In 2024 and into 2025, cybersecurity experts foresee an escalating landscape of advanced cyber threats, driven by both technological advancements and shifting geopolitical dynamics.
This compilation of expert insights from ESET researchers provides a glimpse into the evolving tactics and trends across various domains, including ransomware, AI-driven scams, mobile threats, and nation-state cyber espionage.
Ransomware (Jakub Souček, ESET Senior Malware Researcher)
“In 2024, RansomHub has established itself as the leading RaaS group in the market, replacing the disrupted LockBit service. We expect RansomHub to stay in that position well into 2025. However, RaaS is a very competitive cybercriminal environment where gangs often come up with innovations and changes to their affiliate programs, trying to attract more partners and grow in profitability. If some of the competitors turn out to be more profitable, skilled affiliates may very well modify their alliances.
EDR killers have become a common part of ransomware attacks. In 2025 we expect the most advanced actors to improve this type of tooling making it increasingly sophisticated, protected and harder to detect. What this trend shows is that security tools like EDR are a thorn in the side for cybercriminals and they will try hard to remove them or at least turn them off.
Most newcomers trying to earn their spot in the RaaS ecosystem will most likely code their encryptors in Rust or Go, as is the trend with well-established groups, to allow wider spread of platforms to target with a single code.”
AI-driven Threats (Juraj Jánošík, ESET Head of Automated Systems and Intelligent Solutions)
“Anticipating geopolitical shift in 2025, we foresee the potential deregulation of social media and tech companies. This change may lead to a degradation of content quality, coupled with a rapid increase in AI-generated spam, scam, and phishing campaigns – a trend we’ve already observed in 2024.
Low-quality AI-generated content may also serve as a lure for vulnerable social media users, who could subsequently become targets of disinformation campaigns and be manipulated into becoming its ‘online amplifiers’. This tactic could semi-automate the operations of content farms and troll farms currently used by adversarial states and groups.
We predict that attackers may utilise recent advancements in small open-source GPT models, training them on data from hijacked social media accounts. This could allow them to imitate communication styles and impersonate victims in a variety of scams, such as family emergency or romance scams, thereby making these fraudulent activities more convincing.
In 2025, we also project an increase in the number of fake or duplicate accounts for celebrities and other public figures on social media. These malicious profiles will use deepfake videos and other AI-generated content to appear legitimate and trustworthy, thereby increasing the importance of authenticity verification tools like verified badges on social media.”
Infostealers (Alexandre Côté Cyr, ESET Malware Researcher)
“We are quite certain that Operation Magnus spelled the end of RedLine Stealer. Even though the creator of RedLine has not been arrested yet, and could in theory try to rebuild, it is unlikely that he would try to resurrect the malware, especially after, he has been publicly identified and charged by law enforcement.
The other key part of RedLine operation – namely its affiliates – will also probably want to move on, since law enforcement now has the database with their usernames and last used IP. While this might not be enough to identify the people behind those aliases in every case, they are now considered ‘Very Important to the Police’.
Therefore we expect that in 2025 the power vacuum left by RedLine’s takedown will lead to a bump in the activity of other MaaS infostealers.”
Mobile Threats (Lukáš Štefanko, ESET Senior Malware Researcher)
“In 2024, ESET analysed attacks utilising a novel compromise vector targeting Android and iOS mobile devices. It leverages Progressive Web Apps (PWAs) and WebAPKs to bypass traditional security measures and trick users into installing malicious apps that steal banking credentials. These apps mimic legitimate banking interfaces, enabling attackers to capture login details, passwords, and two-factor authentication codes, which are then used to gain unauthorized access to victim’s accounts.
As cybercriminals continue to innovate, the use of PWAs and WebAPKs for malicious purposes is likely to increase also in 2025. These technologies provide a convenient and effective means for attackers to distribute phishing applications without needing app store approvals. The cross-platform nature of PWAs also allows attackers to target a broader audience, making these types of attacks more scalable and versatile.
Based on the attacks utilising PWAs and WebAPKs, we anticipate some increase in threats focusing on the iOS platform in 2025. Historically, the stringent policies of the Apple App Store have made it challenging to distribute malicious apps, leading users to believe that their iOS devices are inherently secure. However, threats can also be disseminated through alternative channels, such as malicious websites, phishing attacks, compromised email attachments, social engineering tactics, and malicious ads placed in search engines, on social media, and on websites, none of which rely on the App Store for distribution. On the other hand, Apple tends to react to new threats and update its security mechanisms.
