Cyber Intelligence
Trends in the Evolution of Cyberattacks
This report contains selected cybersecurity information from 31 October to 13 November 2025
This report is TLP:CLEAR¹
David Swan Director, CSCIS Cyber Intelligence Defence Centre (CIDC)
Publisher – CSCIS / David Swan, Director CIDC
This report is TLP:CLEAR¹ and MAY be shared freely.
Synopsis
1. AI is being used to adapt cyberattacks in real time. NETSCOUT is reporting how AI is being used to “supercharge” DDoS attacks. Globally, cyberattacks are surging again. Russian hackers have invented Linux malware that attacks Windows computers. Poland and Belgium were subjected to DDoS attacks. Russia has surged cyberattacks against Ukraine and its “strategic partners.” PRC hacking teams are increasingly collaborating, sharing victim data and methodologies. A U.S. think tank warns that the PRC is approaching cyber espionage strategically.
2. It is our assessment that the three major cyber conflicts—Russia vs. Ukraine, Iran vs. Israel, and the People’s Republic of China—are the most likely sources for the creation of next-generation malware and/or primary sources of cyberattacks. This includes government-funded hackers (military, intelligence, and civilian employees), affiliated hackers (criminals and mercenaries), and volunteer “supporters.”
Evolution in Cyber Threats
3. Criminals Using AI to Adapt Attacks in Real Time.
The warning has been clear for months: cybercriminals are increasingly using AI to build malware, plan attacks, and craft phishing lures. Now Google’s Threat Intelligence Group (GTIG) is warning that attackers are deploying AI-powered malware that adapts behavior during execution.
“For the first time, GTIG has identified malware families, such as PROMPTFLUX and PROMPTSTEAL, that use Large Language Models (LLMs) during execution. These tools dynamically generate malicious scripts, obfuscate their own code to evade detection, and leverage AI models to create malicious functions on demand rather than hard-coding them into the malware. … This represents a significant step toward more autonomous and adaptive malware.”
These attacks are also being used by nation-states. The GTIG report warns:
“State-sponsored actors from North Korea, Iran, and the People’s Republic of China (PRC) continue to misuse generative AI tools, including Gemini, to enhance all stages of their operations—from reconnaissance and phishing lure creation to C2 development and data exfiltration.”²
4. DDoS Attacks Are Being Supercharged by AI.
DDoS attacks range from irritating disruptions to havoc-wreaking incidents that can shut down critical infrastructure, businesses, and governments. Attackers compromise computers and devices (such as routers and network servers) to be used as relays and repeaters, greatly increasing attack volume.
Attacks are prolific:
“In the first half of 2025, NETSCOUT³ observed more than 8 million … with vast botnets of tens of thousands of hardware components delivering sustained attacks that lasted an average of 18 minutes.”
AI enhances DDoS attacks in several ways:
- AI reduces the level of technical knowledge required by doing much of the hard work
- AI accelerates automation, making DDoS attacks more effective
- AI enables attackers to adapt attacks in real time, allowing them to “adjust and fine-tune their attacks based on real-time data to bypass defenses, pinpoint vulnerabilities, and increase output”
- AI can control attacks, repeating them for days or weeks
- “AI-driven bots can imitate individuals’ browsing behavior, making it increasingly difficult for established defense measures to thwart attacks”⁴
Analysts’ Comment: Cybersecurity analysts are increasingly convinced they are observing evidence of AI-driven DDoS attacks.
5. Global Cyberattacks Surge in October 2025.
Cybersecurity companies such as Check Point Software Technologies report that:
“In October 2025, the global volume of cyberattacks continued its upward trajectory. Organizations worldwide experienced an average of 1,938 cyberattacks per week, marking a 2% increase from September and a 5% rise compared to October 2024.”
The increase is attributed to “the growing sophistication of ransomware operations and the expanding risks associated with the adoption of generative AI (GenAI).”
Top target sectors were education, telecommunications, government organizations, and hospitality. In ransomware activity, “North America accounted for the majority of incidents (62%), followed by Europe (19%). The United States remained the primary target, responsible for 57% of reported victims and a staggering 56.8% month-over-month increase. … Other heavily impacted countries included Canada (5%), France (4%), and the United Kingdom (3%).”⁵
Russia
6. Russian Hackers Create Linux Malware That Runs on Windows.
Two Bitdefender researchers, aided by Georgia’s CERT, identified a new cyberattack created by Russia’s “Curly COMrades.” Active since 2023, the group developed malware that installs a Linux virtual machine inside Windows, allowing Linux-based malware to run undetected. Microsoft Windows systems are not designed to detect Linux malware.
