Experts at global cybersecurity company ESET identify the most critical developments expected to shape the cybersecurity sector in 2025. From the rise of malicious technologies to the strengthening of regulatory frameworks, the following trends emerge as the most important for the year ahead:
In 2024, RansomHub established itself as the leading Ransomware-as-a-Service (RaaS) group in the market, displacing LockBit from the top spot. It is expected that RansomHub will maintain this position in 2025. However, the RaaS sector is highly competitive, with constant innovation and changes in partnership strategies as cybercriminals seek to attract more partners and increase their revenue. If a competitor manages to demonstrate greater profitability, it is likely that specialist partners will review their alliances.
EDR (Endpoint Detection and Response) killer tools have become a key element in ransomware attacks. For 2025, it is predicted that more advanced threat actors will further upgrade these tools, making them even more sophisticated, better protected and harder to detect. As security tools such as EDR remain a significant obstacle for cybercriminals, they are expected to intensify their efforts to either remove or neutralize them.
New players attempting to enter the RaaS ecosystem will likely choose to develop their encryptors in languages such as Rust or Go, a trend that allows a single codebase to target multiple platforms.
Looking at the geopolitical changes anticipated in 2025, a possible deregulation of social media and technology companies is predicted. This change may degrade the quality of content, accompanied by a rapid increase in spam, scam and phishing campaigns created with AI tools, a trend that has already started to emerge since 2024.
Low-quality content generated by AI can act as a trap for vulnerable social media users, who can then be targeted through disinformation campaigns. This strategy could manipulate users, turning them into "online multipliers" who amplify malicious campaigns. This tactic could semi-automate the functions of the content farms and troll farms currently used by rival states and groups.
At the same time, attackers are likely to exploit the recently released small open-source GPT-style models by training them on data from intercepted conversations on social media accounts. This would allow them to mimic the way victims communicate, facilitating more convincing forms of fraud, such as family-emergency or romance scams.
In 2025, a significant increase in fake or duplicate accounts of celebrities and public figures on social media is also expected. These malicious profiles will likely use deepfake videos and other AI-generated content to boost their credibility. This makes it even more imperative to use authentication tools such as "verification signals" provided by social media platforms.
We are fairly confident that Operation Magnus signaled the end of the RedLine Stealer. Although the creator of RedLine has not yet been caught, it is unlikely that he will try to revive the malware, especially since he has been publicly identified and charged by law enforcement.
The other key part of RedLine's operation, namely its partners, are likely to want to disengage, since law enforcement authorities now hold a database of their usernames and last-used IP addresses. While this may not be enough to identify the people behind these aliases in every case, they are now being sought by law enforcement authorities.
Consequently, in 2025 we expect that the power vacuum created by the RedLine takedown will lead to increased activity from other players in the MaaS (Malware-as-a-Service) infostealer space.
In 2024, ESET analyzed new attacks targeting Android and iOS mobile devices that leveraged a novel attack vector. These attacks are based on the use of Progressive Web Apps (PWAs) and WebAPKs, which bypass traditional security measures by tricking users into installing malicious apps. These applications mimic legitimate banking environments and capture login credentials, passwords and two-factor authentication codes, which attackers then use to gain unauthorized access to victims' accounts.
In 2025, the use of PWAs and WebAPKs for malicious purposes is expected to increase, as they provide cybercriminals with an easy and efficient way to distribute phishing applications without the need for approval from application stores. The nature of these technologies allows attackers to target users on different platforms, enhancing the scalability and flexibility of attacks.
Based on attacks using PWAs and WebAPKs, we expect some increase in threats focused on the iOS platform in 2025. Historically, Apple's strict App Store policies have made it difficult to distribute malicious apps, leading users to believe that iOS devices are inherently secure. However, threats can also spread through alternative channels, such as malicious websites, phishing attacks, compromised email attachments, social engineering tactics, and malicious ads placed on search engines, social media, and websites, none of which rely on the App Store for distribution. On the other hand, Apple tends to react to new threats and update its security mechanisms.
We are likely to see an increase in mobile and non-mobile malware that leverages the open-source Flutter software development kit (SDK). Flutter is designed for building multi-platform applications and simplifies development, so it could also be used to create and distribute malware and trojanized applications more effectively. For example, some SpyLoan applications have already abused this SDK. Threat actors also use Flutter as a way to complicate reverse engineering efforts. Whether the use of Flutter for such purposes will increase in 2025 will depend on several factors, including whether threat actors take up the Dart programming language. It is important to note that the cybersecurity community is actively creating new tools and techniques to analyze and understand the intricacies of Flutter applications.
With the October 2024 deadline for transposition of the NIS2 Directive now passed, its cybersecurity requirements have become binding in the EU Member States that have transposed it into national law. However, so far only a few countries have completed this process, while major economies such as Germany and France are expected to adopt the Directive in 2025. The incorporation of NIS2 will not be completely uniform across all member states, meaning that organisations seeking compliance will need to take into account local specifics and requirements.
While micro and small businesses are largely exempt from the obligations of the Directive, larger companies operating in critical sectors may require support from their suppliers and partners in meeting their cybersecurity incident reporting obligations. This means that suppliers, regardless of size, need to be prepared or risk being excluded from future partnerships and procurements.
The tightening of security measures introduced by NIS2 may push cybercriminals to turn to more vulnerable targets, such as companies that are not within the scope of the Directive. Moreover, companies that fail to comply with the highest security standards risk becoming targets for extortion, repeating the scenario seen after the implementation of the GDPR in 2018, when ransomware gangs exploited the regulation as a tool to pressure their victims.
Meanwhile, in 2024, the EU moved to adopt significant new cybersecurity legislation. The AI Act was introduced with the aim of regulating AI systems, focusing on transparency and building trust. The Cyber Resilience Act (CRA) focuses on ensuring the security of products with digital components, while the Cyber Solidarity Act created a network of interconnected Security Operations Centres (SOCs) across the EU. This momentum will continue in 2025, supported by additional strategies and new funding to strengthen the EU's cyber defence capabilities, a key priority of the new European Commission.
ESET's 2024 research revealed that China-linked threat actors focused on deploying and maintaining VPNs as a key means of perpetrating malicious campaigns. This strategy offers them anonymity and flexibility, making it difficult to detect and contain their activity. We expect this tactic to be heavily used and further developed in the foreseeable future. There is also a growing concern about these China-linked groups targeting telecommunications companies - particularly in the US - which will likely continue to have an impact well into 2025.
For 2025, we also expect cyber-attacks to remain an aspect of armed conflicts around the world. In the Russia-Ukraine war, while cyber sabotage was a major focus in the first year, we are now seeing a decline in such operations and an increase in cyber espionage activities, which have always been a major focus. As the Kremlin waits to see the new US President's position on this conflict, we expect that these cyber espionage operations will continue both in Ukraine and in countries that have supported Ukraine's war efforts, while sabotage operations could become less prevalent in the coming months.
At the start of the Israel-Hamas conflict we saw a similar development for cyber espionage groups linked to Iran. At the beginning of the conflict they were trying to cause damage to Israeli society. Over time, they also refocused on cyber espionage, often targeting organizations that have information necessary for actions targeting Israel. However, with the recent evolution of the war and the fact that Hezbollah and Hamas have suffered significant losses, we do not expect the potentially gathered intelligence to be useful at this time.