Cyber Threat Intelligence perspectives on 2025


Threat Discovery is an editorial space of Telsy and TS-WAY dedicated to in-depth analysis in cyber threat intelligence at the global level.

The information reported is the outcome of the collection and analysis work carried out by TS-WAY specialists for the TS-Intelligence platform.

This article reconstructs by thematic headings an overview of some of the perspectives toward which Cyber Threat Intelligence is heading in 2025.


AI as a threat and as an asset

The star of all the forward-looking reports on Cyber Threat Intelligence released between 2024 and 2025 is artificial intelligence (AI). Beginning with the first discoveries of threats such as FraudGPT and WormGPT, now dating back to 2023, and the early reports of deepfakes used in fraud and influence campaigns, AI has been surfacing in numerous forms of cyber threat.

The range of documented uses is broad, but can be summarized by the most significant ones. Attackers can hone social engineering techniques, especially in BEC and CEO fraud, by selecting targets more carefully and increasing the credibility of messages with deepfakes. They can also increase the volume of phishing campaigns by automating both the creation of emails and SMS messages and their distribution.

LLMs (Large Language Models), which are already used to write legitimate code, will increasingly be used to write malware or to enhance existing malware. Criminals can also be expected to train models on databases of compromised credentials in order to generate the passwords most likely to be in use by specific targets, feeding brute-forcing and password-spraying attacks: a handful of high-probability guesses tried against many accounts, rather than many guesses against a single one.
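A password spray built on model-generated "likely" passwords leaves a distinctive footprint in authentication logs: one source, many accounts, very few failures per account, which is the opposite of classic brute force. The following detector is an added example, not code from the article or from TS-WAY; the log line format, the sample events and the IP addresses are constructed for illustration, and the thresholds are assumptions to be tuned per environment.

```python
"""Password-spray vs. brute-force triage over failed-login events.

Added example (not from the original article). The log format below,
"<ISO timestamp> auth_fail user=<name> src=<ip>", is constructed for this
demonstration; real SSO/VPN/AD logs need their own parser.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) auth_fail user=(\S+) src=(\S+)$")


def parse_events(lines):
    """Return a list of (timestamp, user, src_ip) for lines that match the format."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # successes and unrelated lines are ignored
        events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events


def classify_sources(events, window=timedelta(minutes=30),
                     min_users=5, max_per_user=3, brute_threshold=10):
    """Classify each source IP as "spray", "brute_force" or "benign".

    Spray: within one window, failures against >= min_users distinct accounts
    with no account hit more than max_per_user times (few guesses, many targets).
    Brute force: one account hit >= brute_threshold times within one window.
    Thresholds are assumed starting points, not empirically derived values.
    """
    by_src = defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((ts, user))

    verdicts = {}
    for src, evs in by_src.items():
        evs.sort()
        spray = brute = False
        start = 0
        for end in range(len(evs)):
            # slide the window so that evs[start:end+1] spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, user in evs[start:end + 1]:
                counts[user] += 1
            heaviest = max(counts.values())
            if len(counts) >= min_users and heaviest <= max_per_user:
                spray = True
            if heaviest >= brute_threshold:
                brute = True
        verdicts[src] = "spray" if spray else "brute_force" if brute else "benign"
    return verdicts


def detect(lines, **thresholds):
    return classify_sources(parse_events(lines), **thresholds)


# Constructed sample log: one spraying source, one brute-forcing source,
# one user who simply mistyped a password twice, and a success line to skip.
_BASE = datetime(2025, 2, 10, 9, 0, 0)
SAMPLE_LOG = []
for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]):
    SAMPLE_LOG.append(f"{(_BASE + timedelta(minutes=i)).isoformat()} auth_fail user={user} src=203.0.113.5")
for i in range(12):
    SAMPLE_LOG.append(f"{(_BASE + timedelta(seconds=10 * i)).isoformat()} auth_fail user=admin src=198.51.100.7")
for i in range(2):
    SAMPLE_LOG.append(f"{(_BASE + timedelta(minutes=5 * i)).isoformat()} auth_fail user=alice src=192.0.2.9")
SAMPLE_LOG.append(f"{_BASE.isoformat()} auth_ok user=alice src=192.0.2.9")

if __name__ == "__main__":
    for src, verdict in sorted(detect(SAMPLE_LOG).items()):
        print(f"{src:15} {verdict}")
```

Grouping by source IP is the weak point of this check: a spray distributed across a proxy pool or a residential botnet will not cross `min_users` from any single address, so in practice the same logic should also be run with the source key replaced by user-agent, ASN or a time bucket alone.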

In addition, the use of deepfakes in influence campaigns, by now systematic in Russian and Chinese ones, could become pervasive. Finally, the discovery of vulnerabilities that can be exploited for malicious purposes will be made easier.

Conversely, and fortunately, AI is already emerging as a "homeopathic" remedy at numerous junctures, a cure of the same nature as the disease. One example among many is precisely the legitimate discovery of vulnerabilities.

Last November, Google unveiled the Big Sleep project, a collaboration between Project Zero and DeepMind, in which a large language model was used to find a vulnerability in SQLite. In addition, Microsoft's January Patch Tuesday reported that some of the publicly disclosed but not yet exploited flaws, the Remote Code Execution vulnerabilities CVE-2025-21186, CVE-2025-21366 and CVE-2025-21395 in Microsoft Access, were discovered by Unpatched.ai, an AI-driven platform.

From now on, the 0-day race will be contested by multiple parties, human and technological, on both sides of the law.


Ransomware attacks: a fluid and expanding phenomenon

The landscape of adversaries operating for extortion purposes is becoming more and more complex, and this threat is expected to grow, both quantitatively and qualitatively.

New entities claiming attacks on leak sites set up in the underground appear almost daily, and some of them manage to establish themselves as threats with well-defined contours. New ransomware operators, such as RansomHub Team, Lynx Team and Fog Team, were reported throughout 2024.

In addition, international police operations directed against some of the major players in this area, such as LockBit Team, have led to the discovery of complex networks of collaborations and exchanges between groups, the latter more or less friendly.

In some cases, interconnections or contiguities have been detected between APTs and ransomware adversaries, a fact long known and growing in recent months, which complicates prevention and defense activities.


State-sponsored adversaries, between espionage, self-financing and disinformation

Of the four major state actors avowedly opposed to the NATO bloc, Russia, China, North Korea and Iran, Russia currently deserves special attention, having perhaps reached a pivotal moment in the conflict with Ukraine. In light of the recent DeepSeek affair, it will be crucial to follow the evolution of Beijing's strategies, in close dialectic with the new course that President Trump and Elon Musk are setting for U.S. international policy.

Cyberespionage activities and InfoOps will continue to be essential for both powers, on the one hand to maintain control over areas of interest, and on the other to exert pressure and soft power on domestic and foreign audiences. And the Kremlin will not give up the reinforcements coming to it from hacktivist formations, such as NoName057(16).

North Korea is expected to continue its well-known campaigns, with progressive variations, such as those targeting IT workers and those relying on laptop farms to place its operatives in remote IT jobs, all aimed at intelligence gathering and fundraising. As for Iran, the complex and tragic transitional phase that the Middle East is going through could bring about new dynamics and partial repositioning, the repercussions of which could also be seen in the cyber sphere.


0-day vulnerabilities and commercial spyware

The recent discovery of alleged illicit activities carried out with monitoring tools from the Israeli-U.S. company Paragon Solutions has brought commercial spyware back into the spotlight. The roughly 90 alleged targets of its Graphite spyware were reportedly joined by a Libyan activist who may have been targeted with other solutions. Also lingering in the background is the discovery of an internal surveillance campaign that allegedly took place in Serbia through NSO Group's Pegasus spyware.

Reports of peculiar vulnerabilities add to the likelihood of new revelations about spyware campaigns.

In this early part of 2025, at least two 0-days have been fixed whose exploitation may be related to forensic tools. One of them, CVE-2024-53104 in the Linux kernel, patched by Google for Android users, was described as an out-of-bounds write that would allow privilege escalation with physical access to the device. The other, more recent, is Apple's CVE-2025-24200, discovered by a researcher at the Citizen Lab in Toronto, which affects precisely USB Restricted Mode, a feature introduced to block unauthorized data access via USB devices while the device is locked.


The role of post-quantum cryptography in cybersecurity

The 2024 Report on the State of Cybersecurity in the Union, released by ENISA, points out that in terms of emerging technologies, in addition to AI, one of the topics that has gained ground in the past year is post-quantum cryptography (PQC).

As the report states:

Cryptography is a fundamental part of cybersecurity, with security properties such as confidentiality, integrity, authentication, and non-repudiation being highly dependent on cryptographic mechanisms. The introduction of quantum technology promises to drive significant advances in multiple areas, as it has the potential to solve problems that current technologies have not yet addressed.

However, it also presents significant challenges for the security infrastructure, particularly in the realm of cryptography. The rise of quantum computing raises concerns about the integrity and security of current cryptographic solutions, leading to the development of the field of post-quantum cryptography.

This field focuses on creating cryptographic solutions designed to be secure against the potential threats posed by quantum computers. While quantum computers have the potential to breach many of the cryptographic systems currently in use, post-quantum cryptography aims to provide secure alternatives that will continue to function in a world with quantum computing.


Telsy and TS-WAY

TS-WAY is a company that develops technologies and services for medium and large-sized organizations, with expertise in cyber threat intelligence that is unique in Italy. Founded in 2010, TS-WAY has been part of Telsy since 2023.

It operates as an effective extension of the client organization, supporting the in-house team in intelligence and investigation activities, cyber incident response, and systems security verification.

TS-WAY’s experience is internationally recognized and is corroborated by large private organizations in finance, insurance, defense, energy, telecommunications, transportation, and technology, and by government and military organizations that have used the services of this Italian company over time.


TS-WAY’s Services and Solutions

With several vertical teams of security analysts and researchers with technical and investigative expertise, and internationally recognized experience, TS-WAY provides all the assistance needed to align an organization’s security program with its risk management objectives.

Its services offer a preventive and comprehensive approach to security to protect clients’ assets and business continuity.

Its technology solutions transform global threat data into strategic, tactical, operational, and technical intelligence.


TS-Intelligence

TS-Intelligence is a proprietary, flexible, and customizable solution that provides organizations with a detailed risk landscape.

It is delivered as a web-based, full-API platform that can be integrated into an organization's defensive systems and infrastructure, to strengthen protection against complex cyber threats.

Constant research and analysis on threat actors and emerging threats, in both the APT and cybercrime spheres, produces a continuous, exclusive information flow that is made available to organizations in real time and processed into technical, strategic, and executive reports.


Learn more about TS-WAY’s services.