Cybersecurity forecast 2025: The next chapter in a global digital defense

The cybersecurity landscape is set to undergo significant transformations. The rise of artificial intelligence (AI) in both defense and attack, shifting tactics from state actors, and the evolution of ransomware are just a few of the crucial elements shaping the upcoming year in cybersecurity. Google Cloud’s Cybersecurity Forecast 2025 sheds light on what organisations can expect and how they can prepare to tackle emerging threats head-on.

Artificial Intelligence

Attacker Use of AI

We anticipate that malicious actors will continue their rapid adoption of AI-based tools to augment and assist their online operations across various phases of the attack lifecycle. The use of AI and large language models (LLMs) will continue to grow, enabling attackers to develop and scale more convincing phishing, vishing, SMS, and other social engineering attacks. Cyber espionage and cyber crime actors will continue to leverage deepfakes for identity theft, fraud, and bypassing know-your-customer (KYC) security requirements. We expect to observe more evidence of malicious actors experimenting with LLMs and deepfake applications for other use cases, including vulnerability research, code development, and reconnaissance. Additionally, we anticipate more demand in underground forums for LLMs that lack security guardrails, allowing threat actors to query illicit topics without limit. As AI capabilities become more widely available throughout 2025, enterprises will increasingly struggle to defend themselves against these more frequent and effective compromises.

AI for IO

Information Operations (IO) threat actors will increasingly leverage gen AI tools to support their efforts. Deployment of AI capabilities has expanded beyond the early use of generative adversarial network (GAN)-created profiles to backstop inauthentic personas, and has shifted to include the use of large language models (LLMs) to support content creation and the manufacturing of seemingly genuine articles published to inauthentic websites. This is a significant force multiplier that increases the scale at which actors engaged in this space can produce content, and creates additional layers of obfuscation. This trend is expected to continue, with actors likely using increasingly available gen AI tooling for a variety of ends, including scaling content creation, producing more persuasive content, and backstopping inauthentic personas.

Next Phase of AI and Security

In 2025, we expect to see a second phase of AI and security in action. This past year, practitioners have been using AI to democratise security, meaning they have begun using AI-driven tools to automate the summarisation of complex reports, query vast datasets with ease, and obtain real-time assistance for a multitude of tasks, thereby augmenting their capabilities and streamlining workflows. Reducing the toil on defenders performing repetitive tasks by integrating AI into processes and procedures is allowing investigations to run more efficiently, and security decision-makers see AI as a key tool in combatting threats. Before AI helps us get closer to fully autonomous security operations, 2025 will usher in an intermediate stage of semi-autonomous security operations. This will require that enough of the work in our security workflows is done by the system itself, intelligently, while a human remains in the loop who can now accomplish much more with AI support. This includes being able to parse through alerts—even with false positives—to create a list of the highest priority items, enabling security teams to further triage and remediate the risks that matter most.
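The alert-prioritisation step described above, turned into code as an added example (this is not the report's or Google Cloud's code): a batch of constructed alerts is scored by severity, detector confidence and asset criticality, known false positives from a tuning list are suppressed, repeats are folded into a count, and the result is the ordered list a human analyst then works through. The alert records, weights, host names and the benign-activity tuning list are all assumptions constructed for this example.

```python
"""Priority scoring for a batch of SOC alerts (added example, not the report's code).

The alert records, weights and the benign-activity tuning list are all
constructed for this example and are assumptions about a hypothetical SOC.
"""
from dataclasses import dataclass

# Constructed weights: how much each severity and asset tier counts.
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}
TIER_BOOST = {1: 2.0, 2: 1.0, 3: 0.5}  # 1 = crown-jewel asset, 3 = low-value

# Hypothetical tuning list: (host, rule) pairs known to fire on benign activity
# in this environment, e.g. the authorised vulnerability scanner tripping port-scan rules.
KNOWN_BENIGN = {("vuln-scanner-01", "port_scan")}


@dataclass
class Alert:
    id: str
    rule: str
    severity: str      # one of SEVERITY_WEIGHT
    confidence: float  # detector's own estimate, 0.0 .. 1.0
    host: str
    asset_tier: int    # one of TIER_BOOST


# Constructed sample batch, including a known false positive (A2) and a duplicate (A4).
SAMPLE_ALERTS = [
    Alert("A1", "credential_dump", "critical", 0.9, "dc01", 1),
    Alert("A2", "port_scan", "low", 0.6, "vuln-scanner-01", 3),
    Alert("A3", "suspicious_powershell", "high", 0.4, "ws-112", 3),
    Alert("A4", "suspicious_powershell", "high", 0.4, "ws-112", 3),
    Alert("A5", "new_admin_account", "medium", 0.8, "build-srv", 2),
]


def score(alert):
    """Severity weighted by detector confidence, then by how much the asset matters."""
    return round(SEVERITY_WEIGHT[alert.severity] * alert.confidence
                 * TIER_BOOST[alert.asset_tier], 2)


def triage(alerts=SAMPLE_ALERTS):
    """Return (priority_list, suppressed_ids).

    priority_list holds (alert, repeat_count) pairs ordered by score, highest first.
    Known-benign alerts and repeats of an alert already in the list are suppressed;
    repeats are counted on the surviving alert rather than shown again.
    """
    suppressed, kept, counts = [], {}, {}
    for a in alerts:
        key = (a.host, a.rule)
        if key in KNOWN_BENIGN:
            suppressed.append(a.id)
            continue
        if key in kept:
            suppressed.append(a.id)  # duplicate of an alert we already hold
            counts[key] += 1
            continue
        kept[key] = a
        counts[key] = 1
    ordered = sorted(kept.values(), key=score, reverse=True)
    return [(a, counts[(a.host, a.rule)]) for a in ordered], suppressed


if __name__ == "__main__":
    queue, dropped = triage()
    for alert, n in queue:
        print(f"{score(alert):5.2f}  {alert.id}  {alert.rule} on {alert.host}  x{n}")
    print("suppressed:", dropped)
```

The suppression list is deliberately narrow (host and rule must both match) so that a genuine port scan from any other host still reaches the queue; broad suppression is where real incidents get lost.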

The “Big Four”

Russia

In 2025, the Ukraine conflict will likely remain a primary focus of Russian cyber espionage, cyber attack, and information operations efforts. In 2024, we observed increased targeting of Ukrainian soldiers’ mobile devices, with operators likely seeking tactical insight to support kinetic operations and other conventional military activities. While less frequent than in 2022 and 2023, we continued to observe disruptive attacks against a range of critical infrastructure operators, as well as the use of hacktivist personas such as CyberArmyofRussia_Reborn to publicise threat activity. We expect these types of operations to continue into next year.

China

We anticipate that the institutional investments China has made in equipping its cyber threat operators over the last decade will continue to fuel the volume of threat activity and capability development trends into 2025. Pro-People’s Republic of China (PRC) actors will continue to use stealthy tactics, including operational relay box (ORB) networks to obscure operator traffic to and from target environments, targeting of network edge devices to take advantage of vulnerable Internet-exposed attack surface and reduce their footprint in target environments, and exploitation of zero-day vulnerabilities as a byproduct of industrialising the collection of software vulnerabilities at a national scale. Additionally, we expect Chinese state-sponsored actors to continue to be aggressive and to demonstrate a high risk tolerance.

Iran

So long as it remains active, the Israel-Hamas conflict will likely continue to dominate Iranian state sponsored cyber threat activity, fueling cyber espionage, disruptive and destructive attacks, and information operations. However, this focus will not prevent Iranian threat actors from continuing operations consistent with long-term patterns, including targeting government and telecommunications organisations across the Middle East and North Africa, or dabbling in cyber crime. The longstanding objectives of regime stability, economic development, and regional influence will continue to drive monitoring of dissidents, key individuals and organisations linked to Iranian or regional politics, and technologies that could support Iran’s military capabilities.

North Korea

We expect geopolitics and economic need to drive North Korean cyber operations into 2025 and beyond. North Korean cyber espionage operations will continue to support the country’s geopolitical objectives, including targeting government, defense, education, and think tank targets primarily in South Korea and the U.S., with some interest in the UK, Germany, Australia, China, and Russia. North Korean actors placed heavy emphasis on supply chain compromises in 2023 and 2024, usually using trojanised open source software packages in social engineering operations targeting software developers, and we expect these tactics to continue into next year.

Global Forecast

PRC Actors Will Continue to Deploy Custom Malware Ecosystems for Embedded Systems

Endpoint detection and response (EDR) platforms are essential for monitoring endpoint activity within an organisation’s security architecture. However, PRC-linked espionage actors have developed sophisticated, customised malware ecosystems targeting embedded systems—such as firewalls, VPN gateways, and network devices—where EDR solutions are limited, making detection and response challenging. These malware ecosystems are specifically tailored to exploit the native functions of targeted platforms. In 2025, PRC actors are expected to continue deploying stealthy, custom malware, using tactics like trojanising legitimate services and leveraging rootkits to maintain hidden access and hinder investigations.

No End in Sight: Ransomware and Multifaceted Extortion

Ransomware, data theft, and multifaceted extortion are expected to remain the most disruptive forms of cybercrime in 2025, both in frequency and damage. In 2024, ransomware attacks heavily impacted the healthcare sector, disrupting patient care, blocking prescription refills, halting lab tests, and prompting urgent blood donations. These incidents have affected over 100 countries and all industry sectors. The number of data leak sites doubled from 2023, and new ransomware-as-a-service (RaaS) offerings further underscore the expanding ransomware threat landscape.

The Rising Threat of Infostealer Malware: A Gateway to High-Impact Data Breaches

Infostealer malware, while not new, has grown more sophisticated and effective. In 2024, attackers used credentials stolen through infostealer campaigns to breach numerous prominent organisations. These readily available credentials, often obtainable by low-skilled threat actors, pose a significant risk. This trend is expected to persist into 2025, especially where two-factor authentication is not enforced. Infostealer malware has advanced with detection-evasion techniques and capabilities to bypass endpoint detection, making it a formidable cyber threat.

Democratising of Cyber Capabilities Will Continue to Lower Barriers to Entry for Less-Skilled and Newer Actors

In 2025, organisations will continue to be challenged by a landscape in which an increasing number of barriers to entry will be eroded for cyber criminals and state actors with less sophistication. As more tools, phishing kits, and “as-a-service” resources incorporate advanced capabilities, less skilled threat actors and new entrants into malicious cyber activity will have opportunities to carry out operations with greater efficiency and skill. From web skimming to multifactor authentication (MFA) bypass, the growing professionalisation of such services will expand the number of threat actors defenders will have to contend with. Additionally, increasing experimentation by threat actors with gen AI at different parts of the attack lifecycle will also start playing a greater role in increased efficiencies on the adversary side of the security equation.

Maturing Security Operations in the Cloud

In 2025, we expect to see more widespread adoption of cloud-native security information and event management (SIEM) solutions. Scalability and cost effectiveness will drive mass adoption, even by those hesitating to move away from on-premises deployments. SIEM is projected to reemerge as the central nervous system of the security operations center (SOC), ingesting everything from cloud logs to endpoint telemetry. Security orchestration, automation, and response (SOAR), usually a part of SIEM, will likely move beyond basic playbook execution to handle more complex incident response. This includes automated malware analysis, phishing takedowns, and even patching of vulnerabilities before they’re exploited. Additionally, cloud-specific risks such as identity and access management (IAM) misconfigurations, serverless vulnerabilities, and container escapes will be better tackled head-on with purpose-built tools and strategies.
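One concrete instance of the cloud-log detections a SIEM like the one described above would run, as an added example that is not part of the forecast report or any vendor's product: two checks over constructed cloud audit events, one for a successful console login where MFA was not used, and one for a policy write that grants every action on every resource (an IAM misconfiguration of the kind the paragraph mentions). The event layout loosely follows AWS CloudTrail field names but is an assumption for this example, as are the event ids, user names and policy contents.

```python
"""SIEM-style detections over constructed cloud audit events (added example).

The events are constructed; their field layout is loosely modelled on AWS
CloudTrail but is an assumption, not a real export.
"""
import json

SAMPLE_EVENTS = [
    {"eventID": "e1", "eventName": "ConsoleLogin", "userIdentity": {"userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e2", "eventName": "ConsoleLogin", "userIdentity": {"userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    # A failed login without MFA is noise for this rule, not a finding.
    {"eventID": "e3", "eventName": "ConsoleLogin", "userIdentity": {"userName": "eve"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}},
    # Inline policy that is effectively full admin: Allow * on *.
    {"eventID": "e4", "eventName": "PutUserPolicy", "userIdentity": {"userName": "alice"},
     "requestParameters": {"userName": "svc-deploy", "policyName": "quick-fix",
                           "policyDocument": json.dumps({"Version": "2012-10-17",
                               "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}})}},
    # Scoped policy; the Deny * statement must not trip the rule.
    {"eventID": "e5", "eventName": "PutUserPolicy", "userIdentity": {"userName": "alice"},
     "requestParameters": {"userName": "svc-reader", "policyName": "read-bucket",
                           "policyDocument": json.dumps({"Version": "2012-10-17",
                               "Statement": [
                                   {"Effect": "Allow", "Action": ["s3:GetObject"],
                                    "Resource": "arn:aws:s3:::reports/*"},
                                   {"Effect": "Deny", "Action": "*", "Resource": "*"}]})}},
]


def _as_list(value):
    """Policy fields such as Statement, Action and Resource may be a string/dict or a list."""
    return value if isinstance(value, list) else [value]


def console_login_without_mfa(event):
    """Successful interactive console login where MFA was not used."""
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and event.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def wildcard_admin_policy(event):
    """Policy write containing an Allow statement for every action on every resource."""
    if event.get("eventName") not in ("PutUserPolicy", "PutRolePolicy", "CreatePolicy"):
        return False
    raw = event.get("requestParameters", {}).get("policyDocument")
    if not raw:
        return False
    doc = json.loads(raw)
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action", [])) and "*" in _as_list(stmt.get("Resource", [])):
            return True
    return False


DETECTIONS = {
    "console_login_without_mfa": console_login_without_mfa,
    "wildcard_admin_policy": wildcard_admin_policy,
}


def run_detections(events=SAMPLE_EVENTS):
    """Return (event id, detection name, acting user) for every event a rule matches."""
    findings = []
    for ev in events:
        for name, check in DETECTIONS.items():
            if check(ev):
                findings.append((ev["eventID"], name, ev["userIdentity"]["userName"]))
    return findings


if __name__ == "__main__":
    for event_id, rule, user in run_detections():
        print(f"{event_id}: {rule} ({user})")
```

The policy check normalises the single-object and list forms of Statement, Action and Resource before inspecting them; a rule that only handles the list form silently misses the single-statement document in e4, which is exactly the shape a hurried "quick fix" tends to take.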

Criticality Drives More Regulations for Cloud Providers

We anticipate that as more critical infrastructure moves onto hyperscale cloud services, more and more regulators around the world will directly target cloud providers, rather than working only through customers, to drive the expected levels of control and resilience in the cloud. In 2025, cloud providers will face more regulation and increased expectations. This is appropriate given the extent of their criticality, and the increasing number of services that have been moving onto hyperscale cloud, including Google Cloud.

Preparing for an Age of Post-Quantum Cryptography

Many organisations in 2025 will be starting their journeys towards adopting the new post-quantum cryptography standards finalised by the National Institute of Standards and Technology (NIST) in 2024. The latest guidance from NIST on quantum-safe encryption, key transport, and cryptographic signing is designed to help mitigate attacks by adversaries with large-scale quantum computers. These attacks could potentially break encryption, and ultimately compromise sensitive data. Although quantum threats likely won’t have a widespread impact next year, organisations in 2025 will need to start understanding the risks posed by quantum computing, planning their transitions to quantum-resistant solutions, inventorying where they are using cryptography, regularly rotating encryption keys, and generally staying informed of quantum developments using threat intelligence and other guidance.
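The inventory step the paragraph asks for, as an added example that is not part of the report or of any NIST guidance: a small constructed inventory of cryptographic assets is classified by whether its algorithm is one of the 2024 NIST post-quantum standards (ML-KEM, ML-DSA, SLH-DSA), a symmetric cipher, or a public-key scheme a large quantum computer could break, and long-lived confidentiality and overdue rotation raise the migration priority. The asset list, the 365-day rotation policy, the priority scale and the fixed "today" date are assumptions constructed for this example.

```python
"""Cryptographic inventory triage for a post-quantum migration (added example).

The asset list, the rotation policy and the priority scale are constructed for
this example and are assumptions, not data or recommendations from the report.
"""
from dataclasses import dataclass
from datetime import date

# Parameter-set names from the NIST standards finalised in 2024
# (FIPS 203 ML-KEM, FIPS 204 ML-DSA, FIPS 205 SLH-DSA).
PQ_SAFE = {"ML-KEM-768", "ML-KEM-1024", "ML-DSA-65", "ML-DSA-87", "SLH-DSA-SHA2-128s"}
# Public-key schemes whose security rests on factoring or discrete logarithms;
# a large-scale quantum computer running Shor's algorithm breaks all of them.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH", "Ed25519", "X25519"}
SYMMETRIC_OK = {"AES-256", "ChaCha20"}

TODAY = date(2025, 1, 1)   # fixed so the example is reproducible
MAX_KEY_AGE_DAYS = 365     # hypothetical rotation policy


@dataclass
class CryptoAsset:
    name: str
    algorithm: str
    purpose: str              # "signing", "key-exchange" or "data-at-rest"
    key_created: date
    data_lifetime_years: int  # how long what it protects must stay confidential


# Constructed inventory.
SAMPLE_ASSETS = [
    CryptoAsset("vpn-gateway", "ECDH", "key-exchange", date(2023, 1, 15), 15),
    CryptoAsset("code-signing", "RSA", "signing", date(2024, 6, 1), 2),
    CryptoAsset("legacy-db", "AES-128", "data-at-rest", date(2022, 5, 1), 7),
    CryptoAsset("backup-kms", "AES-256", "data-at-rest", date(2024, 3, 1), 25),
    CryptoAsset("tls-hybrid", "ML-KEM-768", "key-exchange", date(2024, 11, 1), 15),
]


def assess(asset, today=TODAY):
    """Priority 0 (fine) to 3 (migrate first), with the reasons."""
    findings = []
    if asset.algorithm in PQ_SAFE or asset.algorithm in SYMMETRIC_OK:
        priority = 0
    elif asset.algorithm in QUANTUM_VULNERABLE:
        priority = 2
        findings.append("public-key algorithm breakable by a large-scale quantum computer")
        # Ciphertext recorded today can be decrypted once such a machine exists, so
        # long-lived confidentiality is the urgent case; a signature scheme can be
        # swapped when the threat materialises, an already-captured key exchange cannot.
        if asset.purpose != "signing" and asset.data_lifetime_years >= 10:
            priority = 3
            findings.append("protects data that must stay confidential for 10+ years")
    elif asset.algorithm == "AES-128":
        priority = 1
        findings.append("symmetric key; plan the move to 256-bit keys for extra margin")
    else:
        priority = 2
        findings.append("algorithm not in the inventory's known sets; needs manual review")
    age = (today - asset.key_created).days
    if age > MAX_KEY_AGE_DAYS:
        findings.append(f"key is {age} days old, past the {MAX_KEY_AGE_DAYS}-day rotation policy")
        priority = max(priority, 1)
    return {"name": asset.name, "priority": priority, "findings": findings}


def build_report(assets=SAMPLE_ASSETS, today=TODAY):
    """Assets ordered so the ones to migrate first come first."""
    return sorted((assess(a, today) for a in assets),
                  key=lambda r: r["priority"], reverse=True)


if __name__ == "__main__":
    for row in build_report():
        print(f"P{row['priority']} {row['name']}: " + "; ".join(row["findings"]) or "ok")
```

In a real estate the inventory rows would come from certificate stores, KMS listings and TLS configuration scans rather than a literal list, but the classification and ordering logic is the part that has to exist before a migration plan can be written.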

JAPAC Forecast

North Korea Threat Actors Setting Their Sights on JAPAC

As cryptocurrency investments continue to grow in the JAPAC region, we expect to see increased targeting of cryptocurrency exchanges, particularly from North Korean threat actors. Throughout 2024, North Korea has continued its attacks against cryptocurrency exchanges, and in September 2024 the FBI issued an alert on the problem. JAPAC has among the highest adoption and growth rates for cryptocurrencies, and this past year there were reports of significant cryptocurrency breaches in the region—including theft of tens and hundreds of millions of dollars’ worth of digital assets. One of the ways North Korea is targeting JAPAC countries is by impersonating remote IT workers. The U.S. Department of Justice and other agencies warned “of attempts by Democratic People’s Republic of Korea (DPRK, a.k.a. North Korea) information technology (IT) workers to obtain employment while posing as non-North Korean nationals”. As part of these operations, some of the fake IT workers worked for organisations located in JAPAC countries.

Chinese-Controlled Websites Posing as Local News Outlets Target Global Audiences with Pro-Beijing Content

In 2022, Google Cloud exposed the Hai Energy campaign, which consisted of a network of 72 suspected inauthentic news sites and a number of suspected inauthentic social media assets, used to disseminate content strategically aligned with the political interests of the People’s Republic of China (PRC). The sites published content in 11 languages. Since then, Google Cloud has uncovered at least two other campaigns in which third-party companies or PR firms were hired to promote government narratives via fictitious “Local News” outlets. This threat poses a heightened risk of inadvertent amplification by other local media outlets, owing to a lack of due diligence, or by readers who chance upon these fake “Local News” outlets. Even though these campaigns have not been very effective in changing global perceptions of China in 2024, we believe they will persist into 2025, and it is crucial to continue to uncover and track these fake news outlets to educate global readers. Therefore, organisations must prioritise understanding and staying informed about geopolitical events as they unfold in the cyber domain.

Cyber Criminals in Southeast Asia Continue to Innovate

In 2025, we anticipate continued innovation by Southeast Asian cyber criminals. A new report by the United Nations Office on Drugs and Crime found that Asian crime syndicates are now integrating new service-based business models and technologies—including malware, gen AI, and deepfakes—into their operations, while establishing new underground markets and cryptocurrency solutions for their money laundering needs. According to the report, organised cyber crime in the region is evolving rapidly, and this trend will likely lead to an escalation of activity in the JAPAC region. It is critical for governments and enterprises to formalise regular intelligence-sharing to understand these tactics, techniques and procedures in greater detail, and to be able to trace them to illicit financial flows.

Conclusion

In 2025, the cybersecurity industry will continue to innovate, while organisations will face evolving challenges across the vast threat landscape. Rapid advancements in technology, particularly in artificial intelligence, are reshaping tactics for both defenders and adversaries. While AI is rapidly bringing new tools for threat detection and response, it also provides malicious actors with powerful capabilities for social engineering, disinformation, and other attacks.

Organisations must prioritise a proactive and comprehensive approach to cybersecurity. This includes adopting cloud-native security solutions, implementing robust identity and access management controls, and staying ahead of emerging threats through continuous monitoring and threat intelligence. It also means preparing for the post-quantum cryptography era, and complying with evolving regulations. The Cybersecurity Forecast 2025 report aims to equip organisations with the insights and knowledge they need to navigate this complex landscape. By understanding evolving trends and potential threats, organisations can strengthen their defenses and build a more resilient future.
