Cybersecurity threatscape: Q4 2024 – Q1 2025

This report contains information on current global cybersecurity threats based on Positive Technologies own expertise, investigations by Positive Technologies Expert Security Center, and reputable sources.

We estimate that most cyberattacks are not made public due to reputational risks. As a consequence, even companies specializing in incident investigation and analysis of hacker activity are unable to quantify the precise number of threats. Our report seeks to draw the attention of companies and individuals to the key motives and methods of cyberattacks, as well as to highlight the main trends in the changing cyberthreat landscape.

This report considers each mass attack (for example, phishing emails sent to multiple addresses) as one attack, not several. For explanations of terms used in this report, please refer to the Positive Technologies glossary.

In Q4 2024, the number of incidents rose by 5% compared to Q3 and by 13% compared to Q4 2023. Malware remains the main method of attackers and was used in 66% of successful attacks against organizations and in 51% of attacks on individuals. The most commonly used types of malware were ransomware (42%), remote access trojans (38%), and spyware (20%). We have observed an increase in the use of spyware in attacks targeting organizations, which is 4 percentage points higher than in the previous quarter. Over the reporting period, 53% of successful attacks on organizations led to the exposure of confidential information, while 32% resulted in disruptions to core business operations. When it comes to attacks on individuals, 48% of successful incidents were financially motivated—a sharp increase of 18 percentage points compared to the same period last year. This trend suggests that financial losses among individuals are a defining characteristic of Q4.

Social engineering trends: corrupted malicious files and fake CAPTCHA

As of Q4 2024, social engineering remained one of the most popular methods of attacks on organizations (50%) and individuals (88%). Social engineering attacks against organizations and individuals were mainly conducted via email (84%) and websites (44%), respectively. Meanwhile, there was an increase in the use of social media (up 10 percentage points to 22%) and messengers (up 11 percentage points to 18%) in attacks on individuals. This is largely due to the broad opportunities these platforms offer attackers to deceive users. Communication on social media and messengers tends to occur quickly, making it easier for attackers to mislead their victims and prevent them from taking the time to think critically. In addition, attackers are using leaked personal data, hacked accounts of other users and organizations, and even creating deepfakes based on them.

Hidden threats in Microsoft Office documents

Microsoft Word documents are widely used in organizations around the world. The ubiquity of this file format provides attackers with ample opportunities to develop new attack methods. In Q4 2024, a new phishing campaign was identified that involved emails containing Microsoft Office attachments intentionally corrupted to evade security tools. These email attachments bypass antivirus software, prevent files from being uploaded to sandboxes, and evade Outlook spam filters, allowing malicious documents to reach recipients. When opened, the document displays a message claiming it is damaged and requires a recovery process to access its contents.

The ultimate goal of the attack is to trick users into opening infected documents with embedded QR codes. When scanned, these QR codes redirect victims to fraudulent websites where malicious software is installed on victim’s devices or to fake login pages designed to steal credentials. Quishing¹ (QR phishing) peaked in popularity during the first half of 2024, as we highlighted in our Q2 2024 report. This technique continued to see widespread use in H2 2024.

We anticipate that this new technique of corrupting documents may soon be adopted by other attackers who use Microsoft Office files as bait to deliver malware. Attackers often embed harmful macros, templates, and exploits within Microsoft Word documents. While these techniques are not new and are well-detected by security tools like secure email gateways, antivirus software, sandboxes, and EDR solutions, attackers are shifting towards more complex, multi-stage malware delivery schemes designed to evade detection. The newly identified file corruption technique may become an effective tool for launching such sophisticated campaigns in the coming months.

To prevent malicious macros from running, organizations should Configure the group policy setting «Block macros from running in Office files from the Internet». Organizations are also recommended to implement a whitelist of trusted websites to prevent employees from visiting phishing pages. To detect malicious email attachments, we advise that companies enforce sandbox checks for damaged or otherwise altered files. To detect malicious activity on workstations, organizations should use modern EDR solutions capable of identifying behavioral anomalies.
Employees should exercise caution when receiving damaged or unreadable Microsoft Word or PDF files, especially if they are prompted to recover the document. Documents sent via email from unknown senders should not be downloaded or opened hastily. We recommend contacting the sender through a trusted communication channel to verify the authenticity of the document. This simple step can help avoid potentially harmful consequences for the company.

When fear drives the click

Throughout 2024, we observed phishing campaigns such as «Contagious interview,» which targeted developers by inviting them to fake interviews, ultimately tricking them into downloading malicious code onto their devices. By the end of the year, attackers devised a new scheme with the opposite motivation. This new phishing campaign targets organizations across various industries, using fear as a tactic to manipulate victims into action. The attack begins with an email designed to look like an official notification about legal proceedings and employee termination. Recipients are urged to download a document to access more details. Attached to the email is a RAR archive containing a malicious Visual Basic script. This script delivers the main payload, which is likely a banking trojan, indicating that the attackers are financially motivated. Experts predict that, in the future, this campaign may expand beyond email to platforms like LinkedIn or Facebook.

