October Sees Rise in Phishing and Ransomware Attacks, Including TyKit and Google Careers Scams


October 2025 marked a notable escalation in cyber threats, with phishing campaigns and ransomware variants exploiting trusted cloud services to target corporate credentials and critical infrastructure.

Attackers increasingly abused platforms like Google, Figma, and ClickUp for credential theft, while LockBit’s latest iteration extended its reach to virtualized environments.

These incidents, analyzed by cybersecurity firms such as ANY.RUN, underscore the need for behavioral detection beyond static indicators.

Sophisticated Phishing Leverages Legitimate Platforms

Phishing attacks in October heavily relied on legitimate services to evade traditional filters, starting with a campaign mimicking Google Careers job offers.


Emails lured victims with fake application pages, routing through Salesforce redirects and Cloudflare Turnstile CAPTCHAs before harvesting credentials via domains like satoshicommands.com.

This multi-step attack chain targeted tech and consulting sectors, exploiting brand trust to enable account takeovers and data exfiltration.


Similarly, Figma’s public prototypes became a vector for Microsoft-themed phishing, where shared “document” invites led to fake login pages.


Groups like Storm-1747 drove nearly half of these attacks, using Figma’s trusted domain to embed interactive lures that bypassed email security. Victims encountered CAPTCHAs and redirects to credential-stealing sites, often linked to operators such as Mamba.

ClickUp faced abuse as a redirector, with phishing emails directing users to doc.clickup.com, then hopping to Microsoft microdomains and Azure Blob Storage for final payload delivery. This chain mimicked collaboration traffic, making it hard for whitelists to flag, and resulted in widespread credential compromises.

A standout development was TyKit, a reusable phishing kit first spotted in May 2025 but peaking in October. It hid obfuscated JavaScript in SVG files, using eval functions and Base64 encoding to redirect users to Microsoft 365 impersonators.

Affecting finance, government, and telecom across multiple regions, TyKit employed anti-debugging and staged C2 checks for evasion, leading to hundreds of account thefts via AitM techniques.


Ransomware Targets Diverse Operating Systems

LockBit 5.0 emerged as a cross-platform threat on the ransomware front, celebrating the group’s sixth anniversary by expanding beyond Windows to Linux and VMware ESXi.


Analysis of the variant showed enhanced obfuscation, DLL reflection, and anti-analysis routines, allowing rapid encryption of virtual machines and datastores.

This enabled affiliates to disrupt entire data centers, with randomized extensions and log clearing complicating response efforts.

The ESXi build was particularly alarming, targeting hypervisors to encrypt multiple VMs simultaneously, while Linux and Windows versions included region-based restrictions and service terminations.

Attacks hit enterprises in Europe, North America, and Asia, amplifying downtime and financial losses through shared infrastructure tactics.

Security teams must prioritize sandbox detonation for SVG and redirect analysis, as static tools miss these behaviors. Implementing phishing-resistant MFA, monitoring for suspicious domains like segy.zip or hire.gworkmatch.com, and integrating threat intelligence feeds can mitigate risks.
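The TyKit description above (script hidden in SVG files, Base64 plus eval) and the recommendation to inspect SVGs before they reach a mailbox both call for a quick static triage check. The following is an added example, not code from the article or from ANY.RUN: it parses an SVG, flags `<script>` elements and `on*` event handlers (neither belongs in a static image), looks for decode-and-execute markers, and surfaces Base64 literals so an analyst can see what the script would run. The sample SVG and its harmless payload are constructed for the example.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed sample: a white square carrying a <script> that Base64-decodes a
# string and passes it to eval(), the pattern the article attributes to TyKit.
# The hidden string is a harmless console.log, not a real kit payload.
_HIDDEN = base64.b64encode(b"console.log('constructed sample payload')").decode()
SAMPLE_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="white"/>
  <script type="text/javascript">
    var p = "{_HIDDEN}";
    eval(atob(p));
  </script>
</svg>"""

# Markers that indicate decode-and-execute or forced navigation inside an image.
SUSPICIOUS = ("eval(", "atob(", "unescape(", "fromCharCode", "location.href", "window.location")
# Runs of Base64 alphabet long enough to be a hidden payload rather than noise.
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

def _local(tag):
    """Strip the XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]

def _inspect_js(js, findings):
    """Record suspicious calls and any decodable Base64 literals found in a script."""
    for marker in SUSPICIOUS:
        if marker in js and marker not in findings["suspicious_calls"]:
            findings["suspicious_calls"].append(marker)
    for blob in B64_RE.findall(js):
        try:
            findings["decoded_strings"].append(base64.b64decode(blob, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # not real Base64 text; leave it

def scan_svg(svg_text):
    """Triage one SVG document and return a findings dict with a verdict."""
    root = ET.fromstring(svg_text)
    findings = {"scripts": 0, "event_handlers": [], "suspicious_calls": [], "decoded_strings": []}
    for el in root.iter():
        if _local(el.tag) == "script":
            findings["scripts"] += 1
            _inspect_js(el.text or "", findings)
        for attr, value in el.attrib.items():
            if attr.lower().startswith("on"):  # onload, onclick, ... run script too
                findings["event_handlers"].append(attr)
                _inspect_js(value, findings)
    active = findings["scripts"] or findings["event_handlers"]
    findings["verdict"] = "suspicious" if active else "clean"
    return findings
```

Any SVG that scores "suspicious" is a candidate for sandbox detonation rather than delivery; a clean verdict only means no inline script was found, not that the file is safe.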

Regular backups, VPN-enforced access, and behavioral monitoring in sandboxes like ANY.RUN’s reduce mean time to response, turning isolated indicators into proactive rules. As attackers refine cloud abuse, organizations should rehearse playbooks to counter the next surge.
