12 Months of Fighting Cybercrime & Defending Enterprises | The SentinelLABS 2025 Review

Over the past twelve months, SentinelLABS research revealed how threat actors have changed their operational approach in ways previously unseen. Among our many research publications during 2025, we exposed North Korean threat actors monitoring the same cyber threat intelligence platforms defenders use to share indicators of compromise, and revealed how a single cryptocurrency phishing operation deployed over 38,000 malicious subdomains across trusted free-tier platforms.

2025 also saw artificial intelligence transition from theoretical threat to practical reality, though not in the revolutionary ways many predicted. Instead, AI emerged as a force multiplier, with threat actors weaponizing large language models to scale attacks, generate convincing social engineering content, and automate previously manual processes.

These discoveries, and others we will explore in this review, exemplify how adversaries have fundamentally changed their operational calculus, treating legitimate infrastructure (from Telegram to free-tier publishing platforms to commercial AI APIs) as essential criminal resources and actively surveilling the defender community’s intelligence-sharing mechanisms.

Throughout 2025, SentinelLABS tracked, identified, and disclosed information on these and other critical issues to help organizations and defenders stay ahead of threats to their business operations.

All our research and threat intelligence posts can be found on the SentinelLABS home page, but for a recap of the year’s main cybersecurity events, take a scroll through the main highlights below.

Key Trends from SentinelLABS Research in 2025

  • AI Weaponization Across the Threat Spectrum: Artificial intelligence matured from a theoretical threat to an operational accelerator, used to automate existing capabilities from runtime code generation (MalTerminal) to CAPTCHA bypassing (AkiraBot), lowering barriers for both sophisticated and commodity attacks.
  • Threat Actors Monitoring Defensive Intelligence: North Korean operators (Contagious Interview) began actively monitoring platforms like Validin and VirusTotal to detect their own infrastructure exposure in near real-time.
  • Industrial-Scale Cryptocurrency & Credentials Theft: Highly organized, business-like criminal operations such as FreeDrain and PXA Stealer prove cryptocurrency and credential theft at scale has evolved into a professional sector with sophisticated infrastructure and monetization pipelines.
  • Exploitation of Legitimate Platforms: Threat actors have increasingly leveraged trusted infrastructure for malicious purposes: Telegram for C2 and data monetization, free-tier publishing platforms for phishing campaigns, and cloud services for hosting and evasion.
  • China’s Hidden Offensive Capabilities: Research into Hafnium-linked companies and firms that provide Censorship as a Service to government customers reveals deep integration between China’s private cybersecurity sector and state offensive operations.
  • Developments in Social Engineering: Through ClickFix techniques, fake CAPTCHA pages, and increasingly convincing fake job offers, threat actors have found new ways to exploit user psychology to deliver malware.

January

SentinelLABS researchers uncovered how HellCat and Morpheus ransomware operations were essentially two distinct brands deploying identical ransomware payloads, illustrating the commoditization and rebranding practices within the RaaS ecosystem. This discovery highlighted how affiliates could rebrand the same underlying malware to create the appearance of distinct threat groups, complicating attribution efforts.

Our research into a returning phishing campaign revealed the targeting of high-profile accounts on X (formerly Twitter) to promote cryptocurrency scams. The attacks demonstrated the persistent value of compromising social media accounts with large followings for financially motivated threat actors seeking to reach broad audiences with investment fraud schemes.

Key Takeaway: Understanding how common code is sourced and shared across ransomware groups can inform detection efforts and improve threat intelligence on their operations.

February

In early February, SentinelLABS reported on further variants of the FlexibleFerret DPRK malware family, continuing the Contagious Interview campaign that had been active since November 2023. The research uncovered new infection vectors and samples while also documenting persistent attempts to compromise developers through fake GitHub issues promoting malicious installer scripts.

Later in the month, analysis of leaked data from TopSec, a Beijing-based cybersecurity firm, revealed how China’s private sector provides Censorship as a Service to enforce government content monitoring. The leaked work logs showed TopSec delivering bespoke monitoring services to a state-owned enterprise precisely when a corruption investigation was announced, offering rare insight into public-private coordination for managing sensitive events and controlling public opinion in China.

February concluded with the discovery of a new Ghostwriter campaign targeting both the Ukrainian government and, for the first time, Belarusian opposition groups. The long-running threat activity cluster deployed weaponized Excel documents with lures crafted to appeal to government officials and opposition activists, marking an expansion of the campaign’s targeting scope.

Key Takeaway: The TopSec leak reveals how China’s private cybersecurity sector directly enables state surveillance and censorship operations, highlighting the interconnected nature of commercial security firms and government offensive capabilities.

March

March was marked by several significant ransomware developments. Mid-month, SentinelLABS reported on Dragon RaaS, a pro-Russian hacktivist group attempting to build on the reputation of “The Five Families” cybercrime ecosystem. The group’s emergence reflected the continued fragmentation and rebranding within ransomware operations.

The month also saw publication of research on ReaderUpdate, a macOS malware loader that had been largely dormant since 2023. New samples showed the threat actors had expanded the loader’s capabilities by adding Go to its existing arsenal of Crystal, Nim, and Rust variants, creating a “melting pot” of macOS malware designed to evade detection through diverse implementation languages.

Key Takeaway: ReaderUpdate’s use of multiple programming languages (Crystal, Nim, Rust, Go) presents unique challenges for detection and analysis, necessitating detection strategies that focus on behavior and artifacts rather than language-specific signatures.

April

April brought the discovery of AkiraBot, an AI-powered Python framework using OpenAI to generate custom spam messages targeting website contact forms and chat widgets.

Since September 2024, the bot had targeted more than 400,000 websites and successfully spammed at least 80,000 sites promoting dubious SEO services. The framework’s sophistication, including multiple CAPTCHA bypass mechanisms and network detection evasion techniques, illustrated how AI lowers barriers for scaled attacks even when the underlying criminal objective remains straightforward.

Later in the month, SentinelLABS published research on what it takes to defend a top-tier cybersecurity company from today’s adversaries. Drawing on SentinelOne’s own experiences as a target of advanced persistent threats, the research provided insight into the resources and capabilities required to protect organizations that themselves represent high-value targets for nation-state actors seeking to compromise security vendors.

Key Takeaway: AI-generated content in AkiraBot bypasses traditional spam filters by creating unique messages for each target, exposing the challenges AI poses to traditional website spam defenses.

May

May opened with our reporting on DragonForce, a ransomware gang that had completed its transformation from pro-Palestine hacktivist operation to profit-driven extortion enterprise. The group introduced a “white-label” branding service in early 2025, allowing affiliates to rebrand DragonForce ransomware as different strains for additional fees, marking a new level of commercialization within the RaaS ecosystem.

Shortly afterward, SentinelLABS and Validin unveiled FreeDrain at PIVOTcon. Our collaboration exposed an industrial-scale cryptocurrency phishing operation using SEO manipulation and over 38,000 distinct subdomains across free publishing platforms. The investigation began with a victim who lost approximately $500,000 worth of Bitcoin and expanded to reveal a professional criminal enterprise operating during standard business hours from the UTC+05:30 timezone, systematically stealing digital assets through multilayered redirection techniques.

Anti-Ransomware Day 2025 marked the sobering milestone of ten years of Ransomware-as-a-Service, now a billion-dollar criminal industry. SentinelLABS’ retrospective examined how RaaS operations had evolved from early experiments into sophisticated criminal enterprises with mature business models, customer service, and ongoing innovation.

A busy month for our researchers concluded with documentation of ClickFix techniques embedding fraudulent CAPTCHA images on compromised websites. We shared original findings from SentinelOne investigations, including infection chains and technical artifacts not previously reported.

Key Takeaway: FreeDrain’s abuse of thousands of subdomains on trusted free-tier platforms demonstrates that without stronger default safeguards, identity verification, or proper abuse response infrastructure, free publishing platforms will continue to be abused, undermining user trust and inflicting real-world financial harm.

June

SentinelLABS expanded on its earlier research on adversaries targeting top-tier organizations, detailing a China-nexus threat actor’s reconnaissance operation against SentinelOne itself that had occurred in October 2024 and extended into 2025. The research highlighted adversaries’ persistent focus on compromising cybersecurity vendors and high-value targets.

Also in June, we reported on Katz Stealer, an emerging Malware-as-a-Service platform targeting credentials and crypto assets. Advertised on BreachForums in April 2025, Katz Stealer followed the established RaaS business model, offering services to affiliates for upfront fees and demonstrating the continued commercialization of information stealer operations.

We reported on two separate Mac-focused campaigns in June, attributed respectively to Chinese and North Korean threat actors. Our researchers found evidence of macOS.ZuRu’s re-emergence with a modified Khepri C2 framework concealed inside a trojanized version of the legitimate Termius SSH client. We also detailed intrusions attributed to DPRK activity and the macOS NimDoor malware family: a Nim-based backdoor specifically designed to target Web3 and crypto platforms. The research extended understanding of North Korean threat actors’ evolving macOS malware playbook and their persistent focus on the cryptocurrency sector.

Key Takeaway: DPRK’s exploration of lesser-known languages in order to introduce analysis complexity requires security engineers to invest equal effort in understanding the affordances such languages offer threat actors.

July

One of the year’s most significant zero-day disclosures was revealed when Microsoft confirmed active exploitation of SharePoint ToolShell (CVE-2025-53770) on July 19th, two days after SentinelOne first observed ToolShell exploitation. SentinelLABS researchers subsequently documented targeted exploitation against high-value organizations in technology consulting, manufacturing, critical infrastructure, and professional services.

The vulnerability enabled unauthenticated remote code execution through crafted POST requests, with attacks occurring before public disclosure spurred mass exploitation. Further research found multiple state-aligned threat actors beginning reconnaissance and early-stage exploitation activities.

Later in July, following Department of Justice indictments of two hackers working for China’s Ministry of State Security, SentinelLABS identified more than ten patents for highly intrusive forensics and data collection technologies registered by companies linked to the Hafnium (Silk Typhoon) threat actor group.

The patents revealed previously unreported offensive capabilities including encrypted endpoint data acquisition, mobile forensics, and network traffic collection, exposing the sophisticated technical infrastructure supporting China’s APT operations and highlighting critical gaps in traditional campaign-focused attribution.

Key Takeaway: Campaign-focused attribution misses the full picture. Understanding the companies behind attacks and their documented capabilities, not just observed behavior, is essential for comprehensive threat intelligence.

August

In early August, SentinelLABS and Beazley Security exposed the PXA Stealer campaign, a Python-based operation that had infected more than 4,000 unique victims across 62 countries. The stolen data included over 200,000 passwords, hundreds of credit card records, and more than 4 million browser cookies, and was monetized through a Vietnamese-speaking cybercriminal ecosystem using Telegram APIs. The campaign demonstrated increasingly advanced tradecraft with nuanced anti-analysis techniques, non-malicious decoy content, and hardened command-and-control infrastructure.

This month, SentinelLABS also exposed widespread smart contract scams, where actors advertised crypto trading bots concealing malicious contracts designed to drain user wallets. Promoted through fake YouTube channels and AI-generated videos, the scams demonstrated how threat actors leverage social media and emerging technologies to lend legitimacy to financial fraud schemes.

Key Takeaway: Stealer campaigns have become increasingly automated and supply-chain integrated. PXA Stealer exemplifies a growing trend in which legitimate infrastructure is weaponized at scale.

September

SentinelLABS, in collaboration with Validin, exposed how North Korean threat actors behind the Contagious Interview campaign were actively monitoring cyber threat intelligence platforms to detect infrastructure exposure.

The research revealed coordinated teams using Slack for real-time collaboration and rapidly deploying replacement infrastructure when services took down their assets. Between January and March 2025 alone, our efforts identified more than 230 victims, predominantly cryptocurrency professionals, with the actual number likely significantly higher.

Later in September, SentinelLABS published groundbreaking research on hunting for LLM-enabled malware. Facing the challenge that malware offloading functionality to AI could generate unique code at runtime and evade traditional detection, our researchers developed novel methodologies based on embedded API key detection and specific prompt structure patterns.

This approach successfully identified previously unknown samples including MalTerminal, potentially the earliest known example of LLM-enabled malware. Despite initial concerns about detection challenges, the research showed how defenders could reliably hunt for and detect these emerging threats.
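As an added illustration of the two hunting signals the passage describes (an embedded API key and prompt structure inside a sample), the following Python is example code written for this review, not SentinelLABS’ own tooling. The key prefixes, endpoint paths and prompt phrasing it matches are assumptions drawn from public API documentation, and both input samples are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Patterns run over raw bytes so the same scan works on scripts, PE/ELF
# binaries and memory dumps. Key prefixes and endpoint paths are assumptions
# drawn from public API documentation, not values from the research.
KEY_RE = re.compile(rb"sk-(?:ant-)?[A-Za-z0-9_-]{20,}")
ENDPOINT_RE = re.compile(rb"/v1/(?:chat/completions|messages|completions)\b")
ROLE_RE = re.compile(rb'"role"\s*:\s*"(?:system|user|assistant)"')
# Imperative prompt phrasing a program would only carry in order to hand it to a model.
PROMPT_RE = re.compile(rb"(?i)\b(?:you are an?|return only|respond only with|generate (?:python|powershell|code))\b")

@dataclass
class Finding:
    indicator: str
    sample: str

@dataclass
class HuntResult:
    findings: List[Finding] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        kinds = {f.indicator for f in self.findings}
        prompt = bool(kinds & {"chat_role", "prompt_text"})
        if "api_key" in kinds and prompt:
            return "llm-enabled: embedded key plus prompt structure"
        if "api_key" in kinds:
            return "suspicious: embedded api key only"
        if prompt:
            return "suspicious: prompt structure only"
        # An endpoint path on its own is too weak: client libraries and docs carry it.
        return "no llm indicators"

def redact(key: bytes) -> str:
    """Keep enough of a key to pivot on, never enough to reuse it."""
    return key[:7].decode() + "..." + key[-4:].decode()

def hunt(blob: bytes) -> HuntResult:
    result = HuntResult()
    for m in KEY_RE.finditer(blob):
        result.findings.append(Finding("api_key", redact(m.group(0))))
    for name, rx in (("endpoint", ENDPOINT_RE), ("chat_role", ROLE_RE), ("prompt_text", PROMPT_RE)):
        for m in rx.finditer(blob):
            result.findings.append(Finding(name, m.group(0).decode(errors="replace")))
    return result

# Constructed samples: a fake binary carrying a key and a chat prompt, and a
# benign client README that merely mentions the endpoint.
SAMPLE_LLM_MALWARE = (
    b"MZ\x90\x00\x03\x00\x00\x00" b"https://api.openai.com/v1/chat/completions\x00"
    b"sk-CONSTRUCTEDEXAMPLEKEY0123456789abcdef\x00"
    b'{"model":"example-model","messages":[{"role":"system",'
    b'"content":"You are a helpful assistant. Return only code."}]}'
)
SAMPLE_BENIGN = b"Client docs: POST /v1/chat/completions with the key from your dashboard."

if __name__ == "__main__":
    for label, blob in (("malware", SAMPLE_LLM_MALWARE), ("benign", SAMPLE_BENIGN)):
        print(label, "->", hunt(blob).verdict)
```

The same regexes translate directly into YARA strings for retrohunting across a sample corpus; the verdict logic shows why an endpoint string alone should not fire.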

Key Takeaway: LLM-enabled malware is still in a nascent stage, giving defenders an opportunity to learn from attackers’ mistakes and adjust their approaches accordingly.

October

In late October, following intelligence shared by the Digital Security Lab of Ukraine, SentinelLABS investigated PhantomCaptcha, a coordinated single-day spearphishing operation launched on October 8th targeting organizations critical to Ukraine’s war relief efforts.

The threat actors used emails impersonating the Ukrainian President’s Office carrying weaponized PDFs, luring victims into executing malware via a ‘ClickFix’-style fake Cloudflare captcha page. The final payload was a multi-stage WebSocket RAT, hosted on Russian-owned infrastructure, with an array of offensive features including arbitrary remote command execution, data exfiltration, and the potential deployment of additional malware.

The campaign reflects a highly capable adversary with extensive operational planning, compartmentalized infrastructure, and deliberate exposure control. The six-month period between initial infrastructure registration and attack execution, followed by the swift takedown of user-facing domains while maintaining backend command-and-control, indicates an operator well-versed in both offensive tradecraft and defensive detection evasion.

Key Takeaway: User awareness training on “ClickFix”-style social engineering techniques can help prevent attacks using this infection vector. PowerShell logging provides visibility into commands using hidden window styles, execution policy bypasses, or attempts to disable command history logging, while network security teams can monitor for WebSocket connections to recently-registered or suspicious domains.
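To make the PowerShell logging half of this takeaway concrete, here is an added example (not from the original article) that runs three detection rules over script block contents as logged in the ScriptBlockText field of Event ID 4104. The short parameter forms it accepts (-w, -ep, -ex) rely on powershell.exe’s prefix abbreviation of parameter names; the five log records are constructed.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

class Rule(NamedTuple):
    name: str
    pattern: re.Pattern

def param(name: str, min_len: int) -> str:
    """Regex for '-<prefix>' where prefix is any abbreviation of a PowerShell
    parameter name of at least min_len characters (powershell.exe accepts
    unambiguous prefixes, so -w, -win and -WindowStyle are all the same)."""
    tail = ""
    for ch in reversed(name[min_len:]):
        tail = f"(?:{ch}{tail})?"
    return r"(?<!\w)-" + name[:min_len] + tail

RULES = [
    # Hidden console window: -WindowStyle Hidden and its short forms.
    Rule("hidden_window", re.compile(param("windowstyle", 1) + r"\s+hidden\b", re.I)),
    # Execution policy bypass: -ExecutionPolicy / -ex / -ep with Bypass or Unrestricted.
    Rule("execution_policy_bypass",
         re.compile(r"(?:" + param("executionpolicy", 2) + r"|(?<!\w)-ep)\s+(?:bypass|unrestricted)\b", re.I)),
    # Command history disabled for the session via PSReadLine.
    Rule("history_disabled",
         re.compile(r"Set-PSReadLineOption\b[^\n]*-HistorySaveStyle\s+SaveNothing\b", re.I)),
]

def scan_block(script_text: str) -> List[str]:
    """Names of every rule that fires on one logged script block."""
    return [rule.name for rule in RULES if rule.pattern.search(script_text)]

def scan_log(blocks: List[Tuple[int, str]]) -> Dict[int, List[str]]:
    """Map record id -> rule hits, keeping only records that fired."""
    hits = {}
    for record_id, text in blocks:
        names = scan_block(text)
        if names:
            hits[record_id] = names
    return hits

# Constructed script block contents as they would appear in the ScriptBlockText
# field of Event ID 4104 (Microsoft-Windows-PowerShell/Operational). Record 5 is
# a benign line containing the word "hidden" to show the rules do not over-fire.
SAMPLE_4104 = [
    (1, r"Get-ChildItem C:\Users -Recurse | Measure-Object"),
    (2, r'powershell -w hidden -ep bypass -Command "Start-Sleep 1"'),
    (3, r"Set-PSReadLineOption -HistorySaveStyle SaveNothing; Get-Date"),
    (4, r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\ProgramData\task.ps1"),
    (5, r"Get-WmiObject Win32_Process -Filter 'name = \"hidden.exe\"'"),
]

if __name__ == "__main__":
    for rid, names in scan_log(SAMPLE_4104).items():
        print(f"record {rid}: {', '.join(names)}")
```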

November

As part of our efforts to empower the community at large through research and adversary exposure, SentinelLABS also develops and releases open source tooling. In November, we released a Synapse Rapid Power Up for Validin to improve campaign discovery at scale. Our research showed how modern intelligence platforms could accelerate identification of threat campaigns through infrastructure correlation and automated discovery techniques.

Using the LaundryBear and FreeDrain campaigns as case studies, we explored how the sentinelone-validin power-up leverages Validin’s multi-source enrichment and HTTP fingerprinting to reveal wider campaign infrastructure within Synapse from just a handful of indicators.

The tool makes it easier to follow how infrastructure changes over time, trace shared resources across campaigns, and connect what might first appear as isolated indicators. With this richer context available directly in Synapse, analysts can move from collection to understanding with greater speed and confidence in their conclusions.

Key Takeaway: Modern adversaries rotate domains and replicate infrastructure templates, which can limit the value of isolated indicators. Analysts need time-aware, cross-source analysis to identify shared traits and connect related assets.

December

Early in December, SentinelLABS released its forward-looking “Cybersecurity 2026” forecast, examining the year ahead in AI, adversaries, and global change. The analysis drew on trends observed throughout 2025 to project how the threat landscape would continue evolving.

This month we also traced how two hackers progressed from Cisco Academy students to orchestrating Salt Typhoon attacks, providing rare insight into how technical education can be perverted toward malicious ends and highlighting the danger of threat actors emerging from legitimate training programs.

December also saw reporting on CyberVolk’s return with VolkLocker. The pro-Russian hacktivist collective continued its pattern of reusing, tweaking, and rebranding leaked ransomware source code.

The year concluded with comprehensive research on how large language models impact ransomware operations. The analysis found that while LLMs are being adopted by crimeware actors, they serve as operational accelerators rather than revolutionary tools, streamlining reconnaissance, improving phishing, and speeding up attack stages without fundamentally changing ransomware methodology.

Key Takeaway: With today’s LLMs, the risk is not superintelligent malware but industrialized extortion, requiring defenders to adapt to faster operational tempo rather than novel capabilities.

Conclusion

2025 saw the cybersecurity landscape defined not by revolutionary changes but by the acceleration of existing threats. AI has emerged not as a game-changer but as a force multiplier, amplifying attacks across the spectrum.

Meanwhile, cybercriminals operate industrial-scale operations with professional infrastructure, business hours, and customer service models much like legitimate enterprises, and nation-state actors monitor the same intelligence platforms defenders use, turning the information security community’s own tools into reconnaissance resources.

Our research over the last 12 months has also found an adversary landscape in which attribution has become increasingly complex, and the line between hacktivist and profit-motivated operations continues to blur. From the 38,000 phishing subdomains of FreeDrain to the coordinated teams behind Contagious Interview monitoring threat intelligence platforms, threat actors have shown both adaptability and operational maturity.

SentinelLABS’ discoveries throughout 2025 underscore the critical need for a collaborative, intelligence-driven approach to cybersecurity. As we move into 2026, defenders will find themselves in an environment where trust models require reevaluation, adversaries demonstrate sophisticated awareness of defensive operations, and the weaponization of legitimate services demands new detection paradigms.