A virus disguised as a CAPTCHA: hackers’ new trick

In Q4 2024, attackers widely adopted a new phishing scheme involving fake CAPTCHA pages. Victims are directed to a malicious website displaying a fake CAPTCHA page. When the victim clicks the «I’m not a robot» button, an encrypted PowerShell command string is copied to the device’s clipboard. The attackers then prompt the user to paste the clipboard’s contents into the command line, which activates a script to download and install malware onto the victim’s device.

This scheme first appeared in Q3 2024, primarily targeting gamers with the distribution of the popular infostealer Lumma Stealer capable of stealing browser credentials and access to cryptocurrency wallets. In Q4 2024, this phishing tactic scaled up significantly. Attackers used the Monetag advertising network to serve pop-up ads promoting over 3,000 malicious websites offering fake software and pirate video platforms to spread Lumma Stealer via fake CAPTCHAs. In addition to Lumma Stealer, cybercriminals also distributed the Amadey malware, which steals browser credentials, replaces cryptocurrency wallet addresses in the clipboard with attacker-controlled addresses, and, in some cases, installs the Remcos RAT (remote access trojan). Moreover, fake CAPTCHA pages were massively deployed on compromised WordPress-based websites to distribute a new piece of malware called CoinLurker, designed to steal data from cryptocurrency wallets as well as applications like Telegram, Discord, and FileZilla. This fake CAPTCHA technique was found not only in attacks on individuals but also on organizations. For example, in December, a phishing campaign targeted the hospitality industry in the UK. Hotel managers received emails purportedly from a booking service, containing links to phishing pages. As a result of these attacks, the XWorm RAT malware was installed on employees’ devices.

Legitimate CAPTCHA checks never require entering commands in the operating system or within the web page itself. Real CAPTCHA methods involve simple tasks like arranging shapes, entering a sequence of 6–8 alphanumeric characters, or checking a box to confirm you’re human. Additionally, a genuine CAPTCHA will never ask for sensitive information such as login credentials, passwords, or credit card numbers. If a CAPTCHA prompts you to provide such details, it’s a clear red flag and should be treated with caution.

Malware: old and new tools in hackers’ arsenal

In Q4 2024, the most commonly used types of malware in successful attacks on organizations were ransomware (42%), remote access trojans (RATs) (38%), and spyware (20%). Ransomware continues to be a major threat to organizations worldwide, used not only for financial gain but also as a tool for hacktivists. During this period, RansomHub was the most active ransomware group, overtaking LockBit in terms of the number of victims. Another key player, the well-known Akira ransomware group, also demonstrated a significant rise in attacks. Akira is believed to have infiltrated organizational infrastructures through the exploitation of vulnerabilities such as CVE-2024-40766 (rated 9.8 on the CVSS 3.1 scale) in SonicWall VPNs and CVE-2024-40711 (also rated 9.8) in Veeam Backup & Replication servers. The last quarter of 2024 marked the emergence of several new ransomware groups, including Interlock, Termite, SafePay, and FunkSec. These groups quickly launched aggressive campaigns, targeting companies’ infrastructures and publishing statements on their data leak sites (DLS)².

As for attacks on individuals in Q4 2024, spyware remained the most frequently used malware, accounting for 48% of successful incidents. Banking trojans also saw a surge in usage, increasing to 19% of attacks—an 8 percentage point rise compared to Q3. According to Cyble Research and Intelligence Labs (CRIL), malicious actors started to distribute a modified version of the Cerberus banking trojan in October. This trojan was disguised as an installer for the Google Play Store. Banking trojans often masquerade as legitimate applications. In December, Dr.Web analysts uncovered new versions of the NGate banking trojan, which specifically targeted Russian users. NGate collects NFC chip data from compromised devices, enabling attackers to withdraw funds from victims’ accounts at ATMs without their involvement. This malware was distributed as an APK file via malicious links, disguised as apps for the Russian government services portal Gosuslugi or popular banking apps.

The use of remote access trojans (RATs) in successful attacks on both organizations and individuals declined in Q4 2024, dropping by 6 percentage points compared to Q3. RATs accounted for 38% of attacks on organizations and 29% of attacks on individuals. This trend aligns with findings from Any.Run researchers who reported a 10.8% decline in the number of detected RATs during the quarter. However, this decrease is likely temporary and may reflect shifts in cybercriminal strategies or tool preferences. Despite this short-term decline, RATs remain a significant threat in 2024, with Q4 showing a 6 percentage point increase compared to Q1 2024 and a 16 percentage point increase compared to Q4 2023.

