The boundaries that traditionally separate state-sponsored and cybercriminal actors continued to blur in 2025, further complicating the attribution process. The exploitation of legitimate applications and services for malicious purposes can, for example, no longer be viewed as a hallmark of reputedly state-sponsored groups.
Social engineering techniques have also grown increasingly innovative, going beyond simple tech support scams. Attackers employing these techniques have furthermore shown interest in the more advanced tools provided by artificial intelligence, though this does not yet signify a complete paradigm shift.
In order to reach their ends, attackers continue to exploit vulnerabilities – massively and opportunistically or in a more targeted manner, depending on their objective. Vulnerabilities affecting edge devices, and solutions exposed on the internet more generally, can be exploited particularly quickly.
Simultaneously, in a context of escalating global geopolitical tensions, state-sponsored actors have persisted in their efforts to compromise diplomatic entities and gather strategic intelligence. As in previous years, intrusion sets reputedly linked to the Russian and Chinese intelligence services have been observed.
In the cybercriminal sphere, the use of ransomware generally appears to be declining – a sharp contrast to the significant increase observed in the use of data exfiltration. Once again in 2025, ANSSI was nonetheless able to use data leaks affecting these very actors to better understand how they operate.