Hacktivist alliances, backdoored AI, and supply chain attacks: predictions for the 2025 APT landscape
Expected trends in the advanced persistent threat (APT) landscape of next year include the emergence of hacktivist alliances, the growing use of AI-powered tools by state-affiliated actors, an increase in supply chain attacks targeting open-source projects, and a rise in malware development leveraging Go and C++.
In its latest report, Russian cybersecurity company Kaspersky has outlined its predictions for the 2025 APT landscape. By monitoring over 900 APT groups and operations worldwide, the firm provides a roadmap for organizations and cybersecurity professionals to prepare for the year ahead.
Hacktivist alliances
Hacktivist alliances are collaborative groups or networks of hackers united by a shared political or social agenda. These alliances typically use their technical expertise to engage in cyberattacks, digital protests, or other online activities to promote their cause or disrupt opposing entities.
Over the last couple of years, these groups have begun to closely tie their operations to socio-political conflict, the report says. Initially, their efforts were aimed at garnering public attention, but hacktivist groups have since shifted toward more impactful objectives, such as targeting GNSS systems.
Hacktivism has evolved, with groups forming alliances like the ‘Holy League’, uniting dozens of hacker groups. These alliances often respond to fast-moving events, such as the defacement of French websites after Telegram CEO Pavel Durov's arrest. Beyond shared motivations, they also exchange tools and infrastructure, enabling more ambitious and organized campaigns. This strategy has strengthened hacktivism, paving the way for increasingly impactful actions, including potential ransomware deployment, and often exposing vulnerabilities in underfunded security systems, the report warns.
Open-source supply chain attacks
A significant campaign this year involved the backdooring of XZ, a popular open-source compression tool for Linux distributions. Using social engineering, attackers gained persistent access to the development environment, remaining undetected for years.
This incident underscores vulnerabilities in the open-source ecosystem, where critical projects are often maintained by a small, under-resourced team, making them targets for advanced persistent threat (APT) groups. The XZ case has drawn attention to the need for better monitoring of open-source projects, the report says, which could lead to more discoveries of ongoing supply chain attacks.
C++ and Go malware
With the growing adoption of C++ and Go in open-source projects, threat actors are expected to adapt their malware to these languages, Kaspersky warns. By 2025, APT groups and cybercriminals are anticipated to shift notably toward C++ and Go, leveraging the languages' strengths and increasing prevalence.
While other languages will see less frequent use, C++ and Go are likely to dominate malware development, as attackers exploit their features to penetrate systems and evade defenses.
Broadening the use of AI
The use of LLMs will become a standard practice for attackers, the report warns, much in the same way defenders have increasingly incorporated AI and machine learning tools into their cybersecurity strategies. Attackers use LLMs for reconnaissance, automating vulnerability identification and gathering target-specific information. They also employ AI for creating malicious scripts and post-exploitation commands, boosting their success rates.
To evade detection by companies like OpenAI, attackers are likely to develop local LLMs or disguise activities on public platforms through tactics such as using multiple accounts, careful input management, and limiting data exposure to corporate systems like Google, Microsoft, and OpenAI.
In addition to these threats, Kaspersky also warns of the rise of deepfakes, an increase in BYOVD (bring your own vulnerable driver) exploits in APT campaigns, and the IoT becoming a growing attack vector for APTs in 2025. The full report and a review of last year’s predictions can be found here.