We are likely to see an increase in mobile and non-mobile malware leveraging the open-source Flutter software development kit (SDK). Flutter is designed for building multiplatform applications and simplifies development and could also be used to create and distribute malware and trojanized apps more efficiently. For instance, some SpyLoan apps have already exploited this SDK, as detailed in our previous analysis. Threat actors are also using Flutter as an anti-analytical tool to complicate reverse engineering efforts. Whether the utilisation of Flutter for such purposes will rise in 2025 will depend on various factors, including threat actors learning the Dart programming language. Important to note, the cybersecurity community is actively creating new tools and techniques to dissect and understand the intricacies of Flutter applications.”
Governmental Affairs (Andy Garth, ESET Director of Government Affairs)
“With the October 2024 transposition deadline reached, NIS2 is obligatory in EU countries that have adopted it into national law. Currently, only a few have done so, with major countries like Germany and France expected to implement it in 2025. This transposition will not be identical across the EU states, thus organisations aiming for compliance must be aware of local specificities.
While micro and small companies are mostly exempted, larger enterprises in selected critical sectors may demand support from their suppliers, including smaller companies, to meet reporting obligations in case of a cyber incident. Suppliers and vendors of all sizes thus have to be prepared or risk being excluded from future consideration.
Stricter security measures in certain sectors governed by NIS2 could drive cybercriminals to focus on easier targets, such as organizations not subject to the Directive.
Organisations unable to meet the mandatory higher standards set by the Directive, could also face increased risk of extortion. This potential situation might echo the scenario witnessed after GDPR entered into force in 2018 when ransomware gangs began using the regulation as leverage against their victims.
2024 also saw the approval of new EU cyber legislation, including the AI Act, designed to regulate AI systems with a focus on transparency and trust; the Cyber Resilience Act (CRA), ensuring the cybersecurity of products with digital elements; and the Cyber Solidarity Act, which establishes a network of interconnected SOCs across the EU. This momentum is set to continue in 2025, supported by additional strategies and new financing aimed at strengthening the EU’s cyber defense capabilities, a key priority of the new European Commission.”
Advanced Persistent Threats (APT) (Jean-Ian Boutin, ESET Director of Threat Research)
“According to ESET research in 2024, the China-aligned threat actors focused on developing and maintaining VPN networks to perpetrate their malicious campaigns. We expect this compromise vector to be heavily used and developed further also in the foreseeable future. There is also a growing concern about these China-aligned groups targeting telecommunications companies – especially in the US – which will probably continue to have impact well into 2025.
For 2025, we also expect cyber attacks to remain an aspect of armed conflicts around the world. In the Russia-Ukraine war, while cyber sabotage was heavily emphasised in the first year, we now observe a decline in such operations and a rise in espionage activities, which have always been a significant focus. As the Kremlin is waiting to see the new US president’s position regarding this conflict, we expect these cyber espionage operations to continue both in Ukraine and also in countries that have been supporting Ukraine war efforts while the sabotage operations could be less prevalent in the upcoming months.
At the onset of the Israel-Hamas conflict we saw a similar development for Iran-aligned cyber groups. In the beginning of the conflict they were trying to inflict damage to the Israeli civil society, burning a lot of previously gathered access. But over the time, they have also refocused on espionage, often targeting organisations that have information necessary for kinetic actions targeting Israel. However, with the recent development in the war and the fact that the Hezbollah and the Hamas have suffered significant losses, we don’t expect any of the potentially gathered information to be very useful for now.”
Emergence of Deepfake-Powered Malicious Digital Twins
Trend Micro, a global cybersecurity leader, has issued a warning about the growing threat of highly customized, AI-powered cyberattacks that could transform scams, phishing, and influence operations in 2025 and beyond.
In their 2025 cybersecurity predictions report, The Easy Way In/Out: Securing The Artificial Future, Trend Micro highlights the risks posed by AI-driven attacks, particularly in the realm of hyper-personalized threats. Mick McCluney, ANZ Field CTO at Trend, emphasized the importance of vigilance as generative AI becomes more integrated into businesses. He stressed that cybersecurity is no longer just a technical concern but a broader business risk that can deeply impact strategic decisions.
One of the more concerning predictions in the report involves “digital twins,” where personal information is used to train AI models that mimic a person’s identity. Combined with deepfake technology and biometric data breaches, these could facilitate identity fraud or manipulation through realistic impersonations, making attacks more difficult to detect.
Ways to Counter:
- Data Minimization & Encryption: Limit the amount of personal and sensitive information stored or shared online. Encrypt data to reduce the effectiveness of breaches.
