “They’re moving beyond traditional BEC schemes and using targeted social engineering to manipulate users into opening the door.”


Indeed, business email compromise (BEC) still leads in initial access vectors—but non-BEC incidents skyrocketed by 214%, signaling a dramatic behavioral pivot. Once inside a network, attackers aren’t wasting time. The report cites breakout times under 60 minutes, with some intrusions progressing laterally in less than 15 minutes—barely enough time to pour a cup of coffee, let alone launch a containment response.


The Rise of the CAPTCHA Con


Much of this shift is being driven by an explosion in fake CAPTCHA attacks—specifically ClickFix campaigns, which have increased by a jaw-dropping 1,450% since late 2024. These attacks mimic browser security popups, tricking users into downloading remote access trojans (RATs) or granting external access under the guise of tech support.


“These aren’t amateurish phish attempts,” Martinez Sidera warned. “They’re polished, professional, and highly personalized.”


Remote Control in Disguise


ClickFix and similar social engineering schemes are often followed by the deployment of remote access tools. In many cases, attackers persuade victims to install tools like Microsoft Quick Assist—or alternatives—disguised as IT troubleshooting help. Once access is granted, adversaries move quickly to disable logging, elevate privileges, and fan out across the network.


And unlike traditional malware campaigns that might linger for days or weeks, today’s attacks are built for speed and stealth. They're low-cost, high-reward, and often require minimal infrastructure—just a convincing message and a vulnerable human.


Defensive Playbook for 2025 and Beyond


As attackers lean into deception, LevelBlue’s recommendations lean heavily into user education and proactive restriction:


  • Train employees to recognize fake CAPTCHA pages and help desk scams.


  • Restrict administrative tools like PowerShell for non-admin users.


  • Remove Quick Assist from endpoints unless explicitly needed.


  • Lock down VPN access with certificates and MFA.


  • Patch aggressively—especially when exploits are publicly available.


  • Use jump boxes for RDP instead of direct access.
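One way to operationalize the Quick Assist recommendation above, as an added example that is not part of the LevelBlue report: an elevated PowerShell script that audits a Windows endpoint for Quick Assist (both the optional capability and the Store package), removes it unless the host is on an allow-list, and writes an audit trail. The allow-list hostnames and log path are assumptions.

```powershell
# Added example (not from the LevelBlue report): audit a Windows endpoint for
# Quick Assist and remove it unless the host legitimately needs it.
# Run from an elevated session; supports -WhatIf / -Verbose.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Hosts that explicitly need Quick Assist (assumed names, maintained by the help desk)
    [string[]] $AllowedHosts = @('HELPDESK-01', 'HELPDESK-02'),
    # Where to record what was found and done (assumed path)
    [string]   $LogPath = "$env:ProgramData\QuickAssistAudit.log"
)

function Write-AuditLog {
    param([string] $Message)
    $line = '{0:o} {1} {2}' -f (Get-Date), $env:COMPUTERNAME, $Message
    Add-Content -Path $LogPath -Value $line
    Write-Verbose $line
}

# Hosts on the allow-list keep Quick Assist, but the exception is logged so it stays visible.
$isAllowed = $env:COMPUTERNAME -in $AllowedHosts

# 1. Legacy delivery: Quick Assist as an optional Windows capability.
$caps = Get-WindowsCapability -Online -Name 'App.Support.QuickAssist*' |
        Where-Object { $_.State -eq 'Installed' }
foreach ($cap in $caps) {
    if ($isAllowed) { Write-AuditLog "$($cap.Name) retained: host on allow-list."; continue }
    if ($PSCmdlet.ShouldProcess($cap.Name, 'Remove-WindowsCapability')) {
        Remove-WindowsCapability -Online -Name $cap.Name | Out-Null
        Write-AuditLog "$($cap.Name) removed."
    }
}

# 2. Current delivery: Quick Assist as a Microsoft Store (Appx) package for any user.
$pkgs = Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist'
foreach ($pkg in $pkgs) {
    if ($isAllowed) { Write-AuditLog "$($pkg.PackageFullName) retained: host on allow-list."; continue }
    if ($PSCmdlet.ShouldProcess($pkg.PackageFullName, 'Remove-AppxPackage -AllUsers')) {
        Remove-AppxPackage -Package $pkg.PackageFullName -AllUsers
        Write-AuditLog "$($pkg.PackageFullName) removed."
    }
}

if (-not $caps -and -not $pkgs) {
    Write-AuditLog 'Quick Assist not installed; nothing to do.'
}
```

Run once with -WhatIf to preview the removals, then schedule it through your endpoint management tooling so a reinstalled package is caught on the next pass.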


The broader implication? Cybersecurity is no longer just a technical discipline—it’s psychological warfare. And organizations that fail to account for the human element are increasingly being outplayed.


The Battlefront Shifts Again


The LevelBlue SOC and Labs teams warn that the deception-centric approach will likely continue into 2026 and beyond, fueled by generative AI, easy-to-deploy RATs, and a growing marketplace for pre-built scam kits.


As attackers become actors—skilled in roleplay, impersonation, and manipulation—the battleground has shifted from firewalls and SIEM logs to browser windows, inboxes, and chat boxes. The question now isn't whether your tech stack is secure—it's whether your people are.


For more insights, the full 2025 LevelBlue Threat Trends Report, Edition Two is available now.