Invisible threats: evolving RATs use sophisticated infection chains and bypass techniques

During Q4 2024, we observed the emergence of updated remote access trojans (RATs) using increasingly sophisticated methods to evade detection. For example, attackers modified Remcos RAT, embedding multiple layers of obfuscation using JavaScript, VBScript, and PowerShell to bypass security tools. Another highly popular RAT, AsyncRAT, adopted an intricate infection chain in the final quarter of 2024. The attack began with a text file concealing an encrypted VBS script, which triggered a sequence of malicious commands designed to cover the infection traces. AhnLab’s Security Emergency Response Center (ASEC) uncovered a new delivery method for AsyncRAT using SVG files. These malicious files, sent via email, prompted users to download a PDF document, which covertly installed AsyncRAT onto compromised systems. Even developers were not spared. A malicious npm package, disguised as a tool for detecting vulnerabilities in Ethereum smart contracts, was discovered to be installing Quasar RAT onto devices. Published on December 18, 2024, this package would retrieve a script from a remote server after installation and execute it to deploy the RAT on Windows systems.

Spyware on the rise

In Q4 2024, the use of spyware in successful attacks on organizations increased by 4 percentage points compared to the previous quarter. Spyware, as noted earlier, remained the dominant malware type in attacks on individuals (48%), leading the list of malware types.

In attacks on Russian organizations, cybercriminals often employed well-known infostealers. In mid-November, experts at PT Expert Security Center Threat Intelligence observed a campaign distributing Lumma Stealer and NetSupport RAT. Attackers sent phishing emails containing LNK or DOCX file attachments to organizations. When opened, these attachments downloaded malicious programs either from GitHub repositories controlled by the attackers or their C2 servers. Additionally, a new wave of phishing campaigns targeting Russian organizations in industries such as manufacturing, agriculture, and energy was reported in Q4. These campaigns delivered the Snake keylogger, capable of intercepting keystrokes, taking screenshots, gathering clipboard data, and stealing credentials from popular browsers and email clients. Attackers sent phishing emails from spoofed or compromised addresses of Russian and international companies. The emails contained .bz archives with .exe files responsible for delivering and installing the malware on victims’ systems.

Both Lumma Stealer and Snake remain among the most popular tools for attackers and serve as foundations for creating new spyware strains. In Q4, two new malicious programs were observed in attacks on both individuals and organizations: LummApp and Nova. LummApp integrates Lumma Stealer components and is designed to covertly install malicious browser extensions for data theft. Nova is new variant of the Snake Keylogger malware, which uses a protector written in AutoIt.

Attackers also update older, specialized malware that has proven effective. According to PT Expert Security Center, a modified version of the infamous Owowa module was detected in attacks on Russian organizations. Owowa targets Microsoft IIS web servers running Outlook Web Access (OWA) and allows attackers to steal Exchange user credentials. Once attackers breach an infrastructure and locate a mail server, they integrate a malicious DLL into the targeted IIS server’s process, which complicates detection. Attackers then intercept OWA users’ web authentication, extracting credentials through HTTP requests. The updated version of Owowa stores compromised credentials in the server’s memory (using a HashSet data structure) rather than writing them to the file system, minimizing the digital footprint, bypassing EDR systems, and optimizing the reading and writing of stolen data.

Botnets unlimited: IoT devices, web servers, and network equipment under attack

In Q4 2024, botnet activity surged, successfully targeting network equipment, IoT devices, and web servers. Compromised devices and resources were used for DDoS attacks, cryptocurrency mining, and cyberespionage. According to Cloudflare, Q4 2024 saw the largest recorded DDoS attack in history, with a bandwidth of 5.6 Tbps.

Botnets exploited unpatched vulnerabilities in devices and software as their primary access vector. They also bruteforced weak or default passwords. For example, the Ficora botnet recorded increased activity during October and November, targeting popular D-Link routers used by individuals and organizations. It leveraged long-known exploits for vulnerabilities CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112, for initial access. Another botnet, Androxgh0st, is exploiting vulnerabilities in Atlassian JIRA, GeoServer (CVE-2024-36401), and Laravel web servers, as well as in WordPress admin panels, to infiltrate critical infrastructure. The Gafgyt botnet, on the other hand, targeted publicly exposed, misconfigured Docker Remote API servers. Attackers created a Docker container using legitimate Alpine images and ran malicious code within it.

Some botnets exploited vulnerabilities that lack official patches or CVE identifiers. For instance, the new Mirai-based botnet Hail Cock began exploiting an RCE vulnerability in DigiEver DS-2105 Pro NVRs in November 2024. This vulnerability, disclosed by a researcher at a 2023 DefCamp security conference, remained unregistered and unpatched.