- AI Behavior Monitoring: Implement AI systems that can monitor and detect abnormal behavior, such as attempts to replicate employee identities or mimic personal communication styles.
- Employee Training: Educate staff on the risks of deepfake technology and digital impersonation, ensuring they are vigilant to unusual communication patterns.
- Advanced Authentication: Utilize multi-factor authentication (MFA) and biometric verification to prevent unauthorized access, making it harder for attackers to impersonate employees.
AI technologies, including deepfakes and generative language models (LLMs), could be used for large-scale, hyper-personalized attacks that enhance business email compromise (BEC), “fake employee” scams, and even romance scams. Attackers could use these AI-generated personalities to deceive victims, manipulate emotions, and lure them into fraudulent schemes.
Ways to Counter:
- AI-powered Anti-Phishing Tools: Implement AI-driven solutions that analyze email patterns and behaviors to identify phishing attempts or deceptive messages.
- Email Verification Systems: Use tools like DMARC, DKIM, and SPF to verify email authenticity and prevent spoofing.
- Behavioral Analytics: Leverage behavioral analytics to monitor interactions and identify suspicious activity that could indicate a scam or fraud attempt.
- Incident Response Plans: Have a robust, AI-informed incident response plan in place to address and quickly mitigate the impact of AI-driven scams.
The report also highlights the risks associated with the increased adoption of AI across industries in 2025. Businesses will need to be alert to threats such as the hijacking of AI agents to carry out unauthorized actions, unintentional information leaks, and denial-of-service attacks driven by AI resource consumption.
Ways to Counter:
- AI Security Monitoring: Regularly audit and monitor AI systems to detect potential manipulation or unauthorized actions. Ensure that security measures are in place to prevent AI hijacking.
- Data Leak Prevention Tools: Implement AI-based data loss prevention (DLP) tools that detect and prevent sensitive information from being leaked inadvertently.
- System Resource Management: Deploy AI that automatically adjusts or limits resource usage to avoid denial-of-service attacks or malicious resource consumption.
- AI Authentication: Harden AI agents with strong authentication mechanisms to prevent unauthorized control.
Beyond AI, Trend Micro’s report outlines other key areas of concern, including vulnerabilities in memory management, container escapes, and common exploits like SQL injections. The report also forecasts more sophisticated ransomware attacks that will evade detection by exploiting gaps in endpoint detection and response (EDR) tools, potentially using advanced techniques such as “bring your own vulnerable driver” (BYOVD).
Ways to Counter:
- Patch Management & Regular Updates: Keep all systems and software updated to mitigate vulnerabilities, including those targeting memory management, containers, and APIs.
- Enhanced EDR Solutions: Implement advanced EDR tools with machine learning capabilities to detect and respond to sophisticated attacks, even those using techniques like BYOVD.
- Application Security: Regularly test applications for vulnerabilities, focusing on common exploits such as XSS and SQL injections. Employ secure coding practices to prevent them.
- Ransomware Prevention: Utilize backup solutions that are air-gapped from the main network, implement network segmentation, and employ behavior-based detection to catch ransomware early.
In response to these emerging threats, Trend Micro recommends a proactive, risk-based approach to cybersecurity. Businesses should prioritize AI security, implement centralized risk assessment systems, and ensure that staff are trained to recognize new AI-driven threats. Additionally, securing AI technology itself—through sandbox environments, prompt injection prevention, and multi-layered defenses—is essential. Trend also suggests investing in end-to-end visibility into AI agents and utilizing attack path prediction tools to mitigate risks, especially in the cloud.
Ways to Counter:
- Comprehensive Risk Management: Adopt a centralized, risk-based approach that assesses and prioritizes vulnerabilities across the enterprise, from cloud to on-premise assets.
- AI and Threat Intelligence Platforms: Implement platforms that consolidate threat intelligence and assist with predictive attack path analysis, offering real-time insight into potential attack vectors.
- Regular AI Training and Testing: Ensure all AI systems undergo rigorous training and testing for potential security flaws or vulnerabilities. Maintain a continuous improvement cycle to adapt to new threats.
- Multi-Layered Defenses: Implement layered security defenses (such as firewalls, intrusion detection systems, and endpoint security) across the organization, with particular focus on cloud systems and supply chains.
Keep up to date with our stories on LinkedIn, Twitter, Facebook and Instagram.
Expert insights from ESET researchers and Trend Micro highlight evolving trends in ransomware, and AI-driven scams Security, cybersecurity Dynamic Business
