ENISA Threat Landscape Briefing: 2024-2025 Analysis

Breached Company

Breached Company

10 min read
ENISA Threat Landscape Briefing: 2024-2025 Analysis
Photo by USGS / Unsplash

Executive Summary

This briefing document synthesizes the ENISA Threat Landscape (ETL) report for the period of July 2024 to June 2025, based on the analysis of nearly 4,900 curated incidents. The European Union's cyber threat environment is characterized by a maturing and converging landscape where adversaries exploit vulnerabilities rapidly and collectively erode resilience through continuous, diversified campaigns rather than single high-impact events.

Key takeaways include:

  • Dominance of Low-Impact Hacktivism: Hacktivist operations, primarily low-level Distributed Denial-of-Service (DDoS) attacks, dominate the incident volume, accounting for nearly 80% of all recorded events. While their operational impact remains minimal, these campaigns are ideologically driven and demonstrate the scalability of low-cost tools.
  • Resilient Cybercrime Ecosystem: Ransomware remains a core intrusion activity. In response to law enforcement actions, cybercriminal operators have decentralized, adopted aggressive extortion tactics, and capitalized on regulatory compliance fears. The proliferation of Ransomware-as-a-Service (RaaS) models, leaked builders, and initial access brokers continues to lower entry barriers, fueling a professionalized and fragmented criminal ecosystem.
  • Intensified State-Aligned Espionage: State-aligned threat groups have intensified long-term cyberespionage campaigns against the EU's telecommunications, logistics, and manufacturing sectors. These actors demonstrate advanced tradecraft, including supply chain compromises, stealthy malware frameworks, and the abuse of signed drivers. Russia-nexus and China-nexus groups remain the most active.
  • Systemic Sectoral Exposure: Public administration networks are the primary target sector (38%), facing pressure from hacktivists and state-nexus actors. The transport sector has emerged as a high-value target for ransomware and espionage, while digital infrastructure and services remain strategic targets for all adversary types.
  • Phishing and Vulnerability Exploitation: Phishing remains the dominant initial intrusion vector (60%), evolving through industrialized Phishing-as-a-Service (PhaaS) platforms. The exploitation of vulnerabilities is the second most common vector (21.3%), with threat actors rapidly weaponizing newly disclosed flaws, often within days.
  • Pervasive Integration of AI: Artificial intelligence has become a defining element of the threat landscape. Adversaries leverage AI to enhance social engineering, with over 80% of phishing campaigns reportedly using AI. The use of jailbroken models, synthetic media, and model poisoning techniques is growing, alongside the emergence of stand-alone malicious AI systems.
  • Convergence of Threats: The lines between hacktivism, cybercrime, and state-aligned activity are increasingly blurred. This is exemplified by state actors operating under hacktivist personas ("faketivism"), hacktivists adopting ransomware, and state-aligned groups leveraging cybercriminal tools, infrastructure, and TTPs.
enisathreatlandscape2025
enisathreatlandscape2025.pdf
5 MB
download-circle

I. General Threat Landscape Overview

Analysis of 4,875 incidents from July 2024 to June 2025 reveals distinct patterns in adversary behavior and targeting.

Initial Intrusion Vectors:

Vector

Percentage of Incidents

Key Characteristics

Phishing

60%

The primary entry point, used for credential theft, session hijacking, and payload deployment. Includes vishing, malspam, and malvertising.

Vulnerability Exploitation

21.3%

A highly effective vector, with nearly 70% of cases leading directly to an intrusion and 68% resulting in malware deployment.

Botnets

9.9%

Used for large-scale automated attacks and malware distribution.

Malicious Applications

8%

Comprised of compromised or trojanized software.

Insider Threats

0.8%

A smaller but still relevant vector for unauthorized access.

Incident Types and Threat Actors:

  • DDoS Attacks (76.7%): The most common incident type, overwhelmingly driven by hacktivist groups. Cybercrime groups contribute a marginal fraction, often for extortion purposes (ransom DDoS).
  • Intrusions (17.8%): Dominated by cybercriminal activities, followed by persistent campaigns from state-aligned groups. Hacktivists are only marginally involved in intrusion cases.
    • Following intrusions, 87.3% of malicious code deployed was ransomware, banking trojans, or infostealers.
    • 68.6% of intrusions led to data breaches leaked on cybercriminal forums.
  • Defacements: Almost exclusively associated with hacktivists as a symbolic tactic for visibility and protest.

Primary Adversary Objectives:

  • Ideology-Driven (Hacktivism): The most frequent objective, primarily carried out via DDoS attacks.
  • Financially Motivated (Cybercrime): The second most common objective, primarily conducted by cybercriminal operators.
  • Cyberespionage (State-Aligned): Accounted for 7.2% of activities, focused on strategic data collection.