Among the most prominent threats to network equipment and IoT devices is XorBot, equipped with at least 12 exploits targeting devices from various manufacturers. This malware family has shown high activity recently, and its scripts demonstrate a wide compatibility with various CPU architectures, including MIPS, PowerPC, ARM, and x86_64, among others. IoT devices used by individuals are also heavily targeted by attackers. In December 2024, the Android-focused BadBox botnet expanded to more than 192,000 devices globally, despite a recent takedown operation. According to BitSight Technologies, BadBox infects devices through supply chain attacks during or shortly after manufacturing, though the exact infection vector remains unknown.

Legitimate but dangerous: AutoIt in attackers’ hands

Both AhnLab (ASEC) and Symantec Security Center independently reported a significant increase in malware distributed via AutoIt scripts in the second half of 2024. AutoIt is a programming language designed for automating tasks in Windows, making it easy to create .exe files. With minimal dependencies on system configurations or runtime environments and no need for additional libraries, it’s a more straightforward alternative to development in the .NET framework. The discovered trend persisted throughout Q4 2024, with only a slight decline in December. Throughout Q4 2024, AutoIt was used in the attack chains of the DarkGate and Snake campaigns. As mentioned earlier, the Nova variant of the Snake Keylogger, which uses a protector written in AutoIt, was detected.

To protect themselves from advanced malware, organizations should use sandboxes that allow programs to be run in an isolated virtualized environment to detect malicious activity. To evaluate how well employees are protected against phishing, we recommend using services that test the security of corporate email systems. To detect malicious activity within the infrastructure early and prevent data exfiltration via C2 channels, we recommend implementing network traffic analysis systems.
To secure cloud infrastructure, we recommend using container security solutions and web application firewalls to prevent unauthorized access to client data. For efficient network perimeter protection, we recommend using next-generation firewalls. To strengthen their security operations centers (SOC), we recommend that companies implement metaproducts that provide a high level of automation for incident detection and response.

Criminal innovations: how AI speeds up security evasion and fuels ransomware development

Throughout 2024, attackers refined their techniques and tools by leveraging artificial intelligence (AI)—and the final quarter was no exception.

Anti-bot services supporting PHaaS

For several quarters now, we have been witnessing the use of evolving phishing-as-a-service (PHaaS)³ platforms. To ensure phishing pages reach end users, cybercriminals must devise effective ways to bypass detection filters in antivirus solutions and modern browsers. Recently, dark web forums have introduced new anti-bot services designed to help phishing pages evade Google Safe Browsing security mechanisms. Services like Otus Anti-Bot, Remove Red, and Limitless Anti-Bot help attackers to keep malicious websites hidden and functional for extended periods. Limitless Anti-Bot stands out for its use of AI and traffic filtering based on geolocation and internet service provider data. These tools are capable of distinguishing genuine users from automated scanners, reducing the likelihood of phishing sites being discovered.

Vulnerabilities: from discovery to exploitation in just a few clicks

Advancements in AI have given rise to new tools that automate and speed up the process of identifying vulnerable devices and exploiting their weaknesses. In Q4 2024, a research project called Burpference was published on GitHub. This extension for Burp Suite collects all in-scope links from HTTP request history and sends them to a remote LLM API in JSON format to automate vulnerability discovery in analyzed resources. The use of such tools allows attackers to identify vulnerabilities faster and shorten the time between discovery and exploitation.

Want a custom ransomware? Just ask AI

At the end of Q4 2024, a new ransomware group called FunkSec made its mark on the cybercrime scene, claiming responsibility for attacks on more than 80 victims. According to research by Check Point, FunkSec members appear to have low technical skills but likely created their Rust-based ransomware variant with the help of AI. The group demands relatively small ransoms, sometimes as low as $10,000, and shows tendencies toward hacktivism. However, in January 2025, FunkSec announced plans for an updated ransomware version to be distributed as a subscription-based service (Ransomware-as-a-Service, RaaS). Additionally, the group intends to organize training courses for novice hackers, teaching them phishing and vulnerability exploitation techniques. After these updates, the ransom amounts are expected to increase to as much as $1 million. FunkSec also announced an auction to sell various hacking tools and stolen databases.

Supply chain attacks: how malicious code finds its way into popular services

In Q4 2024, financially motivated attackers and APT groups successfully carried out supply chain attacks. Cybercriminals compromised the repository of the Python library Ultralytics, which supports multiple computer vision tasks, and uploaded malicious versions of the library to PyPI. These versions were specifically designed for cryptocurrency mining. The attackers exploited a vulnerability in GitHub Actions handlers to gain the ability to publish code on behalf of developers. This vulnerability allowed them to format project code through pull requests. While the developers quickly addressed the issue and released an update, the attackers uploaded malicious versions with different code just two days later. The exact number of compromised users remains unknown, but the incident highlights the critical importance of secure development processes at every stage of a product’s lifecycle.

