The Artificial Future: Trend Micro Security Predictions for 2025

Deepfakes are poised to be the biggest AI-related threat because of the vast potential for misuse. Criminals have yet to plumb their full potential, and we predict they will use deepfakes in new scams and criminal schemes in 2025. 'Hot' social engineering scams will be even more believable with the use of deepfakes, while LLM trained on a person’s public posts can mimic their writing style, knowledge and personality. These AI-enabled techniques make for dangerously convincing impersonations to target unwitting victims. We also predict the continuation of AI-based semi-automated scams. For corporations, BEC and 'fake employee' scams should be the most concerning. Bypass-KYC-as-a-service has been popular in the underground for a few years already, sustained by three elements: unintentionally exposed biometrics, leaked and breached PII (particularly from ransomware attacks), and the growing capabilities of AI. This avenue of attack will continue for scammers.

In terms of AI targets - AI agents are increasingly deployed to perform specific tasks or roles, and they will become more attractive targets for malware authors: malicious individuals are likely to exploit vulnerabilities in AI systems to manipulate them into carrying out harmful or unauthorized actions with the appearance of digital entities based on persons impersonated without their awareness, or even with entirely new identities. We will keep seeing new uses for this new technology as it advances, and as criminal actors keep finding new social engineering uses for it, such as building phishing kits that are tailored to specific events. AI helps attackers be more efficient and timelier with the delivery of these toolkits. We have seen it with the recent US elections, and it will likely get more common.

AI-enabled cybercrime and malicious activity to watch out for:

Other AI-enabled activities to watch out for

Enterprises will be introducing AI agents to mainstream to remain competitive; agents might itself be malicious because of their autonomy and logic errors or execution errors. The growing reliance on AI Agents underscores the urgent need for robust security measures to protect against such threats. Users might happily shoot themselves in the foot experimenting with AI agents, and that will remain a threat until better guidelines and execution guide rails are created. The limited number of agent and model providers also means that one flaw in a popular provider can create a persistent vulnerability across numerous organizations. Outside of organizations, the growing prevalence of AI-generated content continues to demand user education for better discernment when consuming and interacting with content online.

Nation-state threat actors such as Lazarus, Turla, and Pawn Storm were particularly active in 2024 and are expected to increase their activity in 2025. These groups will continue to target diplomatic information and military technologies as well as their supply chains for maximum impact. Other criminal and mercenary groups are now doing a significant amount of espionage too, such as Void Rabisu and the DaVinci Group. Operations aligned with Russian propaganda like Doppelganger and pro-China networks such as Spamouflage are seen to continue leveraging disinformation to deepen societal divisions. Salt Typhoon’s recent attack that siphoned phone call audio and data could suggest that nation-state threat actors are exploring audio deepfakes. Earth Hundun and other nation-state threat actors with similar geopolitical alignments will continue their speedy evolution.

Meanwhile, North Korean groups will likely keep focusing on cryptocurrency to help bypass sanctions. APT29 has been targeting cloud environments, an activity expected to rise. Sandworm, primarily involved in operations related to the invasion of Ukraine, could expand its operations depending on future geopolitical developments. The same geopolitical developments will continue to see hacktivist groups impacting enterprises they see as linked to their political or ethical ideals; and in the act are influenced by state actors looking to make use of the free energy they provide.

Organizations must understand their position within the supply chain, address vulnerabilities in public-facing servers, and implement multi-layered defenses within internal networks. It is advisable to require background checks for certain roles during recruitment as state actors have recently leveraged this to place insiders within a target network. Furthermore, collaboration among governments, private companies, and media is essential to uncover the full scope of influence operations. Attack Path Prediction will be critical for enterprises as cloud instances can allow for multi-step kill chain; being able to predict and disrupt these attack paths will boost an organization’s defenses.

2024 saw a rise in ransomware groups leveraging legitimate tools for data exfiltration, credential collection and replication, which can make it easier for attackers to move laterally and escalate privileges. As we move into 2025, legitimate tools will continue to be exploited as cybercriminals realize their potential in disguising attack activity as legitimate and in that they already have access to valuable resources, data, and enterprise networks. With the rise of ransomware attacks starting through vulnerabilities or using compromised accounts, attacks that start with phishing will likely go down, suggesting a shift in techniques for ransomware gangs. More successful attacks from our recent investigations used compromised accounts to connect to a machine in the environment, while other cases saw the attacker bypassing multi-factor authentication (MFA) mechanisms. Ransomware attacks could also drift towards business models that no longer necessitate encryption.

As ransomware groups evolve in their technique of leveraging legitimate tools, organizations should not only rely on malicious files and hash detections but also monitor behavior across layers. Enterprises should opt for solutions that provide enhanced visibility and correlated detection across multiple layers, ensuring that incidents with the potential to cause significant system damage can be addressed as early as possible. Organizations can stay on top of threats by subscribing to CTI platforms to gain insights and information on the tactics, techniques, and procedures of cyberattacks, to prepare prevention and mitigation protocols.

As cybercriminals maximize AI, so should organizations: leverage AI to advance threat detection, automate responses, and predict potential security breaches. Ensure that AI systems are safeguarded against malicious attacks and vulnerabilities by implementing rigorous security measures to protect AI models and data.

In the past, we have seen a one-to-one ratio between loaders and info stealers, where one loader will install just one infostealer, but we have started seeing multiple infostealers installed by a single loader. Information harvested by such threats are useful for threat actors and enable them to carry out other attacks. Ransomware groups will continue to use this as a key part of their attacks: utilize information, such as user accounts harvested by infostealers, in their ransomware attacks.

Malvertising threats have been thrust into the spotlight partly because of the widespread proliferation of infostealers that use this arrival technique, which could lead to attackers seeing its potential for other campaigns. We have already seen ransomware groups use this to get a foothold in a target environment. The stealth mechanisms described in the previous section show how threat actors can innovate and elevate the technique to make it more effective in gaining initial access. In 2025 we predict this trend will continue.

Enterprises should make sure that they comply with new security standards outlined by legal experts. The European Union's (EU) NIS2 Directive is a new legal directive that will help enterprises improve the security of networks and information systems across the EU by focusing on strengthening cybersecurity risk management and incident reporting.The Digital Operational Resilience Act (DORA) will also be implemented in January 2025, which will require financial institutions to follow stringent guidelines for safeguarding against ICT-related incidents. Enterprises should also address vulnerabilities in public-facing servers and implement multi-layered defenses within internal networks.