Top 10 Key Takeaways from Cyble’s Threat Landscape 2025 Report

If, 10 years down the line, someone asked which year was the pivotal one that changed the outlook of the cybersecurity landscape, we could simply point to the year just gone. 2025 proved to be one of the most turbulent years on record for the threat landscape, marked by unprecedented ransomware growth, AI-driven attacks, and resilient cybercriminal ecosystems that adapted rapidly despite major law enforcement crackdowns.

Cyble recently released its comprehensive Annual Threat Landscape Report, which reveals critical insights that answer every security professional’s why, when, what, which and how about the cyberthreat landscape as we move into 2026. Here are the top 10 key takeaways.

1. Ransomware Attacks Surged 355% Since 2020

The ransomware threat reached alarming levels in 2025, with attacks increasing 355% from 2020—rising from nearly 1,400 incidents to approximately 6,500 incidents. The year witnessed 57 new ransomware groups and 27 new extortion groups emerge, alongside over 350 new ransomware strains primarily based on MedusaLocker, Chaos, and Makop families.

Qilin dominated the landscape with 634 attacks, followed by Akira with 575 incidents. The Americas bore the brunt of attacks, accounting for 4,292 victimologies, with the United States alone suffering 3,527 incidents. This dramatic escalation demonstrates that ransomware remains the most disruptive cyber threat facing organizations globally.

2. Underground Cybercrime Forums Prove Resilient Despite Law Enforcement Victories

Despite significant law enforcement successes—including the dismantling of the Cracked and Nulled forums (10 million users), the seizure of XSS.is infrastructure, and the arrest of IntelBroker from BreachForums—the cybercrime underground demonstrated remarkable resilience. When major platforms fell, threat actors rapidly migrated to alternative channels. DamageLib emerged as XSS’s successor, while DarkForums attracted displaced users from both the XSS and BreachForums communities, gaining 10,000 new members monthly since July 2025.

The fragmentation led to increased use of Telegram channels and other messaging platforms, with groups like Scattered LAPSUS$ Hunters coordinating sophisticated supply chain attacks through encrypted communications. This adaptability underscores that takedowns alone cannot eliminate the cybercrime ecosystem.


3. Supply Chain Attacks Evolve Beyond Traditional Package Poisoning

2025 witnessed supply chain intrusions expanding far beyond conventional package poisoning, targeting cloud integrations, SaaS trust relationships, and vendor distribution pipelines. The Shai-Hulud 2.0 campaign compromised hundreds of npm packages with multi-stage scripts designed to harvest cloud credentials and CI/CD secrets. Scattered LAPSUS$ Hunters exploited compromised Salesloft-Drift OAuth tokens to breach multiple Salesforce instances, exfiltrating Snowflake tokens and internal credentials. China-aligned group PlushDaemon compromised a South Korean VPN vendor’s distribution channel, replacing legitimate installers with the SlowStepper backdoor.

These incidents show how upstream services—identity providers, package registries, and software delivery channels—have become strategic chokepoints capable of exposing thousands of downstream environments.

4. AI Integration Amplifies Attack Speed and Sophistication

Artificial intelligence fundamentally reshaped the threat landscape in 2025, with adversaries weaponizing AI across the entire attack lifecycle. AI-native malware like LameHug (attributed to APT28) leverages local reasoning loops and LLM inference for autonomous persistence, evasion, and data theft. The SesameOp backdoor uses OpenAI’s Assistants API as a covert command-and-control channel, requesting dynamically generated shellcode on demand.

AI-augmented frameworks like HexStrike combine LLM-driven reasoning with automated patch-diff analysis to rapidly produce functional exploits. Ransomware operators adopted AI-driven reconnaissance and negotiation automation, compressing attack timelines from days to hours. Meanwhile, 82.6% of phishing emails now utilize AI language models, achieving a 60% success rate through convincing deepfake voice and video impersonations.

5. Hacktivism Surges with Focus on Critical Infrastructure

Hacktivist activity exploded in 2025, with over 1.06 million sightings—a significant increase from 0.7 million in 2024. Pro-Russian groups like NoName057(16) and Z-Pentest, alongside pro-Palestinian collectives, drove coordinated campaigns tied to geopolitical flashpoints including the Russia-Ukraine War, Israel-Hamas conflict, and regional tensions across South Asia and Southeast Asia.

Critically, hacktivists dramatically expanded targeting of Industrial Control Systems and Operational Technology environments, with Z-Pentest conducting repeated intrusions against HMI and SCADA interfaces primarily across Europe. The intersection of state interests and hacktivism became more pronounced, with U.S. indictments exposing GRU-backed financing of Cyber Army of Russia Reborn and NoName057(16)’s DDoSia platform. This evolution demonstrates hacktivism’s transformation from nuisance attacks to material disruption of critical infrastructure.

6. Vulnerability Landscape Explodes with 45,000+ Disclosures

CRIL tracked over 45,000 vulnerabilities in 2025—a 15% increase compared to 2024, averaging 127 vulnerabilities reported daily. The surge in medium and high-severity vulnerabilities (CVSS 5.0-10.0) signaled a year dominated by high-risk security issues. Linux led CVE assignments by a wide margin, followed by Microsoft, Apple, and Adobe.

Industrial Control Systems faced particular risk with 2,451 ICS-specific vulnerabilities disclosed by 152 vendors, peaking dramatically in August 2025. Among 241 Known Exploited Vulnerabilities added to CISA’s KEV catalog, 26 were weaponized in ransomware campaigns. Critical vulnerabilities like CVE-2025-61882 (Oracle E-Business Suite) enabled CL0P’s supply-chain campaign affecting over 118 entities globally. The sheer volume and rapid weaponization of vulnerabilities underscore the urgent need for prioritized patch management.
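The prioritization the section argues for can be made mechanical. The following is an added example (not code from the report or from Cyble): it ranks scanner findings by whether the CVE sits in CISA’s KEV catalog and whether KEV marks it as used in ransomware campaigns, before falling back to CVSS. The field names mirror the public KEV JSON feed; the CVE IDs, assets, dates and scores are constructed placeholders.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. The field names exist in the
# public catalog; the CVE IDs, vendors, products and dates below are placeholders.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleERP", "product": "Suite",
     "knownRansomwareCampaignUse": "Known", "dueDate": "2025-10-20"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleNet", "product": "Gateway",
     "knownRansomwareCampaignUse": "Unknown", "dueDate": "2025-11-05"},
]})

# Constructed scan output: CVEs observed on our own assets with CVSS base scores.
FINDINGS = [
    {"asset": "erp-prod-01", "cve": "CVE-0000-0001", "cvss": 7.5, "internet_facing": True},
    {"asset": "vpn-edge-02", "cve": "CVE-0000-0002", "cvss": 9.8, "internet_facing": True},
    {"asset": "build-03",    "cve": "CVE-0000-0003", "cvss": 9.9, "internet_facing": False},
    {"asset": "wiki-04",     "cve": "CVE-0000-0004", "cvss": 5.3, "internet_facing": False},
]

def load_kev(kev_json):
    """Index KEV entries by CVE ID."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}

def priority(finding, kev, today):
    """Return (tier, sort_key). Tier 1: KEV with known ransomware use; 2: any other KEV entry;
    3: non-KEV with CVSS >= 7.0; 4: everything else. Within a tier, overdue KEV due dates
    and internet exposure come first, then CVSS descending."""
    entry = kev.get(finding["cve"])
    if entry is None:
        tier, overdue = (3 if finding["cvss"] >= 7.0 else 4), False
    else:
        tier = 1 if entry["knownRansomwareCampaignUse"] == "Known" else 2
        overdue = date.fromisoformat(entry["dueDate"]) < today
    return tier, (tier, not overdue, not finding["internet_facing"], -finding["cvss"])

def rank(findings, kev_json, today):
    """Order findings for patching: exploited-in-the-wild and ransomware-linked CVEs outrank
    a higher raw CVSS score that nobody is known to be exploiting."""
    kev = load_kev(kev_json)
    return sorted(findings, key=lambda f: priority(f, kev, today)[1])

if __name__ == "__main__":
    kev = load_kev(KEV_JSON)
    for f in rank(FINDINGS, KEV_JSON, date(2025, 11, 1)):
        print(priority(f, kev, date(2025, 11, 1))[0], f["asset"], f["cve"], f["cvss"])
```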

7. Credential Stealers Evolve to Target Session Tokens and Cloud Artifacts

The credential theft landscape in 2025 expanded far beyond simple password extraction, with stealers targeting browser session tokens, cloud CLI credentials, credential vaults, and DPAPI-protected keys. Lumma Stealer incorporated App-Bound Encryption bypasses enabling extraction of Chrome passkeys and session tokens even when encrypted at rest. RisePro 2.0 shifted to a relay-proxy architecture while intercepting Chromium passkeys and Cloudflare 2FA tokens.

Rhadamanthys introduced “continuous sync” mechanisms that harvest newly created credentials in real time. Nova Stealer focused heavily on cloud developer credentials including AWS profiles, Azure CLI tokens, and GitHub PATs. Browser-in-the-Middle (BitM) attacks emerged as a new technique, with malicious proxies capturing active session tokens to bypass MFA protections. This evolution demonstrates that modern credential theft targets both static credentials and replayable authentication artifacts.

8. Android Threats Surge with NFC Relay Attacks and Banking Trojans

The Android ecosystem faced sophisticated threats in 2025, particularly NFC relay attack malware enabling unauthorized tap-to-pay transactions. PhantomCard transformed infected devices into remote payment instruments via dedicated control panels, while SuperCardX evolved into a full Malware-as-a-Service ecosystem with subscription-based fraud tools. Banking trojans like Sturnus bypassed encrypted messaging platforms (WhatsApp, Telegram, Signal) to intercept MFA codes, while Herodotus employed human-behavior simulation to mimic natural user interactions.

APT groups intensified mobile surveillance with commercial-grade spyware like Landfall providing comprehensive surveillance suites, and state-linked actors deploying Android implants for espionage missions targeting diplomats and political entities. The convergence of financial fraud and espionage capabilities positions Android as a critical battleground for 2026.

9. Identity and OAuth Abuse Becomes Primary Attack Vector

Modern authentication flows became prime targets in 2025, with adversaries exploiting OAuth user experience weaknesses rather than traditional credential forms. Device-code phishing, popularized by Storm-2372, tricks victims into entering legitimate device codes on attacker-controlled pages, granting valid OAuth tokens that bypass MFA and session monitoring. OAuth authorization-code phishing campaigns proxy authentication flows and redirect tokens to attacker infrastructure, with some using AI-obfuscated phishing pages generating dynamic HTML variants that evade static detection.

Operators combined OAuth abuse with real-time 2FA interception kits like Sneaky2FA to achieve seamless account takeover. Direct Send relay abuse and DKIM replay attacks allowed threat actors to deliver phishing emails through trusted channels with valid signatures. This shift toward identity-centric attacks demonstrates that username/password theft is no longer the primary concern.
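Because a device-code phish ends with a legitimate token issued to the attacker’s host, the sign-in log is where it shows up. The following is an added example (not code from the report or from Cyble): it scans sign-in records for device-code-flow logins whose source IP never appeared in that user’s ordinary sign-ins during a baseline window. The record shape loosely follows Microsoft Entra sign-in logs, where the `authenticationProtocol` field reads `deviceCode` for this flow; that mapping, and all users, addresses and timestamps, are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (users, IPs, countries and times are made up). The field
# "authenticationProtocol" is assumed to carry "deviceCode" for device code flow logins.
SIGNINS = [
    {"user": "alice@example.test", "time": "2025-11-03T08:02:00", "ip": "198.51.100.10",
     "authenticationProtocol": "authorizationCode", "country": "GB"},
    {"user": "alice@example.test", "time": "2025-11-03T09:15:00", "ip": "198.51.100.10",
     "authenticationProtocol": "authorizationCode", "country": "GB"},
    # Device code redeemed from an address this user has never signed in from: the footprint
    # of device-code phishing, where the attacker's host completes the flow.
    {"user": "alice@example.test", "time": "2025-11-03T09:41:00", "ip": "203.0.113.77",
     "authenticationProtocol": "deviceCode", "country": "NL"},
    # Legitimate device-code use (e.g. a CLI login) from the user's usual network.
    {"user": "bob@example.test", "time": "2025-11-03T10:00:00", "ip": "192.0.2.5",
     "authenticationProtocol": "authorizationCode", "country": "US"},
    {"user": "bob@example.test", "time": "2025-11-03T10:30:00", "ip": "192.0.2.5",
     "authenticationProtocol": "deviceCode", "country": "US"},
]

def parse(record):
    return datetime.fromisoformat(record["time"])

def detect_device_code_anomalies(signins, baseline_window=timedelta(days=30)):
    """Flag device-code sign-ins whose source IP is absent from the user's non-device-code
    sign-ins in the preceding window (a user with no baseline at all is flagged too).
    Returns (user, ip, time) tuples; the issued tokens stay valid until revoked, so an
    alert should feed session and refresh-token revocation, not just a ticket."""
    by_user = defaultdict(list)
    for r in sorted(signins, key=parse):
        by_user[r["user"]].append(r)
    alerts = []
    for user, records in by_user.items():
        for i, r in enumerate(records):
            if r["authenticationProtocol"] != "deviceCode":
                continue
            t = parse(r)
            known_ips = {p["ip"] for p in records[:i]
                         if p["authenticationProtocol"] != "deviceCode"
                         and t - parse(p) <= baseline_window}
            if r["ip"] not in known_ips:
                alerts.append((user, r["ip"], r["time"]))
    return alerts

if __name__ == "__main__":
    for alert in detect_device_code_anomalies(SIGNINS):
        print("device-code sign-in from unfamiliar address:", alert)
```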

10. Threat Actor Ecosystem Fragments with Collaborative Networks

The threat actor landscape in 2025 showcased both fragmentation and unexpected collaboration. Analysis of 9,817 incidents revealed that prolific actors like Sentap (888 incidents), miyako, Sorb, and Big-Bro dominated data brokerage and access sales across underground forums. The emergence of “Scattered LAPSUS$ Hunters” as a coordinated supergroup uniting Scattered Spider, LAPSUS$, and ShinyHunters demonstrated sophisticated alliance-building within the English-speaking cybercrime network “The Com.” Despite operating under multiple threat designations (UNC3944, UNC6395, UNC6040), the group coordinated supply chain attacks affecting Google, Salesforce, Zscaler, and Cloudflare.

Meanwhile, the market showed low concentration—top three access sellers controlled just 5% of total posts—indicating widespread opportunistic participation. The dual nature of specialized high-volume actors and fragmented opportunistic sellers creates a complex, adaptive threat environment resistant to traditional disruption.

Conclusion

The 2025 threat landscape reveals a cybersecurity environment defined by resilience, adaptation, and convergence. Ransomware operators integrate AI automation, hacktivists target critical infrastructure, and supply chain attacks exploit trust relationships at unprecedented scale. As we enter 2026, organizations must prioritize identity protection, rapid vulnerability patching, supply chain security, and behavioral detection capabilities. The threats documented in Cyble’s comprehensive report call for the adoption of proactive, intelligence-driven strategies to counter adversaries who are increasingly sophisticated, well-resourced, and globally coordinated.