A. Phishing: The Dominant Initial Intrusion Vector

Phishing has evolved with more sophisticated techniques and industrialized platforms:

  • Innovative Techniques: "ClickFix-style" scams using fake CAPTCHA prompts to trick users into executing PowerShell commands gained momentum in Q1 2025. The "ClearFake" campaign compromised WordPress sites to distribute infostealers like Lumma and Vidar through drive-by downloads.
  • Phishing-as-a-Service (PhaaS): Platforms like Darcula (impersonating over 200 brands), Lucid (expanding to iMessage and RCS), and FlowerStorm (an adversary-in-the-middle kit bypassing MFA) have automated and scaled phishing operations for low-skill actors.
  • QR Code Phishing (Quishing): The "Scanception" campaign used malicious QR codes in PDF attachments to redirect EU victims to credential harvesting pages hosted on trusted cloud platforms, evading email filters.

B. Cyber Dependencies: An Expanding Attack Surface

Adversaries increasingly target third-party providers and the digital supply chain to amplify the impact of their attacks.

  • Third-Party Provider Compromises:
    • Plus Service (March 2025): A breach at this provider for Italian transport companies paralyzed ticketing systems for Mobilita di Marca (MoM) and impacted Busitalia Veneto and ATM Milano.
    • Berliner Verkehrsbetriebe (BVG) (May 2025): The compromise of an external service provider affected the data of 180,000 BVG customers.
    • Operation Digital Eye (Mid-2024): A cyberespionage campaign targeted professional IT providers in Southern Europe to infiltrate supply chains.
  • Digital Supply Chain Exploitation:
    • Malicious Packages: The DPRK-nexus Lazarus group increasingly deployed malicious Node Package Manager (npm) packages in GitHub repositories to compromise developer environments.
    • Malicious Browser Extensions: A late 2024 surge in attacks compromised multiple companies' Chrome extensions, particularly those related to AI and VPNs.

C. Mobile Devices: A Continuous Target

Mobile devices, especially Android, faced a high level of threat in Q1 2025.

  • Financially Motivated Malware: The Rafel RAT targeted outdated Android devices in Czechia, France, Germany, Italy, and Romania. The Medusa banking trojan re-emerged with updates targeting France and Italy, focusing on On-Device Fraud (ODF).
  • State-Aligned Surveillance: State-aligned groups deployed sophisticated spyware, including KoSpy (DPRK), BoneSpy and PlainGnome (Uzbekistan), and EagleMsgSpy (reportedly used by Chinese Public Security).
  • Messaging App Exploitation: Russia-nexus groups (Sandworm, CozyLarch) targeted WhatsApp, Signal, and Telegram accounts in Ukraine, abusing features like "linked devices" to gain access.
  • Infrastructure-Level Risks: State-linked telecommunications providers were reported to be exploiting vulnerabilities in outdated mobile signaling protocols (SS7 and Diameter) to conduct silent, infrastructure-level monitoring and manipulation of mobile communications across borders.

D. Threat Actor Convergence: Blurring the Lines

The distinctions between hacktivism, cybercrime, and state-aligned activity have continued to erode.

  • Faketivism and Blended Operations: State-aligned groups like Russia's Sandworm leverage hacktivist personas such as "Cyber Army of Russia Reborn" to mask their operations. Pro-Russia hacktivist DDoS waves around elections often align with FIMI objectives.
  • Hacktivism Adopting Criminal TTPs: Groups are pivoting to monetization. FunkSec emerged with ransomware blending political messages and extortion. Pro-Russia CyberVolk used multiple ransomware strains, and KillSec launched a RaaS platform.
  • State-Nexus and Cybercrime Crossover:
    • DPRK-nexus groups (Andariel, Moonstone Sleet) were linked to Play and Qilin ransomware activity.
    • China-nexus Mustang Panda leveraged RA ransomware, possibly for moonlighting.
    • Russia-nexus APT29 and Sandworm used commercial proxy networks and commodity infostealers shared with cybercriminals.
  • Hybrid Campaigns: Pro-Russia groups used Telegram to recruit EU-based individuals for physical sabotage, vandalism, and arson across NATO countries, demonstrating the extension of cyber-aligned conflicts into the physical domain.

E. The Proliferation of AI in Cyber Operations

AI is being used both to facilitate attacks and as a target for exploitation, creating a new level of scalability for malicious activity.

