02/06/2026 | Press release | Distributed by Public on 02/06/2026 04:42
This blog post collects our key takeaways from 2025. We hope you'll learn something new!
The browser is the new battle ground.
Most major incidents like ransomware can still be avoided by basic cyber security.
For Entra, require phishing-resistant MFA. It's a security unicorn!
With January already over, the Atea Incident Response Team would like to look back at 2025 and see what we spent the year doing. It has been a year with fewer large incidents, but the number of incidents is still high. We saw new forms of attack become normalized, and we saw the vigilance and adaptability of our customers bear fruit in the form of less serious AiTM attacks.
We start off with the biggest change from 2024 to 2025. While info-stealers (malware that steals credentials from your computer) have been around for many years, better endpoint protection has made most forms of malware obsolete, and distribution has become more difficult for the bad guys. This has given rise to a new kind of social engineering attack called "ClickFix". ClickFix tricks the user into installing the info-stealer themselves, thereby bypassing many of our security tools. There are many ways of doing this, but the most common one we saw in 2025 is a fake captcha that tries to trick the user into pressing WinKey + R, CTRL + V, ENTER. This abuses the browser's ability to put text on the clipboard, and so makes the user run a command on behalf of the attacker, installing the malware.
Example of ClickFix
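As an added example (not code from Atea IRT or the original post), the following Python hunt turns the WinKey + R, CTRL + V, ENTER pattern described above into a detection: a script host or download-capable binary parented by explorer.exe, raised to high severity when a URL appears on the command line. The events, user names and URL are constructed sample data.

```python
import re
from typing import Iterable, Optional

# Constructed process-creation events in a Sysmon Event ID 1 shape; sample data,
# not telemetry from the incidents described above.
SAMPLE_EVENTS = [
    {"User": "CORP\\alice", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"User": "CORP\\bob", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://captcha.example.invalid/verify"},
    {"User": "CORP\\carol", "ParentImage": r"C:\Program Files\Vendor\Updater.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Program Files\Vendor\update.ps1"},
    {"User": "CORP\\dave", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]
# Script hosts and download-capable binaries an ordinary user almost never starts
# from the Win+R dialog by hand, so explorer.exe parenting one is worth a look.
INTERACTIVE_LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
                       "cscript.exe", "rundll32.exe", "curl.exe", "certutil.exe", "bitsadmin.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[tuple[str, str]]:
    """Return (severity, reason) when the event looks like a Run-dialog paste of an
    attacker-supplied command, or None for benign-looking events."""
    if basename(event["ParentImage"]) != "explorer.exe":
        return None  # Win+R launches are parented by explorer.exe
    image = basename(event["Image"])
    if image not in INTERACTIVE_LOLBINS:
        return None
    if URL_RE.search(event.get("CommandLine", "")):
        return ("high", f"{image} started by explorer.exe with a URL on its command line")
    return ("medium", f"{image} started by explorer.exe (possible Run-dialog paste)")


def hunt(events: Iterable[dict]) -> list[tuple[str, str, str]]:
    """Apply classify() to every event; returns (user, severity, reason) per hit."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            hits.append((ev["User"], *verdict))
    return hits
```

explorer.exe also parents anything started from a desktop shortcut or the Start menu, so tune the binary list against what your admins legitimately run. When triaging a hit, the Run dialog's own history in the RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU) shows what was pasted.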
Atea IRT talked about this attack for the first time in October 2024 in our regular meetings with our customers, but then only as a curiosity. Our first case came in December 2024, and during the quiet Christmas of 2024 a member of our team started looking into how the attacks were done.
2025 gave us many incidents with ClickFix and the like. The main distribution channel is the abuse of legitimate websites running vulnerable WordPress installations. The attacker can then add their own code, usually just a single line, that adds the fake captcha for new visitors.
Example of breached webpage. The line in blue is an attacker's code.
We have seen many variations of the attack during the last year, targeting Windows, macOS and Linux. But we have also seen completely different ways attackers have tried to trick users into installing malicious software, such as tricking them into installing "updates" for their browser.
In the second half of the year, we observed an increase in "fake software": trojans masquerading as productivity tools, most commonly PDF editors, viewers and converters. Several investigations indicated malvertising or search engine optimization poisoning as the primary infection route, where users searching for a PDF tool (or even manuals) were led to sponsored or manipulated results that delivered trojanized installers.
The largest of our investigations was the "PDF editor" tool, which hit a large number of our customers. This tool exhibited credential-theft behaviour, including extracting saved login data from web browsers and, in some instances, bringing a secondary payload into the system. In this case the secondary payload was also an information stealer, but nothing prevents it from being more serious malware next time.
We suspect that, with the ease of creating this kind of fake software with the help of AI, we will see an increase in these incidents in the years to come.
As the information stealers are launched and installed by the user, in the user's context, no local admin privileges are needed. The main protection against these attacks, aside from good MDR, is not having anything to steal if a user does infect themselves. Limiting which browsers users are allowed to use, and preventing users from storing passwords in browsers, reduces the impact of an information stealer in your environment. You can support this by reducing users' need for passwords: federate sign-ins to your IdP (for instance Entra) where possible, or offer a password manager where many different passwords are in use. And remember, if your users can sync their profiles from their work computers to their home computers, you expand your attack surface to those computers as well, and any stored work passwords can be stolen from the home computers.
Atea IRT handled 76 AiTM incidents last year. This is about the same as in 2024 and a good step down from 2023, when AiTM was a brand-new form of attack. This is despite Atea IRT having greatly increased our customer base from 2023 to 2025. We believe the reason we don't have more incidents in this category is that many of our customers have taken a proactive stance and enabled protections such as phishing-resistant MFA and requiring known devices to access their data. This really helps!
Number of AiTM-incidents year by year
Adversary-in-the-middle attacks are still the number one type of incident we handled last year. However, the fallout from these incidents is not as serious as it used to be, as customers have protections enabled and now know better what to do when they happen. We still find that AiTM as an attack form is not well known among many businesses. Every now and then we have serious incidents where we are contacted by walk-in customers who have had their first incident with phishing that bypasses regular MFA. And every time we give presentations or hold workshops on the subject, we meet IT people who have never heard about it. This tells us that the battle with AiTM will rage on for a long time to come.
The protection matrix we created a year ago for this blog post (Norwegian) is still current. We did have to expand it with the bottom row "No MFA" due to some confusion…
In some cases, we have seen very long dwell times between initial access and exploitation of that access.
In one incident the attackers had been monitoring a mailbox for over a year before they tried to send a fake invoice. As you might know, the default logging in Entra/M365 doesn't go that far back, so the only way we were able to tell when the attacker gained access was by seeing when a third-party email application was added as an Enterprise App. "eM Client", a legitimate email client, is the client of choice for many hackers as it doesn't produce many sign-in events. Even if passwords are reset and sessions are revoked, eM Client may retain access, making it a quiet foothold that leaves few sign-in logs.
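As an added example (not code from the original post or from the incident), this Python script recovers the same signal from Entra ID audit records: the earliest time an unapproved application was registered or consented to in the tenant, which bounds the initial-access date even after the sign-in logs have aged out. The records, account names and the APPROVED_APPS allow-list are constructed assumptions.

```python
from datetime import datetime, timezone

# Constructed Entra ID audit records in the Graph directoryAudit shape; sample data,
# not records from the incident described above.
SAMPLE_AUDIT = [
    {"activityDateTime": "2024-09-03T07:12:41Z", "activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "anna@corp.example"}},
     "targetResources": [{"displayName": "Microsoft Teams"}]},
    {"activityDateTime": "2024-10-14T23:48:02Z", "activityDisplayName": "Add service principal",
     "initiatedBy": {"user": {"userPrincipalName": "finance@corp.example"}},
     "targetResources": [{"displayName": "eM Client"}]},
    {"activityDateTime": "2024-10-14T23:48:03Z", "activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "finance@corp.example"}},
     "targetResources": [{"displayName": "eM Client"}]},
    {"activityDateTime": "2025-11-20T09:05:10Z", "activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "finance@corp.example"}},
     "targetResources": [{"displayName": "Contoso HR Portal"}]},
]
# Audit activities that mark an app being registered or consented to in the tenant.
APP_EVENTS = {"Consent to application", "Add service principal"}
# Apps the organisation has vetted (assumed allow-list); everything else gets reviewed.
APPROVED_APPS = {"Microsoft Teams", "Contoso HR Portal"}


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def first_seen_unapproved(records: list[dict]) -> dict[str, tuple[datetime, str]]:
    """Earliest registration/consent time per unapproved app, plus the account that did
    it. Sign-in logs may have aged out, but this still bounds initial access from below."""
    first: dict[str, tuple[datetime, str]] = {}
    for rec in records:
        if rec["activityDisplayName"] not in APP_EVENTS:
            continue
        when = parse_ts(rec["activityDateTime"])
        who = (rec.get("initiatedBy", {}).get("user") or {}).get("userPrincipalName", "<app>")
        for target in rec.get("targetResources", []):
            app = target.get("displayName", "")
            if app and app not in APPROVED_APPS and (app not in first or when < first[app][0]):
                first[app] = (when, who)
    return first


def dwell_days(first_seen: datetime, discovered: datetime) -> int:
    """Whole days between the app appearing in the tenant and the incident being noticed."""
    return (discovered - first_seen).days
```

Audit logs are retained longer than sign-in logs by default, but not forever; exporting them to a SIEM or Log Analytics workspace is what makes this query possible a year later.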
With protection against AiTM being as important as ever, we would like to stress that going phishing-resistant isn't as difficult as it seems. With the correct setup, for instance Hello for Business on Windows PCs and Microsoft Authenticator passkeys on mobile, you could even go completely passwordless, for almost no extra cost!
Passwordless is one of the rare controls that increases both security and usability while not increasing cost. In security, that's as close to a unicorn as it gets.
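As an added example illustrating the protections named in the AiTM section and the passwordless setup just described (not Atea's or Microsoft's code), this Python audit checks a set of Conditional Access policies in the Microsoft Graph conditionalAccessPolicy shape for the posture recommended here: phishing-resistant MFA plus a known device, enforced for all users. The policies are constructed; the authentication strength id is Microsoft's documented built-in value.

```python
# Built-in Entra authentication strength id for "Phishing-resistant MFA" (Microsoft's documented value).
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"
DEVICE_CONTROLS = {"compliantDevice", "domainJoinedDevice"}
ALL = {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]}}

# Constructed policies in the Graph conditionalAccessPolicy shape, not from a real tenant.
WEAK_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled", "conditions": ALL,
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Phishing-resistant MFA (pilot)", "state": "enabledForReportingButNotEnforced",
     "conditions": ALL, "grantControls": {"operator": "AND", "builtInControls": [],
                                          "authenticationStrength": {"id": PHISHING_RESISTANT_MFA}}},
]
# The corrected posture: one enforced, tenant-wide policy requiring both a phishing-resistant
# credential (FIDO2/passkey, Windows Hello for Business) and a known device.
FIXED_POLICY = {
    "displayName": "Phishing-resistant MFA + known device", "state": "enabled", "conditions": ALL,
    "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice"],
                      "authenticationStrength": {"id": PHISHING_RESISTANT_MFA}},
}


def _tenant_wide(policy: dict) -> bool:
    cond = policy["conditions"]
    return (cond["users"].get("includeUsers") == ["All"]
            and cond["applications"].get("includeApplications") == ["All"])


def audit(policies: list[dict]) -> list[str]:
    """Findings about AiTM resistance; an empty list means phishing-resistant MFA AND a
    known device are enforced for all users and all apps."""
    findings = []
    enforced = [p for p in policies if p["state"] == "enabled" and _tenant_wide(p)]
    strength_ok = any((p["grantControls"].get("authenticationStrength") or {}).get("id")
                      == PHISHING_RESISTANT_MFA for p in enforced)
    device_ok = any(DEVICE_CONTROLS & set(p["grantControls"].get("builtInControls", []))
                    for p in enforced)
    for p in policies:
        name, grant = p["displayName"], p["grantControls"]
        if p["state"] == "enabledForReportingButNotEnforced":
            findings.append(f'"{name}" is report-only and blocks nothing')
        if "mfa" in grant.get("builtInControls", []):
            findings.append(f'"{name}" uses the legacy "mfa" control, which push, SMS and OTP '
                            "satisfy; an AiTM proxy relays those in real time")
    if not strength_ok:
        findings.append("no enforced tenant-wide policy requires the phishing-resistant MFA strength")
    if not device_ok:
        findings.append("no enforced tenant-wide policy requires a compliant or hybrid-joined device")
    return findings
```

Feed the `value` array from `GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies` to audit() to run it against a real tenant; excluded break-glass accounts are expected and not flagged.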
Ransomware is one of the most demanding incidents that an organisation can experience, and for the last couple of years it has been the source of our biggest cases. This year marked a significant shift in ransomware activity across the Nordics. Whereas Atea IRT previously handled more than 20 cases annually, 2025 saw only three confirmed incidents. This sharp decline contrasts with the global trend where ransomware incidents seem to be trending up.
Source: https://www.ransomware.live/stats
Several factors may explain this trend. Nordic, and especially Norwegian, organisations appear to be targeted less frequently than before. A possible explanation is that they are perceived as less profitable, due to a stronger stance against paying ransoms than in other parts of the world. Increased adoption of cloud services may also have reduced the traditional attack surfaces that ransomware actors abuse. This is especially true for small and medium-sized businesses, where IT security is less mature and which were therefore more often victims of ransomware in the past.
The global upward trend might also be a statistical quirk. A decreasing number of organisations are paying ransoms, which has resulted in more organisations having their data published ("shamed") by the ransomware actors. This creates a misleading impression of rising cases, as incidents that would previously have remained undisclosed because the victim paid now appear in public breach statistics.
Even though the number of ransomware cases is down, this doesn't mean that we have won the war. We have had dips in cases before, and keeping your environments secure is as important as ever. Our advice for protection against ransomware is luckily the same today as it has been for the last couple of years. And it is easy!
With this, Atea IRT would like to wish you a great and secure 2026!
Atea IRT is a cybersecurity incident response team for Atea's customers in the Nordics and Baltics. In 2025 we handled 344 incidents reported to us by our customers or by Atea's SOC service. We are approved by the Norwegian NSM and the Swedish Adda, and we are members of FIRST.