ENISA Threat Landscape 2025: Key Cybersecurity Threats Shaping Europe

Understanding the ENISA Threat Landscape 2025 Report

The ENISA Threat Landscape 2025 report represents the European Union Agency for Cybersecurity’s most detailed annual assessment of the cyber threat environment facing Europe. Published in October 2025, this landmark document analyzes 4,875 curated cybersecurity incidents collected between July 2024 and June 2025, providing organizations, policymakers, and security professionals with critical intelligence for defending against evolving threats. The report draws from open-source intelligence, anonymized data from EU Member States, and contributions from the ENISA Cyber Partnership Programme, making it the most authoritative cybersecurity assessment available for the European region.

What makes the 2025 edition particularly significant is its revised methodology. ENISA adopted a threat-centric approach with enhanced contextualization, moving beyond simple incident cataloging to provide deeper analysis of threat actor motivations, attack techniques, and sector-specific impacts. The report reveals that 79.4% of assessed incidents were ideology-driven — primarily hacktivist DDoS campaigns — while 13.4% were financially motivated and 7.2% linked to cyberespionage operations. For organizations working to strengthen their EU cybersecurity strategy, these findings offer an essential foundation for risk-based decision-making.

The dataset comes with important caveats worth noting. Open sources do not provide a complete picture of the threat landscape — cyberespionage incidents, for example, often emerge with delays of six months to four or more years, while DDoS and ransomware attacks generate near-immediate visibility. Additionally, 28.5% of analyzed incidents lacked specific sector attribution. Despite these limitations, the report’s scale and rigor make it indispensable for any European organization building or refining its cybersecurity posture.

Phishing Attacks Dominate as Primary Intrusion Vector

Phishing remains the undisputed king of initial intrusion vectors in the ENISA Threat Landscape 2025, accounting for approximately 60% of all attack entry points. This encompasses traditional email phishing, voice phishing (vishing), malspam campaigns, and increasingly sophisticated malvertising operations. The second most common vector, vulnerability exploitation, represents 21.3% of intrusions — but with a crucial difference: while only 27% of phishing attempts led to successful intrusions, a striking 70% of vulnerability exploitation attempts culminated in full intrusions, with 68% resulting in malicious code deployment.

Several advanced phishing techniques gained significant momentum during the reporting period. The ClickFix social engineering method emerged as a particularly dangerous innovation, using fake CAPTCHA prompts on compromised or fraudulent websites to trick users into executing PowerShell commands. This technique proved effective at deploying infostealers and loaders, and was adopted by both cybercriminal groups and state-aligned intrusion sets. The ClearFake campaign alone, which distributed the Lumma and Vidar infostealers via compromised WordPress sites, generated 9,300 confirmed infections across Europe.

The industrialization of phishing through Phishing-as-a-Service (PhaaS) platforms represents another alarming trend. The Darcula platform impersonated over 200 organizations and targeted victims in more than 100 countries. The Lucid platform supported phishing campaigns via iMessage and RCS messaging, reaching 169 targets across 88 countries. Perhaps most concerning, the FlowerStorm adversary-in-the-middle kit successfully mimicked Microsoft 365 portals and bypassed multi-factor authentication. QR code phishing — dubbed “quishing” — also advanced through the Scanception campaign, which embedded malicious QR codes in PDF attachments that redirected to credential harvesting pages hosted on trusted cloud platforms, specifically targeting EU users. As documented by the Europol IOCTA 2025 report, these industrial-scale phishing operations represent a fundamental shift in the cybercrime ecosystem.

Ransomware Trends and Cybercrime Statistics in 2025

Ransomware continues to dominate the post-intrusion threat landscape, accounting for a staggering 83.5% of all malicious code deployments following successful breaches. Combined with banking trojans and infostealers, criminal malware represents 87.3% of all intrusion outcomes. The data breach consequences are severe: 68.6% of recorded intrusions resulted in data being leaked on criminal forums, while 30.2% involved data exfiltration for credential theft (8.9%) or strategic data collection (21.3%).

