Acronis has published its semi-annual report “Acronis Cyberthreats Report H2 2025: From Exploits to Malicious AI”, in which it analyzes the evolution of threats globally based on telemetry collected by the Acronis Threat Research Unit (TRU) and its sensor network.

The report confirms a sustained growth trend in identity-based attacks, phishing, malware and ransomware, as well as the increasingly operational integration of artificial intelligence into advanced malware campaigns.

Coordinated large-scale campaigns

In the European context, Acronis's analysis identifies Spain as one of the markets with the highest normalized exposure to malware detections during 2025, with peaks associated with large-scale coordinated malware campaigns. The report also observes that certain Spanish-language malware campaigns, initially active in Latin America, subsequently expand to Europe, placing Spain in a strategic position within these transcontinental dynamics.

Globally, email-based attacks grew 16% year-over-year per organization and 20% per user. Phishing remained the top malware entry vector, responsible for 52% of attacks targeting MSPs, while advanced malware threats against collaboration platforms increased significantly, rising from 12% in 2024 to 31% in 2025.

Among the main trends identified in 2025 are:

  • The malicious use of legitimate tools such as PowerShell, established as one of the utilities most exploited by attackers to deploy malware.
  • The prevalence of phishing, which accounted for 83% of all email malware threats in the second half of the year.
  • The increasing integration of AI into key phases of attacks, from reconnaissance to negotiation of ransomware and associated malware.
  • The persistence of critical vulnerabilities in platforms used by MSPs, which facilitate the spread of malware.
  • The sustained impact of malware on sectors such as manufacturing, technology and healthcare, due to their need for high availability and the complexity of their environments.

Use of AI for extortion campaigns

During 2025, there was also a significant increase in the use of AI to automate malware-based extortion campaigns, optimize social engineering techniques, and scale operations. Groups such as GLOBAL GROUP and GTG-2002 used AI-assisted capabilities to maximize the impact of their malware, demonstrating a transition towards a more automated, scalable and sophisticated cybercrime model.

“The threat landscape is evolving rapidly. Attackers are not only sticking to traditional methods like phishing or ransomware, but are integrating artificial intelligence into their malware operations to act faster and more effectively,” said Gerald Beuchelt, CISO at Acronis. “This new stage requires organizations to combine defensive automation with operational resilience and real recovery capacity.”

Ransomware as the main threat

Ransomware continued to be a dominant threat within the malware ecosystem. More than 7,600 victims were publicly disclosed globally in 2025, with nearly 150 MSPs and telecom sector organizations directly affected by this type of malware. Among the most active groups were Qilin (962 victims), Akira (726) and Cl0p (517). The United States recorded the highest number of victims, although the impact of malware remained high in Europe.

Supply chain and MSP attacks remain a critical vector for malware spread. The exploitation of vulnerabilities in remote access and remote management tools led to the compromise of more than 1,200 third-party organizations and vendors, underscoring the importance of strengthening controls against malware in interconnected environments.

In this context, the Acronis report highlights the need to adopt an integrated cyber protection approach that combines prevention, detection, automation and recovery capacity against malware, especially in European markets such as Spain, where regulatory pressure and accelerated digitalization raise the level of exposure.