  • AI as an Offensive Tool:
    • Phishing & Social Engineering: Over 80% of phishing emails between September 2024 and February 2025 used AI to some extent. Deepfakes are increasingly used in vishing and fraud.
    • Malware Development: Malicious LLMs like WormGPT, FraudGPT, and the stand-alone Xanthorox AI automate social engineering and accelerate tool development.
    • State-Actor Use: China, Iran, and DPRK-nexus groups use commercial AI (Gemini, ChatGPT) as productivity boosters for reconnaissance and research.
  • AI as a Lure and Target:
    • Malware Distribution: Fraudulent websites impersonating legitimate AI tools (Kling AI, Luma AI) were used to deliver infostealers and other malware.
    • Supply Chain Attacks: Attackers have used poisoned machine learning models on hosting platforms and a "Rules File Backdoor" vector to inject malicious instructions into AI coding assistants like GitHub Copilot.
  • AI System Vulnerabilities: AI software is not immune to flaws, as shown by critical remote code execution vulnerabilities in Langflow and Microsoft 365 Copilot.

III. Threat Actor Analysis

A. Cybercrime: A Professionalized and Resilient Ecosystem

Cybercrime accounted for 13.4% of all incidents, with ransomware being the most impactful threat.

  • Threats & Trends:
    • Ransomware Fragmentation: Following law enforcement actions against major players like LockBit, the ecosystem has fragmented. A total of 82 ransomware variants were deployed against EU organizations, with Akira (11.6%), SafePay (10.1%), and Qilin (7.5%) being the most frequent.
    • Infostealer Market Disruption: The takedown of RedLine and META (Operation Magnus) led to a more than 350% increase in the use of Lumma Stealer.
    • Advanced TTPs: Cybercriminals are using tools like AvNeutralizer and EDRKillShifter to disable Endpoint Detection and Response (EDR) solutions and are leveraging Bring Your Own Vulnerable Driver (BYOVD) techniques for stealthier intrusions. Aggressive pressure tactics include Qilin's "call lawyer" feature, which exploits regulatory fears.
  • Sectorial & Geographical Impact:
    • Digital Infrastructure and Services (13.7%) and Manufacturing (13.26%) were the most targeted sectors.
    • The top five most impacted EU Member States were Germany (23.4%), Italy (11.33%), Spain (9.8%), France (9.5%), and Belgium (3.7%).

B. State-Aligned Activities: Persistent and Sophisticated Espionage

State-aligned activities accounted for 7.2% of incidents, with 46 distinct intrusion sets observed targeting the EU.

  • Russia-Nexus: The most active threat, with groups like APT29, APT28, and Sandworm conducting cyberespionage against public administration (diplomatic and governmental entities), defense, and digital infrastructure. Targeting often correlates with EU Member States' support for Ukraine.
  • China-Nexus: Groups like UNC5221 (Volt Typhoon), Mustang Panda, and APT41 focused on public administration, transport (maritime), and digital infrastructure (telecommunications). Their activities align with strategic goals like the Belt and Road Initiative and often involve compromising edge devices to build Operational Relay Box (ORB) networks.
  • DPRK-Nexus: Groups like Famous Chollima, Lazarus, and Kimsuky primarily targeted private companies in finance, defense, and technology, often using sophisticated job-themed social engineering campaigns to infiltrate organizations and generate revenue.
  • Other Actors: India-nexus groups (Bitter, SideWinder) emerged with spearphishing campaigns against EU embassies. Iran-nexus groups targeted civil society and NGOs. Private Sector Offensive Actors (PSOAs) like NSO Group and Paragon continued to be used against civil society in the EU.

C. Foreign Information Manipulation and Interference (FIMI)

Primarily carried out by Russia-aligned Information Manipulation Sets (IMS), FIMI campaigns targeted EU Member States with increased activity around electoral events.

  • Key Actors: Matryoshka (most active), Doppelgänger, Storm-1516, and Portal Kombat conducted operations against France, Germany, and Poland.
  • Narratives & TTPs: FIMI operations aimed to degrade the Union, discredit high-ranking officials, and interfere in elections. TTPs included creating inauthentic news articles, fabricating investigations, using decontextualized quotes, and leveraging AI for voice cloning.
  • Strategic Exploitation: 72.5% of FIMI campaigns targeted or opportunistically exploited strategic events, such as the elections in Poland, Romania, and Moldova, to undermine EU policies and institutions.

D. Hacktivism: High Volume, Low Impact

Hacktivism represented 79% of all incidents, dominated by DDoS attacks (91.5%) with minimal confirmed operational impact.

  • Key Actors & Motives: Pro-Russia groups were prevalent, led by NoName057(16). Pro-Palestine groups were also highly active. The formation of alliances like The Holy League, which gathers pro-Russia and pro-Palestine groups, signals a trend of ideological convergence.
  • Targeting: The most targeted sectors were Public Administration (63.1%), Transport (12%), and Finance (11.7%). The most targeted EU Member States were France, Italy, Poland, Germany, and Lithuania, with attacks often triggered by geopolitical events or declarations of support for Ukraine.
  • Evolving TTPs: Hacktivists showed intent to target Operational Technology (OT) systems, with groups like Z-PENTEST-ALLIANCE claiming attacks on energy and water management interfaces. They also continued to adopt ransomware, with groups like KillSecurity launching RaaS platforms.