Towards the end of the year, attacks on retail and e-commerce companies tend to increase. Attackers hack poorly protected websites based on platforms like WordPress, WooCommerce, and 1C-Bitrix to embed web skimmers for stealing customers’ credit card data. However, in 2024, attackers adopted a more sophisticated approach by hacking the FreshClick application used by the e-commerce SaaS platform BigCommerce. Unknown attackers injected malicious code designed to collect credit card data into FreshClick. While the exact number of affected retail companies remains unclear, at least one company, ZAGG—a household electronics accessory manufacturer—filed an official notice regarding the compromise of customer credit card data for orders placed between October 26 and November 7.

A larger supply chain attack at the end of 2024 resulted in the compromise of 35 Google Chrome extensions, with attackers injecting malicious code to steal user credentials. The attackers sent phishing emails to extension developers, masquerading as messages from Google, claiming their extensions violated Chrome Web Store policies and could be removed. Developers were directed to follow a link purportedly to accept the new Chrome Web Store policies, but instead, they inadvertently granted external applications access to their Google accounts. The first report of this attack came from Cyberhaven, a cybersecurity solutions provider whose extension was also compromised.

The attackers used a tool called GoIssue, which automatically extracts email addresses from GitHub profiles and sends mass phishing emails directly to developers’ inboxes. The investigation revealed that the attackers primarily targeted Facebook account credentials. The malicious code added a mouse click event listener for the victim’s interactions on Facebook, looking for QR code images related to the platform’s two-factor authentication or CAPTCHA mechanisms. The attackers focused on business Facebook accounts to conduct direct payments using victims’ credit cards, spread disinformation, or monetize access by selling the accounts to other users.

Organizations developing software or hardware solutions should establish secure development processes and supply chain protection mechanisms. They should regularly update their source-code management tools and storage solutions, as well as ensure security and integrity throughout the entire software development life cycle. We recommend implementing application security tools, dynamic application security testing (DAST), and source code and package analyzers like PT PyAnalysis.
The payment card data obtained during attacks can be sold on darknet platforms and used in subsequent attacks. To avoid that, organizations should regularly update their CMS and plugins, as well as use strong passwords and multifactor authentication. This is particularly important because attackers typically exploit weak passwords and plugin vulnerabilities to gain extended access to websites and advance their attacks.

Hello, hackers on the line! More attacks on telecom

In Q4 2024, there was a notable rise in successful attacks targeting telecommunications companies. These attacks accounted for 6% of all successful incidents against organizations, reflecting a 2 percentage point increase compared to Q3. The attacks were conducted by APT (Advanced Persistent Threat) groups, financially motivated cybercriminals, and hacktivist collectives.

Telecom companies handle vast amounts of data about their subscribers—both individuals and businesses—including phone call records. Successful attacks on telecom providers can lead to massive data breaches with severe consequences. In December 2024, Namibia’s state-owned company Telecom Namibia fell victim to a ransomware attack by Hunters International. Over 600 GB of sensitive client data was leaked, including personal and financial information. According to the news outlet The Namibian, the victims included at least eight government ministries, five regional councils, ten municipal authorities, as well as corporate clients like Qatar Airways and Ethiopian Airlines.

One of the most prominent incidents in Q4 2024 was a long-lasting cyberespionage campaign targeting several major U.S. telecom providers. This campaign likely began in early 2024 and lasted through the November presidential elections. Cybercriminals infiltrated the infrastructure of at least eight major providers, including AT&T, Lumen Technologies, T-Mobile, and Verizon. Systems used by the U.S. federal government for court-authorized wiretapping were compromised in the attack. The ultimate goal was likely to target devices belonging to presidential candidates and other participants in the election campaign. Investigations revealed that attackers gained access to telecom networks nationwide by exploiting vulnerabilities in outdated network equipment and the lack of two-factor authentication. This large-scale campaign is believed to have been orchestrated by the APT group Salt Typhoon. According to Trend Micro, this group employs malware such as the GhostSpider backdoor, Masol RAT, the modular backdoor SnappyBee, and the Demodex rootkit. Exploited vulnerabilities included CVE-2023-46805 and CVE-2024-21887 (Ivanti Connect Secure VPN), CVE-2023-48788 (Fortinet FortiClient EMS), CVE-2022-3236 (Sophos firewalls), and the ProxyLogon vulnerabilities in Microsoft Exchange (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065).

Telecom operators provide communication services to critical sectors such as government, industry, and finance. They often supply equipment to corporate clients and maintain remote access to manage it, thereby creating communication channels between infrastructures. This close integration makes telecom companies attractive targets for cybercriminals. By compromising a provider’s infrastructure, attackers can launch attacks on its clients. This highlights the serious risk of attacks that exploit trusted communication channels (trusted relationship compromise).

We recommend that telecommunications companies and service providers implement a comprehensive set of security measures, including replacing or upgrading outdated equipment and software, establishing robust vulnerability management processes, and adopting multifactor authentication methods for corporate services. It is also recommended to use sandboxes to promptly detect malicious email attachments. Additionally, we advise ensuring the security of the network perimeter by deploying next-generation firewalls.

