Table of contents
- The role of ENISA in the cyber security landscape
- The threat landscape in 2025
- The convergence of criminal groups
- The reuse of offensive tools
- TTPs: why they matter more than indicators
- The evolution of ransomware
- Social engineering and identity-based attacks
- Software supply chain and indirect attacks
- Operational implications for technical teams
Every year, the ENISA Threat Landscape report represents one of the most important documents for understanding the real state of cyber threats at a global level. Published by the European Union Agency for Cyber Security, the report analyzes attacks, vulnerabilities, and strategies used by malicious actors, offering a detailed overview of emerging trends.
For professionals working in the field of cyber security, this type of analysis falls squarely within the activities of Threat Intelligence, meaning the process of collecting, analyzing, and interpreting information about threats in order to improve the ability to prevent and respond to cyberattacks.
However, the ENISA Threat Landscape 2025 reveals a significant shift compared to previous years. It is not just about new techniques or new malware, but about a deeper transformation: the convergence between criminal groups, the systematic reuse of offensive tools, and the adoption of increasingly standardized tactics.
For cyber security technical teams, this means that defense can no longer rely solely on indicators of compromise or individual attack signatures. It is necessary to understand the TTPs (Tactics, Techniques and Procedures) used by malicious actors, analyze the dynamics of cybercrime, and develop detection strategies based on behavioral analysis.
This article offers a critical reading of the report, focusing on the aspects most relevant to those who work daily in cyber security: SOC analysts, threat hunters, incident responders, and security architects.
The role of ENISA in the cyber security landscape
ENISA (European Union Agency for Cyber Security) is one of the most authoritative organizations in Europe in the field of cyber security. Its main mission is to support EU member states, European institutions, and the private sector in managing digital threats and developing resilience strategies.
Among its most influential publications is the Threat Landscape, an annual report that collects data from:
- national incident response teams
- cyber security companies
- intelligence organizations
- academic communities
- open-source analysis
Unlike many commercial reports, the ENISA document does not have marketing objectives. Its purpose is to provide a systemic view of threats, identifying trends that may influence security policies across Europe.
For this reason, the Threat Landscape is often used as a reference by regulatory frameworks and technical guidelines, including those related to the NIS2 directive and European cyber resilience strategies.
The threat landscape in 2025
One of the most interesting aspects of the ENISA Threat Landscape 2025 is the persistence of some historical threats combined with the growing professionalization of malicious actors.
The most relevant attack categories remain:
- ransomware
- advanced malware
- software supply chain attacks
- social engineering
- data breaches and data theft
- attacks targeting service availability
The difference compared to the past lies not so much in the nature of the threats, but in the way they are organized and distributed.
Criminal groups increasingly operate like real digital companies. They structure their services, develop shared tools, and create collaborative ecosystems that make attacks more efficient and scalable.
This phenomenon is often referred to as crime-as-a-service, and it represents one of the main drivers behind the rise in cyber incidents in recent years.
The convergence of criminal groups
One of the key points highlighted in the report is the growing convergence among cybercriminal groups.
In the past, many criminal organizations developed proprietary tools. Today, however, we are witnessing a different phenomenon: the systematic reuse of tools, infrastructure, and techniques across seemingly distinct groups.
This means that the same malware or intrusion technique may be used by completely different actors.
The reasons behind this convergence are several:
- increasingly structured dark web markets
- availability of ready-to-use toolkits
- temporary collaborations between criminal groups
- exchange of exploits and compromised access
In practice, cybercrime is evolving toward a model similar to that of the digital economy.
There are providers of compromised access, malware developers, ransomware operators, and brokers who resell stolen data.
A simplified example of this chain can be represented as follows:
Initial Access Broker → Malware Developer → Ransomware Operator → Data Broker
This model lowers the barriers to entry in cybercrime and increases the speed at which new actors can launch sophisticated attacks.
The reuse of offensive tools
Another important trend highlighted by ENISA is the reuse of offensive tools.
Many criminal groups use publicly available toolkits or offensive frameworks originally developed for penetration testing.
Among the tools most frequently observed in incidents are:
- Cobalt Strike
- Metasploit
- Mimikatz
- Empire
- Sliver
These tools are not malware by themselves. They are legitimate platforms used by security professionals to simulate attacks and test the resilience of infrastructures.
The problem arises when they are used by malicious actors.
From a defensive perspective, this makes it much more difficult to distinguish between legitimate activity and hostile activity.
Example
A PowerShell command may be executed either by a system administrator or by an attacker attempting lateral movement within a network.
TTPs: why they matter more than indicators
The ENISA report clearly highlights a fundamental concept for modern defense: the need to focus on TTPs (Tactics, Techniques and Procedures).
Indicators of compromise such as file hashes or IP addresses are useful, but they have a limited lifespan.
Attackers can easily change:
- command-and-control servers
- malware hashes
- domains used in attacks
Techniques, however, tend to evolve much more slowly.
For this reason, many Security Operations Centers (SOCs) are adopting approaches based on the MITRE ATT&CK framework, which classifies the techniques used by threat actors during different stages of an attack.
One widely used technique is credential dumping, which involves extracting credentials from system memory.
A typical command used during such operations might be:
Invoke-Mimikatz -Command "privilege::debug sekurlsa::logonpasswords"
The ability to detect this kind of behavior is far more valuable than blocking a single malware hash.
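As an added illustration of the two points above (the same PowerShell activity can be benign or hostile, and a technique outlives any single indicator), the following script is example code written for this article, not ENISA's or any vendor's tooling. It triages three constructed script-block log entries (modelled loosely on Windows Event ID 4104, simplified to host, user and script text) with an IoC-style hash rule and with a behavioral rule for credential dumping (ATT&CK T1003.001); the hash is computed from the sample itself, and the host and user names are invented.

```python
import hashlib
import re

# Constructed sample log entries (not real telemetry): an administrator restarting a
# service, a known-bad credential-dumping script block, and the same technique with
# slightly different text (so its hash no longer matches the known sample).
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "jdoe",
     "script": "Get-Service -Name Spooler | Restart-Service"},
    {"host": "ws07", "user": "svc_backup",
     "script": 'Invoke-Mimikatz -Command "privilege::debug sekurlsa::logonpasswords"'},
    {"host": "ws09", "user": "adm-ops",
     "script": "Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords' "
               "| Out-File C:\\temp\\o.txt"},
]

# IoC-style rule: the SHA-256 of exactly one known script block (derived from the sample
# above, purely for the demonstration).
KNOWN_BAD_HASHES = {hashlib.sha256(SAMPLE_EVENTS[1]["script"].encode()).hexdigest()}

# Behavioral rule: match the procedure (mimikatz modules that read LSASS secrets),
# regardless of how the wrapper is named, quoted or piped.
CREDENTIAL_DUMP_PATTERNS = [
    re.compile(r"sekurlsa::logonpasswords", re.I),
    re.compile(r"privilege::debug", re.I),
    re.compile(r"lsadump::", re.I),
]


def ioc_match(event):
    """True only if the script block is byte-for-byte a known sample."""
    return hashlib.sha256(event["script"].encode()).hexdigest() in KNOWN_BAD_HASHES


def ttp_match(event):
    """Return the credential-dumping patterns found in the script block."""
    return [p.pattern for p in CREDENTIAL_DUMP_PATTERNS if p.search(event["script"])]


def triage(events):
    """Score every event with both rules so the two approaches can be compared."""
    return [{"host": ev["host"], "user": ev["user"],
             "ioc": ioc_match(ev), "ttp": ttp_match(ev)} for ev in events]


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

The admin's service restart triggers neither rule, the known sample triggers both, and the trivially altered variant is missed by the hash rule but still caught by the behavioral rule.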
The evolution of ransomware
Ransomware remains one of the main threats in 2025, but its evolution is significant.
Modern operations are no longer limited to encrypting data.
Many groups now adopt double extortion or triple extortion strategies, which include:
- data exfiltration
- threats of public disclosure
- attacks targeting partners or customers of the victim
This dramatically increases the pressure on affected organizations.
A modern ransomware attack often follows a pattern similar to this:
Initial access
↓
Privilege escalation
↓
Lateral movement
↓
Data exfiltration
↓
Encryption
↓
Extortion
This process may involve weeks of silent presence within the network, which is why early detection is crucial.
Social engineering and identity-based attacks
Another central theme in the report is the growing importance of identity-based attacks.
Many incidents do not begin with sophisticated exploits but with social engineering techniques.
Among the most common are:
- phishing
- spear phishing
- business email compromise
- vishing
These attacks exploit human weaknesses rather than technical vulnerabilities.
Example
A spear phishing attack could involve an email that mimics an internal corporate communication and persuades the user to enter their credentials on a fraudulent login page.
From a technical standpoint, this means that security cannot rely solely on firewalls or antivirus software.
It becomes essential to integrate:
- user awareness training
- multi-factor authentication
- behavioral detection systems
Software supply chain and indirect attacks
In recent years, software supply chain attacks have demonstrated how fragile the digital ecosystem can be.
When an attacker compromises a software supplier, they can potentially affect thousands of organizations simultaneously.
The SolarWinds case showed how malicious code can be inserted directly into the software build process.
In a simplified scenario:
Developer environment compromise
↓
Malicious code injected in build pipeline
↓
Signed update distributed
↓
Customers install compromised software
This type of attack is particularly difficult to detect because it exploits trusted update channels.
Operational implications for technical teams
The analysis of the ENISA Threat Landscape 2025 suggests several concrete operational implications for cyber security professionals.
First of all, organizations must shift their focus from prevention to early detection.
Attackers almost always manage to obtain an initial foothold. The real difference lies in the ability to identify the intrusion quickly.
Secondly, it becomes essential to adopt behavior-based security strategies.
This means analyzing:
- anomalies in logs
- suspicious account activity
- lateral movement within networks
- data exfiltration patterns
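One concrete form of the behavior-based analysis listed above, added here as example code rather than anything from the report: a sliding-window rule over constructed network logon records (modelled loosely on Windows Event ID 4624, logon type 3) that flags an account authenticating from one source to many distinct hosts in a short period, a common lateral-movement signal. The timestamps, account and host names are invented, and the window and threshold are assumed starting values to be tuned against a real environment's baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real data): (timestamp, account, source_host, destination_host).
# jdoe does ordinary daytime work; svc_backup touches five servers in two minutes at night.
SAMPLE_LOGONS = [
    ("2025-03-01T08:00:00", "jdoe", "ws01", "fs01"),
    ("2025-03-01T08:05:00", "jdoe", "ws01", "print01"),
    ("2025-03-01T02:10:00", "svc_backup", "ws07", "fs01"),
    ("2025-03-01T02:10:30", "svc_backup", "ws07", "fs02"),
    ("2025-03-01T02:11:00", "svc_backup", "ws07", "db01"),
    ("2025-03-01T02:11:20", "svc_backup", "ws07", "dc01"),
    ("2025-03-01T02:12:00", "svc_backup", "ws07", "hr01"),
]


def detect_fan_out(logons, window=timedelta(minutes=10), threshold=4):
    """Alert when one (account, source) pair reaches `threshold` distinct destination
    hosts inside any `window`-long interval. One alert per pair, at the first window
    that crosses the threshold."""
    by_key = defaultdict(list)
    for ts, account, src, dst in logons:
        by_key[(account, src)].append((datetime.fromisoformat(ts), dst))

    alerts = []
    for (account, src), events in by_key.items():
        events.sort()  # chronological order so each event can open a window
        for t0, _ in events:
            hosts = {dst for t, dst in events if t0 <= t <= t0 + window}
            if len(hosts) >= threshold:
                alerts.append({"account": account, "source": src,
                               "start": t0.isoformat(), "hosts": sorted(hosts)})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_fan_out(SAMPLE_LOGONS):
        print(alert)
```

A rule like this catches the activity pattern, not any particular tool, which is the point of moving from indicators to TTPs; the tuning work is in choosing window, threshold and exclusions (for example, known scanners or backup servers) so that the rule stays quiet on routine administration.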
Finally, security teams must strengthen the integration between threat intelligence, detection engineering, and incident response.
Only by combining these disciplines is it possible to confront increasingly organized threat actors.
Conclusion
The ENISA Threat Landscape 2025 confirms that the cyber threat landscape has entered a stage of maturity.
Attacks are no longer isolated incidents but part of a structured criminal ecosystem, where tools, infrastructure, and expertise are shared among different groups.
For technical teams, this means that defense strategies must evolve.
It is no longer sufficient to block individual malware samples or patch known vulnerabilities. Organizations must understand attacker behavior, analyze their TTPs, and build detection systems capable of identifying suspicious activity before it escalates into major incidents.
Cyber security today is not just a technological challenge. It is a strategic discipline that requires continuous analysis, collaboration between organizations, and a deep understanding of how threats operate.
The ENISA Threat Landscape does not simply provide a snapshot of the present. It also offers guidance for the future of digital defense.
Questions and answers
- What is the ENISA Threat Landscape?
It is an annual report published by the European Union Agency for Cyber Security that analyzes the main global cyber threats.
- Why is the ENISA report important?
Because it provides an independent and systemic view of threats based on data collected from multiple sources.
- What are the main threats identified in 2025?
Ransomware, supply chain attacks, social engineering, data breaches, and advanced malware.
- What are TTPs in cyber security?
They are the tactics, techniques, and procedures used by attackers during an intrusion.
- Why are indicators of compromise no longer sufficient?
Because attackers can easily modify them, while techniques tend to remain stable over time.
- What does convergence between criminal groups mean?
It refers to the sharing of tools and infrastructure between different cybercriminal groups.
- How are ransomware attacks evolving?
They increasingly involve data theft and multi-layer extortion in addition to encryption.
- What are supply chain attacks?
They are attacks targeting software vendors in order to compromise many organizations at once.
- What role does social engineering play in modern attacks?
Many attacks begin with manipulation techniques targeting users.
- What should security teams focus on today?
Behavior-based detection, stronger threat intelligence capabilities, and improved incident response processes.