The ransomware ecosystem experienced notable disruption and reorganization during the reporting period. Operation Cronos’s impact on LockBit was evident in sector-specific data — the once-dominant group was notably absent from public administration ransomware statistics. However, new actors rapidly filled the vacuum. NightSpire emerged as the leading ransomware strain targeting government entities (41.7% of public sector ransomware), followed by SafePay (33.3%) and Stormous (25%). In the transport sector, Akira led ransomware deployments at 12.9%, with INC Ransom and Cl0p each at 9.7%. The Split Airport incident in Croatia demonstrated the real-world impact when Akira ransomware disrupted flight operations, causing temporary service suspensions.

Financial extortion schemes also evolved beyond traditional ransomware. Brand spoofing emerged as a creative criminal tactic — threat actors sent email extortion demands impersonating the CL0P ransomware group, while others mailed physical ransom letters using BianLian branding. The FunkSec group blended political messaging with financial extortion via its FunkLocker ransomware, illustrating the growing convergence between hacktivism and cybercrime. Organizations exploring how digital transformation creates cybersecurity risks will find these evolving extortion models particularly relevant to their threat modeling.

DDoS Attacks and Hacktivist Threat Activity

Distributed denial-of-service attacks account for an overwhelming 76.7% of all incidents in the ENISA Threat Landscape 2025, driven almost entirely by hacktivist groups. The sheer volume of DDoS campaigns reflects a geopolitical reality: hacktivist collectives, often aligned with state interests, use service disruption as their primary weapon of choice. The top hacktivist threat actor by a significant margin is NoName057(16), responsible for 66.7% of hacktivist attacks targeting public administration and maintaining dominant positions across virtually every targeted sector.

DarkStorm Team emerged as the second most active hacktivist group (20% in public administration targeting), followed by Keymous+ (13.3%) and Mysterious Team Bangladesh. These groups consistently timed their campaigns around politically sensitive events — bilateral security agreements with Ukraine, national elections, and polarizing policy decisions all served as triggers. In the financial sector, hacktivist DDoS campaigns peaked around elections, with banks bearing the brunt (69% of financial sector DDoS targeting). NoName057(16) accounted for 71.1% of attacks against financial institutions, reflecting a deliberate strategy to maximize economic disruption and media coverage.

The ENISA report highlights an important analytical caveat regarding DDoS dominance in the statistics. Because DDoS attacks are immediately visible and publicly claimed (often on Telegram channels), they naturally dominate open-source incident reporting. More sophisticated operations like cyberespionage may take years to surface. However, the operational impact of sustained DDoS campaigns against critical infrastructure should not be dismissed. The report notes that hacktivist operations occasionally serve as cover for more sophisticated state-directed activities occurring simultaneously, a tactic known as “faketivism” — where state-aligned intrusion sets operate under hacktivist personas. Cyber Army of Russia Reborn, linked to Russia’s Sandworm group, and CyberAv3ngers, connected to Iran’s IRGC, exemplify this concerning trend.

State-Sponsored Cyber Espionage Targeting Europe

Cyberespionage represents 7.2% of assessed incidents but carries disproportionate strategic significance. The ENISA Threat Landscape 2025 identifies four primary state-nexus threat clusters targeting Europe: Russia-nexus actors (including APT28, APT29, Turla, Sandworm, and GoldenJackal), China-nexus groups (APT31, Mustang Panda, APT17, Salt Typhoon, APT41), India-nexus actors (led by the emerging Sidewinder group), and DPRK-nexus operations (Famous Chollima, Lazarus, Kimsuky). Public administration was the most targeted sector for state-sponsored operations, with Russia-nexus actors responsible for 39% of incidents, India-nexus for 31.7%, and China-nexus for 24.4%.

Several state-sponsored campaigns during the reporting period demonstrated particularly concerning capabilities. The Salt Typhoon campaign, attributed to China-nexus actors, targeted telecommunications infrastructure across at least three EU Member States, active since at least December 2024. This campaign specifically targeted telecom providers to gain access to communications metadata and content — a classic intelligence collection pattern. In the transport sector, China-nexus groups including Mustang Panda, UNC5221, and APT41 focused on maritime, shipping, and logistics entities, aligning their targeting with Belt and Road Initiative strategic interests.