The attack’s file and system-resource footprint is considered “very light,” making it harder to detect.
“The sophistication demonstrated by Curly COMrades confirms a key trend: as EDR/XDR solutions become commodity tools, threat actors are getting better at bypassing them through tooling or techniques like VM isolation,” the report concludes. “To counter this, organizations must move beyond relying on a single security layer and implement defense-in-depth, multilayered security. It is critical to start designing the entire environment to be hostile to attackers.”⁶
7. Poland Suffers Multiple DDoS Attacks.
On 1 November, Poland’s BLIK mobile payment system was struck by distributed denial-of-service (DDoS) attacks. Following the payment outage, the Warsaw-based travel company ITAKA experienced a separate cyberattack, resulting in the leak of login details for some customers.⁷
On 2 November, this was followed by “a large-scale cyberattack that compromised personal data belonging to clients of SuperGrosz, an online loan platform operated by AIQLABS.” Deputy Prime Minister and Minister for Digital Affairs Krzysztof Gawkowski warned that “criminals had gained access to sensitive personal information.”⁸
In a follow-up interview, Minister Gawkowski stated that “the attack originated from outside Poland, most likely hackers from Russia or Belarus.” He added that Poland is “now in a state of absolute war” as it faces “powerful attacks and incidents” in cyberspace every day. Tomasz Siemoniak, Minister-Coordinator of the Polish Special Services, stated on RMF24 that Poland is one of the primary targets for Belarusian special services, which are “concentrated on Poland” and specialize in it.⁹
8. Belgium Receives DDoS Attacks.
On 5 November, “a coalition of eight hacktivist threat groups with pro-Russian and pro-Palestinian affiliations … announced a campaign targeting Belgium’s internet infrastructure.”¹⁰ The resulting cyberattacks targeted Belgian telecom operators Proximus and Scarlet. Although there was a sharp increase in internet traffic, the impact was assessed as very limited.
Around the same time, Ghent University Hospital (UZ Gent) was inconvenienced by a DDoS attack.¹¹ NoName057 claimed responsibility, but none of the Belgian sites reported being hacked or taken offline.
9. Russian Hackers Hide Malware in Fake ESET Installers.
Russia-linked hackers known as “InedibleOchotense” used trojanized ESET installers in phishing attacks against Ukraine. ESET is a cybersecurity company known for producing high-quality security software.
“The hackers’ phishing email impersonated ESET, warning users of suspicious activity linked to their email and urging them to download ‘official threat removal software.’”¹² Some sources link InedibleOchotense to Sandworm, a known Russian government hacking group.
This attack is one component of a “surge in espionage and financially motivated cyber operations” targeting Ukraine and its strategic partners. “Sandworm intensified destructive cyber operations against Ukraine in mid-2025, deploying multiple data-wiping malware variants across government, energy, logistics, and grain sectors.”¹³
People’s Republic of China (PRC)
10. PRC Hacking Teams Improve Collaboration and Malware Tooling.
Trend Research has observed instances of hacker cooperation, such as PRC APT Earth Estries providing a compromised asset to PRC APT Earth Naga, also known as Flax Typhoon. This “represents a new level of coordination in cyber campaigns, particularly among China-aligned APT actors.”¹⁴
Analysts’ Comment: Although their target sets overlap, their operations were previously separate and distinct.
11. In a separate report by Broadcom’s Symantec and Carbon Black teams, a legitimate component was used to load the DLL “sbamres.dll.”¹⁵ This DLL was previously used by PRC hackers Space Pirates and later by Salt Typhoon.
“The sharing of tools among groups has been a long-standing trend among Chinese threat actors, making it difficult to say which specific group is behind a set of activities.”¹⁶
Analysts’ Comment: This assessment is inaccurate. Most PRC government hacking teams have historically been highly possessive of their unique malware and methodologies, which enabled attribution. Increasing collaboration among government hackers and hacking organizations represents a new trend.
12. Think Tank Warns the U.S. About Chinese Economic Espionage.
The Information Technology & Innovation Foundation (ITIF) warns:
“China’s campaign of economic espionage against the United States spans cyber intrusions, insider theft, and technology transfer disguised as collaboration. … Washington must recognize that Beijing is operating an elaborate espionage ecosystem and take strategic measures to disrupt it. … The Chinese Communist Party runs the most advanced data-collection and espionage system on earth. … They are combining that with cyber hacking at a scale that Russia or Iran literally do not have the resources to do.”¹⁷
For more information on the CIDC or this Intelligence Report, or to arrange a dedicated briefing, please contact cidc@cscis.org