Threat Briefing: October 24, 2025

October 24, 2025

Threat Intel Update

In recognition of Cybersecurity Awareness Month, the National Cybersecurity Alliance is promoting the theme “Stay Safe Online.” As digital threats evolve, that message extends beyond traditional computers, as mobile devices have become a growing target.

Verizon’s research underscores the risk: cybercriminals have launched vast networks of malicious domains and fake accounts designed to power phishing and smishing campaigns, making it easier than ever for attackers to steal and exploit login credentials.

Cybersecurity News

  • Mobile Devices Are Emerging as a Major Cybersecurity Weak Point – Organizations are increasingly vulnerable to attacks originating from employee mobile devices. The 2025 Mobile Security Index reports that 80% of businesses experienced smishing activity, underscoring how text-based phishing has surpassed traditional email threats. However, many organizations remain behind in adopting mobile-focused defenses, allowing breaches that begin on personal phones to infiltrate enterprise environments. (Source: Dark Reading)
  • The “Smishing Triad”: A Massive Phishing Network Behind 195,000 Fake Domains – The Smishing Triad, a Chinese-language phishing network active since January 2024, has registered roughly 195,000 malicious domains to impersonate organizations across multiple sectors. The operation uses a phishing-as-a-service model supported by data brokers, kit developers, hosting providers, and spammers, with coordination and recruitment facilitated through Telegram channels. (Source: CyberScoop)
  • It Only Takes 250 Documents to Corrupt an AI Model, Researchers Warn – A joint study by Anthropic, the UK AI Security Institute, and the Alan Turing Institute found that inserting a backdoor into an AI model requires only 250 crafted documents, even in models up to 13B parameters. The research demonstrates that absolute data count, rather than dataset proportion, governs poisoning success, making both small and large models equally vulnerable. These findings raise critical concerns about AI supply chain security and the potential for stealth manipulation through data poisoning. (Source: Dark Reading)
  • SIM-Farm Network Creating 49 Million Fake Accounts Taken Down – A joint law enforcement effort known as Operation SIMCARTEL, led by Europol, Eurojust, and national authorities, has taken down a SIM-farm platform used to create over 49 million fraudulent accounts. The operation resulted in seven arrests, 26 searches, and the seizure of 1,200 SIM-boxes hosting 40,000 active SIM cards, along with servers, crypto funds, and high-value assets. These fake accounts powered numerous criminal schemes, from phishing and investment fraud to migrant smuggling and CSAM distribution, underscoring the scale of cyber-enabled crime tied to SIM-farm infrastructure. (Source: The Hacker News)
  • Cybercriminals Exploit TikTok to Spread ClickFix Attacks – Recent threat intelligence indicates that cyber actors are leveraging TikTok videos to deliver ClickFix attacks. Videos purporting to offer activation instructions for popular software prompt users to execute PowerShell commands that fetch malware from domains like slmgr.win. The primary payload, such as Aura Stealer, extracts sensitive data including browser credentials, cookies, crypto wallets, and application logins, while secondary executables may load additional code in memory, increasing persistence. Security specialists emphasize caution and user education to mitigate risks associated with social-media-driven ClickFix attacks. (Source: BleepingComputer)

About the Author

CampusGuard Threat Intel Team