Russia-nexus operations evolved their tradecraft significantly. APT29 and Sandworm adopted commercial residential proxy networks and commodity infostealers — tools traditionally associated with cybercriminals — to complicate attribution. Sandworm’s targeting of Signal and WhatsApp accounts in Ukraine, including linking Signal accounts from battlefield devices, demonstrated the intersection of cyber operations with kinetic military intelligence. Turla’s takeover of Transparent Tribe’s infrastructure for false-flag operations added another layer of complexity to attribution challenges. The EU Cybersecurity Strategy recognizes these state-sponsored threats as among the most significant risks to European sovereignty and digital autonomy.

AI-Powered Cyber Threats and Emerging Attack Vectors

Artificial intelligence emerged as both a powerful weapon and a vulnerable target in the ENISA Threat Landscape 2025. The most striking statistic: over 80% of phishing emails analyzed between September 2024 and February 2025 used AI to some extent, whether for crafting convincing lure text, personalizing messages, or automating campaign management. Deepfake technology expanded into vishing attacks and online fraud schemes, while state-nexus actors from China, Iran, and North Korea actively used platforms like Google Gemini and OpenAI ChatGPT for reconnaissance, research, and developing techniques to evade anomaly detection systems.

The underground AI ecosystem matured considerably. Jailbroken and purpose-built malicious LLMs including WormGPT, EscapeGPT, and FraudGPT were used for social engineering content generation and tool development. North Korea’s Famous Chollima group used AI to create convincing LinkedIn profiles and communications for their fraudulent IT worker schemes. The Xanthorox AI system represented an evolution in threat actor operational security — running entirely on local servers to avoid detection by cloud-based AI providers. AI was also weaponized as a lure vector: fraudulent websites impersonating popular AI platforms including Kling AI, Luma AI, Canva Dream Lab, and DeepSeek-R1 delivered malware to users seeking AI tools.

Perhaps most concerning for the long-term threat landscape is the emergence of AI supply chain attacks. Threat actors poisoned machine learning models and PyPI packages to introduce vulnerabilities into AI development pipelines. The “Rules File Backdoor” technique targeted AI coding assistants like Cursor and GitHub Copilot, potentially injecting malicious code suggestions into developers’ workflows. A new concept called “slopsquatting” — exploiting AI hallucinations that consistently reference non-existent packages — was introduced as a novel supply chain attack vector. Vulnerabilities discovered in production AI systems, including Langflow, Microsoft 365 Copilot, and an OpenAI ChatGPT server-side request forgery flaw (CVE-2024-27564), underscored that AI platforms themselves represent an expanding attack surface.

Supply Chain Security Vulnerabilities and Digital Dependencies

Supply chain compromises and digital dependency exploitation emerged as critical themes in the ENISA Threat Landscape 2025. Cybercriminals and state-sponsored actors increasingly targeted third-party service providers as force-multiplying entry points into multiple downstream organizations. The Plus Service breach in March 2025 exemplified this strategy — the compromise of a single Italian transport provider paralyzed the Mobilita di Marca ticketing system for two days and impacted Busitalia Veneto and ATM Milano’s operations. In Germany, the BVG external provider attack in May 2025 exposed 180,000 customer records from Berlin’s transit authority.

Digital supply chain exploitation took increasingly sophisticated forms. North Korea’s Lazarus group maintained a persistent campaign of planting malicious npm packages in GitHub repositories dating back to 2022, with activity increasing throughout the reporting period. The detection of sprawling secrets — API keys, credentials, and tokens committed to code repositories — increased by 25% between 2023 and 2024, creating a vast landscape of exploitable access points. A late-2024 campaign compromised multiple Chrome browser extensions, specifically targeting AI and VPN extensions where users had elevated trust levels.

