rss-bridge 2026-02-23T15:27:21+00:00


2025: The Untold Stories of Check Point Research

February 23, 2026

https://research.checkpoint.com/2026/2025-the-untold-stories-of-check-point-research/

Introduction

Check Point Research (CPR) continuously tracks threats, following the clues that lead to major players and incidents in the threat landscape. Whether it’s high-end financially-motivated campaigns or state-sponsored activity, our focus is to figure out what the threat is, report our findings to the relevant parties, and make sure Check Point customers stay protected.

Some of our work naturally makes it into the spotlight through public reports and deep blog posts. However, a large portion of what we uncover remains in the shadows but is used on a day-to-day basis to improve protections, connect the dots between incidents, and keep a watchful eye on known threat actors and infrastructure.

In 2025, the activity varied by region and objective. In the Americas, attackers invested in high-value targets, including early ToolShell exploitation assessed as Chinese-nexus activity against North American government organizations. Identity-centric intrusion methods were also prominent, such as AiTM-enabled credential theft in targeted campaigns against researchers within US think tanks.

In Europe, the year combined disruption, espionage, influence operations, and financially motivated intrusions. Russian-affiliated activity drove pressure in Eastern Europe and Ukraine, while Chinese and Iranian-nexus actors remained active, and election-related influence efforts persisted, including renewed targeting around Moldova’s parliamentary cycle.

Across Asia Pacific and Central Asia, Chinese-nexus espionage was sustained, frequently relying on updated versions of established attack playbooks. In the Middle East and Africa, campaigns reflected a diversified mix of state-aligned operations, destructive activity, and PSOA-linked exploitation, with conflict periods amplifying targeted collection such as attempts to compromise internet-connected cameras.

Across these threats, novelty more often came from how familiar techniques were combined than from entirely new tooling. Actors repeatedly used trusted platforms and common enterprise pathways (cloud hosting for command and control, remote administration tooling, DLL side-loading chains, and social engineering patterns such as ClickFix) to reduce detection and improve reliability. Overall, 2025 reinforced the need for durable visibility across identity, cloud, and endpoints, faster closure of exposed and unpatched entry points, and industry collaboration.

Untold Stories Timeline – 2025

Key APT campaigns, cyberattacks & threat actor activity tracked throughout the year

Jan: APT36 Targeting Indian Aerospace Industry; RedCurl Weaponized LNK Files Campaign
Mar: Stealth Falcon Exploits WebDAV 0-day in the Middle East and Africa
Apr: Samsung Security Release Fixes 0-day; Lying Pigeon Campaign Targeting the Moldovan Elections
May: Flax Typhoon Targets IT Supply Chains in Taiwan; GoldenSMTP Targeting Governments in Central Asia
Jun: Cameras Targeting by Iranian-Nexus Actors; Handala Hack Wiper; Muddy Water Activity in Israeli Municipality
Jul: ToolShell Intrusion; SilverFox Attacks Web Servers; Kimsuky Phishing Campaigns against the US Think Tanks; YoroTrooper Targets Eurasian Economic Union Countries
Aug: Camaro Dragon Targeting Government Sector; UAC-0050 Phishing Campaign; Zipline Shifting to Europe; WIRTE Espionage and Sabotage
Sep: WhiteLock Ransomware
Oct: COLDRIVER in Southeast Europe
Dec: Nimbus Manticore Activity in Africa

Figure 1 – Overview of CPR Untold Stories 2025.

Americas

Throughout the year, the Americas were a focal point for both nation-state activity and high-end cybercrime, with a wide mix of actors targeting government and private-sector organizations alike. The state-sponsored groups in particular seem to reserve some of their most innovative tradecraft for targets in the Americas. Whether through zero-day exploitation, abuse of cloud services, or highly refined phishing operations, attackers appear willing to invest more time and more sophisticated effort in targets in this region.

ToolShell Exploitation Used as a Zero-day by Chinese-nexus Actors

ToolShell is an exploit chain targeting on-premises Microsoft SharePoint that enables unauthenticated remote code execution (RCE) on vulnerable servers. It works by abusing weaknesses in how SharePoint handles certain web service/API requests, which allows attackers to reach code execution without valid credentials. Active exploitation involving ToolShell has been observed globally.

While analyzing the broader wave of ToolShell activity in July, we found a subset of targeted incidents where the exploit chain appears to have been used as a zero-day, before the original patch was available. In each of these limited early exploitation attempts, the targets were government-sector organizations in North America.

We attribute the zero-day exploitation activity to Chinese-nexus threat actors. This assessment is based on the supporting infrastructure we observed in this campaign, which includes router-based relay nodes consistent with Operational Relay Box (ORB)-style networks, an approach most frequently seen in intrusions attributed by multiple vendors to Chinese-nexus groups. This assessment aligns with the Microsoft Threat Intelligence report that Chinese APTs exploited the vulnerability as a zero-day.

Figure 2 – ToolShell Exploitation Timeline.

Kimsuky Targeting Think-Tanks in the US

Since mid-July, we’ve been tracking a targeted phishing campaign aimed at researchers within US think tanks that focus on North Korean affairs and policy. The campaign relies on spear-phishing emails, often impersonating peers from European universities or NGOs, with invitations to collaborate or participate in academic or policy events.

Figure 3 – Email sent from a compromised account of a UK university professor.

The malicious emails contain either a link or a PDF attachment embedding a QR code, both of which lead to web pages impersonating legitimate organizations.

Figure 4 – Example of a phishing landing page (hosted at signup-forms[.]theonlycompany[.]com), explaining the login request.

The landing pages claim a login is required and include a button that redirects victims to credential-harvesting sites tailored to their email providers, such as Yahoo, Gmail, or Microsoft. The phishing infrastructure leverages Adversary-in-the-Middle (AiTM) kits to bypass MFA and gain unauthorized access to victims’ email accounts.

RedCurl Weaponizes LNK files

RedCurl is a sophisticated, Russian-speaking threat actor historically tied to corporate espionage and, most recently, to ransomware operations. The actor has targeted North American entities for years. In more recent activity affecting North America and Asia, we observed a new multi-stage infection chain that pulls a remote resource by abusing the Working Directory parameter in LNK files. The LNKs point to a legitimate Windows binary (such as conhost or rundll32) and pass an argument that references a file located in that remote working directory (production[.]dav[.]indeedex[.]workers[.]dev).
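The pattern described above (a legitimate Windows binary as the shortcut target, a working directory that resolves over WebDAV, and an argument naming a file in that directory) can be triaged statically from the .lnk file itself. The following is an added example written for this post, not code from Check Point Research: a small parser for the MS-SHLLINK StringData section that flags that combination. The WebDAV host, file names and fixtures are constructed placeholders, not indicators from the report, and the list of living-off-the-land binaries beyond conhost and rundll32 is this example's own choice.

```python
"""Static triage of Windows Shell Link (.lnk) files for the LOLBin-target plus
remote-working-directory pattern.

Layout per MS-SHLLINK: 76-byte ShellLinkHeader, optional LinkTargetIDList,
optional LinkInfo, then StringData (NAME, RELATIVE_PATH, WORKING_DIR, ARGUMENTS,
ICON_LOCATION), each a 2-byte character count followed by the characters.
"""
import struct

HEADER_SIZE = 0x4C
# CLSID {00021401-0000-0000-C000-000000000046} in its on-disk byte order
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# conhost and rundll32 are the binaries named in the report; the others are
# additional commonly abused signed Windows binaries (this example's choice).
LOLBINS = {"rundll32.exe", "conhost.exe", "cmd.exe", "powershell.exe", "mshta.exe", "regsvr32.exe"}


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file as a dict (absent fields omitted)."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE \
            or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize covers the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        size = count * 2 if unicode else count
        raw = data[pos:pos + size]
        pos += size
        fields[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return fields


def is_remote_path(path: str) -> bool:
    r"""UNC shares and WebDAV paths (\\host@SSL\DavWWWRoot) resolve over the network."""
    p = path.strip().lower()
    return p.startswith("\\\\") or "@ssl" in p or "davwwwroot" in p or p.startswith(("http://", "https://"))


def assess_lnk(data: bytes) -> dict:
    """'suspicious' when a LOLBin target is paired with a remote working directory."""
    f = parse_lnk(data)
    target = f.get("relative_path", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    working_dir = f.get("working_dir", "")
    args = f.get("arguments", "")
    reasons = []
    lolbin = target in LOLBINS
    remote = is_remote_path(working_dir)
    if lolbin:
        reasons.append(f"target is a living-off-the-land binary: {target}")
    if remote:
        reasons.append(f"working directory is remote: {working_dir}")
        # A bare file name in the arguments is resolved against that remote directory
        if args and not (args[1:3] == ":\\" or args.startswith("\\\\")):
            reasons.append(f"argument {args!r} resolves inside the remote working directory")
    return {"verdict": "suspicious" if lolbin and remote else "benign", "fields": f, "reasons": reasons}


def _string_data(s: str) -> bytes:
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_lnk(relative_path: str, working_dir: str, arguments: str = "") -> bytes:
    """Minimal Unicode .lnk carrying only StringData: a constructed test fixture, not a real shortcut."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_WORKING_DIR | (HAS_ARGUMENTS if arguments else 0)
    # attrs, three FILETIMEs, size, icon index, SW_SHOWNORMAL, hotkey, reserved x3
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = _string_data(relative_path) + _string_data(working_dir)
    if arguments:
        body += _string_data(arguments)
    return header + body


# Constructed fixtures; the WebDAV host is a placeholder, not an indicator from the report.
SAMPLE_REMOTE_LOLBIN = build_lnk(
    relative_path="..\\..\\..\\Windows\\System32\\rundll32.exe",
    working_dir="\\\\webdav-host.example@SSL\\DavWWWRoot\\share",
    arguments="stage.dll,Run",
)
SAMPLE_BENIGN = build_lnk(
    relative_path="..\\..\\Program Files\\Editor\\editor.exe",
    working_dir="C:\\Users\\alice\\Documents",
)

if __name__ == "__main__":
    for label, blob in (("remote+lolbin", SAMPLE_REMOTE_LOLBIN), ("benign", SAMPLE_BENIGN)):
        result = assess_lnk(blob)
        print(label, result["verdict"], *result["reasons"], sep="\n  ")
```

Real shortcuts usually carry the target inside the LinkTargetIDList rather than RELATIVE_PATH; the parser skips that structure, so on files without a relative path the LOLBin check would need a shell-item parser in addition. The working-directory check is the more robust of the two signals, since the Working Directory field is exactly what the chain relies on to reach the remote host.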

[...]
