2025 Threat Landscape in Review: Lessons for Businesses Moving Into 2026
andrew.gertz@t… – Thu, 01/15/2026 – 16:48
2025 was a year that tested how businesses think about security. Some attacks happened in new, unexpected ways, while others employed old tricks, taken to a new level. Some attacks were surgical, while others were more like sledgehammers.
In some instances, attackers exploited the way systems work on a deep technical level. Others targeted businesses when they were at their busiest and most visible or vulnerable. Across industries, companies felt the impact. Sometimes it was instant, other times, it was much later.
All of these events exposed something uncomfortable: the systems we rely on have more vulnerabilities than we dare to think about.
An Old Dog With New Tricks
In September, our Imperva research team saw an old pattern resurface. Why would bad actors need to find new holes in the security nets when the old ones are still wide open? Using long‑exposed personal data, weak telecom verification, and a tiny quirk in Google Pay functionality, they turned a harmless CAPTCHA box into a way to uncover the last four digits of a credit card and accomplish a targeted SIM swap attack. A simple iframe became a shortcut straight into someone’s identity.
What makes it worse is how normal this leaked data has become. In places like Israel, names and national ID numbers are effectively public, popping up everywhere from Telegram drug bots to street-level delivery networks. These underground systems use old leaks to verify buyers and weed out police, while the very same information lets attackers impersonate people at telecom providers with almost zero effort.
That leaves the last four digits of a card as the only real barrier to verify someone’s identity, and it was way too easy to bypass. Our research helped shut this threat down, but if banks, carriers, and online services keep treating those digits as proof of identity, they are building on shifting sand. Stronger verification is the only way to stop old breaches from fueling the next wave of attacks.
The Gambling Ring Running on Your Servers
Earlier in the year, our researchers identified another type of stealthy compromise. This time, it targeted PHP-based web applications in Indonesia. Attackers exploited pre-existing web shells to install GSocket, a networking tool that slips past firewalls and Network Address Translation (NAT).
Once installed, servers unwittingly became part of a covert network supporting illegal gambling operations. The attacks didn’t try to disrupt immediately. Instead, they quietly enabled long-term control and persistent access.
The lesson here is that continuous auditing cannot be ignored. Legacy scripts, forgotten plugins, or overlooked backdoors can all become footholds into the company, even when traffic looks normal.
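The auditing the previous paragraph calls for has two halves: knowing when files under a web root change, and looking at the changed ones for the constructs web shells tend to use. The example below is added here to illustrate both and is not Imperva's tooling or code from the research described; the web-root layout, the PHP samples and the heuristic patterns are constructed for the demo, and a pattern hit is a lead to investigate, not a verdict.

```python
"""Baseline-and-diff audit of a web root plus a heuristic scan for web-shell
constructs. Added illustration, not Imperva's code; paths, file contents and
patterns below are constructed assumptions for the demo."""
import hashlib
import os
import re
import tempfile

# Constructs frequently seen in PHP web shells (dynamic eval, command execution,
# request parameters used as callables). A hit means "look at this file".
SUSPICIOUS_PHP = re.compile(
    r"\b(eval|assert|system|shell_exec|passthru|exec|popen)\s*\("
    r"|base64_decode\s*\("
    r"|\$_(GET|POST|REQUEST)\s*\[[^\]]*\]\s*\(",
    re.IGNORECASE,
)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (path relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def diff_manifests(baseline, current):
    """Added, removed and modified paths between two manifests."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def scan_for_shells(root, paths):
    """Return the subset of PHP files in `paths` that match the heuristics."""
    hits = []
    for rel in paths:
        if not rel.endswith((".php", ".phtml", ".php5")):
            continue
        with open(os.path.join(root, rel), "r", errors="replace") as f:
            if SUSPICIOUS_PHP.search(f.read()):
                hits.append(rel)
    return hits


def demo():
    """Constructed scenario: a clean baseline, then a dropped file and an
    edited legacy plugin, both of which the audit should surface."""
    root = tempfile.mkdtemp()

    def write(rel, text):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(text)

    write("index.php", "<?php echo 'hello'; ?>")
    write("plugins/legacy/helper.php", "<?php function h() { return 1; } ?>")
    baseline = build_manifest(root)  # taken while the site is known-good

    # Later scan: a new file appears and a forgotten plugin gains an extra line.
    write("uploads/cache.php", "<?php eval(base64_decode($_POST['c'])); ?>")
    write("plugins/legacy/helper.php",
          "<?php function h() { return 1; } system($_GET['x']); ?>")
    changes = diff_manifests(baseline, build_manifest(root))
    flagged = scan_for_shells(root, changes["added"] + changes["modified"])
    return changes, flagged


if __name__ == "__main__":
    print(demo())
```

Run the baseline step from a known-good deployment and store the manifest off the host; a scan that only reviews files the diff surfaces keeps the heuristic pass small enough to run on every cycle.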
Your Telegram Account Is for Sale
Unsurprisingly, supply chain and third-party software introduced their own headaches. On PyPI, Imperva research uncovered malicious packages designed to steal Telegram Desktop session data. A single stolen data folder could give malicious actors full access to a user’s account.
We even saw these sessions being traded on underground markets, where stolen credentials were turned into a commodity. For companies, the message is to never underestimate the risk of supply chain dependency.
This incident hammered home how security isn’t just about your own infrastructure; it needs to extend to the partners, code, and libraries you trust. Vetting dependencies and continually monitoring for suspicious activity should be standard practice, not an afterthought.
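One concrete form the dependency vetting above can take is pip's hash-checking mode: each requirement is pinned to an exact version and carries one or more `--hash=sha256:` values, so a package that was replaced or tampered with on the index fails to install. The checker below is an added example, not Imperva's code or a pip internal; it parses a constructed requirements file, reports pins that would let an arbitrary upload through, and verifies a constructed artifact against the pinned hash.

```python
"""Policy check for pinned, hashed Python dependencies. Added illustration, not
Imperva's code; the requirement lines and artifact bytes are constructed."""
import hashlib
import re

# name==version followed by options; continuation lines are joined first.
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([^\s\\]+)(.*)$")
HASH_OPT = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def parse_requirements(text):
    """Return ({name: {"version", "hashes"}}, [policy violations])."""
    joined = re.sub(r"\\\s*\n\s*", " ", text)  # pip-style backslash continuations
    pins, problems = {}, []
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_LINE.match(line)
        if not m:
            problems.append(f"not pinned to an exact version: {line}")
            continue
        name, version, rest = m.group(1).lower(), m.group(2), m.group(3)
        hashes = set(HASH_OPT.findall(rest))
        if not hashes:
            problems.append(f"no --hash for {name}=={version}")
        pins[name] = {"version": version, "hashes": hashes}
    return pins, problems


def verify_artifact(pins, name, data):
    """True only if the downloaded bytes match a pinned sha256 for the package."""
    entry = pins.get(name.lower())
    if not entry or not entry["hashes"]:
        return False
    return hashlib.sha256(data).hexdigest() in entry["hashes"]


# Constructed stand-in for a downloaded wheel and its expected digest.
GOOD_WHEEL = b"constructed wheel bytes for the demo"
GOOD_SHA = hashlib.sha256(GOOD_WHEEL).hexdigest()

# Constructed requirements file: one good pin, one floating version, one unhashed pin.
SAMPLE_REQUIREMENTS = f"""
# constructed requirements file (package names are hypothetical)
demo-pkg==1.0.0 \\
    --hash=sha256:{GOOD_SHA}
floating-lib>=1.0        # any version the resolver likes could be installed
unhashed-lib==0.1.0      # pinned, but a replaced upload would still install
"""


def demo():
    pins, problems = parse_requirements(SAMPLE_REQUIREMENTS)
    ok = verify_artifact(pins, "demo-pkg", GOOD_WHEEL)
    tampered = verify_artifact(pins, "demo-pkg", GOOD_WHEEL + b"x")
    return pins, problems, ok, tampered


if __name__ == "__main__":
    print(demo())
```

Running the policy check in CI before `pip install --require-hashes` turns a supply-chain substitution into a build failure rather than a silent install; the floating and unhashed entries are exactly the ones a malicious upload would slip through.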
When AI Moves Faster Than Security
Meanwhile, the rise of AI-driven development platforms exposed vulnerabilities that were easy to overlook but dangerous in scale. Base44, a platform that enables users to create applications from natural language prompts, suffered from weaknesses in authentication, session handling, and enforcement of premium features. Bad actors could exploit these flaws to take over accounts and gain access to sensitive data.
A similar pattern is now emerging in agentic AI workflows. A disclosed vulnerability in a popular MCP server highlighted how unsafe implementation choices in AI-driven, autonomous environments can introduce critical risks, including remote code execution. In this case, an insecure design and insufficient safeguards around agent communication and execution flows created an attack path that could be exploited at scale. It demonstrates that agent-based systems can significantly expand the attack surface when security is not embedded by design.
Together, these incidents reinforce a consistent lesson: new technologies often outpace the security controls designed to protect them. Whether through low-code AI platforms or agentic workflows orchestrated via MCP servers, user-friendly abstractions can mask fragile underlying controls. For organizations adopting emerging AI tools, security must be addressed from the outset—built into architectures, workflows, and identity controls—rather than being treated as an afterthought to be added later.
The Handshake That Never Happened
Network-level threats didn’t slow down either. The Imperva research team found that LSQUIC, widely used for QUIC and HTTP/3 traffic, suffered from a pre-handshake memory-exhaustion denial-of-service vulnerability, which they named QUIC-LEAK. Threat actors could crash servers without ever establishing a legitimate connection.
The flaw lay in the way multiple packets were parsed and how memory was allocated for them. Any business running LiteSpeed-powered servers could face sudden outages unless the issue was promptly patched. This shows that performance-driven innovations often carry hidden operational risks.
Here, the best defense is monitoring infrastructure for unusual patterns and updating it as soon as possible.
14.2 Million Reasons to Plan Better
Finally, our researchers saw large-scale attacks timed to exploit predictable business events. A Turkish luxury retailer suffered a record-breaking DDoS attack during its fall collection launch, peaking at a staggering 14.2 million requests per second.
The attack coincided with peak traffic, greatly amplifying the pressure on systems and operations. It was clear that attackers aimed for visibility and disruption, and the company had to rely on real-time mitigation to keep sales running. These incidents show that attackers don’t only think about systems, but the business calendar, too.
Protecting critical events takes preparation, real-time intelligence, and resilient infrastructure that is able to scale under pressure.
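Both the QUIC-LEAK advice above (watch infrastructure for unusual patterns) and the launch-day DDoS come down to noticing when request volume leaves its normal band quickly enough to act. The detector below is an added example, not Imperva's mitigation logic: it parses constructed access-log lines, counts requests per second, and flags seconds that exceed a multiple of the recent median. The log format, the five-second baseline window and the 4x multiplier are assumptions chosen for the demo.

```python
"""Per-second request-rate spike detector with an adaptive baseline, run over
constructed access-log lines. Added illustration, not Imperva's code; format,
window length and threshold multiplier are assumptions."""
from collections import Counter, deque
from datetime import datetime, timedelta, timezone
from statistics import median
import re

# Combined-log-format style line: src ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) \d+')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, method, path, status = m.groups()
    return {"src": src, "ts": datetime.strptime(ts, TIME_FMT),
            "method": method, "path": path, "status": int(status)}


def requests_per_second(lines):
    """Count parsable requests in each whole second."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[rec["ts"].replace(microsecond=0)] += 1
    return counts


def detect_spikes(per_second, baseline_len=5, multiplier=4.0, min_rps=3):
    """Flag seconds whose rate is at least `multiplier` x the median of the
    previous `baseline_len` unflagged seconds (and at least `min_rps`).
    Flagged seconds are not fed into the baseline, so a sustained flood keeps
    being reported instead of becoming the new normal."""
    baseline = deque(maxlen=baseline_len)
    alerts = []
    for sec in sorted(per_second):
        rate = per_second[sec]
        if len(baseline) == baseline_len and rate >= max(min_rps, multiplier * median(baseline)):
            alerts.append((sec, rate, median(baseline)))
            continue
        baseline.append(rate)
    return alerts


def make_log(plan):
    """Build constructed log lines from a list of (second_offset, request_count)."""
    base = datetime(2025, 9, 15, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for offset, n in plan:
        stamp = (base + timedelta(seconds=offset)).strftime(TIME_FMT)
        for i in range(n):
            lines.append(f'203.0.113.{i % 50} - - [{stamp}] "GET /collection/fall HTTP/1.1" 200 512')
    return lines


def demo():
    """Six quiet seconds, a two-second surge, then quiet again."""
    lines = make_log([(0, 2), (1, 3), (2, 2), (3, 3), (4, 2), (5, 3),
                      (6, 40), (7, 45), (8, 2)])
    return detect_spikes(requests_per_second(lines))


if __name__ == "__main__":
    for sec, rate, base_rate in demo():
        print(f"{sec.isoformat()} rate={rate} baseline_median={base_rate}")
```

For a planned event, the useful variation is to seed the baseline from the expected launch-day profile rather than the previous minute, so the detector measures deviation from the traffic you planned for instead of from the quiet period just before it.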
The Uncomfortable Truth
In all these findings, there’s a common thread. Threats are evolving faster than defenses, using every possible trick, and blending technical complexity with business awareness. Some attacks are subtle, operating clandestinely in the background, while others are bold, seeking to strike during inconvenient moments.
Businesses need both deep technical understanding and situational awareness to keep up. They cannot afford to be on the back foot, so responding isn’t enough: anticipating what could go wrong, in normal operations as well as in peak activity windows, is just as important.
What 2026 Needs to Look Like
2025 reminded us that threats don’t always knock before they enter, and that the work of security never really stops. However, by staying informed, vigilant, and prepared, you can cut through the noise and complexity of today’s threat landscape and enter 2026 with genuine confidence.
Ensure your teams know what to look for and trust their instincts, even when something seems minor or out of place. Plan and prepare for your busiest moments, ensuring your infrastructure can handle sudden spikes or unusual traffic without interruption.
At Thales, we continually adapt to stay ahead of these evolving threats. The Imperva Application Security platform protects against everything from stealthy, under-the-radar attacks to massive, high-impact events.
You gain real-time monitoring, intelligent threat mitigation, and insights into attack patterns that might otherwise fly under your radar. Whether it’s a protocol-level exploit, a hidden backdoor, or a large-scale DDoS campaign, the platform is built to keep your business running smoothly, whatever happens.
Staying abreast of the latest research is one of the simplest, yet most effective ways to protect your business. The more you understand about adversaries and their tricks, the better you can identify risks before they do harm. Make sure to visit our Threat Research page where you can access valuable resources for free.
If you want to experience the added value of the Imperva Application Security platform, get your free trial today.
Author: Nadav Avital (https://cpl.thalesgroup.com/author/navital)
THALES BLOG
January 15, 2025
*** This is a Security Bloggers Network syndicated blog from Thales CPL Blog Feed authored by [email protected]. Read the original post at: https://cpl.thalesgroup.com/blog/cybersecurity/2025-threat-landscape-review-security-lessons-2026