Based on an analysis of the latest cyber threats at the end of 2024, along with insights into recently discovered vulnerabilities, malware, increased access to emerging technologies, and other relevant data, we predict the following trends for the first half of 2025:

• In addition to attacks involving Microsoft Word documents, phishing attacks with attached archives (7-Zip and other formats) will remain a significant threat to organizations. The technique outlined in this research—use of corrupted files embedding malicious payloads that are activated upon recovery—applies not only to Word documents but also to archive files. Moreover, in Q4 2024, Perception Point researchers identified a new method for combining ZIP files to deliver malware while avoiding detection. This technique, combined with archive corruption, is likely to remain in use by attackers. Additionally, in the first half of 2025, we expect attackers to exploit the newly disclosed vulnerability CVE-2025-0411 (scored 7.0 on the CVSS scale), which allows threat actors to bypass the Mark of the Web protection mechanism in vulnerable versions of 7-Zip and execute arbitrary code with the privileges of the current user if they visit a malicious webpage or open an infected file.
• Attackers keep developing tools and techniques to compromise credentials and bypass multifactor authentication (MFA). This trend includes the growth of Phishing-as-a-Service (PHaaS) platforms and sophisticated targeted phishing campaigns that mimic corporate web services. For example, in late October 2024, EclecticIQ analysts uncovered a phishing campaign targeting the telecom and financial sectors in the U.S. and Canada. The phishing pages simulated the MFA login process for Telstra webmail and specifically targeted AT&T employees. Throughout 2025, attackers are likely to refine their methods for compromising MFA systems.
• In the first half of 2025, attackers will likely continue using phishing schemes involving fake CAPTCHA pages, as well as the ClickFix technique, which was widely used in Q3 2024. Reports of such campaigns were common in Q4 2024 and early 2025, highlighting the importance of raising cybersecurity awareness among target audiences.
• Spyware was increasingly used in successful cyberattacks on organizations in Q4 2024, with social engineering being the primary delivery method. Attackers use social engineering to steal credentials and escalate attacks under the guise of legitimate accounts. For example, the U.S. retailer Hot Topic and its associated brands, Box Lunch and Torrid, experienced a data breach affecting at least 54 million customers. Investigators found that one of the company’s computers had been infected with an infostealer. On the compromised device, researchers discovered credentials associated with corporate URLs related to Hot Topic and Torrid’s environment on Snowflake and Looker (Google Cloud). As for attacks on individuals, spyware was delivered through phishing campaigns involving fake CAPTCHA pages, as well as multiple SEO poisoning⁴ and malvertising⁵ attacks. We anticipate that well-known spyware strains will continue to be used in attacks against both organizations and individuals in the first half of 2025. The development of spyware and other malware will likely focus on minimizing digital footprints and bypassing MFA more efficiently. In 2025 we anticipate the emergence of a new type of infostealer—server side stealers—designed to stealthily exfiltrate data from the infrastructure.

• Software supply chain attacks remained effective throughout 2024, posing a significant security threat to organizations. Attackers exploit vulnerabilities, employ sophisticated social engineering tactics, and use automation tools to search for credentials and authentication tokens in public code repositories. These attacks highlight weaknesses in the current software development and delivery processes, demanding greater attention. We expect that APT groups, as well as financially motivated attackers, will continue to seek opportunities for supply chain attacks and refine their tools. With the rise in attacks on telecommunications, we also anticipate an increase in attacks targeting trusted communication channels.
• In the first quarters of 2025, botnets are expected to remain active. Many vulnerable devices and interfaces lack security updates or are configured insecurely, making them susceptible to automated vulnerability scanning and exploitation, especially as attackers refine their tools. As of Q4 2024 and January 2025, we have observed alliances of well-known hacktivist groups.
• Malware infection chains, including Remote Access Trojans (RATs), are becoming increasingly complex. Attackers will continue improving existing versions of popular tools to evade detection and combine them with BYOVD⁶ (Bring Your Own Vulnerable Driver) techniques, which allow attackers to disable logging in EDR systems and remain undetected.
• Ransomware operators will continue leveraging social engineering and exploiting vulnerabilities. Due to the widespread availability of stolen credentials, many cybercriminals—including ransomware operators—are likely to attempt access to infrastructures using compromised credentials or authentication tokens. Halcyon Ransomware Detection and Recovery (RDR) reported in late Q4 2024 that several organizations using Amazon S3 cloud infrastructure were compromised through publicly exposed keys with permissions to read and write object storage. As a result, their S3 buckets were encrypted with the AES-256 algorithm, rendering them unrecoverable without the decryption key. Ze anticipate the ransomware group FunkSec to target organizations worldwide throughout 2025 and recruit novice hackers. Their Ransomware-as-a-Service (RaaS) model will enable them to compete with more experienced groups.

