Full CTI analysis of the ANSSI 2025 Cyber Threat Panorama (CERTFR-2026-CTI-002)


Classification: TLP:CLEAR (unrestricted public distribution)
Primary source: ANSSI CERTFR-2026-CTI-002, March 2026
Frameworks: MITRE ATT&CK v16 · Diamond Model · Cyber Kill Chain · CVSS v3.1
Regulatory context: NIS2 Directive · Cyber Resilience Act · GDPR
Sectors covered: Education · Healthcare · Telecom · Local Government · Defense · Cloud · OT/ICS


This article is a CTI analysis based on the ANSSI 2025 Cyber Threat Panorama. Target audience: CISOs, CERT/CSIRT teams, SOC managers, threat intelligence analysts, and security architects.


1. Executive Summary: Board-Level Strategic Abstract

The year 2025 consolidates a structural recomposition of the global cyber threat landscape. The French National Agency for Information Systems Security (ANSSI) recorded 1,366 confirmed incidents for fiscal year 2025, a level stable compared to 2024 (1,361) but structurally higher than prior years (1,112 in 2023, 831 in 2022). This quantitative stability conceals a significant qualitative degradation: the threat is more distributed, more opaque, and harder to attribute.

The boundary between state-sponsored and cybercriminal actors is eroding structurally. Attack modes of operation (MOA) reportedly linked to nation-states (Russia, China, Iran, North Korea) now routinely adopt commercial criminal software (ransomware-as-a-service, malware-as-a-service), while cybercriminal groups employ techniques previously reserved for state espionage. This deliberate blurring complicates attribution and extends response timelines.

On the cybercriminal front, ransomware attacks declined slightly (128 in 2025, versus 141 in 2024), but data exfiltration incidents increased significantly: 196 in 2025 versus 130 in 2024, a 51% rise. This tactical shift, data theft without encryption, reduces immediate media exposure for the attacker while maintaining durable extortion pressure on victims. It signals a maturation of criminal business models.

The exposure surface remains concentrated on edge devices (firewalls, VPNs, gateways), virtualization environments, exposed collaborative solutions (SharePoint, webmail), and the digital supply chain. Four sectors account for 76% of incidents: education and research (34%), government ministries and local authorities (24%), health (10%), and telecommunications (9%). Compromised cloud providers generate cascading effects simultaneously affecting multiple downstream clients.

Regulatory implications are immediate. The NIS2 Directive, currently being transposed into French law, imposes mandatory notification and reinforced security obligations on essential and important entities. The Cyber Resilience Act enters into force on 11 September 2026, requiring digital product vendors to notify national CSIRTs of any actively exploited vulnerability. These instruments constitute a lever for raising the sectoral maturity baseline, provided budget allocations follow.

Priority strategic arbitrations are as follows: (1) invest in vulnerability management prioritized by operational risk rather than CVSS score alone; (2) reinforce monitoring of edge devices and cloud environments; (3) integrate subcontractors into contractual security requirements and crisis exercises; (4) formalize and validate business continuity plans (BCP) and disaster recovery plans (DRP) before any crisis; (5) avoid reducing cybersecurity to a product posture: EDR, MFA, and privileged access management are necessary but insufficient against attackers systematically capable of circumventing them.

2. Introduction

2.1 Research Problem

The ANSSI 2025 Cyber Threat Panorama, published in March 2026 under reference CERTFR-2026-CTI-002, constitutes the primary source for this article. Its analysis aims to produce a structured CTI reading (tactical, operational, and strategic) of the dynamics observed during fiscal year 2025, going beyond a simple recounting of facts to propose a modeling of risk vectors, a mapping of adversarial capabilities, and a forward-looking projection over a 6-12 month horizon.

The central research problem is as follows: in a context of growing convergence between state-sponsored and cybercriminal actors, widespread adoption of Living off the Land (LOTL) techniques, and industrialization of offensive capabilities, how can defenders maintain a relevant detection and response posture against threats specifically designed to blend into legitimate traffic and defeat attribution mechanisms?

2.2 Analytical Hypotheses

This article rests on the following explicitly formulated hypotheses:

  • H1: The erosion of actor boundaries is structural, not conjunctural: it results from economic dynamics (capability sharing, offensive outsourcing), technological factors (public availability of offensive tools), and geopolitical drivers (tacit protection of criminal groups by certain states).
  • H2: The generalization of LOTL is a rational response by attackers to the increasing maturity of detection tools (EDR, NDR, SIEM): it requires defenders to rethink their detection strategies beyond static indicators of compromise (IoC).
  • H3: The increase in data exfiltration without encryption signals a diversification of extortion business models, not a decrease in the ransomware threat.
  • H4: The digital supply chain constitutes the fastest-growing compromise vector, driven by widespread cloud adoption and competence delegation to third-party service providers.

2.3 Scope and Sources

This analysis covers the full scope of the ANSSI 2025 Panorama: incidents handled by the Agency, received notifications, corroborated open-source publications, and data leaks from adversarial groups. Secondary sources include publications from Sekoia, Mandiant (Google GTIG), Microsoft MSTIC, Proofpoint, Trend Micro, ESET, Orange Cyberdefense, and Group-IB, as well as CERT-FR advisories and alerts. The primary tactical reference framework is MITRE ATT&CK v16, supplemented by the Diamond Model and the Cyber Kill Chain.

2.4 Positioning in the Global Threat Landscape

The 2025 landscape is continuous with trends identified since 2022 (increased attacks on edge devices, rising RaaS activity, state-criminal hybridization) while marking significant inflections: the shift toward pure exfiltration, the rise of sophisticated social engineering techniques (Clickfix, SIM-Swapping, MFA Fatigue), and the emergence of offensive use of generative AI, still limited but progressing. ANSSI confirms that this evolution does not yet constitute a paradigm shift, but early precursor signals of such a break are already observable.

3. Threat Landscape and Strategic Context

3.1 History and Evolution (2022–2025)

The quantitative evolution of incidents handled by ANSSI reflects a sustained upward trend since 2022: 831 incidents in 2022, 1,112 in 2023, 1,361 in 2024, 1,366 in 2025. The total of events handled reached 3,586 in 2025, down 18% compared to 2024, a peak driven by the Paris Olympic and Paralympic Games. The structural baseline therefore remains at an elevated level.

On the ransomware front, the 2025 curve (128 compromises) marks a slight decline from 2024 (141), but remains above 2022-2023 levels. The sectoral distribution of victims is shifting: while SMEs and mid-caps remain the primary category (37% in 2025 versus 48% in 2024), the proportion of healthcare facilities is rising again (8%), and primary and secondary schools have emerged as a significant new target category.

On the exfiltration front, the 51% rise between 2024 and 2025 (130 versus 196 incidents) confirms the acceleration of an alternative model to double extortion by encryption. Only 80 exfiltration claims out of all declarations received were confirmed by ANSSI; the remainder involved recycled data from earlier thefts or unsubstantiated claims.

3.2 Actor Typology

3.2.1 Cybercriminal Actors

The cybercriminal ecosystem is dominated by RaaS franchises. In 2025, three strains account for the bulk of documented activity: Qilin (21% of ransomware compromises recorded, 700+ victims claimed during the year, peaking at 185 in October 2025), Akira (9%), and LockBit 3.0/Black (5%). Over a dozen new strains were observed for the first time in 2025: Nova, Warlock, Sinobi, among others. This continuous emergence demonstrates the vitality and resilience of the RaaS ecosystem despite law enforcement dismantlement operations.

Initial Access Brokers (IABs) play a structuring role in this ecosystem: TA577, TA571, and TA544 have significantly reduced their dependence on loaders and botnets in favor of RMM tools and LOLBin techniques, making their initial access phase nearly indistinguishable from legitimate administrative activity.

The Scattered Spider group constitutes a case study in advanced social engineering: its operators obtain initial access almost systematically through the compromise of legitimate credentials, without malicious code, leveraging SIM-Swapping, MFA Fatigue, and identity impersonation. Several French luxury sector entities were compromised via this vector in 2025.

Cl0p maintains its pure exfiltration model without ransomware deployment, exploiting zero-day vulnerabilities in managed file transfer solutions. In August 2025, exploitation of CVE-2025-6182 in Oracle E-Business Suite enabled the exfiltration of data from hundreds of companies worldwide.

3.2.2 State-Sponsored Actors

Russian-attributed MOAs remain most active on espionage and sabotage. APT28 (GRU) continues phishing campaigns exploiting legitimate cloud services (Koofr, Icedrive, Filen.io) and the Clickfix technique. Turla (FSB, 16th Center) targets Moscow-based embassies via Adversary-in-the-Middle attacks exploiting the SORM system. Callisto (FSB) targets NGOs, journalists, and Russia-focused researchers. Sandworm (GRU/APT44) continues its destructive campaigns in Ukraine (wipers) and extends its BadPilot campaign to Europe, Central Asia, and the Middle East.

Chinese-attributed MOAs are broadening their victimology. Salt Typhoon compromised the U.S. federal military network between March and December 2024, extending targeting to twelve sectors in the United States and to French entities. APT31 was formally attributed by the Czech Republic to a critical infrastructure attack. UNC5221 (sub-cluster of APT27/UNC5174/Houken) exploits Ivanti zero-day vulnerabilities (CVE-2024-8190, CVE-2024-8963, CVE-2024-9380) to compromise French government, telecom, media, and finance entities. RedDelta (Mustang Panda) conducted a campaign against European diplomatic entities, including France, in September 2025.

State-criminal convergence manifests notably in the use of RaaS strains by nation-state MOAs: Moonstone Sleet (North Korea) deploys Qilin in a limited number of attacks; Chinese-attributed operators use NailaoLocker and RA World alongside traditional espionage tools (PlugX, ShadowPad).

3.3 Underlying Economic Model

The cybercriminal ecosystem operates as a specialized services marketplace: RaaS operators provide infrastructure and ransomware; IABs sell initial access; distribution clusters handle propagation; negotiators manage ransom demands; and laundering services convert cryptoassets. This division of labor increases operational efficiency and complicates judicial attribution.

The average lifespan of a RaaS group is estimated at 262 days (2023 data). Persistent affiliates deploy multiple strains successively: EvilCorp transitioned from LockBit (2022) to RansomHub (July 2024-early 2025). This rotation complicates tracking via technical markers and requires an affiliate identification approach based on discriminating TTPs rather than strain-specific indicators.

3.4 MITRE ATT&CK Correlation

The dominant ATT&CK techniques observed in 2025 are as follows:

  • T1190 Exploit Public-Facing Application: primary vector on Ivanti, Fortinet, SharePoint, VMware devices.
  • T1566 Phishing (T1566.001 Spearphishing, T1566.004 via voice service): primary vector for state espionage campaigns.
  • T1078 Valid Accounts: systematically exploited by Scattered Spider and IABs replacing traditional malware.
  • T1219 Remote Access Software: AnyDesk, AteraAgent, SimpleHelp, ScreenConnect used across all kill chain phases.
  • T1021 Remote Services (Lateral Movement): via legitimate services to bypass network segmentation.
  • T1048 Exfiltration Over Alternative Protocol: rclone, MEGA, Dropbox, Google Drive to evade DLP detection.
  • T1486 Data Encrypted for Impact: ransomware deployment in terminal phase.
  • T1562 Impair Defenses (BYOVD): EDR disabling via legitimate vulnerable drivers (Bring Your Own Vulnerable Driver).
  • T1027 Obfuscated Files: Lumma Stealer uses control flow flattening; widespread adoption of advanced obfuscation in MaaS ecosystems.
  • T1110.003 Password Spraying: Laundry Bear systematically targets email authentication panels.

3.5 24-Month Trends

Over the 2024-2025 period, five major trends are confirmed and accelerating: (1) the generalization of Living off the Land across all actor types; (2) the rise of pure exfiltration at the expense of double encryption; (3) massive and rapid exploitation (sometimes zero-day) of edge devices; (4) increasing targeting of cloud environments and providers occupying central positions in the supply chain; (5) use of generative AI by attackers to improve the quality and quantity of phishing content and attack infrastructure.

3.6 Geopolitical Correlations

The level of cyber threat is directly correlated with global geopolitical tensions. Russia’s ongoing aggression against Ukraine since 2022 generates sustained sabotage and espionage cyber activity, with spillover effects on NATO and EU member states supporting Kyiv. Poland suffered coordinated attacks on its energy infrastructure at end-2025, the first such incident in an EU member state attributed to Russian-linked actors.

Sino-Western tensions fuel espionage campaigns targeting diplomatic, defense, telecommunications, and energy sectors. The ‘cyber lawfare’ context documented by ANSSI (use of national legal frameworks to mandate software with offensive capabilities) illustrates the convergence between state legal instruments and compromise capabilities.

4. Methodology

4.1 CTI Approach

This article simultaneously mobilizes all three levels of Cyber Threat Intelligence as defined by the SANS Institute framework and adopted by ENISA:

  • Tactical CTI: analysis of indicators of compromise (IoC), malware signatures, actor-specific TTPs, and forensic artifacts documented in the ANSSI report and associated publications.
  • Operational CTI: modeling of compromise chains, attack infrastructure, persistence mechanisms, and lateral movement patterns observed in 2025 incidents.
  • Strategic CTI: identification of structural trends, systemic risk modeling, 6-12 month prospective projection, and implications for governance arbitrations.

4.2 Frameworks Mobilized

MITRE ATT&CK v16 is the primary tactical reference framework. It is complemented by:

  • The Diamond Model (Adversary, Capability, Infrastructure, Victim) for attribution correlation and actor relationship modeling.
  • The Lockheed Martin Cyber Kill Chain for sequential structuring of the technical analysis (Section 5).
  • CVSS v3.1 for standardized vulnerability severity assessment.
  • The ANSSI EBIOS Risk Manager model for the risk modeling section.

4.3 Methodological Limitations

Several limitations must be explicitly formulated. First, the ANSSI report covers only a fraction of the actual landscape: incidents brought to the Agency’s attention, with a bias toward public entities and direct ANSSI beneficiaries. Second, the attribution process remains probabilistic rather than deterministic: the use of shared tools and false flag techniques introduces residual uncertainty in any attribution. Third, quantitative data on data exfiltrations is partial: only 80 claims out of all received declarations were confirmed. Fourth, assessment of AI offensive use remains limited by the small number of incidents documented with certainty.

5. Technical Analysis

5.1 Initial Access

Exploitation of Internet-exposed edge devices constitutes the dominant initial access vector in 2025. The most significant CERT-FR alerts cover: Ivanti Connect Secure (CVE-2025-0282, CVSS 9.0, zero-day exploitation detected as early as mid-December 2024 by MOA UNC5221; CVE-2025-22457, widespread exploitation post-publication); Fortinet FortiOS (post-patch exploitation of CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762, illustrating the persistence of durably vulnerable assets); Microsoft SharePoint (CVE-2025-49704/49706 ‘Toolshell’, zero-day exploitation from late June 2025, public PoC on 21 July); VMware ESXi/Workstation/Fusion (CVE-2025-22224/22225/22226, zero-day exploitation revealed 6 March 2025).

In parallel, VPN accounts lacking strong authentication (MFA) constitute a persistent intrusion vector systematically exploited during ransomware campaigns. ANSSI documents numerous 2025 incidents initiated through VPN account compromise, whether of user accounts or contractor accounts.

Phishing remains the initial access vector for state espionage campaigns: targeted spearphishing (Callisto against RSF, UNC6293 against Russia-focused researchers), voice phishing (vishing), and phishing campaigns via Signal and WhatsApp impersonating American and Ukrainian political figures.

5.2 Exploitation Chain

The 2025 exploitation chains are characterized by their heterogeneity and adaptability. In RaaS campaigns, the typical chain is: edge device exploitation or VPN account compromise → RMM tool deployment (AnyDesk, MeshAgent, AteraAgent) → internal reconnaissance → data exfiltration via rclone/MEGA → ransomware deployment. In state espionage campaigns, the chain is: spearphishing or edge device exploitation → lightweight implant or compromised account access → extended reconnaissance → silent exfiltration via legitimate services (Google Drive, Dropbox, WebDAV services) → persistence maintenance.

CVE-2024-55591 (Fortinet, authentication bypass on the management interface) illustrates the stakes of exposing management interfaces: upon CERT-FR notification, over 3,700 Fortinet administration interfaces were exposed on the Internet in France. Exploitation allows an attacker to obtain administrator privileges on the firewall, restrict legitimate administrator rights, and establish a durable entry point.

5.3 Payload Architecture

The payload architecture observed in 2025 reflects the specialization of MaaS and RaaS ecosystems. Lumma Stealer (MaaS active since August 2022 on Russian-language forums) illustrates the sophistication of these tools: credential theft capabilities (browser passwords, session cookies, crypto wallets); code execution on the infected machine; secondary payload deployment; advanced obfuscation (control flow flattening); dynamic C2 infrastructure (domains rotated multiple times per week, Cloudflare CDN to mask real IPs). Its infrastructure was dismantled on 21 May 2025 under Operation ENDGAME, but rapidly resurged, demonstrating operator resilience.

In espionage campaigns, implants used include ApolloShadow (Turla, deployed via Adversary-in-the-Middle targeting Moscow-based embassies), Kazuar v2 (Turla, deployed via Gamaredon inter-FSB MOA collaboration), and the StaticPlugin/CanonStager/PlugX chain (UNC6384/Mustang Panda against European diplomatic entities). These implants are designed for long-term presence, discreet exfiltration, and adaptation to specific target environments.

5.4 Persistence

Persistence mechanisms observed in 2025 rely heavily on legitimate system components. In-memory Servlet filter injection into VMware vCenter (UNC5221) enables backdoor installation without disk writes, bypassing antivirus signatures. RMM tools used as backdoors (AnyDesk, AteraAgent, LogMeIn) leverage their apparent legitimacy to survive reboots without triggering alerts. Use of cloud services (Google Calendar, Google Drive, Dropbox) as C2 channels conceals malicious communications within legitimate HTTPS traffic.

One documented case illustrates persistence sophistication: in incidents involving RMM tools deployed via fake IT support, attackers modify registry keys to ensure program launch in Safe Mode, bypassing EDRs that do not initialize in this mode.

5.5 Privilege Escalation

Privilege escalation exploits primarily three vectors in 2025. First, vulnerability exploitation on already-compromised devices: after exploiting CVE-2024-8190/8963/9380 on Ivanti CSA devices, MOA Houken (UNC5174) escalates to local administration then laterally moves into the internal network. Second, Active Directory exploitation via Kerberos attack techniques (Pass-the-Hash, Kerberoasting) documented during ANSSI security audits. Third, hypervisor vulnerability exploitation (CVE-2025-22224, CVE-2025-41244 in VMware) enabling virtual sandbox escape and access to the host hypervisor.

5.6 Defense Evasion

Defense Evasion constitutes the most sustained innovation axis among attackers in 2025. Living off the Land is now generalized across all actor types, state-sponsored and cybercriminal alike. Documented techniques include: LOLBin usage (legitimate system binaries repurposed), commercial RMM tool deployment, C2 communications via legitimate cloud services, and use of commercial proxies and the Tor network to conceal attack infrastructure (Laundry Bear employs all three simultaneously).

A particularly significant technique is ‘self-patching’: in an ANSSI-handled incident, an attacker patched the vulnerabilities CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380 on the compromised devices after exploiting them, rendering subsequent vulnerability scans inoperable and complicating compromise detection.

The use of generative AI to create legitimate-looking websites hosting malicious payloads constitutes an emerging vector documented by ANSSI in its Private Offensive Cyber Warfare (LIOP) investigations.

5.7 Lateral Movement

Lateral Movement in 2025 relies primarily on exploiting compromised legitimate accounts and interconnections between information systems. ANSSI documents multiple incidents where an attacker compromised a service provider hosting client resources, then laterally moved into multiple client systems via existing interconnections and stolen credentials. This vector is particularly difficult to detect because lateral traffic uses legitimate administration channels (contractor VPN, RDP, monitoring tools).

In cloud environments, compromising a single account with broad permissions can enable lateral movement across all hosted resources. ANSSI documents an October 2025 ransomware attack targeting a French SaaS solution hosted on AWS, illustrating the transposition of on-premise compromise techniques to cloud environments.

5.8 Command & Control

The C2 infrastructure of actors observed in 2025 is characterized by its resilience and opacity. Russian state actors (APT28) use legitimate storage services (Koofr, Icedrive, Filen.io) to host payloads and manage C2 communications, rendering traffic indistinguishable from normal office use. Cybercriminal actors use CDNs (Cloudflare) to mask the real IPs of their C2 servers, with domain rotation multiple times per week (Lumma Stealer case).

The Adversary-in-the-Middle technique exploited by Turla in Moscow leverages the SORM system (the FSB-controlled lawful telecommunications interception infrastructure) to insert itself into communications between diplomatic personnel and local telecom operators, deploying the ApolloShadow backdoor without exposing external C2 infrastructure.

5.9 Data Exfiltration

Data exfiltration constitutes the fastest-growing phase observed in 2025. Preferred tools include rclone (cloud service synchronization), 7-Zip/WinRAR (pre-exfiltration compression), MEGA, Dropbox, and Google Drive (legitimate transfer channels). Cl0p exploits vulnerabilities in managed file transfer solutions (CVE-2025-6182 in Oracle E-Business Suite) to conduct simultaneous mass exfiltration affecting hundreds of companies.

The recovery of SharePoint Machine Keys during ‘Toolshell’ vulnerability exploitation incidents illustrates attackers’ growing sophistication in identifying and exfiltrating high-value secrets. These keys potentially enable post-hoc decryption of sensitive data.

5.10 Impact Logic

The final impact of 2025 attacks is diversified. For cybercriminal actors: system encryption and unavailability (ransomware); data exfiltration and publication (double/triple extortion); service disruption for compromised provider clients (cloud incidents, SaaS providers). For state-sponsored actors: strategic intelligence collection (diplomatic, industrial, military espionage); pre-positioning for future sabotage operations; critical infrastructure destruction (wipers in Ukraine, attacks on Polish energy).

One documented case illustrates the side effects of containment measures: an entity that electrically disconnected its datacenter following early detection, before encryption, suffered a total shutdown and long-duration disruption. This shows that containment modalities themselves constitute a major operational risk requiring prior preparation.

6. Detection Engineering Perspective

6.1 Detection Surface

The relevant detection surface in 2025 concentrates on five priority zones: (1) edge devices (authentication logs, administration interface anomalies, vulnerability exploitation patterns); (2) communications toward legitimate services used as C2 (abnormal volumes, atypical schedules, unusual destinations for Google Drive, Dropbox, MEGA); (3) RMM tool deployments not referenced in the official inventory; (4) lateral movements via privileged accounts (Windows events 4624, 4648, 4768, 4769); (5) exfiltration activities (large volume transfers to cloud destinations, use of rclone or compression tools on sensitive data servers).

6.2 Blind Spots

Several structural blind spots limit defenders’ detection capability. First, C2 communications via legitimate cloud services (HTTPS to googleapis.com, dropbox.com, etc.) are practically undetectable via content inspection; only behavioral analysis (volume, frequency, destination) can generate signals. Second, legitimate RMM tools carry no malicious signature; their offensive use can only be detected via contextualization (account used, time, source machine). Third, Safe Mode exploitation bypasses EDRs that do not initialize in this mode.

‘Self-patching’ by attackers post-exploitation creates a specific blind spot: vulnerability scans report the device as patched while it is actually compromised, distorting the exposure surface assessment.

6.3 Telemetry Requirements

Effective defense in 2025 requires at minimum: complete authentication logs (including VPN and cloud service authentications); EDR telemetry with Safe Mode process coverage; network flow logs (NetFlow) enabling volumetric exfiltration detection; logs of monitoring and remote access tools deployed; edge device logs (authentications, errors, configuration changes); and, for cloud environments, API activity logs with sufficient retention for post-hoc investigations.

6.4 SOC Correlation Logic

Priority correlation rules for 2025 include: RMM tool deployment on a device not registered in inventory; RMM connection from a residential or anonymized IP (Tor, commercial VPN); transfer of volumes exceeding N GB to unauthorized MEGA, Dropbox, or WebDAV services; successful VPN authentication from an unknown geolocation followed by access to sensitive resources; modification of Safe Mode startup registry keys by a non-system process.

6.5 Threat Hunting Hypotheses

Priority threat hunting hypotheses for 2025 are as follows:

  • H-TH1: Legitimate RMM tools are currently deployed on workstations without known user action, as part of an undetected intrusion.
  • H-TH2: A contractor VPN account is being used outside the contractor’s normal business hours to access sensitive internal resources.
  • H-TH3: An edge device exhibits configuration changes not tracked in the CMDB, potentially indicating exploitation or post-compromise self-patching.
  • H-TH4: Volumetric data is transiting to unreferenced cloud destinations from file servers or workstations containing sensitive data.
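The correlation rules listed in 6.4 and hunting hypotheses H-TH1, H-TH2 and H-TH4, implemented as an added example over constructed events; this is not code from ANSSI or from the article. The CMDB host list, the RMM binary names, the TEST-NET address tagged as Tor/VPN, the 5 GB threshold standing in for "N GB", and the 08:00-18:59 contractor window are all assumptions chosen for the demo.

```python
"""Constructed correlation rules for the 2025 priority detections (RMM, VPN, exfiltration, Safe Mode)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed reference data standing in for a CMDB, an IP-reputation feed and a
# sanctioned-services list; a real SOC would pull these from its own sources.
CMDB_HOSTS = {"WS-0142", "FS-01", "ADM-07"}
RMM_BINARIES = {"anydesk.exe", "ateraagent.exe", "simplehelp.exe", "screenconnect.exe", "meshagent.exe"}
ANONYMIZED_IPS = {"203.0.113.7"}             # TEST-NET address assumed tagged as Tor / commercial VPN
APPROVED_CLOUD = {"sharepoint.example.org"}  # sanctioned destinations; anything else is unreferenced
SENSITIVE_PATHS = {"\\\\FS-01\\HR", "\\\\FS-01\\R&D"}
EXFIL_THRESHOLD_BYTES = 5 * 1024**3          # the article's "N GB", assumed as 5 GiB here
VPN_SENSITIVE_WINDOW = timedelta(hours=2)    # VPN login -> sensitive access correlation window
CONTRACTOR_HOURS = range(8, 19)              # assumed contractor maintenance window, 08:00-18:59


def correlate(events):
    """Run the rules over event dicts (sorted by time); return alerts as (rule, detail) tuples."""
    alerts = []
    transfers = defaultdict(int)   # (host, destination) -> bytes sent to an unreferenced cloud service
    vpn_logins = []                # (time, user) for successful VPN logins from an unknown geolocation
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        kind = e["kind"]
        if kind == "process_start" and e["image"].lower() in RMM_BINARIES:
            # H-TH1 / rule 1: RMM tool on a host absent from the inventory
            if e["host"] not in CMDB_HOSTS:
                alerts.append(("rmm_unregistered_host", f'{e["image"]} on {e["host"]}'))
            # rule 2: RMM session originating from a residential/anonymized address
            if e.get("src_ip") in ANONYMIZED_IPS:
                alerts.append(("rmm_from_anonymized_ip", f'{e["image"]} session from {e["src_ip"]}'))
        elif kind == "net_flow" and e["dst"] not in APPROVED_CLOUD:
            # H-TH4 / rule 3: cumulative outbound volume to an unreferenced cloud destination
            key = (e["host"], e["dst"])
            transfers[key] += e["bytes_out"]
            if transfers[key] > EXFIL_THRESHOLD_BYTES:
                mib = transfers[key] // 1024**2
                alerts.append(("bulk_transfer_unreferenced_cloud", f"{key[0]} -> {key[1]} {mib} MiB"))
                transfers[key] = 0  # one sustained transfer raises one alert, then re-arms
        elif kind == "vpn_auth" and e["result"] == "success":
            # rule 4, first half: remember successful logins from outside the user's geo baseline
            if e["geo"] not in e["baseline_geo"]:
                vpn_logins.append((t, e["user"]))
            # H-TH2: contractor account active outside the maintenance window
            if e.get("contractor") and t.hour not in CONTRACTOR_HOURS:
                alerts.append(("contractor_vpn_out_of_hours", f'{e["user"]} at {t:%H:%M}'))
        elif kind == "file_access" and e["path"] in SENSITIVE_PATHS:
            # rule 4, second half: sensitive access shortly after an unknown-geo VPN login
            for login_time, user in vpn_logins:
                if user == e["user"] and timedelta(0) <= t - login_time <= VPN_SENSITIVE_WINDOW:
                    alerts.append(("vpn_unknown_geo_then_sensitive", f'{user} -> {e["path"]}'))
        elif kind == "registry_set" and "\\control\\safeboot\\" in e["key"].lower():
            # rule 5: Safe Mode startup keys touched by something other than SYSTEM
            if e["user"].upper() != "NT AUTHORITY\\SYSTEM":
                alerts.append(("safeboot_key_modified_by_non_system", f'{e["process"]} as {e["user"]}'))
    return alerts


# Constructed sample telemetry (one night of events); not from any real incident.
SAMPLE_EVENTS = [
    {"time": "2025-10-14T02:10:00", "kind": "vpn_auth", "user": "ext.maint01", "result": "success",
     "geo": "BR", "baseline_geo": ["FR"], "contractor": True},
    {"time": "2025-10-14T02:25:00", "kind": "file_access", "user": "ext.maint01", "path": "\\\\FS-01\\HR"},
    {"time": "2025-10-14T02:40:00", "kind": "process_start", "host": "WS-0999", "image": "AnyDesk.exe",
     "src_ip": "203.0.113.7"},
    {"time": "2025-10-14T03:00:00", "kind": "net_flow", "host": "FS-01", "dst": "mega.nz", "bytes_out": 3 * 1024**3},
    {"time": "2025-10-14T03:20:00", "kind": "net_flow", "host": "FS-01", "dst": "mega.nz", "bytes_out": 3 * 1024**3},
    {"time": "2025-10-14T03:30:00", "kind": "net_flow", "host": "WS-0142", "dst": "sharepoint.example.org",
     "bytes_out": 8 * 1024**3},  # sanctioned destination: large but not alerted
    {"time": "2025-10-14T03:45:00", "kind": "registry_set", "host": "WS-0142", "user": "CORP\\jdoe",
     "process": "reg.exe", "key": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\AnyDesk"},
    {"time": "2025-10-14T09:00:00", "kind": "vpn_auth", "user": "alice", "result": "success",
     "geo": "FR", "baseline_geo": ["FR"]},  # baseline login: no alert
]


def run_demo():
    """Correlate the constructed sample and return the resulting alerts."""
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, detail in run_demo():
        print(f"{rule:40} {detail}")
```

The sanctioned SharePoint transfer and the baseline VPN login produce no alerts, which is the point of the IoB approach: the same tools and volumes are benign or suspicious only in context.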

6.6 IoC versus IoB

The generalization of LOTL renders traditional IoCs (malware hashes, C2 IPs) increasingly irrelevant as primary indicators. Indicators of Behavior (IoB), that is, action sequences and behavioral patterns, constitute the most robust detection surface against modern attackers. The use of a legitimate RMM tool (AnyDesk, AteraAgent) is only detectable as an IoB: unauthorized account, unreferenced machine, abnormal schedule, preceded by a phishing action. This transition to IoB imposes a significant analytical maturity uplift requirement on SOC capabilities.

7. Risk Modeling

7.1 Operational Risk: Critical

Operational risk is assessed as CRITICAL. The probability of a significant incident occurring is very high, confirmed by ANSSI data (1,366 incidents in 2025, stable level). Initial access vectors are multiple, widely accessible (published vulnerabilities, commercial RMM tools, compromised credentials), and adapted to attackers of varying sophistication levels. Potential impact includes service interruption, business continuity disruption, compromise of personal or sensitive data, and cascading effects via the supply chain.

The primary risk amplifier is the concentration of the exposure surface on a small number of device categories (Ivanti, Fortinet, SharePoint, VMware) whose vulnerabilities are actively exploited at scale. The exploitation window post-publication is continuously shrinking: in 2025, approximately 29% of exploited vulnerabilities were exploited on or before their publication day.

7.2 Strategic Risk: Critical

Strategic risk is assessed as CRITICAL for entities in the government, diplomatic, defense, energy, and telecommunications sectors. State espionage campaigns (Salt Typhoon, RedDelta, APT31, Turla) explicitly target long-term strategic intelligence collection: network configuration secrets, diplomatic secrets, defense intellectual property. Exfiltrated data fuels subsequent attack campaigns, creating a self-perpetuating compromise cycle.

The erosion of actor boundaries amplifies this risk: uncertain attribution delays response, complicates crisis communication, and may generate incorrect arbitrations in remediation decisions.

7.3 Regulatory Risk: High

Regulatory risk is assessed as HIGH and growing. NIS2 transposition imposes mandatory incident notification on essential and important entities within constrained timelines (early warning within 24 hours, notification within 72 hours, final report within a month). Personal data exfiltration incidents generate parallel GDPR obligations (CNIL notification within 72 hours). The CRA entering into force on 11 September 2026 will impose additional obligations on digital product vendors. Non-compliance exposes organizations to significant financial penalties and amplified reputational risk.

7.4 Supply Chain Risk: Critical

Supply chain risk is assessed as CRITICAL. Incidents documented in 2025 illustrate the reality of cascading compromise: a compromised provider enables access to all client systems via existing interconnections. Cloud generalization amplifies this vector: compromising a single SaaS provider can simultaneously affect hundreds or thousands of downstream clients.

The targeting of the French Defense Industrial and Technological Base (BITD) via ransomware between January and June 2025 illustrates the specific vulnerability of defense subcontractors: entities holding sensitive information but whose cyber maturity level is generally lower than that of prime contractors.

7.5 Risk Amplification Scenarios

Three amplification scenarios are to be anticipated: (1) simultaneous compromise of a major cloud services provider affecting all clients in a critical sector (healthcare, energy), already partially documented in 2025; (2) combined exploitation of a zero-day vulnerability in a massively deployed edge device and a cloud service C2 tunnel, enabling a mass initial access campaign before patch publication; (3) offensive use of a compromised generative AI system in a software development environment, constituting a next-generation supply chain attack.

8. Mitigation and Structural Controls

8.1 Immediate Technical Controls

Immediate controls to implement are as follows:

  • Comprehensive inventory and risk-prioritized patch management for Internet-exposed edge devices (Ivanti, Fortinet, Citrix, VMware, SharePoint), with the remediation window reduced to 24-48 hours for actively exploited vulnerabilities rated CVSS ≥ 9.0.
  • Mandatory MFA deployment on all VPN access, RDP, and administration portals including contractor accounts.
  • RMM tool prohibition or strict whitelisting with automated detection of any deployment outside the approved perimeter.
  • Immediate rotation of Machine Keys and secrets associated with any device affected by an actively exploited vulnerability, independently of patch application.
  • Mapping of cloud services and legitimate tools used in the environment, enabling detection of abnormal usage (volume, destination, schedule).
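The first control above (risk-prioritized patching with a 24-48 hour window for actively exploited CVSS ≥ 9.0 vulnerabilities on exposed edge devices) can be expressed as a triage rule. The following is an added example, not code from the ANSSI report: the asset inventory, the CVE identifiers (placeholders of the form CVE-XXXX-NNNN) and the "urgent" and "standard" SLA tiers are constructed; only the emergency rule and the zero-day factor (exploitation observed on or before publication day, as noted in section 9.3) come from the text.

```python
"""Risk-prioritized patch triage for Internet-exposed edge devices.

Added example (not code from the ANSSI report): the asset inventory, the CVE
placeholders and the non-emergency SLA tiers are constructed. The emergency rule
(actively exploited and CVSS >= 9.0 on an exposed device, remediate within 24-48 h)
and the zero-day factor (exploitation observed on or before publication day) follow
the text of sections 8.1 and 9.3.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Remediation windows in hours. 48 h is the upper bound of the 24-48 h window from 8.1;
# the "urgent" and "standard" values are assumed for the example.
SLA_HOURS = {"emergency": 48, "urgent": 168, "standard": 720}
TIER_ORDER = {"emergency": 0, "urgent": 1, "standard": 2}


@dataclass
class Finding:
    asset: str                  # inventory identifier (constructed)
    vendor: str                 # product vendor of the edge device
    cve: str                    # CVE-XXXX-NNNN values below are placeholders, not real CVEs
    cvss: float                 # CVSS v3.1 base score
    exploited_in_wild: bool     # listed in a KEV-type feed or a CERT-FR alert
    internet_exposed: bool      # reachable from the Internet according to the inventory
    published: datetime         # advisory publication date
    first_exploited: Optional[datetime] = None  # first observed exploitation, if known


def tier(f: Finding) -> str:
    """Map a finding to a remediation tier."""
    zero_day = (f.first_exploited is not None
                and f.first_exploited.date() <= f.published.date())
    # Emergency: exposed device, exploitation confirmed, and either critical severity
    # (the 8.1 rule) or exploitation that preceded the advisory (a zero-day, per 9.3).
    if f.internet_exposed and f.exploited_in_wild and (f.cvss >= 9.0 or zero_day):
        return "emergency"
    if f.exploited_in_wild or f.cvss >= 9.0:
        return "urgent"
    return "standard"


def due_by(f: Finding, detected_at: datetime) -> datetime:
    """Remediation deadline, counted from the moment the finding was raised."""
    return detected_at + timedelta(hours=SLA_HOURS[tier(f)])


def triage(findings: List[Finding], detected_at: datetime) -> List[Tuple[str, datetime, Finding]]:
    """Sort findings by tier, then by due time, then by descending CVSS."""
    rows = [(tier(f), due_by(f, detected_at), f) for f in findings]
    rows.sort(key=lambda r: (TIER_ORDER[r[0]], r[1], -r[2].cvss))
    return rows


def at(iso: str) -> datetime:
    """Parse a naive ISO-8601 date or timestamp and pin it to UTC."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


DETECTED_AT = at("2025-07-01T09:00:00")


def sample_findings() -> List[Finding]:
    """Constructed inventory; vendors echo those named in 8.1, CVE ids are placeholders."""
    return [
        Finding("fw-edge-01", "Fortinet", "CVE-XXXX-0001", 9.8, True, True,
                at("2025-03-01"), at("2025-03-03")),
        Finding("vpn-edge-02", "Ivanti", "CVE-XXXX-0002", 7.5, True, True,
                at("2025-01-08"), at("2025-01-06")),   # exploited before publication
        Finding("sp-ext-03", "SharePoint", "CVE-XXXX-0003", 9.8, False, True, at("2025-07-01")),
        Finding("esx-mgmt-04", "VMware", "CVE-XXXX-0004", 6.5, True, False,
                at("2025-05-20"), at("2025-06-10")),
        Finding("adc-ext-05", "Citrix", "CVE-XXXX-0005", 5.3, False, True, at("2025-06-15")),
    ]


if __name__ == "__main__":
    for t, due, f in triage(sample_findings(), DETECTED_AT):
        print(f"{t:9} due {due:%Y-%m-%d %H:%M}  {f.asset:12} {f.vendor:11} {f.cve} CVSS {f.cvss}")
```

The ordering puts the Ivanti finding in the emergency tier despite its 7.5 score, because exploitation was observed before the advisory; the unexploited SharePoint critical falls to the urgent tier. Feeding the rule with the exposure flag from the inventory, rather than CVSS alone, is what keeps the 48-hour window reserved for the devices that actually face the Internet.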

8.2 Tactical Response Adjustments

Crisis management must integrate lessons from 2025 incidents. Precipitous containment measures (such as electrically disconnecting a datacenter) can generate side effects exceeding the initial threat. The priority is to orchestrate containment with the crisis cell while preserving forensic artifacts for subsequent investigations. Compromised credential revocation must be coordinated with device isolation, to avoid losing visibility into still-active adversarial access paths.

8.3 Architectural Redesign

Priority architectural recommendations derived from analysis of 2025 incidents are: (1) reinforced network segmentation between office zones, edge devices, virtualization environments, and cloud services; (2) least-privilege implementation across all contractor accounts, with automatic access revocation outside defined maintenance windows; (3) separation of personal and professional uses, notably to limit the infostealer exposure surface; (4) systematic verification of cloud service activity logs via mechanisms independent of the service provider.
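Recommendation (2), automatic revocation of contractor access outside defined maintenance windows, is a small policy check that an IAM or PAM automation can run on a schedule. The following is an added example and not code from the ANSSI report or any IAM product: the window definitions, account names and session records are constructed, and a fixed UTC+2 offset stands in for Europe/Paris summer time so the example runs without a time-zone database.

```python
"""Time-bounded contractor access: find sessions to revoke outside maintenance windows.

Added example, not from the ANSSI report: the window definitions, account names and
session records are constructed. It implements recommendation (2) of 8.3 as a policy
check that an IAM/PAM automation could run every few minutes. A fixed UTC+2 offset
stands in for Europe/Paris summer time to keep the example dependency-free; a
production version would use zoneinfo.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone, tzinfo
from typing import Dict, List, Set, Tuple

PARIS_SUMMER = timezone(timedelta(hours=2))   # constructed stand-in for Europe/Paris (CEST)


@dataclass
class MaintenanceWindow:
    weekdays: Set[int]      # 0 = Monday ... 6 = Sunday, evaluated in local time
    start: time             # local start
    end: time               # local end; earlier than start means the window crosses midnight
    tz: tzinfo


@dataclass
class ContractorSession:
    account: str
    target: str
    since: datetime         # timezone-aware session start


# Constructed policy: one window per contractor account.
WINDOWS: Dict[str, MaintenanceWindow] = {
    "ctr-backup-vendor": MaintenanceWindow({1, 3}, time(22, 0), time(2, 0), PARIS_SUMMER),  # Tue/Thu 22:00-02:00
    "ctr-hvac-ot": MaintenanceWindow({5}, time(8, 0), time(12, 0), PARIS_SUMMER),           # Sat 08:00-12:00
}


def in_window(w: MaintenanceWindow, now: datetime) -> bool:
    """True when `now` falls inside the window, handling windows that cross midnight."""
    local = now.astimezone(w.tz)
    t = local.time()
    if w.start <= w.end:
        return local.weekday() in w.weekdays and w.start <= t < w.end
    if t >= w.start:                       # evening part, on the scheduled weekday
        return local.weekday() in w.weekdays
    previous = (local.weekday() - 1) % 7   # early-morning part belongs to the previous weekday
    return t < w.end and previous in w.weekdays


def sessions_to_revoke(sessions: List[ContractorSession], now: datetime) -> List[Tuple[str, str, str]]:
    """Return (account, target, reason) for every session that must be cut at `now`."""
    out = []
    for s in sessions:
        w = WINDOWS.get(s.account)
        if w is None:
            out.append((s.account, s.target, "no maintenance window defined for account"))
        elif not in_window(w, now):
            out.append((s.account, s.target, "outside maintenance window"))
    return out


def at(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp with offset, e.g. 2025-07-01T23:30:00+02:00."""
    return datetime.fromisoformat(iso)


def sample_sessions() -> List[ContractorSession]:
    """Constructed active sessions as a PAM gateway might report them."""
    return [
        ContractorSession("ctr-backup-vendor", "srv-backup-01", at("2025-07-01T22:05:00+02:00")),
        ContractorSession("ctr-hvac-ot", "plc-hvac-03", at("2025-07-01T22:10:00+02:00")),
        ContractorSession("ctr-unknown", "srv-db-02", at("2025-07-01T21:50:00+02:00")),
    ]


if __name__ == "__main__":
    for check in ("2025-07-01T23:30:00+02:00", "2025-07-02T01:00:00+02:00", "2025-07-02T02:30:00+02:00"):
        print(check, sessions_to_revoke(sample_sessions(), at(check)))
```

Two design points matter in practice: an account with no window at all is treated as out of policy rather than silently allowed (default deny), and the midnight-crossing case is evaluated against the weekday on which the window opened, so a Tuesday-night window still covers 01:00 on Wednesday but not 02:30.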

8.4 Governance Adaptation

On the governance front, ANSSI recommends conducting broad audits (not merely red team exercises) aimed at obtaining a comprehensive view of the office IT security level, including authentication providers, underlying components, and Internet exposure of administration interfaces. BCPs and DRPs must be formalized, tested, and updated before any crisis: decisions made under active incident pressure, without prior preparation, systematically generate significant side effects.

8.5 CERT Maturity Implications

For CERTs and CSIRTs, the implications are as follows: reinforcement of Threat Hunting capabilities oriented toward IoB rather than IoC; development of detection rules covering misuse of legitimate tools (RMM, cloud services, LOLBins); integration of the supply chain dimension into incident response processes (scope extended to interconnected providers and clients); active participation in threat intelligence sharing ecosystems (InterCERT France, FIRST, MISP) to accelerate knowledge capture on ongoing campaigns.
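The IoB-oriented detection rules called for here, and the two 8.1 controls they operationalize (RMM allowlisting with detection of any deployment outside the approved perimeter, and a cloud service mapping that flags abnormal volume, destination or schedule), can be prototyped over endpoint and proxy telemetry. The following is an added example, not code from the ANSSI report or from any SOC product: the RMM allowlist, the executable names, the per-service baseline and all telemetry records are constructed.

```python
"""Behaviour-based detection on legitimate tools: RMM perimeter and cloud usage.

Added example, not from the ANSSI report or any SOC product. The RMM allowlist,
the cloud usage baseline and the telemetry records are constructed. It covers the
controls in 8.1 (RMM allowlisting with detection outside the approved perimeter;
mapping of cloud services to detect abnormal volume, destination or schedule) and
the IoB-oriented rules called for in 8.5.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed policy: approved RMM executable -> host groups where it may run.
APPROVED_RMM: Dict[str, set] = {"approved-rmm.exe": {"it-admin", "servicedesk"}}
# Constructed catalogue of RMM executables the environment knows about (approved or not).
KNOWN_RMM = {"approved-rmm.exe", "contractor-rmm.exe", "quickassist-clone.exe"}

# Constructed per-service baseline: approved tenant domains, a daily outbound byte
# threshold per user, and the hour range in which transfers are normal.
BASELINE = {
    "filesync": {"domains": {"files.example-tenant.com"}, "daily_bytes_out": 200_000_000, "hours": (7, 20)},
    "notes":    {"domains": {"notes.example-tenant.com"}, "daily_bytes_out": 5_000_000, "hours": (7, 20)},
}

Alert = Tuple[str, str, str]


@dataclass
class ProcessEvent:
    ts: datetime
    host: str
    host_group: str
    user: str
    image: str          # full path of the executed binary


@dataclass
class CloudUsage:
    ts: datetime
    user: str
    service: str        # service label assigned by the proxy/CASB mapping
    dest_domain: str
    bytes_out: int


def rmm_alerts(events: List[ProcessEvent]) -> List[Alert]:
    """Flag RMM executions that are unapproved or run outside the approved host groups."""
    alerts: List[Alert] = []
    for e in events:
        name = e.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name not in KNOWN_RMM:
            continue
        groups = APPROVED_RMM.get(name)
        if groups is None:
            alerts.append((e.host, name, f"unapproved RMM tool executed by {e.user}"))
        elif e.host_group not in groups:
            alerts.append((e.host, name, f"approved RMM tool run outside perimeter (group {e.host_group})"))
    return alerts


def cloud_alerts(usage: List[CloudUsage]) -> List[Alert]:
    """Flag unmapped services and deviations in destination, schedule, or daily volume."""
    alerts: List[Alert] = []
    daily: Dict[Tuple[str, str, object], int] = {}
    for u in usage:
        base = BASELINE.get(u.service)
        if base is None:
            alerts.append((u.user, u.service, "cloud service not in the approved mapping"))
            continue
        if u.dest_domain not in base["domains"]:
            alerts.append((u.user, u.service, f"destination outside approved tenant: {u.dest_domain}"))
        start, end = base["hours"]
        if not start <= u.ts.hour < end:
            alerts.append((u.user, u.service, f"transfer outside normal schedule ({u.ts.hour:02d}h)"))
        key = (u.user, u.service, u.ts.date())
        daily[key] = daily.get(key, 0) + u.bytes_out
    for (user, service, day), total in daily.items():   # volume is judged per user and day
        limit = BASELINE[service]["daily_bytes_out"]
        if total > limit:
            alerts.append((user, service, f"daily volume {total} bytes above baseline {limit} on {day}"))
    return alerts


def sample_process_events() -> List[ProcessEvent]:
    """Constructed endpoint telemetry."""
    t = datetime(2025, 7, 1, 10, 0)
    return [
        ProcessEvent(t, "WS-0412", "finance", "a.dupont", r"C:\Users\a.dupont\Downloads\contractor-rmm.exe"),
        ProcessEvent(t, "SRV-IT-01", "it-admin", "svc-rmm", r"C:\Program Files\ApprovedRMM\approved-rmm.exe"),
        ProcessEvent(t, "WS-0915", "hr", "c.bernard", r"C:\Temp\approved-rmm.exe"),
        ProcessEvent(t, "WS-0200", "finance", "a.dupont", r"C:\Windows\System32\notepad.exe"),
    ]


def sample_cloud_usage() -> List[CloudUsage]:
    """Constructed proxy/CASB records."""
    return [
        CloudUsage(datetime(2025, 7, 1, 10, 0), "a.dupont", "filesync", "files.example-tenant.com", 50_000_000),
        CloudUsage(datetime(2025, 7, 1, 2, 0), "a.dupont", "filesync", "files.personal-cloud.example", 3_000_000_000),
        CloudUsage(datetime(2025, 7, 1, 14, 0), "b.martin", "notes", "notes.example-tenant.com", 1_000_000),
        CloudUsage(datetime(2025, 7, 1, 14, 0), "b.martin", "unknown-paste", "paste.example", 10_000_000),
    ]


if __name__ == "__main__":
    for a in rmm_alerts(sample_process_events()) + cloud_alerts(sample_cloud_usage()):
        print(a)
```

None of these rules depends on a file hash or a known-bad domain: the approved RMM binary is itself the trigger when it runs on an HR workstation, and the exfiltration candidate is a sanctioned file-sync client pointed at a foreign tenant at 02:00. That is the shift from IoC to IoB the section describes, and it only works if the allowlist and the baseline are maintained as inventory, not as one-off rule constants.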

9. Strategic Outlook (6–12 Months)

9.1 Probable Industrialization

Over the next 6-12 months, several industrialization trends are anticipated. LOTL generalization will intensify, making signature-based detection even less effective. RaaS franchises will continue restructuring following dismantlement operations (ENDGAME, RansomHub, BlackBasta, LockBit): persistent affiliates will migrate to new platforms or create their own operations. The pure exfiltration model (without encryption) will continue its progression, potentially reaching parity with traditional ransomware.

9.2 TTP Evolution

Generative AI usage will progress qualitatively: improved phishing lure credibility (error-free text, coherent visuals), generation of malicious infrastructure sites indistinguishable from legitimate ones, and potentially assistance in exploit code generation. ANSSI does not project a paradigm shift in the short term, but early precursor signals of a qualitative leap in AI-assisted offensive capabilities are already observable.

The Clickfix technique will continue spreading within the criminal ecosystem and be more broadly adopted by state actors: its implementation simplicity and effectiveness against insufficiently security-aware users make it a low-cost, high-return vector.

9.3 Weaponization Curve

The window between vulnerability publication and mass exploitation will continue shrinking. ANSSI data indicates that in 2025, approximately 29% of exploited vulnerabilities were exploited on or before their publication day. This trend requires defenders to have emergency patch management capabilities with tested and validated emergency deployment processes, independent of routine maintenance cycles.

9.4 Variant Anticipation

State-criminal hybridization will deepen. The use of commercial RaaS strains by nation-state MOAs (Moonstone Sleet with Qilin, Chinese operators with NailaoLocker and RA World) will normalize, making attribution even more complex. Campaigns combining strategic espionage and financial extortion will emerge as a stabilized hybrid model.

9.5 Sectoral Attack Surface Impact

Education and healthcare sectors will remain priority targets for cybercriminal actors: their structurally lower cyber maturity and public exposure make them targets with a high yield-to-effort ratio. The cloud sector will establish itself as a critical attack vector, as widespread cloud hosting adoption creates increasingly attractive target concentrations for actors seeking to maximize the impact of a single compromise. Internet-exposed OT/ICS devices (renewable energy installations, water) will continue to be targeted by hacktivist actors, with a risk of escalating sophistication in attacks.

10. Analytical Conclusion

The 2025 cyber threat panorama reveals a threat that has become systemic, distributed, and structurally difficult to attribute. Three analytical inflections merit retention as key conclusions.

First, the erosion of boundaries between state-sponsored and cybercriminal actors is not a transient phenomenon but a structural characteristic of the contemporary cyber ecosystem. It is driven by the public availability of sophisticated offensive tools, delegation of capabilities by states to private offensive cyber warfare providers, and opportunistic adoption of espionage techniques by criminal groups. This convergence requires revising actor taxonomies and the attribution models that derive from them.

Second, the generalization of Living off the Land constitutes the most structural detection challenge for defenders. It shifts the detection perimeter from malicious signatures to anomalous behavior on legitimate tools, which requires a significant analytical maturity uplift in SOCs, more comprehensive telemetry, and adaptation of correlation rules. Organizations that have not yet made this transition are structurally lagging.

Third, the 51% rise in data exfiltration incidents in 2025 signals a maturation of the cybercriminal extortion model: attackers are optimizing their risk-to-return ratio by avoiding ransomware deployment (more visible, more detectable) in favor of silent exfiltration that can be monetized over time. This evolution requires defenders to treat data exfiltration as a top-priority threat, on par with encryption.

The 2026 fiscal year will be structured by the entry into force of the Cyber Resilience Act, French elections and G7 presidency, and the probable intensification of Russian hybrid operations in the context of the ongoing Ukraine conflict. Organizations that will have invested in 2025-2026 in risk-prioritized vulnerability management, advanced Threat Hunting capabilities, and tested incident response plans will possess structurally superior resilience against this threat.

11. References

Primary Sources

Source | URL
ANSSI CERTFR-2026-CTI-002 | https://www.cert.ssi.gouv.fr/cti/CERTFR-2026-CTI-002/
CERT-FR Security Alerts 2025 | https://www.cert.ssi.gouv.fr
CERTFR-2025-CTI-009 Houken | https://www.cert.ssi.gouv.fr/uploads/CERTFR-2025-CTI-009.pdf
CERTFR-2025-CTI-001 Cloud Threat | https://www.cert.ssi.gouv.fr/cti/CERTFR-2025-CTI-001/
CERTFR-2025-CTI-008 ENDGAME 2025 | https://www.cert.ssi.gouv.fr/cti/CERTFR-2025-CTI-008/
Mandiant/GTIG Salt Typhoon | https://s3.documentcloud.org/documents/25998809/20250611-dhs-salt-typhoon.pdf
Sekoia APT28 Operation Phantom Net Voxel | https://blog.sekoia.io/apt28-operation-phantom-net-voxel/
Sekoia RSF / Callisto campaign | https://blog.sekoia.io/ngo-reporters-without-borders-targeted-by-calisto-in-recent-campaign/
Microsoft BadPilot Campaign (Sandworm) | https://www.microsoft.com/en-us/security/blog/2025/02/12/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation/
Orange Cyberdefense NailaoLocker | https://www.orangecyberdefense.com/global/blog/cert-news/meet-nailaolocker-a-ransomware-distributed-in-europe-by-shadowpad-and-plugx-backdoors
Google GTIG PRC-nexus espionage targets diplomats | https://cloud.google.com/blog/topics/threat-intelligence/prc-nexus-espionage-targets-diplomats
Eye Security SharePoint Toolshell exploit | https://research.eye.security/sharepoint-under-siege/
Proofpoint RMM tooling attackers' first choice | https://www.proofpoint.com/us/blog/threat-insight/remote-monitoring-and-management-rmm-tooling-increasingly-attackers-first-choice
VulnCheck State of Exploitation 2026 | https://www.vulncheck.com/blog/state-of-exploitation-2026
AIVD/MIVD Laundry Bear | https://www.aivd.nl/documenten/publicaties/2025/05/27/aivd-en-mivd-onderkennen-nieuwe-russische-cyberactor
ESET Gamaredon x Turla collaboration | https://www.welivesecurity.com/en/eset-research/gamaredon-x-turla-collab/
CERT.PL Poland Energy Incident 2025 | https://cert.pl/en/posts/2026/01/incident-report-energy-sector-2025/
MITRE ATT&CK v16 | https://attack.mitre.org/
CVSS v3.1 NVD Vulnerability Metrics | https://nvd.nist.gov/vuln-metrics/cvss