AI-powered malicious SEO is rapidly transforming the digital threat landscape, enabling threat actors to manipulate search engine algorithms at scale. This undermines the visibility of legitimate content, erodes trust in online information.

Between January and October 2025, two major ClickFix campaigns were tracked, including an Interlock ransomware incident in August targeting a U.S. SLTT entity. It has been used to deliver malware such as Lumma Stealer, NetSupport RAT, and SocGholish.

CoPhish abuses the flexibility of Microsoft Copilot Studio, which allows users to create and share chatbot agents hosted on copilotstudio.microsoft.com. These agents can be customized using "topics"—automated workflows that include login prompts.

A sophisticated APT campaign, dubbed Operation ForumTroll, has been linked to the use of advanced spyware tools including LeetAgent and Dante, developed by Memento Labs (formerly Hacking Team).

The cybersecurity landscape has seen a significant shift in threat actor behavior, with a marked increase in the exploitation of public-facing applications, evolving ransomware tactics, and targeted cyber-espionage campaigns.

Microsoft has implemented a security enhancement in File Explorer that disables the preview pane for files downloaded from the internet. This change is designed to prevent credential theft attacks that exploit NTLM hash leakage.

A newly discovered zero-click attack, dubbed Shadow Escape, exploits MCP used by AI assistants. This attack enables the silent exfiltration of sensitive data—including SSNs, financial records, and medical identifiers—without any user interaction.

A China-linked threat actor, UNC5221, has compromised F5 BIG-IP systems, stealing source code and vulnerability data. The attackers deployed the BRICKSTORM backdoor, a sophisticated Go-based malware, enabling stealthy C2 and data exfiltration.

A new report from cybersecurity research firm Sublime Security reveals yet another widespread credential phishing campaign where scammers try to get your login information, specifically by stealing victims’ Facebook login details.

PolarEdge was first documented by Sekoia in February 2025, attributing it to a campaign targeting routers from Cisco, ASUS, QNAP, and Synology with the goal of corralling them into a network for an as-yet-undetermined purpose.