Operation Digital Eye, a China-nexus cyberespionage campaign discovered in mid-2024, specifically targeted IT service providers in Southern Europe — reportedly without success, but demonstrating the strategic value state actors place on compromising managed service providers. Spain’s Repsol saw customer data compromised through a provider breach. For organizations seeking to understand the intersection of digital transformation and security exposure, the ENISA findings reinforce that supply chain risk management is no longer optional but an operational imperative under NIS2 requirements. The NIST Cybersecurity Framework provides complementary guidance for organizations building supply chain security programs.

Sector-Specific Cybersecurity Risks Across Europe

The ENISA Threat Landscape 2025 provides granular sector-by-sector analysis revealing distinct threat profiles for each industry. Public administration bore the heaviest burden at 38.2% of all incidents — a dramatic increase from 19% in the previous year’s report. France (27%), Italy (26.3%), Germany (16.2%), Spain (15.3%), and Poland (15.1%) were the most targeted EU Member States for government cyberattacks. Regional government entities accounted for 24.4% of known targets, with municipalities proving particularly vulnerable to ransomware campaigns.

The transport sector (7.5% of incidents) showed distinctive sub-sector targeting patterns. Air transport received the highest share at 58.4%, followed by logistics (20.8%), water transport (12.9%), road (5.9%), and rail (2.0%). Hacktivist DDoS accounted for 87.6% of transport incidents, often triggered by countries’ bilateral security agreements with Ukraine. In the financial sector (4.5%), banking institutions bore 69% of the DDoS burden, with campaigns peaking around elections and politically sensitive events. Manufacturing (2.9%) rose from seventh to fourth place among NIS2 sectors compared to the previous year, reflecting growing threat actor interest in industrial targets.

Digital infrastructure and services (4.8%) presented a complex threat picture. Telecommunications providers (25.1% of the sector) faced particular risk from state-sponsored espionage, with the Salt Typhoon campaign impacting at least three EU Member States. The DPRK-nexus Famous Chollima and DeceptiveDevelopment operations specifically targeted digital service providers through fraudulent IT worker placements. Overall, essential entities as defined under the NIS2 Directive accounted for 53.7% of all incidents, underscoring the urgency of compliance for organizations in scope of European cybersecurity regulation.

NIS2 Compliance and Building Cyber Resilience

The ENISA Threat Landscape 2025 findings carry direct implications for NIS2 compliance and organizational cyber resilience strategies. With essential entities comprising 53.7% of all targeted organizations and public administration incidents doubling year-over-year, the regulatory urgency is clear. Organizations must implement comprehensive risk management measures that address the full spectrum of threats identified — from phishing and ransomware to supply chain compromises and AI-enabled attacks. The report’s data provides an evidence base for prioritizing security investments: if 60% of intrusions begin with phishing, robust email security, user awareness training, and anti-phishing technologies deserve proportional budget allocation.

Building effective cyber resilience requires addressing the threat convergence trend highlighted throughout the report. The blurring of lines between hacktivism, cybercrime, and state-sponsored operations means that organizations can no longer design defenses against a single threat actor category. A hacktivist DDoS campaign may serve as cover for a state-sponsored intrusion. A ransomware group may leverage techniques pioneered by intelligence services. An AI-generated phishing campaign may combine criminal infrastructure with state-developed malware. Effective defense requires layered security architectures, threat intelligence integration, and incident response plans that account for hybrid and multi-vector attacks.

The mobile device threat landscape — accounting for 42.4% of threat categories — deserves special attention in resilience planning. The proliferation of Android banking trojans like Medusa and BingoMod, state-aligned spyware targeting messaging applications, and the exploitation of fundamental protocol vulnerabilities in SS7 and Diameter signaling systems all point to mobile security as a critical gap. Organizations should implement mobile device management solutions, enforce application whitelisting on corporate devices, and educate users about the risks of outdated mobile operating systems. The ENISA report serves as both a warning and a roadmap — organizations that align their security programs with its findings will be better positioned to defend against the evolving European threat landscape in the years ahead.