
Cybersecurity Threat Landscape in 2025 TLP: CLEAR



This report was produced to predict cybersecurity events in 2025 by leveraging comprehensive Cyber Threat Intelligence expertise, industry trends, and insights into emerging technologies and adversarial tactics, techniques and procedures.


For further information or a demonstration of our products, please visit our website: elemendar.ai. If you would like a PDF version, please email us at cti@elemendar.ai. Previous Threat Intelligence Updates can be found HERE.


A glossary for terms used in our reporting is available HERE.




Executive Summary



The cyber threat landscape in 2025 is highly likely to grow more complex, driven by geopolitical tensions, advancements in AI, and the ever-expanding attack surface due to increased digital transformation. Threat actors, ranging from nation-states to empowered amateurs, will continue to adapt their TTPs, leveraging emerging technologies to exploit vulnerabilities and achieve their objectives.


The 2025 cyber threat landscape is likely to present significant challenges for both businesses and countries. For businesses, ransomware and data breaches are almost certain to result in increased financial losses, including costs associated with ransom payments, regulatory fines, legal fees and operational disruptions, with small and medium-sized enterprises likely to be disproportionately affected due to limited resources.



The expanding attack surface, driven by IoT and cloud adoption, is likely to cause more frequent and severe disruptions in critical sectors like healthcare, manufacturing, and logistics. Breaches compromising customer data and intellectual property are highly likely to erode trust, damage reputations, and lead to lost market opportunities. Increased regulatory oversight on data protection and cyber resilience is likely to add compliance burdens, particularly for organisations navigating cross-border data complexities. Fears of exploitation through emerging technologies like AI and quantum computing are also likely to hinder innovation as companies delay adoption.


National security risks will escalate as geopolitical tensions drive cyberattacks on CNI, threatening essential services and public safety, while cyber espionage is likely to continue to undermine intellectual property and military capabilities. Cyberattacks are likely to have far-reaching economic consequences, including supply chain disruptions, market instability, and reduced investor confidence, compelling governments to divert resources to cybersecurity at the expense of other critical sectors.


Cyber operations will also intensify geopolitical tensions. Disinformation campaigns and cyber-enabled propaganda will erode public trust in democratic institutions, electoral processes, and government systems. To combat these threats, governments will face increased pressure to collaborate with international bodies, private sectors, and academia, balancing national sovereignty with the need for global cooperation.

 

2025 Threat Landscape at a Glance




1. AI-Driven Threats

Artificial Intelligence (AI) will be weaponised at scale by threat actors. Key developments include:


  • AI-Augmented Attacks: Threat actors will use AI to automate reconnaissance, exploit development, and phishing campaigns. AI-enabled malware will adapt in real time, increasing detection challenges.

  • Deepfake Technology: Deepfakes will evolve beyond disinformation campaigns to include spear-phishing and social engineering attacks targeting executives and high-value targets.


2. Ransomware Evolution

Ransomware will remain a dominant threat, but TTPs will evolve:


  • Data Destruction and Triple Extortion: Beyond encryption and data exfiltration, attackers will threaten public leaks, denial-of-service (DoS) attacks, or destruction of backups.

  • Targeting Operational Technology (OT): Critical infrastructure, including energy, healthcare, and manufacturing sectors, will face heightened risk as ransomware groups exploit OT vulnerabilities.



3. Cloud and Supply Chain Risks

The continued migration to cloud environments and reliance on third-party vendors will increase risks:


  • Cloud Exploitation: Misconfigurations, API vulnerabilities, and identity mismanagement will remain primary targets.

  • Software Supply Chain Attacks: Adversaries will increasingly compromise widely used software dependencies to gain access to multiple organisations.


4. Geopolitical and State-Sponsored Threats

Geopolitical conflicts will intensify cyber operations:


  • Proliferation of Cyber Mercenaries: Private groups operating under state direction or sponsorship will blur the lines between criminal and nation-state activity.

  • Critical Infrastructure Attacks: Nation-states will prioritise disruption of essential services, including power grids, transport networks, and financial institutions.



5. Quantum Computing and Cryptographic Risk

While quantum computing remains in its infancy, adversaries will prepare for a post-quantum future:


  • Harvest Now, Decrypt Later: Threat actors will focus on stealing encrypted data today with the aim of decrypting it when quantum capabilities become viable.

  • Cryptographic Modernisation Challenges: Organisations slow to adopt quantum-resilient encryption will face heightened risks.



6. IoT and Edge Device Vulnerabilities

The proliferation of Internet of Things (IoT) and edge devices will create new attack surfaces:


  • IoT Botnets: Attackers will leverage poorly secured IoT devices for DDoS attacks and lateral movement within networks.

  • Healthcare and Wearables: Exploitation of medical IoT devices and wearables will pose risks to patient safety and data integrity.


7. Emergence of Hacktivism 2.0

Social movements will increasingly leverage cyber tools for activism:


  • Hacktivist Alliances: Groups may collaborate with criminal or nation-state actors to achieve their goals.

  • Disruption Over Data Theft: Motivations will shift towards visibility and disruption, such as targeting financial systems or high-profile companies.


1. AI-Driven Threats

In 2025, Artificial Intelligence (AI) will be weaponised at an unprecedented scale by both state-sponsored and criminal threat actors. The convergence of AI's capabilities with evolving threat landscapes will lead to increasingly sophisticated and difficult-to-detect attacks. AI will not only enhance the efficiency of traditional cyberattacks but also enable entirely new classes of threats, posing significant challenges for organisations and governments alike.


AI-Augmented Attacks: AI has enhanced, and will continue to significantly enhance, threat actors’ capabilities by automating key phases of the attack lifecycle. AI-driven tools will enable faster and more precise reconnaissance, allowing adversaries to scan networks, systems, and social profiles to build detailed victim profiles and identify vulnerabilities. Machine learning will streamline exploit development and refine malware, creating polymorphic threats that evade traditional detection. Phishing campaigns will be transformed, as AI generates highly personalised, context-aware messages that mimic legitimate communications, greatly improving success rates. AI-enabled malware will dynamically adapt its behaviour in real time, bypassing security measures and challenging defenders to adopt equally advanced countermeasures.


Deepfake Technology: Deepfake technology, driven by AI, is highly likely to extend beyond disinformation campaigns to pose diverse and sophisticated threats. Threat actors are likely to leverage deepfakes for spear-phishing and social engineering, impersonating executives or trusted figures in real-time video or audio to extract sensitive information or authorise fraudulent transactions. Fabricated compromising content used for extortion or reputational damage, particularly against high-profile individuals or organisations, is highly likely to increase. In cyber-physical environments, deepfakes may undermine trust in critical systems by mimicking government officials or authoritative figures, spreading false directives during crises, and sowing confusion or public distrust.



2. Ransomware Evolution

In 2025, ransomware is almost certain to remain a global cyber epidemic, affecting organisations across industries and geographies, most likely with increasing sophistication and scale. No sector will be immune, but critical infrastructure, particularly energy, healthcare, and manufacturing, will face elevated risks as ransomware groups exploit Operational Technology (OT) vulnerabilities to cause widespread disruption and public safety concerns.


Globally, the interconnected nature of supply chains and digital ecosystems will amplify the ripple effects of ransomware incidents, causing financial losses, operational disruptions, and erosion of public trust. As ransomware groups become more organised and professionalised, often operating as part of transnational cybercriminal networks, the challenge of attribution and law enforcement will grow. International collaboration among governments, businesses, and cybersecurity vendors will be essential to combat the ransomware threat, with a focus on proactive defences, intelligence sharing, and fostering a collective response to this persistent threat.


Data Destruction and Triple Extortion: Threat actors are likely to move beyond the traditional model of data encryption and exfiltration, increasingly adopting "triple extortion" strategies. This approach will not only involve demanding payment to restore data but also threatening to publicly leak sensitive information and launch DoS attacks to disrupt operations. Deliberate destruction of backups is also likely to be seen, leaving victims with limited recovery options and increasing the pressure to pay ransoms. These tactics heighten the stakes for organisations, particularly those handling sensitive or proprietary data.


Targeting OT: OT systems are integral to critical infrastructure sectors such as energy, healthcare, and manufacturing. Exploiting OT vulnerabilities allows threat actors to cause significant operational disruption, jeopardising public safety and economic stability. For example, an attack on an energy provider’s OT network could halt electricity delivery, while a ransomware incident in healthcare could compromise patient care by disabling medical devices or accessing sensitive patient records.


3. Cloud and Supply Chain Risks

In 2025, cloud and supply chain risks will present significant challenges as organisations continue their rapid digital transformation. The migration to cloud environments will expand the attack surface, with adversaries exploiting misconfigurations, API vulnerabilities, and identity management flaws to access sensitive data and disrupt operations. Software supply chain attacks are likely to escalate, as threat actors target widely used software dependencies and third-party vendors to infiltrate multiple organisations from a single breach point.


Cloud Exploitation: Increased cloud exploitation, allowing attackers to compromise critical systems, access sensitive data, and disrupt services, is highly likely to be observed. As organisations increasingly adopt multi-cloud and hybrid architectures, ensuring consistent security practices across these environments will be essential to mitigate risks and maintain operational resilience.


Software Supply Chain Attacks: Software supply chain attacks are likely to pose an increasing threat as threat actors exploit the interconnected nature of modern business ecosystems. Compromising widely used software dependencies or third-party vendors allows attackers to infiltrate multiple organisations through a single point of failure. Such attacks can lead to far-reaching consequences, including operational disruption, data breaches, and reputational damage, emphasising the need for robust vendor risk management, code integrity verification, and continuous monitoring of supply chain security.


4. Geopolitical and State-Sponsored Threats

The threat landscape from hostile nation states continues to grow, but the intent of these actors varies. Russia continues to use cyber operations to further its geopolitical aims with attacks on CNI, political interference and espionage. China’s espionage capabilities are vast, but focused on stealing intellectual property to further its technology sectors and drive its military’s upgrades. The growth of Iran’s and North Korea’s cyber capabilities has been stark. Iran’s targeting of the energy and financial sectors in the Middle East is highly likely indicative of its intent to capture a sphere of influence in the area and advance its own position as a regional power. North Korea’s attacks, on the other hand, are highly likely motivated by financial gain as a means to subvert the economic sanctions against it. While intent amongst these actors varies, it is almost certain that geopolitical events will drive an increase in the overall scale of cyber threats.


Proliferation of Cyber Mercenaries: There is an increasing trend of cyber mercenaries being employed by nation states and corporate organisations. The use of mercenaries enables offensive action with plausible deniability for the hirer, and also enables nation states with advanced cyber capabilities to leverage influence with developing nations and profitable organisations by lending their capabilities. Corporate organisations have also used mercenaries to further their aims and for financial gain. Cyber mercenaries enable corporate organisations to target competitors and steal intellectual property whilst obfuscating their involvement.



Critical Infrastructure Attacks: Nation states, particularly Russia, have shown the capability and willingness to target CNI. The disruption and destruction of CNI through cyber means has enabled nation states to target adversaries via sub-threshold methods unlikely to result in state-on-state conflict. Cyber attacks on CNI can disrupt the political and economic stability of nations, enabling the attacker to further their own geopolitical aims. In addition, cyber provides nation states a means for controlled escalation outside of undeniable conventional action, highlighting the scale of destruction the attacker can unleash if provoked. With the Middle East and the war in Ukraine highlighting the increasingly precarious state of geopolitics, it is highly likely the threat to CNI will remain extant over the next 12 months.


5. Quantum Computing and Cryptographic Risk

Quantum computing will remain in its early stages but is likely to increasingly influence the cybersecurity landscape, particularly in the realm of cryptography. Threat actors, especially nation-states, are likely to intensify "harvest now, decrypt later" campaigns, stealing encrypted data today with the expectation that future quantum advancements will enable decryption. This looming threat will push organisations to accelerate the adoption of quantum-resistant encryption standards to safeguard sensitive information. However, the transition to post-quantum cryptography will be complex and resource-intensive, with organisations facing challenges in updating legacy systems and ensuring interoperability across global operations. As quantum capabilities continue to evolve, the risk of cryptographic obsolescence will heighten, making proactive planning, investment in quantum-safe solutions, and international collaboration essential to secure critical data and maintain trust in digital systems.


Harvest Now, Decrypt Later: The "harvest now, decrypt later" strategy will pose a significant threat as adversaries, particularly nation-states, prioritise the theft of encrypted data. Their aim is to store this data until quantum computing advancements render current cryptographic methods obsolete, enabling decryption. Sensitive information, including government communications, intellectual property, and financial data, will be primary targets, with the potential for far-reaching consequences once quantum capabilities mature.



Cryptographic Modernisation Challenges: The transition to quantum-resilient encryption will present considerable challenges for organisations, especially those with legacy systems and complex infrastructures. Slow adopters will face heightened risks as existing cryptographic methods become vulnerable to emerging quantum capabilities. Updating encryption across global networks, ensuring interoperability, and maintaining compliance with evolving regulatory requirements will require substantial resources and coordination. Organisations that delay modernisation risk becoming prime targets for adversaries exploiting outdated cryptographic methods, underscoring the urgency of proactive planning and investment in quantum-safe technologies.
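As an added illustration (not part of the Elemendar report), the following Python script classifies a constructed sample of TLS and SSH settings by how quantum computing affects them, separating primitives that Shor's algorithm breaks outright (and which therefore expose recorded traffic to "harvest now, decrypt later") from symmetric ciphers that Grover's algorithm only weakens; the sample setting names and the `classify()`/`inventory()` helpers are the example's own, and the verdicts follow the standard analysis behind the NIST post-quantum standards (FIPS 203 ML-KEM, FIPS 204 ML-DSA, FIPS 205 SLH-DSA).

```python
"""
Quantum-exposure inventory for a constructed list of TLS/SSH settings.

Added example, not from the report: a first step in the cryptographic
modernisation the text describes is knowing which configured primitives
are broken outright by a cryptographically relevant quantum computer and
which merely lose strength.  Public-key schemes based on factoring or
discrete logarithms (RSA, DH, ECDH, ECDSA, Ed25519) fall to Shor's
algorithm, so traffic recorded today is decryptable later; symmetric
ciphers lose roughly half their effective key length to Grover's
algorithm, so AES-128 becomes ~64-bit while AES-256 remains adequate.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
import re

# Public-key primitives broken by Shor's algorithm (word-boundary matched).
SHOR_BROKEN = ("RSA", "DHE", "ECDHE", "ECDH", "ECDSA", "X25519", "ED25519", "DSA")
# NIST post-quantum standards and the hybrid groups that include them.
PQ_SAFE = ("ML-KEM", "MLKEM", "KYBER", "ML-DSA", "SLH-DSA")


@dataclass
class Finding:
    setting: str
    verdict: str   # "exposed", "weakened", "safe" or "unknown"
    reason: str


def _symmetric_bits(setting: str) -> Optional[int]:
    """Return the key length implied by an AES/ChaCha20 cipher name, if any."""
    up = setting.upper()
    m = re.search(r"AES[_-]?(\d{3})", up)
    if m:
        return int(m.group(1))
    if "CHACHA20" in up:
        return 256
    return None


def classify(setting: str) -> Finding:
    """Classify one cipher suite, key-exchange group or key type."""
    up = setting.upper()
    # A hybrid such as X25519MLKEM768 is safe because the ML-KEM half holds
    # even when X25519 is broken, so the post-quantum check comes first.
    if any(tag in up for tag in PQ_SAFE):
        return Finding(setting, "safe", "post-quantum KEM/signature present")
    if any(re.search(rf"(^|[^A-Z]){tag}([^A-Z]|$)", up) for tag in SHOR_BROKEN):
        return Finding(setting, "exposed",
                       "public-key scheme breakable by Shor; recorded traffic decryptable later")
    bits = _symmetric_bits(setting)
    if bits is not None:
        if bits >= 256:
            return Finding(setting, "safe",
                           f"{bits}-bit key keeps ~{bits // 2}-bit strength under Grover")
        return Finding(setting, "weakened",
                       f"{bits}-bit key drops to ~{bits // 2}-bit strength under Grover")
    return Finding(setting, "unknown", "no recognised primitive in name")


def inventory(settings: List[str]) -> Dict[str, List[str]]:
    """Group settings by verdict so migration work can be prioritised."""
    out: Dict[str, List[str]] = {"exposed": [], "weakened": [], "safe": [], "unknown": []}
    for s in settings:
        out[classify(s).verdict].append(s)
    return out


# Constructed sample of what a configuration audit might collect.
SAMPLE_SETTINGS = [
    "ECDHE-RSA-AES128-GCM-SHA256",  # TLS 1.2 suite: ECDHE exchange, RSA signature
    "TLS_AES_128_GCM_SHA256",       # TLS 1.3 suite; key exchange is configured separately
    "TLS_AES_256_GCM_SHA384",
    "x25519",                       # TLS 1.3 supported group, classical only
    "X25519MLKEM768",               # hybrid group: X25519 plus ML-KEM-768
    "ssh-ed25519",                  # SSH host key type
    "rsa-sha2-512",
]

if __name__ == "__main__":
    for verdict, items in inventory(SAMPLE_SETTINGS).items():
        print(f"{verdict:9s} {items}")
```

The "exposed" bucket is the harvest-now-decrypt-later exposure: data protected by those settings today is at risk regardless of key size, whereas the "weakened" bucket only needs a move to 256-bit symmetric keys.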


6. IoT and Edge Device Vulnerabilities

Security of IoT and Edge Devices remains weak and will almost certainly increase the attack surface for threat actors. In 2023, the proportion of IoT devices with vulnerabilities was assessed at 14%. In 2024, it rose to 33%. Outdated software, use of weak encryption and weak authentication mechanisms continue to be common flaws in both commercial and industrial IoT devices. The poor security measures have seen an increase in the use of IoT Botnets and data exfiltration through these means. The proliferation of Edge Devices, while improving response times, also poses a risk when the weak measures listed above are combined with a lack of centralised monitoring. This risk is compounded by the increasing usage of IoT and Edge Devices in industrial control systems. Without security changes, it is highly likely these devices will be increasingly used to target industry and CNI in the next 12-24 months.


IoT Botnets: The poor security of IoT devices has enabled the creation of IoT Botnets. 2024 has seen an alarming growth in their use. Newer Botnets such as Mozi and Gafgyt have been seen taking over home routers and security cameras, which are then redirected against other targets. Industry has seen a surge of DDoS attacks using IoT Botnets. BT noted a 1,200% rise in cyber-attack signals on its network between 2023 and 2024. In the same period, US utilities have seen a 70% increase in the number of IoT Botnet attacks on their infrastructure. A variety of actors are utilising these Botnets for a number of purposes. DDoS can be used to mask other activity such as data exfiltration, and APTs, including state-sponsored groups, utilise them to target increasingly digitised CNI. The use of IoT Botnets will almost certainly continue to rapidly increase amongst a variety of threat actors.



Healthcare and Wearables: Healthcare has seen a substantial increase in IoT devices being used to regulate many of its systems. As a result, a surge in attacks targeting the weak security of IoT has occurred. 2024 saw the Mozi Botnet being used to target hospitals in Europe and the US by targeting medical devices and patient monitoring systems. Mirai 2.0 was also used to target smart infusion pumps in the US to attack patient data management systems. Healthcare provides lucrative rewards to threat actors, with over $22 million reportedly generated from one attack on Change Healthcare alone. The use of wearables for medical and personal health purposes has also increased the attack surface for espionage. Financially motivated threat actors have used stolen wearables data to sell adware targeting individuals based on their current health state. State-sponsored actors have also used wearables to target persons of interest to understand their daily routines. Healthcare and the health industry are highly likely to continue their expansion, and the attack surface available will almost certainly increase as a result.


7. Emergence of Hacktivism 2.0

Hacktivist groups across a spectrum of causes have adapted to the increasing digitisation of government and businesses across the globe. The increased transmission and storage of sensitive information online has given ample opportunity to target organisations that don’t meet the hacktivists’ social, racial and environmental aims. In addition, social media continues to grow in usage and provides hacktivists with a platform to promote their ideals, damage their opponents through information release and recruit support globally.


Hacktivist Alliances: Hacktivists across the globe have shown an increased willingness to coordinate and are likely to continue to do so. The motivations include shared adversaries and a shared desired end-state. In 2024, for instance, Anonymous, which works on a number of social issues, partnered with a number of niche activist groups, including LulzSec and AnonGhost, to work on common goals around social activism in France and Israel. In addition, many organisations use the same platforms for their operations, such as Doxbin for data leaks. The shared platform provides a mutual ground which is likely to enable greater communication and cooperation.



Disruption Over Data Theft: Exfiltration of data has been a key element of hacktivist operations in 2024. The rapid digitisation of government and multinational corporations has increased the attack surface for hacktivists to exploit. With more sensitive information stored online, hacktivists continue to seek out data on organisations and governments to expose corruption and malfeasance, and to obtain personal data on individuals as leverage to force change within those organisations. Digitisation is almost certain to continue for the public and private sectors, and hacktivists are almost certain to weaponise this to further their own aims.

Conclusion


The cyber threat landscape in 2025 will demand that organisations place an unwavering focus on resilience and proactive defence strategies. The sophistication of adversaries, coupled with the rapid evolution of technology, means that a reactive approach will no longer suffice. Instead, organisations must be proactive, building layered and adaptive security frameworks that can withstand the challenges of this dynamic environment. Critical investments in threat intelligence, AI-driven defences, and secure-by-design principles will form the cornerstone of an effective cybersecurity strategy.


Collaboration will be essential. Governments, private sectors, and cybersecurity vendors must work together to share intelligence, develop standards, and implement coordinated responses to emerging threats. Public-private partnerships, along with international cooperation, will be crucial in addressing the cross-border nature of cyber risks, particularly in areas such as supply chain security and critical infrastructure protection.


To prepare for these evolving threats, organisations must focus on the following priorities:


Strengthen Supply Chain Security

The interconnected nature of modern business ecosystems means that vulnerabilities in third-party vendors or partners can have far-reaching consequences. Organisations should conduct thorough due diligence on suppliers, enforce robust contractual cybersecurity requirements, and implement continuous monitoring systems to detect and respond to potential breaches within the supply chain.


Adopt Zero Trust Architectures

In a world where breaches are a realistic inevitability, adopting a Zero Trust approach is essential. By verifying all users, devices, and actions within a network, organisations can limit lateral movement, reduce attack surfaces, and minimise the impact of potential breaches. This approach must extend to cloud environments, IoT devices, and remote work setups to ensure comprehensive security.


Invest in Threat Intelligence

Predictive and actionable threat intelligence will be a key advantage in 2025, and proactive AI-driven cybersecurity solutions (such as READ by Elemendar) will be pivotal in achieving this. Organisations should leverage intelligence-sharing platforms, collaborate with industry peers, and deploy advanced tools like READ to extract, process, and analyse threat intelligence at scale. AI and machine learning will play a crucial role in identifying patterns, detecting anomalies, and responding to threats in real time, enabling organisations to anticipate and mitigate emerging risks with greater precision and speed.


Embrace Post-Quantum Cryptography

The looming threat of quantum computing requires organisations to future-proof their encryption methods. Transitioning to quantum-safe encryption standards is not only a necessary step for protecting sensitive data but also a proactive move to mitigate the "harvest now, decrypt later" strategies employed by advanced threat actors.


Foster a Cyber-Resilient Culture

Beyond technology, human factors will remain a critical aspect of cybersecurity. Organisations must prioritise training and awareness programmes to ensure employees are equipped to recognise and respond to threats, such as phishing and social engineering. A cyber-resilient culture involves empowering teams to take an active role in safeguarding the organisation, whilst fostering a “no blame” culture when employees report potential intrusions.


Enhance Incident Response and Recovery Plans

Resilience also means being prepared to respond to and recover from attacks quickly. Organisations should regularly update and test their incident response plans, incorporate lessons learned from past incidents, and ensure alignment with industry best practices. Disaster recovery plans should account for scenarios involving ransomware, supply chain compromises, and critical infrastructure outages. Contingency plans for maintaining operations should be adopted wherever practicable, particularly in the CNI and healthcare sectors, where operational disruption increases the threat to life and national instability.



Annex A: References

1. AI-Driven Threats

https://www.ncsc.gov.uk/report/impact-of-ai-on-cyber-threat
https://www.crowdstrike.com/en-us/cybersecurity-101/cyberattacks/ai-powered-cyberattacks/
https://www.gov.uk/government/publications/research-on-the-cyber-security-of-ai/cyber-security-risks-to-artificial-intelligence
https://www.malwarebytes.com/cybersecurity/basics/risks-of-ai-in-cyber-security
https://macaonews.org/news/city/macau-news-legislators-deepfake-images-ai-macao/

2. Ransomware Evolution

https://www.ncsc.gov.uk/collection/ncsc-annual-review-2024/chapter-01
https://www.scworld.com/brief/u-k-cybersecurity-chief-warns-of-increasing-cyber-threats
https://securityintelligence.com/articles/roundup-the-top-ransomware-stories-of-2024/
https://www.ncsc.gov.uk/news/risk-facing-uk-widely-underestimated-cyber-chief-to-warn-in-first-major-speech
https://www.sentinelone.com/cybersecurity-101/cybersecurity/ransomware-examples/

3. Cloud and Supply Chain Risks

https://csrc.nist.gov/CSRC/media/Projects/Supply-Chain-Risk-Management/documents/briefings/Workshop-Brief-on-Cyber-Supply-Chain-Best-Practices.pdf
https://www.scmr.com/article/analyzing-the-supply-chain-risks-behind-the-top-data-breaches-in-2024#:~:text=In%202024%2C%20cyberattacks%20targeting%20critical,and%20the%20digital%20supply%20chain.
https://ico.org.uk/about-the-ico/research-reports-impact-and-evaluation/research-and-reports/learning-from-the-mistakes-of-others-a-retrospective-review/supply-chain-attacks/#:~:text=A%20supply%20chain%20attack%20is,services%20that%20you%20rely%20on.

4. Geopolitical and State-Sponsored Threats

https://www.ncsc.gov.uk/collection/ncsc-annual-review-2024
https://www.phoenixs.co.uk/resources/blog/understanding-state-sponsored-cyber-attacks
https://cybertechaccord.org/cyber-mercenaries-a-growing-threat-prompting-collective-action-at-the-2024-summit-for-democracy
https://www.ncsc.gov.uk/collection/annual-review-2023/resilience/case-study-securing-cni
https://www.reuters.com/technology/cybersecurity/cyberattacks-us-utilities-surged-70-this-year-says-check-point-2024-09-11/

5. Quantum Computing and Cryptographic Risk

https://www.ncsc.gov.uk/whitepaper/preparing-for-quantum-safe-cryptography
https://www.ibm.com/topics/quantum-safe-cryptography
https://threatresearch.ext.hp.com/anticipating-the-quantum-threat-to-cryptography/#:~:text=Capture%20and%20decrypt%20attacks&text=An%20attacker%20can%20intercept%20and,security%20requirement%20has%20been%20broken.
https://www.americanscientist.org/article/is-quantum-computing-a-cybersecurity-threat

6. IoT and Edge Device Vulnerabilities

https://www.infosecurity-magazine.com/news/iot-vulnerabilities-entry-point
https://www.checkpoint.com/cyber-hub/network-security/what-is-iot/iot-botnet/
https://www.wired.com/story/alphv-change-healthcare-ransomware-payment/
https://www.cloudflare.com/en-gb/learning/ddos/glossary/mirai-botnet/

7. Emergence of Hacktivism 2.0

https://www.secalliance.com/blog/the-changing-landscape-of-hacktivism?utm_
https://www.sentinelone.com/labs/cybervolk-a-deep-dive-into-the-hacktivists-tools-and-ransomware-fueling-pro-russian-cyber-attacks/


Probability Language


This document uses probability language based on assessment. Further information can be found in the image below: 



Feedback


We welcome your feedback; it ensures we meet your needs.

Please contact our CTI Director at: CTI@elemendar.ai

Acknowledgements

Authored by

Paul Montgomery, CTI Director Elemendar

Matt Orwin, CTI Analyst