The exploitation of software vulnerabilities remains one of the most effective methods for attacking organizations (32% of successful breaches). Below are the most notable vulnerabilities exploited in Q4:

• CVE-2024-9680. This vulnerability, rated 9.8 on the CVSS 3.1 scale, is related to a use-after-free⁷ flaw in Mozilla Firefox’s animation timelines. It allows arbitrary code execution within the browser’s sandbox. When combined with a Windows vulnerability (CVE-2024-49039, rated 8.8 on CVSS 3.1), attackers can escape the sandbox and execute code with the current user’s privileges. The APT group RomCom exploited these two vulnerabilities in zero-day attacks to gain remote code execution without user interaction. Victims were compromised simply by visiting a malicious site, which downloaded and ran the RomCom RAT on their devices.

• CVE-2024-51567, CVE-2024-51568, CVE-2024-51378. These three critical remote code execution (RCE) vulnerabilities, each rated 9.8 on the CVSS 3.1 scale, were discovered in CyberPanel versions 2.3.6 and 2.3.7—a free hosting control panel for website management. CyberPanel instances affected by these vulnerabilities managed over 152,000 domains and databases. While the number of vulnerable instances dropped rapidly after the release of a security patch, attackers still managed to exploit them. According to LeakIX, cybercriminals widely used compromised CyberPanel servers to deploy the PSAUX ransomware.
• CVE-2024-0012, CVE-2024-9474. These two vulnerabilities in Palo Alto Networks’ Expedition firewall interface were widely exploited by attackers and rated 9.3 and 6.9 on the CVSS 4.0 scale, respectively. They allow attackers to gain superuser privileges without authentication and remotely execute code or commands on compromised devices. Over 2,000 devices worldwide were hacked in a short period. Expedition firewalls also had other vulnerabilities widely exploited by attackers during Q4 2024, including an OS command injection vulnerability (CVE-2024-9463, rated 9.9) and an SQL injection vulnerability (CVE-2024-9465, rated 9.2).
• CVE-2024-55956, CVE-2024-50623. Two critical vulnerabilities, both rated 9.8 on the CVSS 3.1 scale, were found in Cleo’s LexiCom, VLTransfer, and Harmony software, commonly used to manage file transfers. CVE-2024-55956 enables unauthenticated attackers to import and execute arbitrary Bash or PowerShell commands by exploiting default autostart directory parameters, while CVE-2024-50623 allows unrestricted file uploads and downloads from compromised devices. These vulnerabilities were quickly weaponized by the Clop ransomware group, which claimed 66 unnamed victims by the end of Q4 2024. Exploiting these flaws, attackers deployed the Malichus backdoor (written in Java) to steal data, execute commands, and gain further access to compromised networks.

An extended list of the most popular vulnerabilities can be found in the monthly digest on our website.

Using systems containing vulnerabilities can jeopardize any company. We recommend establishing a vulnerability management process to promptly identify and address weaknesses. Attackers waste no time in taking advantage of flaws in popular solutions, especially if exploits are available. Moreover, attackers seek to exploit older, well-known vulnerabilities, often targeting weaknesses in an organization’s network perimeter. We also recommend segmenting networks and regularly updating information about existing network assets. Old or forgotten components with access to the corporate network can become a potential entry point for attackers.

Successful cyberattacks in Q4 2024 had diverse consequences, affecting individuals, organizations, and even entire regions. As in Q1—Q3, cybercriminals focused on stealing sensitive information (53% of successful attacks) and disrupting core business operations (32%). Most attacks on individuals resulted in data breaches (55%), but there was also a significant increase in attacks leading to direct financial losses (48%), the same trend we observed in 2023.

Attacks in Q4 with dire consequences and wide repercussions:

