Feb 23, 2026
2025: The Untold Stories of Check Point Research
Executive Summary
Check Point Research's 2025 threat landscape analysis reveals a complex environment dominated by state-sponsored actors. Chinese, Russian, and Iranian-nexus groups conducted extensive espionage, influence operations, and targeted intrusions globally. Key activities included ToolShell zero-day exploitation targeting North American government organizations, AiTM-enabled credential theft against US think tanks, and sustained Chinese espionage in Asia Pacific leveraging updated attack playbooks. European operations combined disruption, espionage, and election-related influence efforts, particularly around Moldova. Novel threats emerged through innovative combinations of familiar techniques—DLL side-loading, cloud-based C2 infrastructure, and ClickFix social engineering—rather than entirely new tooling. Organizations must prioritize visibility across identity, cloud, and endpoints; rapidly patch exposed entry points; and strengthen industry collaboration to counter these evolving multi-regional threats.
Published Analysis
Introduction
Check Point Research (CPR) continuously tracks threats, following the clues that lead to major players and incidents in the threat landscape. Whether it’s high-end financially-motivated campaigns or state-sponsored activity, our focus is to figure out what the threat is, report our findings to the relevant parties, and make sure Check Point customers stay protected. Some of our work naturally makes it into the spotlight through public reports and deep blog posts.
However, a large portion of what we uncover remains in the shadows but is used on a day-to-day basis to improve protections, connect the dots between incidents, and keep a watchful eye on known threat actors and infrastructure.

In 2025, the activity varied by region and objective. In the Americas, attackers invested in high-value targets, including early ToolShell exploitation assessed as Chinese-nexus activity against North American government organizations. Identity-centric intrusion methods were also prominent, such as AiTM-enabled credential theft in targeted campaigns against researchers within US think tanks.

In Europe, the year combined disruption, espionage, influence operations, and financially motivated intrusions. Russian-affiliated activity drove pressure in Eastern Europe and Ukraine, while Chinese and Iranian-nexus actors remained active, and election-related influence efforts persisted, including renewed targeting around Moldova’s parliamentary cycle.

Across Asia Pacific and Central Asia, Chinese-nexus espionage was sustained, frequently relying on updated versions of established attack playbooks. In the Middle East and Africa, campaigns reflected a diversified mix of state-aligned operations, destructive activity, and PSOA-linked exploitation, with conflict periods amplifying targeted collection, such as attempts to compromise internet-connected cameras.

Across these threats, novelty more often came from how familiar techniques were combined than from entirely new tooling. Actors repeatedly used trusted platforms and common enterprise pathways (cloud hosting for command and control, remote administration tooling, DLL side-loading chains, and social engineering patterns such as ClickFix) to reduce detection and improve reliability. Overall, 2025 reinforced the need for durable visibility across identity, cloud, and endpoints, faster closure of exposed and unpatched entry points, and industry collaboration.
Check Point Research Untold Stories Timeline – 2025: Key APT campaigns, cyberattacks & threat actor activity tracked throughout the year

- Jan: APT36 Targeting Indian Aerospace Industry; RedCurl Weaponized LNK Files Campaign
- Mar: Stealth Falcon Exploits WebDAV 0-day in the Middle East and Africa
- Apr: Samsung Security Release Fixes 0-day; Lying Pigeon Campaign Targeting the Moldovan Elections
- May: Flax Typhoon Targets IT Supply Chains in Taiwan; GoldenSMTP Targeting Governments in Central Asia
- Jun: Cameras Targeting by Iranian-Nexus Actors; Handala Hack Wiper; Muddy Water Activity in Israeli Municipality
- Jul: ToolShell Intrusion; SilverFox Attacks Web Servers; Kimsuky Phishing Campaigns against the US Think Tanks; YoroTrooper Targets Eurasian Economic Union Countries
- Aug: Camaro Dragon Targeting Government Sector; UAC-0050 Phishing Campaign; Zipline Shifting to Europe; WIRTE Espionage and Sabotage
- Sep: WhiteLock Ransomware
- Oct: COLDRIVER in Southeast Europe
- Dec: Nimbus Manticore Activity in Africa

Figure 1 – Overview of CPR Untold Stories 2025.

Americas
Throughout the...
Linked Entities
- ClickFix
- LNK Files
- Lying Pigeon
- Samsung 0-day
- ToolShell
- WebDAV 0-day
- WhiteLock Ransomware
- APT36
- Camaro Dragon
- Chinese-nexus actors
- COLDRIVER
- Flax Typhoon