Leader: Throughout 2025, China, Russia, North Korea and Iran used similar tactics: exploiting vulnerabilities to gain access to critical systems and then maintaining control for extended periods. These operations highlight the urgency of a multifaceted defensive strategy.
What happened: Talos Intelligence reported that investigations related to Chinese state-sponsored threats increased 75% in 2025 compared with the previous year. Newly disclosed vulnerabilities were exploited almost immediately, sometimes before patches were widely available. The same persistence techniques (web shells, custom backdoors and tunneling tools) were used to keep control of systems over extended periods.
There was also greater overlap between state-sponsored and financially motivated activity. In some cases, state actors ran operations for personal gain alongside their espionage work; in others, cybercriminals collected information during attacks that they later sold to espionage actors.
In Russia, cyber activity remained closely tied to the conflict in Ukraine and to global sanctions. Many operations continued to use unpatched vulnerabilities in network devices for initial access. Malware families such as Dark Crystal RAT (DCRat), Remcos RAT and Smoke Loader appeared frequently, and their use closely tracked geopolitical events.
In North Korea, operations emphasized social engineering and insider access for both financial and espionage purposes. Campaigns such as Contagious Interview (run by Famous Chollima) used social engineering to trick real employees into executing code or handing over credentials, generating significant profits and establishing persistent access.
In Iran, operations combined visible disruption with long-term access. Hacktivist activity increased in response to geopolitical events, while groups such as ShroudedSnooper deployed compact backdoors to stay hidden and conduct sustained espionage.
Why it matters: These operations underscore the need for a multifaceted defensive strategy. Defenders should prioritize patching, identity security and visibility into network infrastructure to counter both immediate exploitation and prolonged access.
Technical details: State-sponsored operations continued to leverage recently disclosed vulnerabilities for initial access. These threats often translate into a significant increase in geopolitically driven cyber activity, which again argues for a multifaceted defensive strategy.
Common tactics include backdoors and tunneling tools to maintain persistent access. Social engineering and internal access allowed non-state actors to gather valuable information and establish persistent operations.
What they should monitor: Defenders should check older systems for exploitation of newly disclosed vulnerabilities and strengthen identity security and network infrastructure visibility. Continuous monitoring of how geopolitical events correlate with cyber activity is also necessary.
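The persistence technique the summary names most concretely is the web shell. The script below is an added example (not Talos code and not taken from the report) of a defensive hunt that combines three signals a responder would check on a web server: script files created or modified after a known-good inventory date, source that passes request input straight into an eval or command-execution primitive, and POST traffic to those files with no Referer. The web root path, the baseline date, the file inventory and the access-log lines are all constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

WEBROOT = "/var/www/html"  # assumed web root for the constructed inventory
SCRIPT_EXT = (".php", ".phtml", ".asp", ".aspx", ".jsp", ".jspx")

# Source-level indicators. A file is flagged only when it both reads request
# input and hands something to an eval/exec primitive; either alone is common
# in benign code, so neither is a signal on its own.
INPUT_RE = re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\b|Request(?:\.Item|\.Form|\[)", re.I)
EXEC_RE = re.compile(r"\b(?:eval|assert|system|passthru|shell_exec|proc_open|popen|exec)\s*\(", re.I)

# Apache/nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass
class WebFile:
    path: str
    mtime: datetime
    content: str


@dataclass
class Finding:
    path: str
    reasons: list


def is_script(path):
    return path.lower().endswith(SCRIPT_EXT)


def post_counts(log_lines):
    """Count POST requests per URL path that arrive with no Referer header."""
    counts = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than abort the hunt
        if m["method"] == "POST" and m["referrer"] in ("-", ""):
            path = m["path"].split("?", 1)[0]
            counts[path] = counts.get(path, 0) + 1
    return counts


def hunt(snapshot, log_lines, baseline):
    """Return script files on which at least two independent signals agree."""
    posts = post_counts(log_lines)
    findings = []
    for f in snapshot:
        if not is_script(f.path):
            continue
        reasons = []
        if f.mtime > baseline:
            reasons.append("script created or modified after baseline")
        if INPUT_RE.search(f.content) and EXEC_RE.search(f.content):
            reasons.append("request input passed to an eval/exec primitive")
        url = f.path[len(WEBROOT):] if f.path.startswith(WEBROOT) else f.path
        n = posts.get(url, 0)
        if n:
            reasons.append(f"{n} POST request(s) with no referrer")
        # Requiring two signals keeps ordinary post-baseline deployments
        # (a new script that simply exists) out of the triage queue.
        if len(reasons) >= 2:
            findings.append(Finding(f.path, reasons))
    return findings


# Constructed sample data; none of it is real.
BASELINE = datetime(2025, 6, 1, tzinfo=timezone.utc)  # last known-good inventory

SNAPSHOT = [
    WebFile(f"{WEBROOT}/index.php", datetime(2024, 3, 2, tzinfo=timezone.utc),
            "<?php require 'app/bootstrap.php'; echo render($_GET['page'] ?? 'home'); ?>"),
    WebFile(f"{WEBROOT}/uploads/photo.jpg", datetime(2025, 6, 10, tzinfo=timezone.utc),
            "\xff\xd8\xff..."),
    WebFile(f"{WEBROOT}/uploads/cache.php", datetime(2025, 6, 14, tzinfo=timezone.utc),
            "<?php @eval($_POST['c']); ?>"),
    WebFile(f"{WEBROOT}/api/export.php", datetime(2025, 6, 20, tzinfo=timezone.utc),
            "<?php header('Content-Type: text/csv'); echo export_rows(); ?>"),
]

ACCESS_LOG = [
    '198.51.100.7 - - [14/Jun/2025:10:05:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120 "https://shop.example/" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Jun/2025:10:02:11 +0000] "POST /uploads/cache.php HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Jun/2025:10:06:30 +0000] "POST /uploads/cache.php HTTP/1.1" 200 61 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [20/Jun/2025:08:00:01 +0000] "GET /api/export.php HTTP/1.1" 200 900 "https://shop.example/reports" "Mozilla/5.0"',
    "garbled line that will not parse",
]

if __name__ == "__main__":
    for finding in hunt(SNAPSHOT, ACCESS_LOG, BASELINE):
        print(finding.path)
        for reason in finding.reasons:
            print("  -", reason)
```

On the constructed data only `uploads/cache.php` is reported, with all three reasons; `api/export.php` is new since the baseline but has no other signal, so it stays out of the queue, which is the point of requiring agreement between file inventory and traffic rather than alerting on either alone. In a real environment the inventory would come from a file-integrity baseline and the log lines from the web server, and the same structure extends to other persistence tooling by adding further signals.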
What's next: The observed trends suggest that long-term persistence and the shared use of similar tactics will remain central concerns. Defenders and businesses should stay alert to new vulnerabilities and to any correlation with geopolitical events.