• In early October, a ransomware attack disrupted the state data center of Uttarakhand, India, on October 2, coinciding with the national holiday Gandhi Jayanti (honoring the birth anniversary of Mahatma Gandhi). The attack took down 192 government and other websites, including those of the state police and the IT Development Agency in charge of cybersecurity. The attack also disrupted a global computing network that supports online transfer of confidential data and payments, as well as communication between ministries, departments, and local authorities across the state. It took several days to restore the affected resources.
• The Wayback Machine, a free digital archive operated by the non-profit Internet Archive, suffered consecutive cyberattacks in October. The incident started when attackers compromised publicly exposed GitLab authentication tokens, leading to the theft of a user authentication database containing 31 million unique records, including hashed passwords. A week later, Internet Archive faced another attack, this time targeting the Zendesk email support platform. The breach happened because the API keys exposed during the earlier GitLab compromise were not replaced in time. The attacker sent emails to all Internet Archive users, claiming that the organization had failed to address its security issues and that they were in possession of over 800,000 support tickets from Internet Archive’s help desk. As a result of this attack, The Wayback Machine and Archive-It were unavailable for several days. When restored, they operated in read-only mode, without the ability to archive new content. This incident could have impacted the work of many analysts, researchers, journalists, and public libraries, as it made tracking changes on websites impossible. By mid-November, an update appeared on the official Internet Archive website stating that services were gradually being restored.
• In late October 2024, Microlise, a global provider of solutions for the transportation and logistics industry, experienced a cyberattack. Microlise operates using a SaaS model, so when their systems went down, it caused disruptions to their delivery tracking services, with the most significant impact on Serco, a company contracted to transport prisoners for the UK Ministry of Justice. Following the Microlise system outage, tracking devices and panic buttons in Serco vehicles were disabled, leaving prisoner monitoring systems offline for several days. Microlise disclosed the breach on October 31, causing a 16% drop in its stock price. A new ransomware group SafePay claimed responsibility for the attack, stating they had stolen 1.2 TB of confidential data.
• In November 2024, the major retail group Fourlis fell victim to a ransomware attack by an unidentified ransomware, disrupting the operations of its subsidiaries in Greece, Cyprus, Bulgaria, and Romania, including IKEA and Intersport. The incident caused disruptions to the core infrastructure that supports the Fourlis Group companies. IKEA’s online stores in several countries went down, leaving customers with no choice but to shop offline. The attack occurred just days before Black Friday, severely impacting the company’s operations.

In successful attacks on organizations that led to confidential information breaches, criminals most often targeted personal data (29% of attacks), login credentials (26%), and trade secrets (20%). As for attacks against individuals, attacker interest was focused on credentials (47%), personal data (22%), and payment card information (12%).

The growth of phishing-as-a-service (PHaaS) platforms and the increasing use of infostealers have made it easier for attackers to steal credentials from both organizations and individuals. In Q4 2024, breaches of corporate credentials increased by 4 percentage points compared to the previous quarter and by 16 percentage points year-over-year. In attacks on individuals, credentials accounted for 47% of stolen data, an increase of 18 percentage points from the previous quarter and 20 percentage points from Q4 2023.

The most notable breaches in Q4 2024:

• Free, the second-largest internet provider in France, confirmed a cyberattack on its systems in October 2024, which resulted in the theft of personal data from 19.2 million customers—approximately a third of France population. The stolen database, which included 5.11 million IBAN numbers, was put up for sale on a dark web forum. Just weeks after the incident, a wave of attacks targeted Free’s subscribers. Fraudsters called affected individuals, persuading them to install malware or share one-time SMS passcodes, potentially leading to the theft of funds from their accounts.
• Center for Vein Restoration, a medical clinic based in Maryland, the U.S., suffered a cyberattack that caused a major breach of medical data affecting over 445,000 individuals. Suspicious activity was detected in the clinic’s information systems on October 6. The attackers stole sensitive information, including patient names, addresses, dates of birth, Social Security numbers, driver license numbers, medical records, diagnoses, test results, treatment details, insurance information, and financial data. Employees whose contracts were among the documents stolen by the attackers were also affected.
• Interbank, one of Peru’s leading financial institutions, confirmed a data breach after an attacker who compromised its systems published stolen information online. The attackers claimed to have stolen full names of Interbank’s customers, their account IDs, dates of birth, addresses, phone numbers, email addresses, IP addresses, credit card numbers, CVVs, card expiration dates, banking transaction details, and other sensitive information, including plaintext credentials. The exact number of affected individuals remains unknown.
• In December 2024, the Regional Revenue, Finance, and Asset Management Agency of Indonesia’s Blora Regency fell victim to a cyberattack. The attackers gained access to 82 GB of confidential data from the Regional Financial Management Information System. The stolen data, spanning from 2018 to the present, included user information such as usernames, hashed passwords, and employee email addresses. In addition, financial transaction records, budget allocations, regional government expenditures, and taxpayer data—including names, identification numbers, and tax payment records—were compromised.

To protect against cyberattacks, we recommend following our general guidelines on personal and corporate cybersecurity. We strongly advise users to be careful when entering their credentials on unfamiliar websites, downloading email attachments, and following links from messaging apps, social media, and emails. An objective and critical assessment of the situation will help safeguard your data and money.
To protect your organization from potential data breaches, implement data protection measures. We recommend conducting regular inventory and classification of assets, establishing data access control policies, monitoring access to sensitive information, and using specialized data security solutions that apply the «data-centric security» concept.
We also recommend using web application firewalls (WAFs) to harden the network perimeter. To protect devices against advanced malware, use sandboxes to analyze file behavior in a virtualized environment, detect malicious activity, and prevent damage to your company. Organizations should develop vulnerability management processes and participate in bug bounty programs.

23% of successful attacks were aimed at individuals