Cyber Insights 2025: Malware Directions


Cyber Insights 2025 examines expert opinions on the expected evolution of more than a dozen areas of cybersecurity interest over the next 12 months. We spoke to hundreds of individual experts to gain their expert opinions. Here we discuss what to expect with Malware Directions.

Malware directions: motivation and purpose in 2025

Palo Alto Networks’ Cyberpedia describes malware as “any software intentionally designed to harm, exploit, or otherwise compromise devices, networks, or data. Cybercriminals use malware to steal sensitive information, disrupt operations, gain unauthorized access, or demand ransoms from individuals or organizations.”

We define software as instructions that are processed by a computer system. This excludes social engineering, such as phishing emails, that are instructions processed by a human brain. Social engineering is discussed in a separate Cyber Insights article in this series.

Malware is the cyber tool used by adversaries for financial gain, system disruption, cyber espionage, and IP theft. The adversaries are bog-standard criminals, elite nation state hackers, or a mixture of both. However, both the adversary and the tool are influenced by the changing cyber ecosphere.

We will concentrate on three areas that will influence the use of malware through 2025: criminal exploitation (in practice, ransomware); the effect of AI on the use of malware; and the influence of geopolitics through 2025.

Ransomware has been the malware du jour for many jours. 

Will it continue to be so in 2025? 


Undoubtedly. 

The term was coined to define a new form of cybercriminal extortion that involves encrypting system files and demanding payment for a decryption key. The important word is ‘extortion’ – encryption is simply one method of operating extortion. Others exist – such as actually stealing sensitive or confidential proprietary data and demanding payment for its safe return; or adding DDoS either as an additional extortion club or a method of disguising cyber operations, data extraction and criminal departure. 

The precise form of ransom-based extortion will depend on what works best for the criminals – and right now there seems little need to change things. From the criminal viewpoint, this methodology ain’t broken so there’s no need to fix it.


That doesn’t mean it won’t change at all in 2025. “Cybersecurity is very much a cat-and-mouse game,” says Calum Baird, digital forensics and IR consultant at Systal Technology Solutions, “with cyber threat actors developing new tactics and techniques to achieve their goals, and cybersecurity professionals developing skills and technology to prevent, detect, contain, and respond to threats. With this in mind, we can expect to see changes in ransomware (and other cyber threats) throughout 2025.”

Ransomware will adapt as soon as defenders become adept at preventing its success.

In the meantime, most of the changes to ransomware will likely be refinements to an already successful attack methodology. For example, the exfiltration of large amounts of victim data takes time and can expose the attack to the victim. “I predict that ransomware will evolve to include an algorithm, possibly even an AI algorithm, to identify and exfiltrate only the most sensitive data found on a system,” suggests John Wilson, senior fellow, threat research at Fortra. “By prioritizing the data to be exfiltrated, the attacker is more likely to obtain monetizable kompromat without triggering any volume-based alerts.”
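The point about volume-based alerts deserves a concrete illustration. The following is an added example, not code from the article or from any vendor quoted in it: a simple per-host egress volume rule of the kind many SOCs run, applied to constructed egress log lines, alongside one complementary rule (egress to a destination outside a baseline) that still fires on a small, targeted transfer. The log records, the host names, the IP addresses (documentation ranges) and the 500 MiB threshold are all assumptions made for the example.

```python
"""Added example (not from the article): a volume-only egress rule misses a
small, targeted exfiltration; a rarity-based rule is one complementary signal.
All log lines, hosts, destinations and thresholds below are constructed."""
from collections import defaultdict

# Constructed egress records for one monitoring window:
# <timestamp> host=<name> dst=<ip> bytes=<count>
EGRESS_LOG = """\
2025-01-15T09:00:00Z host=ws-01 dst=198.51.100.10 bytes=120000
2025-01-15T09:05:00Z host=ws-01 dst=198.51.100.10 bytes=95000
2025-01-15T09:10:00Z host=ws-02 dst=198.51.100.10 bytes=88000
2025-01-15T09:12:00Z host=ws-07 dst=203.0.113.45 bytes=734003200
2025-01-15T09:13:00Z host=ws-07 dst=203.0.113.45 bytes=712000000
2025-01-15T09:20:00Z host=ws-03 dst=203.0.113.99 bytes=180000
2025-01-15T09:25:00Z host=ws-02 dst=198.51.100.10 bytes=76000
"""

# Hypothetical baseline: destinations this fleet is normally seen talking to.
KNOWN_DESTINATIONS = {"198.51.100.10"}

# Hypothetical volume rule: more than 500 MiB from one host in the window.
VOLUME_THRESHOLD_BYTES = 500 * 1024 * 1024


def parse_log(text):
    """Parse the key=value lines into (timestamp, host, dst, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, *pairs = line.split()
        fields = dict(item.split("=", 1) for item in pairs)
        records.append((timestamp, fields["host"], fields["dst"], int(fields["bytes"])))
    return records


def volume_alerts(records, threshold=VOLUME_THRESHOLD_BYTES):
    """Classic rule: total egress bytes per host over the window above a threshold.
    Catches the bulk dump from ws-07, but not the small transfer from ws-03."""
    totals = defaultdict(int)
    for _, host, _, nbytes in records:
        totals[host] += nbytes
    return sorted(host for host, total in totals.items() if total > threshold)


def rare_destination_alerts(records, known=KNOWN_DESTINATIONS):
    """Complementary rule: any egress to a destination outside the baseline,
    regardless of size. Fires on ws-03's 180 KB transfer as well as on ws-07."""
    return sorted({(host, dst) for _, host, dst, _ in records if dst not in known})


def demo():
    records = parse_log(EGRESS_LOG)
    return {
        "volume": volume_alerts(records),
        "rare_destination": rare_destination_alerts(records),
    }


if __name__ == "__main__":
    for rule, hits in demo().items():
        print(f"{rule}: {hits}")
```

Run as a script it prints the hits of each rule; the 180 KB transfer from ws-03 appears only under the rarity rule, which is the gap a prioritised, low-volume exfiltration is designed to exploit. A real deployment would build the baseline from weeks of history rather than a hard-coded set, but the shape of the two rules is the same.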

Nevertheless, “Anytime the word extortion is used, by definition it is ransomware,” explains Darren Williams, founder and CEO at BlackFog. “The methods that are utilized don’t really dictate the categorization.” 

Extortion-based attacks are still increasing. “Critical sectors like healthcare and manufacturing will likely remain primary targets, with these industries experiencing a sharp rise in attacks. Ransomware-as-a-service could expand, making it easier for less skilled attackers to launch sophisticated campaigns,” says Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster university.


The threat and the malware we loosely categorize as ransomware will continue to grow in 2025.

But – and there is always a ‘but’ in cyber predictions – what we call ransomware is less than a stone’s throw away from what we call ‘wipers’. Encrypted files that cannot be retrieved are effectively destroyed (or wiped). “Most contemporary ransomware builders (shared across numerous actors and operations) include parameters to overwrite (that is, wipe) data as opposed to just encrypting that data. That ability is, and has been for years, just a command-line option away,” warns Jim Walter, senior threat researcher at Sentinel Labs.

“It is not beyond reason to expect actors to be more aggressive with the capability, as opposed to reserving wipers for scenarios where the goal is disruption rather than financial gain. Wipers are good leverage, but not always the best logistical means to their end. Again, most modern ransomware – and many commodity RATs – can already wipe, but this level of destruction is rarely the true goal in the grand scope of offensive cyber operations.” Nevertheless, it is worth noting in a time of rising geopolitical tensions (discussed later) and increasing activity from adversarial nation states.

The use of AI (both LLMs and more contained ML models) will pervade cyber in 2025, and will affect almost every aspect of cybersecurity. The morality and ethics of AI is irrelevant. It exists and it isn’t going away – we simply need to maximize its benefits and minimize its dangers. Automated malware generation and use at scale is one of the dangers; more rapid detection and mitigation of compromise is one of the benefits.

Michael Sikorski, CTO and VP of engineering of Unit 42 at Palo Alto Networks, has little doubt that bad actors will use AI to automate attacks at scale. “In 2025, cybercriminals are expected to further exploit gen-AI to speed up and streamline every stage of the attack lifecycle – from reconnaissance to exfiltration. We expect to see faster, more advanced attacks, like AI-powered ransomware, automated social engineering, and hyper personalized phishing campaigns,” he says.

“Gen-AI is projected to cut attack times dramatically, with incident response data suggesting the mean time to exfiltrate data could drop to just 25 minutes – over 100 times faster compared to 2021. It will also enable attackers to move quickly through networks, automating processes that help them maintain access and spread to other vulnerable systems.”

This is not yet AI-generated malware, but primarily AI assistance in the use of human-made malware attacks. “There is no evidence to suggest that cybercriminals are leveraging AI to develop malware,” suggests Mick Baccio, global security strategist at Splunk SURGe. Rather, “We’ve seen attackers leverage AI systems in other stages of the attack chain, like reconnaissance and phishing to gain initial access to a victim network.” For the moment, attackers are largely exploring the automation potential of AI to scale up existing attack methodologies.

That said, it is equally clear that cybercriminals are also exploring the potential of using AI to automate and speed the process of developing new malware. As long ago as the summer of 2023, Hyas Labs announced “we have built a simple proof of concept (PoC) exploiting a large language model to synthesize polymorphic keylogger functionality on-the-fly, dynamically modifying the benign code at runtime – all without any command-and-control infrastructure to deliver or verify the malicious keylogger functionality. Given the threat posed by this sort of malware, we call our PoC BlackMamba.”

It is not entirely clear how much AI was used to build the malware or simply used within it to enhance the malware. 

BlackMamba was not groundbreaking malware. Nevertheless, it was an early indication of what could happen, and there are signs that what could happen will begin to happen in 2025 – although 2025 may yet be more of a cusp year than a deluge year for AI-generated malware. 

“We may see some AI generated malware,” suggests John Bambenek, president at Bambenek Consulting, “but anyone who has used an AI copilot knows, it can do simple things but maybe only 70% of complicated things. Malware authors may use it to augment and accelerate their work but there probably won’t be sophisticated malware created entirely by AI.”


Baird tends to agree. “It is possible we will see more malware being generated; however, the likelihood of this is uncertain. Hallucinations are still a challenge for gen-AI, meaning that it can provide false data and incorrect code, often with misplaced confidence in its accuracy,” he notes. 

“Cyber threat actors have limited opportunities when compromising systems, and if ineffective AI-generated malware is deployed, it can reduce their chances of success. Such malware can create noise and trigger alerts to security teams without achieving their intended objectives, potentially undermining the attackers’ efforts.”

And yet, in September 2024, HP found an email campaign comprising a standard malware payload delivered by an AI-generated dropper. The researchers inferred AI generation from the comments left in the code, something that even a novice human malware author would not normally leave behind. It was the dropper rather than the main payload that was AI-generated. Nevertheless, the implication is that bad actors are experimenting with generative AI to produce malware; and if so, they will already have learned to instruct their model to omit comments from the code. They are learning.

It will be important to monitor the progress of code generating AI models such as WhiteRabbitNeo to gauge – and indeed, protect against – the potential for new, evasive, AI-generated, vulnerability-focused malware possibly arriving in 2025.

Meanwhile, Randall Degges, head of developer and security relations at Snyk, sees a different effect from AI: the return of injection attacks. “As AI coding tools become a mainstay in development workflows, they introduce fresh security challenges that require vigilant management. Injection attacks are set to re-emerge as a top threat in 2025, fueled by AI-generated code vulnerabilities,” he warns. 

“Once a primary focus in the OWASP Top 10 list, injection vulnerabilities saw a decline in 2021 due to improved security awareness and coding practices. But with AI tools now handling code generation across multiple platforms and frameworks, injection risks are again front and center. AI systems process massive volumes of input data, often without robust validation, creating perfect conditions for injection attacks to resurface.”
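The injection risk Degges describes is easiest to see next to its fix. The following is an added example, not code from the article or from Snyk: a user lookup written the way generated code often comes out (the untrusted value spliced into the SQL text), beside the parameterised version, run against an in-memory SQLite table with constructed rows. The table, the sample users and the hostile inputs are assumptions made for the example.

```python
"""Added example (not from the article): a SQL injection bug of the kind that
appears in generated code, next to the parameterised fix. Uses an in-memory
SQLite database populated with constructed sample rows."""
import re
import sqlite3

# Constructed sample data.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "admin"),
    ("bob", "bob@example.com", "user"),
    ("carol", "carol@example.com", "user"),
]

# Hypothetical allow-list for usernames: defence in depth, not a substitute
# for parameterisation.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Typical generated code: the untrusted value becomes part of the SQL text,
    so quote characters in it change the structure of the query."""
    query = f"SELECT name, email, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_parameterised(conn, name):
    """Hardened: the driver sends the value separately from the query text, so
    it can only ever be compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT name, email, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def lookup_validated(conn, name):
    """Parameterised query plus input validation: reject anything that is not a
    plausible username before it reaches the database at all."""
    if not USERNAME_RE.match(name):
        raise ValueError("invalid username")
    return lookup_parameterised(conn, name)


def demo():
    conn = make_db()
    benign = "bob"
    # Two classic payloads: a tautology, and a comment that swallows the closing quote.
    tautology = "x' OR '1'='1"
    comment_out = "' OR 1=1 --"
    return {
        "vuln_benign": len(lookup_vulnerable(conn, benign)),
        "vuln_tautology": len(lookup_vulnerable(conn, tautology)),
        "vuln_comment": len(lookup_vulnerable(conn, comment_out)),
        "safe_benign": len(lookup_parameterised(conn, benign)),
        "safe_tautology": len(lookup_parameterised(conn, tautology)),
        "safe_comment": len(lookup_parameterised(conn, comment_out)),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case}: {rows} row(s)")
```

Run as a script it shows the vulnerable lookup returning every row for either hostile input while the parameterised lookup returns none; the same pattern applies to any query builder, ORM raw-query method or shell command where generated code concatenates input instead of passing it as a bound parameter or argument list.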

The subject we don’t like to talk about, and the influence we don’t like to discuss, is the effect of geopolitics on adversarial cyberattacks. This is surprising since we all suffer from the effects. 

More than 40 groups have been given the ‘APT’ epithet since Mandiant started the series with the Chinese military-linked APT1 (aka PLA Unit 61398, Comment Panda, Comment Crew and other names). Although there is no official rule, the APT epithet is effectively linked to nation-sponsored cyber groups.

If a nation-state group targets organizations outside of its home country, how is that not driven by geopolitics? If a nation-state group targets organizations in ‘Western’ countries, and the nation concerned is traditionally anti-West, can we not expect increasing geopolitically driven attacks whenever geopolitical tensions rise?

That is a valid question for 2025, since arguably global geopolitics have not been as tense as they are at the outset of 2025 at any point since the Cold War ended in 1991. The problem for cybersecurity defenders in the West is that nation state actors tend to be the elite of the elite cyber aggressors, with extensive resources. They do not need a quick financial ROI on their efforts like average cybercriminals – they are mostly driven by ideology and can take the time to go deeper and persist longer than the typical non-state cybercriminal.

And their purpose is more ‘warlike’ than the average cybercriminal, whether it be to steal IP to gain national economic advantage, or to insinuate themselves into critical industry to gain the potential to disrupt and cause economic and social chaos. This is what we need to consider for 2025 – will worsening geopolitical conditions lead to increased activity from nation-state actors; and, if so, how is that activity likely to manifest itself?

Christian Have, CTO at Logpoint, doesn’t believe we’ll see any great escalation in 2025 – largely, perhaps, because hybrid warfare is already rampant, and it is generally accepted that further escalation could trigger a NATO Article 5 response – which is the red line no-one wishes to cross. But he accepts that geopolitics is already affecting cyber: “As European countries begin to activate their industrial base to produce ammunition and weapons, we see that the mid-sized companies that are suppliers or manufacturers increasingly get targeted by more complex attacks than they are used to.”

Nathaniel Jones, VP of threat research at Darktrace, is less certain. He points to Chinese state actors developing specialized malware for embedded systems, targeting routers and firewalls to create persistent backdoors that bypass traditional endpoint protection measures. “The EDR-killer malware we observed in 2024 was just the beginning. We anticipate seeing more AI-generated malware in 2025, but with highly targeted applications.” 

He adds, “The combination of AI-powered development and nation-state resources could create unprecedented challenges for defensive measures. The geopolitical landscape will continue to shape targeting priorities by both nation states and hacktivists.”

Wilson takes a similar view. “Sanctions against Iran, North Korea, and Russia have resulted in literal armies of hackers focused on stealing to fund their national aspirations. Every conflict in 2025 and beyond will include a cyberspace component. Malware development is every bit as crucial to national defense as the development of weapons systems.”

However, Nadir Izrael, CTO at Armis, is blunt and direct. “Nation-states and rogue factions are rapidly integrating cyberattacks into their military arsenals, with cyber operations becoming a first-strike option in geopolitical conflicts.” Attacks against critical infrastructure can create national chaos without firing a single physical shot.

In 2025, he continues, “We expect to see an escalation in state-sponsored cyberattacks aimed at creating widespread disruption and psychological stress. These attacks will be characterized by increased sophistication, as governments turn to advanced technologies, including AI-driven malware, to outmaneuver their targets.”

Rodman Ramezanian, global cloud threat lead at Skyhigh Security agrees. “Geopolitics are already influencing malware development and use, and it’s almost certainly something that will intensify in 2025.” He points to the Middle East as an example.

“Many countries throughout the Middle East to Southeast Asian regions will continue to pursue their own geopolitical objectives through greater investments into cyber espionage and disruptive operations. In 2025, it’s easy to see Russia continuing its focus on espionage tied to the Ukraine conflict and destabilizing NATO-aligned countries, while China is likely to prioritize stealthy access to critical infrastructure, especially targeting electoral processes in Taiwan and the United States. As mentioned earlier, ransomware attacks and sophisticated extortion methods will continue to threaten organizations whose security practices aren’t yet matured.”

It is worth considering the Middle East. The two main antagonists have been active in real cyberwar for many years – first with Stuxnet and then with Iranian retaliation, including wipers. So far, this activity has been largely constrained to the Middle East. But there remains the possibility that it might escalate to involve the three major cyber nations: the USA, Russia and China. We have already noted that the move from ransomware to wiper is simple. So, it is worth noting that a major Russian ransomware group, Evil Corp, has close and familial ties to the Russian FSB.

In October 2024, the UK’s National Crime Agency sanctioned 16 individuals tied to Evil Corp, ‘once believed to be the most significant cybercrime threat in the world’. This included the head of Evil Corp (Maksim Yakubets, already indicted in the US) and “Yakubets’ father, Viktor Yakubets, [and] his father-in-law, Eduard Benderskiy, a former high-ranking FSB official”.

Given the fluidity between major cybercriminals and state agencies, especially in Russia, there is always the possibility that a cybercrime group could accidentally go too far and trigger direct and overly aggressive nation-state activity.

We have looked at potential directions for malware and its use under three headings but through a somewhat pessimistic lens. The use of ransomware (extortion) by cybercriminals will continue to expand because it remains successful. In the hands of ideologically driven hacktivists whose purpose is disruption rather than financial gain – and this could include state-sponsored elites from the unpredictable North Korea and Iran – ransomware could easily evolve into unattributable state wipers. The state simply denies involvement and points the finger at criminals they do not control.

Direct nation-sponsored elite groups are likely to increase their activity because of global geopolitical tensions. If the tensions increase, so will the activity; if tensions decrease, we can hope the activity will also decrease. For the most part, we won’t know the extent of nation state activities simply because of the skill, the resources and the patience they can employ. We can be certain it will happen, but we must hope that nobody pulls the cyber trigger.

In the background, the continuing advance of AI brings the likelihood of effective, specific vulnerability-targeted new malware automatically produced in hours rather than days or weeks ever closer.

None of this will necessarily happen in 2025. But all of it could happen.

Related: AI-Generated Malware Found in the Wild

Related: 5.6 Million Impacted by Ransomware Attack on Healthcare Giant Ascension

Related: EU Makes Urgent TikTok Inquiry on Russia’s Role in Romanian Election Turmoil

Related: What is Cyberwar?