IV. Sectorial Threat Analysis

The top five targeted sectors align closely with those identified as critical under the NIS2 Directive, confirming the directive's relevance.

Rank

Sector

% of Total Incidents

Primary Threats

Key Observations

1

Public Administration

38.2%

Hacktivist DDoS (96.2%), State-Nexus Espionage, Ransomware

Remains the most targeted sector. DDoS attacks are a first-line tactic around specific events. State-aligned actors focus on diplomatic and governmental entities for espionage.

2

Transport

7.5%

Hacktivist DDoS (87.6%), Ransomware, State-Nexus Espionage

Air transport (58.4%) and logistics (20.8%) are the most affected sub-sectors. Ransomware incidents have caused significant disruptions (e.g., Split Airport).

3

Digital Infrastructure & Services

4.8%

Hacktivist DDoS (57.5%), Cybercrime (34.3%), State-Nexus Espionage

A high-value target for data collection and large-scale disruption. Telecommunications is the most impacted sub-sector. Russia-nexus groups are particularly active here.

4

Finance

4.5%

Hacktivist DDoS (83.5%), Cybercrime (Data Breaches, Ransomware)

The banking sub-sector is the primary target. DDoS attacks aim to create nuisances for users. Data breaches (64%) are more common than ransomware (36%).

5

Manufacturing

2.9%

Cybercrime (59.3%), Hacktivist DDoS (39.3%)

Cybercrime, particularly ransomware (Akira, Qilin), is the primary threat and has caused prolonged business disruptions. Defense and automotive sub-sectors are frequently targeted by hacktivists.

V. Common Tactics, Techniques, Procedures (TTPs) and Vulnerabilities

TTPs

Analysis of adversary behavior mapped to the MITRE ATT&CK framework highlights a heavy focus on post-compromise activities. Key clusters of commonly used techniques include:

  • Discovery: Adversaries frequently use a combination of techniques to inventory systems and networks (Process Discovery, System Network Configuration Discovery, File and Directory Discovery).
  • Execution: The most common execution methods involve Command and Scripting Interpreters (PowerShell, Windows Command Shell) and related vectors like WMI and Service Execution.
  • Persistence: Attackers layer multiple methods to maintain footholds, including creating Windows Services, modifying the registry for autostart, and creating or abusing valid accounts.

Vulnerabilities

Vulnerability exploitation remains a cornerstone of initial access (21.3% of intrusions).

  • Disclosure Trends: 42,595 new vulnerabilities were disclosed, a 27% increase from the previous year. 64% had a network attack vector, underscoring the risk of remote exploitation.
  • Known Exploited Vulnerabilities (KEV): 245 vulnerabilities were added to CISA’s KEV catalog during the reporting period. At least 115 of these were reported as exploited against EU organizations.
  • Exploitation Patterns: Attackers consistently exploit internet-facing applications (MITRE T1190), including flaws in Confluence, Exchange, Citrix NetScaler, and various VPN appliances. These are often targeted in mass-exploitation waves within hours of disclosure. Local privilege-escalation vulnerabilities (T1068) and client-side execution flaws (T1203) delivered via phishing remain prevalent for post-exploitation.

VI. Outlook and Strategic Recommendations

Outlook

The cyber threat landscape is expected to intensify along three dimensions: convergence, automation, and industrialization.

  • Near-Term: EU organizations will continue to face periodic spikes in hacktivist activity, stable cyberespionage campaigns from Russia- and China-nexus actors, and an increasingly mature but fragmented cybercriminal ecosystem. Ransomware and infostealers will remain the dominant impact-oriented threats.
  • Forward-Looking: AI will accelerate offensive innovation, enabling faster campaign development and more effective deception. Abuse of cyber dependencies and supply chains will remain a strategic priority for adversaries.

Strategic Recommendations

Defensive strategies must be intelligence-driven, systemic, and proactive. The following foundational controls are recommended based on observed adversary TTPs:

  • System Hardening: Implement execution prevention, endpoint behavior monitoring, and proper OS and software configuration to reduce the attack surface.
  • Access & Privilege Control: Enforce least-privilege principles through user account management, privileged account management, and multi-factor authentication (MFA).
  • Network Protections: Use network segmentation to contain threats, filter network traffic to block malicious communications, and restrict web-based content to reduce exposure.
  • Monitoring: Ensure comprehensive system and activity logging (auditing) to enable early detection of malicious activity and anomalies.
  • Resilience: Maintain regular data backups, store backups remotely, implement data loss prevention, and provide user training to recognize social engineering attempts. Prioritize patching, especially for known exploited vulnerabilities in internet-facing systems.

Read more