2025 marked yet another busy year in security, between big attacks, government shakeups, and dangerous flaws that echo the past. The moments that defined this year were impactful but spread fairly evenly across the year. Early in 2025, we observed the China-nexus advanced persistent threat (APT) Salt Typhoon continuing its assault against telecom companies as part of its espionage operations. In the summer and into the fall, we saw the Cybersecurity and Infrastructure Security Agency (CISA) face budgetary cuts and layoffs, fallout from President Trump's commitment to slim the US government at any cost. And just this past month, a React vulnerability dubbed React2Shell was disclosed to the public with a CVSS score of 10, echoing the now-infamous Log4Shell.[1]
Though not mentioned in this list, it's also worth noting that some good things are happening, too. Many key ransomware statistics (such as the payment rate) are moving in the right direction, and there have been regular, coordinated international law enforcement takedowns of cybercrime operations.
This year has been dynamic for cybercrime and security, in some ways reminiscent of what came before and in others specific to this year. Here are five threats that defined security in 2025.
- Salt Typhoon Continues Its Onslaught - Salt Typhoon is a Chinese state-sponsored threat actor best known in recent memory for targeting telecom giants, including Verizon, AT&T, and Lumen Technologies, and, as discovered last fall, for targeting multiple other telecoms as well as the systems used by police for court-authorized wiretapping. The group, also known as Operator Panda, uses sophisticated techniques to conduct espionage against targets and pre-position itself for longer-term attacks.
Salt Typhoon's activities have continued at scale. In July, it was discovered that the APT hacked the US National Guard for nearly a year. Telecom giants, including Viasat, have confirmed breaches attributed to Salt Typhoon. And that only scratches the surface.
Adam Meyers, head of counter adversary operations at CrowdStrike, says Operator Panda marked one of many examples of China-nexus threat actors "evolving into highly coordinated, cross-domain operators focused on long-term persistence. Operator Panda, like many other Chinese nexus adversaries, relies on vulnerabilities in Internet-connected devices such as routers, security equipment, VPN devices, and other network layer systems. These devices do not run modern security tools such as [endpoint detection and response] and often lag in patching," he tells Dark Reading. "Organizations need unified, cross-domain visibility and proactive threat hunting, or they risk being outmaneuvered by adversaries operating with unprecedented speed and persistence."
- CISA Sees Big Layoffs and Budget Cuts - CISA layoffs, indirectly, mark a threat of a different kind. At the beginning of the year, the Trump administration cut all advisory committee members from the Cyber Safety Review Board (CSRB), a group run by public and private sector experts that researches and makes judgments on current issues. As the CSRB was effectively shuttered, it was working on a report about Salt Typhoon.
This was one of the early cyber cuts in Trump's second term, but it was far from the last. CISA faced layoffs and budget cuts throughout the year, in part due to DOGE-style commitments to a slimmer government. Another factor: Trump and Department of Homeland Security (DHS) head Kristi Noem vowing to get the agency back "on mission" and away from what Noem called a "ministry of truth." For context, Trump fired former CISA director Chris Krebs in 2020 after Krebs called the 2020 presidential election "the most secure in American history" amidst Trump's unfounded claims of election fraud.
CISA provides a wide range of services for organizations, including vulnerability guidance, physical and cyber security assessments, election security, incident response support, and more. John Bambenek, president of Bambenek Consulting, says much of the immediate impact of CISA cuts has been felt at the state and local government levels, as well as among organizations that can't afford commercial threat intelligence offerings. "There is a notion that states and local governments should shoulder their own cybersecurity burden. But shifting that burden suddenly makes it hard to build the capability in time," he explains in an email. "Frankly, nation-states are targeting these organizations, and it seems unfair to put a town of 10,000, possibly near a military base, in a position to counter espionage on their own."
- React2Shell Carries Echoes of Log4Shell - React2Shell describes CVE-2025-55182, a vulnerability disclosed early this month affecting the React Server Components (RSC) open-source protocol. Caused by unsafe deserialization, the vulnerability was considered easily exploitable and highly dangerous, earning it a maximum CVSS score of 10. Even worse, React is ubiquitous, and at the time of disclosure, it was thought that a third of cloud providers were vulnerable.
The vulnerability was named React2Shell, in apparent reference to Log4Shell, a similarly dangerous bug from late 2021 that affected environments using Log4j. Exploitation hit within hours of disclosure, as did a wide range of public proof-of-concept exploits. Nation-state actors were among the first to exploit the vulnerability, but within days, the range of attackers ran the gamut.
Rapid7 senior principal researcher Stephen Fewer tells Dark Reading that the appeal of React2Shell to attackers is the pervasiveness of React applications around the world, "as not only is React itself quite popular, but the affected downstream frameworks, such as Next.js, are widely adopted as well. We have seen public reporting of over half a million affected domains," Fewer adds. "These are huge numbers, and they only represent the public Internet-facing exposure of this vulnerability; the scale of affected React applications deployed on internal networks cannot be fully gauged."
- Shai-Hulud Opens Floodgates on Self-Propagating Open-Source Malware - In September, self-replicating malware known as Shai-Hulud emerged. It's an infostealer that infects open-source software components; when a user downloads a package infected by the worm, Shai-Hulud infects other packages maintained by the user and publishes poisoned versions, automatically and without much direct attacker input. The cycle continues.
Justin Moore, senior manager of threat intel research for Palo Alto Networks' Unit 42, explains that the danger of Shai-Hulud is that it uses defenders' own automation (i.e., using components to build software) against them. For every one package an enterprise developer installs, Moore says, they're implicitly trusting the dozens of other packages used to make it. "Attacks like Shai-Hulud aggressively capitalize on this reliance by corrupting the open source 'well' that thousands of companies draw from daily. This creates a significant danger because the threat isn't just common vulnerabilities; it's deeply nested, multilayer dependencies," Moore says. "This creates a massive, multilayered attack surface where a single compromise deep in the stack can cascade across thousands of companies simultaneously."
Though other versions of this kind of attack had occurred previously, the first Shai-Hulud attack was a firecracker that led to follow-on attacks, other self-propagating malware like GlassWorm, and, most importantly, many poisoned open-source software packages. These attacks became so pervasive so quickly that GitHub had to come out and say it would take action to prevent such incidents in the future.
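The two points above, that an infected package gains a foothold the moment it is installed and that each direct dependency silently brings in a tree of transitive ones, can be measured from a project's own lockfile. The script below is an added example, not code from the article or from any of the vendors quoted: it parses a constructed npm package-lock.json (lockfileVersion 3 layout, with npm's real `hasInstallScript` flag), counts direct versus transitive packages, and lists every package that runs an install-time script, which is the step a defender should review or disable first.

```python
import json

# Constructed sample lockfile in npm's lockfileVersion 3 layout; not a real project.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"left-util": "^1.0.0", "web-kit": "^2.1.0"}},
        "node_modules/left-util": {"version": "1.0.3"},
        "node_modules/web-kit": {
            "version": "2.1.0",
            "dependencies": {"color-str": "^3.0.0", "deep-obj": "^4.2.0"},
        },
        "node_modules/color-str": {"version": "3.0.1"},
        "node_modules/deep-obj": {"version": "4.2.5", "hasInstallScript": True},
        "node_modules/web-kit/node_modules/tiny-fetch": {
            "version": "0.9.0", "hasInstallScript": True,
        },
    },
})


def audit_lockfile(lock_text):
    """Summarize implicit trust recorded in a package-lock.json.

    Returns the number of packages the developer chose directly, the number
    pulled in transitively, and the names of packages flagged by npm as having
    an install-time script (preinstall/install/postinstall), since install
    hooks are where a package first executes on the developer's machine.
    """
    lock = json.loads(lock_text)
    packages = lock.get("packages", {})
    direct_names = set(packages.get("", {}).get("dependencies", {}))
    # Every non-root entry is an installed package; nested paths are transitive.
    installed = {path: meta for path, meta in packages.items() if path}
    direct = [
        path for path in installed
        if path.count("node_modules/") == 1
        and path.split("node_modules/")[1] in direct_names
    ]
    install_script_pkgs = sorted(
        path.split("node_modules/")[-1]
        for path, meta in installed.items()
        if meta.get("hasInstallScript")
    )
    return {
        "direct": len(direct),
        "transitive": len(installed) - len(direct),
        "install_scripts": install_script_pkgs,
    }


if __name__ == "__main__":
    print(audit_lockfile(SAMPLE_LOCK))
```

On a real project, pass the contents of `package-lock.json` to `audit_lockfile` and review each flagged package; `npm ci --ignore-scripts` blocks those hooks outright during installs in CI.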
- Threat Campaigns Target Salesforce Customers - Earlier this year, a threat actor breached Salesloft's GitHub account and leveraged that access to steal OAuth tokens associated with Salesloft Drift's Salesforce integration. This led to downstream attacks against hundreds of Salesforce instances.
Zscaler, Palo Alto Networks, Proofpoint, Cloudflare, Tenable, and more were caught up in the wide blast radius of this campaign. The incident has been fully addressed for months now, but it remains one of the year's most prominent supply-chain incidents. This comes independently of other threat campaigns targeting Salesforce customers, including the ShinyHunters attacks and follow-on incidents from an adjacent group.
Jaime Blasco, co-founder and chief technology officer (CTO) of Nudge Security, says Salesforce is an attractive target for threat actors "because it is where high-value business data lives, particularly credentials that customers might need to share with vendors via support tickets managed in Salesforce. These attacks targeting Salesforce are just one example of the broader theme we are seeing where attackers are exploiting the ecosystem of SaaS applications and the integrations between them," Blasco explains. "These integrations frequently fly under the radar of conventional security controls, making them an attractive attack surface."
[1] https://www.darkreading.com/vulnerabilities-threats/five-threats-that-defined-security-2025