Today we publish our annual Threat Landscape Report, covering the cyber threats that affected Union entities and their ecosystem in 2025. The report is based on our analysis of malicious activities of interest tracked throughout the year, using the analytical standards defined in our Cyber Threat Intelligence Framework, which we published earlier this year.
A more complex and diversifying threat landscape
In 2025, we identified at least 174 distinct threat actors engaged in malicious activity against Union entities or their ecosystem, a significant increase from 110 in 2024. Cyberespionage and prepositioning remained the dominant motive, accounting for 38% of recorded activity, but cybercrime grew to represent 30% of observations, reflecting both a genuine trend and the result of our expanded monitoring through automation and artificial intelligence.
Based on assessments by trusted partners and reliable sources, the largest share of attributable activity was associated with China-linked threat actors, closely followed by Russia-linked threat actors. Threat actors linked to China primarily conducted broad exploitation of vulnerabilities and supply-chain compromises, while threat actors linked to Russia continued to focus on entities in Ukraine and EU countries supporting Ukrainian efforts.
Internet-facing systems remain the highest-impact target
For the second consecutive year, the exploitation of vulnerabilities in internet-facing software was the initial access vector with the highest impact. CERT-EU responded to nine significant incidents in 2025, down from 15 in 2024. Vulnerability exploitation was the initial access vector in seven of these, including two zero-day compromises. Edge devices such as firewalls, VPN appliances, and network management solutions remained the primary targets, with Fortinet, Ivanti, Cisco, and Palo Alto products accounting for the bulk of observed attacks.
Our analysis identified 198 software products used by Union entities that were targeted or exploited, up from 110 in 2024.
Social engineering evolves beyond e-mail
A notable shift in 2025 was the diversification of social engineering techniques. E-mail-based spearphishing declined from 41% to 31% of initial access attempts, while voice phishing, Adversary-in-the-Middle attacks, ClickFix attacks, and device-code authentication abuse grew in prominence.
In one of the most significant campaigns of the year, threat actor UNC6040 used voice phishing to trick employees at over 90 organisations worldwide into authorising malicious OAuth applications in their Salesforce environments. Several vendors for Union entities were among those affected.
Threat actors also increasingly leveraged artificial intelligence to enhance their campaigns, including voice cloning, personalised phishing content, and deepfakes of officials. In a notable development, a reportedly China-linked threat actor directed a jailbroken agentic AI system against 30 entities across multiple sectors, achieving autonomous intrusion in a small number of cases.
Global events continue to shape cyber operations
We analysed 44 distinct events linked to malicious cyber activity, spanning conferences and summits, elections, conflicts, sanctions, and other geopolitical developments. Threat actors used these events both as lures in social engineering campaigns and as triggers for reactive operations such as hacktivism and digital foreign interference.
Eight national elections in EU and neighbouring countries were targeted, most accompanied by DDoS attacks from pro-Russia supposed hacktivists. Destructive attacks remained rare outside direct conflict zones, but the Sandworm-attributed attempted wiper attack on a Polish renewable energy operator in December demonstrated that such attacks can reach EU territory.
Partners and service providers as indirect pathways
For the first time, this year’s report includes a dedicated analysis of threats targeting partner organisations. We observed 178 cases of malicious activity targeting 90 partner organisations, with public administrations accounting for 60% of this activity. Threat actors used trusted relationships with partners as a beachhead from which to try to reach Union entities, primarily through credential phishing from compromised partner e-mail accounts and data exposure from partner breaches.
We also tracked malicious activity affecting 32 service providers supporting Union entities. In one case, the compromise of a service provider with access to a Union entity’s internal systems led to a significant incident. Intrusions into telecommunications providers were recurrent and carried significant downstream risk.
Looking ahead to 2026
The report concludes with strategic foresight and ten prioritised recommendations. Among the key trends we anticipate:
- social engineering will continue to expand beyond e-mail into voice, messaging, and browser-based channels
- identity and authorisation systems will become an increasingly important attack surface
- supply-chain attacks will deepen beyond code dependencies into the broader SaaS integration ecosystem
- and AI-enabled social engineering will become significantly more scalable.
Our top recommendation remains the timely patching of internet-facing systems and edge devices: the single highest-impact defensive action based on our 2025 data. We also recommend that Union entities transition to phishing-resistant multi-factor authentication and adopt end-to-end encryption as the default for sensitive communications.
Read the full report
The full Threat Landscape Report 2025 is available for download on our website. The report is classified TLP:CLEAR and may be shared without restriction.
We welcome constructive feedback at services@cert.europa.eu.
About CERT-EU
CERT-EU is the Cybersecurity Service for the Union institutions, bodies, offices and agencies, established under Regulation (EU, Euratom) 2023/2841. Under the Cybersecurity Regulation, CERT-EU acts as the central cybersecurity hub for all Union entities, providing threat intelligence, incident response coordination, vulnerability management, and security guidance. CERT-EU also supports Union entities in implementing their cybersecurity risk-management frameworks and issues calls for action to raise the collective level of cybersecurity across the EU institutional ecosystem.