As 2025 comes to a close, this review looks at the threats that cybersecurity teams treated as the most pressing of the year, ranked by how often they were tested. All of them were identified and tested using the Cymulate security posture management platform.
One emerging threat is the Manjusaka attack framework, which bears similarities to the commercially produced Cobalt Strike and Sliver frameworks. Unlike those tools, however, Manjusaka was designed for criminal use and is freely available for download. The framework is written in Rust and Golang, with a user interface in Simplified Chinese. It includes ready-made Windows and Linux implants and a C2 server, as well as the ability to build custom implants.
There is concern that Manjusaka will be widely adopted by malicious actors in 2025, reducing their reliance on commercially available simulation and emulation frameworks. While there is no evidence that the creators of Manjusaka are state-sponsored, China has been active in the cybersecurity space this year.
In February, the most popular Iran-related threat was the Powerless Backdoor. This threat was designed to evade PowerShell detection and had capabilities such as data encryption and decryption, command execution, and the ability to activate a kill process. It also included a browser info stealer and a keylogger.
The number of immediate threats attributed to Iran doubled in 2022 compared to the same period in 2021, reaching 17. Activity slowed considerably, however, after the September 14th sanctions against Iranian cyber actors by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC). The current political tensions within Iran may affect the frequency of attacks in 2025, but it is unclear whether they will increase or decrease.
In March, it was reported that APT41, a Chinese state-sponsored attacker group, continued to be very active and was deliberately targeting U.S. state governments. APT41 used reconnaissance tools, such as Acunetix, Nmap, SQLmap, OneForAll, subdomain3, subDomainsBrute, and Sublist3r, and launched various types of attacks, including phishing, watering hole, and supply-chain attacks. They exploited various vulnerabilities to initially compromise their victims and had been observed using SQLmap as the initial attack vector to perform SQL injections on websites.
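The paragraph above names SQLmap-driven SQL injection as APT41's observed initial access vector. From the defender's side, the first place that activity shows up is the web server's access log, so the following added example (written for this review, not code from Cymulate or from any of the reports cited) parses a few constructed Combined Log Format lines and counts, per source IP, the injection indicators that fire. The scanner User-Agent string, the payload regexes and the log lines are all assumptions chosen for illustration, not indicators taken from the article.

```python
"""
Added example: scan web-server access logs for automated SQL injection
tooling. Log lines below are constructed; indicator patterns are assumed
generic signatures, not findings from the article.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample access log in Combined Log Format (test data only).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2025:10:01:02 +0000] "GET /products?id=5 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.10 - - [12/Mar/2025:10:01:05 +0000] "GET /products?id=5%27%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)"
203.0.113.10 - - [12/Mar/2025:10:01:06 +0000] "GET /products?id=5%20UNION%20SELECT%20NULL%2CNULL-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2025:10:02:00 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 10.0)"
"""

# Combined Log Format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumed indicator patterns, applied to the URL-decoded request path.
PAYLOAD_PATTERNS = [
    ("union-select", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("tautology", re.compile(r"\b(and|or)\b\s+\d+\s*=\s*\d+", re.I)),
    ("comment-terminator", re.compile(r"(--|#|/\*)\s*$")),
    ("time-delay", re.compile(r"\b(sleep|benchmark|waitfor)\s*\(", re.I)),
]
# Assumed: the default User-Agent of the tool identifies itself by name.
SCANNER_UA = re.compile(r"sqlmap", re.I)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of indicator names that fire for one parsed log entry."""
    hits = []
    if SCANNER_UA.search(entry["ua"]):
        hits.append("scanner-user-agent")
    decoded = unquote_plus(entry["path"])  # decode %xx and '+' before matching
    for name, pattern in PAYLOAD_PATTERNS:
        if pattern.search(decoded):
            hits.append(name)
    return hits


def scan_log(text):
    """Return {source_ip: {indicator: count}} for every source with at least one hit."""
    findings = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line: skip rather than crash the whole scan
        hits = classify(entry)
        if hits:
            per_ip = findings.setdefault(entry["ip"], {})
            for name in hits:
                per_ip[name] = per_ip.get(name, 0) + 1
    return findings


if __name__ == "__main__":
    for ip, counts in scan_log(SAMPLE_LOG).items():
        print(ip, counts)
```

Matching on the decoded path matters: the second and third sample lines carry their payloads percent-encoded, and a rule that only looks at the raw request would miss them. Counting per source IP rather than alerting per line is what turns a handful of noisy signatures into a usable triage signal.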
In November, a new subgroup, Earth Longzhi, was observed targeting multiple sectors across Taiwan, China, Thailand, Malaysia, Indonesia, Pakistan, and Ukraine. Earth Longzhi joined the already long list of monikers associated with APT41, including BARIUM, Winnti, LEAD, WICKED SPIDER, WICKED PANDA, Blackfly, Suckfly, Winnti Umbrella, and Double Dragon.
According to the Microsoft Digital Defense Report, many cyberattacks from China exploit “zero-day vulnerabilities,” which are previously unknown flaws in software that have not yet been patched by developers. This trend is believed to have increased after a new Chinese law mandated that entities report vulnerabilities to the government before disclosing them to others.
In February, the North Korean Lazarus group, also known as Dark Seoul, Labyrinth Chollima, Stardust Chollima, BlueNoroff, and APT 38, launched a phishing campaign targeting U.S. defense sector job applicants. The campaign, named LolZarus, used malicious documents such as Lockheed_Martin_JobOpportunities.docx and salary_Lockheed_Martin_job_opportunities_confidential.doc, which abused macros to automate the attack execution. The macro then loaded WMVCORE.DLL, a Windows Media DLL, to deliver the second-stage shellcode payload, allowing the attackers to hijack control and connect to the Command & Control server. Lazarus is affiliated with North Korea’s Reconnaissance General Bureau and has been responsible for high-profile attacks such as the 2016 attack on Sony and the 2017 WannaCry ransomware attack.
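The LolZarus lures above reached their targets as ordinary-looking job documents, one of them with a .docx extension even though it carried a macro. A mail gateway or endpoint check that trusts the extension will therefore miss it; the file's contents have to be inspected. The following added example (written for this review, not code from Cymulate or from the reports on the campaign) opens an Office Open XML file as the ZIP archive it is and flags a VBA project whether it is found as a part name or declared in the package content types. The two sample documents are constructed in memory and the VBA part contains placeholder bytes, not a real macro.

```python
"""
Added example: flag Office Open XML documents that carry a VBA macro
project, regardless of the extension they were delivered under.
Sample documents are constructed in memory for illustration.
"""
import io
import zipfile

# Part name and content type that OOXML uses for an embedded VBA project.
VBA_PART = "word/vbaProject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def inspect_ooxml(data: bytes) -> dict:
    """Return findings for one document given as raw bytes."""
    result = {"is_zip": False, "has_vba_part": False, "declares_vba_type": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result  # not an OOXML package (could be legacy .doc, or not Office at all)
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Any part named vbaProject.bin, in any folder (word/, xl/, ppt/), is a macro project.
        result["has_vba_part"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        # The package manifest also has to declare the part's content type.
        if "[Content_Types].xml" in names:
            manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["declares_vba_type"] = VBA_CONTENT_TYPE in manifest
    return result


def is_macro_document(data: bytes) -> bool:
    """True if either signal fires; the extension is deliberately not consulted."""
    r = inspect_ooxml(data)
    return r["has_vba_part"] or r["declares_vba_type"]


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal docx-like archive (sample data, not a real document)."""
    manifest = [
        '<?xml version="1.0"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
        '<Default Extension="xml" ContentType="application/xml"/>',
    ]
    if with_macro:
        manifest.append(f'<Override PartName="/{VBA_PART}" ContentType="{VBA_CONTENT_TYPE}"/>')
    manifest.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "".join(manifest))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr(VBA_PART, b"placeholder-not-real-vba")  # placeholder bytes only
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed file names: the extension says .docx, the contents decide.
    for name, sample in [("JobOpportunities.docx", build_sample(True)),
                         ("JobOpportunities_clean.docx", build_sample(False))]:
        print(name, "macro" if is_macro_document(sample) else "no macro")
```

Checking both the part name and the content-type declaration is deliberate: a document that drops one signal to look clean still tends to keep the other, since Office needs the manifest entry to load the project. The same check applies unchanged to .xlsx and .pptx packages, which place the part under xl/ or ppt/ instead of word/.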
The Microsoft Digital Defense Report reveals that China has been leveraging “zero-day vulnerabilities” to power attacks, due to the government’s law mandating the reporting of such vulnerabilities to the government before sharing with others. Furthermore, the North Korean threat actor Lazarus, also known as Dark Seoul, Labyrinth Chollima, Stardust Chollima, BlueNoroff, and APT 38, has been linked to several attacks this year. One of these is the LolZarus phishing campaign, which targeted U.S. defense sector job applicants. The campaign used malicious documents that exploited macros to deliver a second stage shellcode payload aimed at hijacking control and connecting with the Command & Control server.
Another notable threat is Industroyer2, a cyber-physical attack that targeted high-voltage electric substations in Ukraine. The country’s high-alert state due to the ongoing conflict with Russia helped thwart the attack. However, Ukraine’s cyber-resilience cannot defend against kinetic attacks, and Russia has now resorted to traditional military means to destroy power stations and other civilian facilities.
In general, geopolitical tensions seem to be the driving force behind the most pressing cybersecurity concerns. As four of the five most concerning threats this year have been directly linked to state-sponsored threat actors, pre-emptive defense against complex attacks should focus on security validation and continuous processes that identify and close security gaps in context.