Malware 2025: The most dangerous groups of the year

The cybercriminals' arsenal is extensive: social engineering, deepfakes and AI-supported chat tools have turned everyday communication into attack vectors. Stolen passwords or intercepted calls are often enough to gain access to internal systems.

Manipulating identities with AI

With the help of artificial intelligence, which enables phishing, voice cloning and fake job interviews, cybercrime has developed into an instrument of identity manipulation. Attackers use seemingly legitimate credentials to bypass traditional security mechanisms. Although ransomware is no longer constantly setting new records, the market has stabilized at a high level. Today, the blackmail economy relies less on brute force encryption and more on stolen data and strategic pressure.

The six most dangerous offender groups

According to the annual Nastiest Malware Report from OpenText six groups have significantly shaped the year 2025.

1. Qilin (also known as Agenda) is behind over 200 confirmed attacks on hospitals, laboratories and community facilities. In one case, the failure of diagnostic services demonstrably led to the death of a patient. A function in the ransomware control panel that allowed partners to chat directly with a negotiation consultant provided by Qilin was conspicuous. The aim was to standardize extortion and offer professional support even to inexperienced perpetrators. This form of professionalization sets a new benchmark for ransomware-as-a-service and shows how much the criminal infrastructure in the digital underground has evolved.
2. Akira focused on financially strong companies and managed service providers and was responsible for almost one in five documented ransomware incidents worldwide. The group operates with technical precision and clear processes, including support structures and controlled negotiations. Discount campaigns and fixed rules are intended to signal reliability - an approach that is more reminiscent of corporate processes than cybercrime. Akira makes targeted use of VPN vulnerabilities, operates internationally and has developed into a professional ransomware-as-a-service platform.
3. Scattered Spider is one of the most influential groups in 2025. They used social engineering, SIM swapping and deepfake voice imitations to compromise large companies and even bypass modern identity and access systems.
   In September, coordinated arrests broke up the core team, but copycats and spin-offs continue the methods. The combination of technical sophistication, psychological manipulation and targeted identity abuse made the group a key player in the area of access procurement.
4. Play Ransomware was one of the most destructive groups despite receiving little media attention. It compromised entire customer environments by attacking more than 900 managed service providers. It is characterized by the use of intermittent encryption, in which only parts of files are affected. This speeds up execution and makes detection more difficult. In addition, the group uses customized binary files and expanded its toolkit to include modules for virtualized environments such as Linux and ESXi. The targeted exploitation of IT dependencies made Play one of the most dangerous actors of the year.
5. ShinyHunters is one of the most dangerous actors in 2025. The group infiltrates cloud platforms, often remains undetected for months and only publishes stolen data when it can be exploited. Global brands such as Google, Salesforce and Kering have been affected. A key feature is the targeted exploitation of regulatory obligations. In Europe, ShinyHunters often timed the disclosure to coincide with official GDPR notifications. As a result, reputational damage and compliance risks became part of the extortion. The attacks show how closely cybercrime and regulation are now linked.
6. Lumma Stealer is considered the backbone of many modern ransomware operations. The malware collects masses of access data, cookies and tokens from infected systems. This data circulates quickly on darknet marketplaces and is used by groups such as Akira, Qilin and Play as an entry point for targeted attacks. Particularly effective is the combination with social engineering campaigns, such as fake CAPTCHA messages or error messages that trick users into executing malicious commands. This hybrid method undermines many classic protection mechanisms. Lumma shows that even well-secured environments can become vulnerable if a single compromised account gets caught up in the collection routine.

What matters now

Despite improved protection measures and a growing number of organizations refusing to pay, the ransomware scene remains extremely lucrative. Although ransom demands and payments have leveled off at a high level after an increase at the beginning of the year, overall financial losses continue to rise. While some groups are struggling to enforce their claims, well-organized players continue to negotiate settlements in the millions with frightening precision.

This development underlines the extent to which ransomware has professionalized as a business model and how important it is to act in a structured manner on the defence side as well. Many effective measures are known: regular patches, credible backup strategies, robust access controls, hardened remote access and targeted awareness of social engineering. Those who firmly establish these principles in practice not only improve their own ability to react, but also reduce the attack surface in the long term.

Source: OpenText