CyberLeveling Logo
Top Cyber Threat Actors Impacting Europe (2025 → 2026)

Top Cyber Threat Actors Impacting Europe (2025 → 2026): Tactics, Techniques, Playbooks, and Tools

Introduction

In 2026, cyber threat activity in Europe continues to evolve toward identity-centric intrusions, cloud exploitation, and human-driven tradecraft. Modern adversaries increasingly rely on valid credentials, trusted platforms, and legitimate administrative tools, reducing their dependence on traditional malware.

This post analyzes four of the most impactful threat actors affecting Europe during this period, focusing on:

  • Observed tactics and techniques (TTPs)
  • End-to-end intrusion playbooks
  • Malicious and legitimate tools used by attackers
  • Operational patterns and targeting trends

The actors covered are:

  • SCATTERED SPIDER (eCrime / ransomware)
  • VIXEN PANDA (APT15) (China-nexus espionage)
  • HAYWIRE KITTEN (Iran-nexus espionage and hacktivism)
  • LAZARUS GROUP (North Korea-nexus espionage and financial crime)

1. SCATTERED SPIDER

Cl0p-linked Ransomware | Eastern Europe | eCrime

Overview

SCATTERED SPIDER is an English-speaking cybercriminal syndicate active since 2022. Initially focused on CRM providers and telecom/BPO environments, the group rapidly expanded into retail, insurance, aviation, manufacturing, and healthcare across Europe and the UK.

By 2024–2025, the group became especially known for:

  • VMware ESXi ransomware operations
  • Identity compromise through help-desk social engineering
  • Double-extortion campaigns involving large-scale data theft

Its motivation is strictly financial, with operations designed for speed, scale, and operational disruption.

Common Targets

  • VMware vCenter / ESXi
  • Microsoft Entra ID (Azure AD)
  • Okta and SSO platforms
  • VPN infrastructure
  • IT help desks and privileged accounts

MITRE ATT&CK v13 – Common Techniques

TacticTechnique
Initial AccessSpearphishing Attachment (T1566.001), Valid Accounts (T1078)
ExecutionUser Execution (T1204.002), PowerShell (T1059.001)
PersistenceAccount Manipulation (T1098), Remote Access Tools (T1219)
Privilege EscalationDCSync (T1003.006)
Defense EvasionLog Deletion (T1070), Obfuscated Files (T1027)
Credential AccessLSASS Dumping (T1003.001), Credential Phishing (T1566.003)
DiscoveryAccount Discovery (T1087), Network Share Discovery (T1135)
Lateral MovementRemote Services (T1021), Cloud Session Abuse (T1530)
Command & ControlTunneling (T1572), HTTP/S (T1071.001)
ExfiltrationCloud Storage (T1567.002), Web Services (T1567.001)
ImpactData Encryption (T1486), Data Destruction (T1485)

Intrusion Playbook

Initial Access

Attackers impersonate employees in voice-based help-desk attacks, requesting MFA resets for Entra ID or O365 accounts. SIM-swapping is often used to intercept SMS-based MFA, resulting in valid credential access.

Execution and Discovery

With legitimate credentials, attackers log directly into cloud and on-prem environments. They enumerate Active Directory and virtualization infrastructure using PowerShell, ADExplorer, and ADRecon.ps1.

Persistence

Legitimate remote management tools such as AnyDesk and TeamViewer are installed. Administrative accounts may be modified or new accounts created. Persistent access to vCenter is established.

Privilege Escalation

With vCenter or ESXi administrative access, attackers attach domain controller virtual disks to attacker-controlled VMs and dump ntds.dit using DCSync. Additional credentials are extracted using Mimikatz.

Defense Evasion

Audit logs are deleted. Exchange transport rules are created to silently remove MFA reset and security alert emails. Network traffic is tunneled through Chisel, ngrok, Teleport, and Pinggy, often via *.trycloudflare.com infrastructure.

Command and Control

Custom HTTP/S tunnels and cloud-based proxies are used for remote access and command execution. Tools such as MobaXterm are frequently observed.

Exfiltration

Sensitive data is staged and exfiltrated using AWS S3. Attackers have used S3 Browser to download data from victim buckets and re-upload it to attacker-controlled infrastructure.

Impact

ESXi ransomware is deployed across virtualized environments. Victims are threatened with public data leaks if ransom demands are not met.

Activity Trends (2025 → 2026)

  • Faster intrusion timelines
  • Increased reliance on identity abuse
  • Continued focus on VMware environments
  • Large-scale campaigns across Europe using extortion-only or encryption-plus-leak models

2. VIXEN PANDA (APT15 / Ke3chang)

China-Nexus | Strategic Espionage

Overview

VIXEN PANDA is a long-running China-linked advanced persistent threat group active since at least 2010. The group conducts long-term intelligence collection operations targeting:

  • Government and diplomatic organizations
  • Defense and aerospace firms
  • Energy and critical infrastructure
  • Biotech and healthcare research

Motivation is geopolitical espionage and intellectual property theft, not immediate disruption.

MITRE ATT&CK v13 – Common Techniques

TacticTechnique
Initial AccessSpearphishing Attachment (T1566.001)
ExecutionUser Execution (T1204.002), Scheduled Tasks (T1053.005)
PersistenceValid Accounts (T1078)
Privilege EscalationLSASS Dumping (T1003.001)
Defense EvasionObfuscated Files (T1027), Masquerading (T1036)
Credential AccessPassword Store Access (T1555), Input Capture (T1056)
DiscoverySystem and Network Discovery (T1033, T1016)
Lateral MovementRemote Services (T1021)
Command & ControlWeb Services (T1071.001 / .003)
ExfiltrationWeb Services (T1567.001), Cloud Storage (T1567.002)

Intrusion Playbook

Initial Access

Highly targeted spear-phishing emails deliver malicious Office or RTF documents, often themed around geopolitical events or government communications.

Execution

When opened, documents install custom backdoors such as iWebRAT, Mirage/MagicFire, RoyalCli, or BS2005. Payloads are often signed or masquerade as legitimate binaries.

Persistence

Backdoors are installed for long-term access. Scheduled tasks, registry keys, and service accounts are commonly used.

Privilege Escalation and Credential Access

Tools like Mimikatz extract credentials from memory. Token theft and known Windows privilege escalation vulnerabilities may be leveraged.

Discovery and Lateral Movement

The group performs extensive environment mapping and moves laterally via RDP and SMB using harvested credentials.

Command and Control

C2 traffic typically uses HTTPS. In some campaigns, email protocols (IMAP/SMTP) or compromised websites act as covert channels.

Exfiltration and Impact

Data is compressed using 7-Zip or WinRAR and exfiltrated over encrypted channels. Operations focus on long-term data theft rather than immediate damage.

3. HAYWIRE KITTEN

Iran-Nexus | Espionage and Hacktivism Hybrid

Overview

HAYWIRE KITTEN is an Iran-linked threat actor active since around 2020. The group combines credential-focused espionage with public-facing hacktivist operations, including data leaks and DDoS attacks.

Targets include:

  • Technology firms
  • Renewable energy companies
  • Manufacturing
  • News media and public institutions

MITRE ATT&CK v13 – Common Techniques

TacticTechnique
Initial AccessSpearphishing Attachment (T1566.001)
ExecutionUser Execution (T1204.002), DLL Side-Loading (T1574.002)
PersistenceWeb Shells (T1505), Social Media Accounts (T1585)
Credential AccessPhishing for Credentials (T1531)
Command & ControlHTTP/S (T1071.001)
ExfiltrationExfiltration Over C2 (T1041)
ImpactDenial of Service (T1498), Data Leakage (T1565)

Intrusion Playbook

Initial Access

Microsoft-themed phishing emails deliver PDFs or links impersonating Microsoft login or career portals.

Execution

Attachments or links lead to credential harvesting pages or install lightweight malware via sideloaded DLLs.

Credential Access

Victims are redirected to convincing fake Entra ID login pages. Submitted credentials are harvested and reused.

Persistence and Infrastructure Abuse

Social media platforms and legitimate hosting services are used to host phishing kits and manage stolen credentials.

Command and Control

C2 often consists solely of phishing infrastructure and HTTPS callbacks.

Impact

Stolen data may be publicly leaked. DDoS attacks are occasionally launched against media organizations to amplify messaging.

4. LAZARUS GROUP

North Korea | Espionage and Financial Crime

Overview

The Lazarus Group is North Korea’s most prominent cyber actor, active since at least 2009. It conducts espionage, sabotage, and large-scale financial theft, including cryptocurrency heists.

In Europe, Lazarus has recently focused on:

  • Defense and aerospace
  • UAV and drone development
  • Cryptocurrency platforms

MITRE ATT&CK v13 – Common Techniques

TacticTechnique
Initial AccessSpearphishing (T1566.001), Supply Chain Compromise (T1195)
ExecutionDLL Side-Loading (T1574.002), User Execution (T1204.002)
PersistenceRegistry Run Keys (T1547.001), Services (T1050)
Credential AccessKeylogging (T1056), Credential Dumping (T1003)
DiscoveryNetwork and Service Discovery (T1016, T1595)
Lateral MovementRemote Services (T1021)
Command & ControlHTTPS (T1071.001), In-Memory Execution (T1620)
ExfiltrationEncrypted C2 Channels (T1041)
ImpactData Destruction (T1485), Encryption (T1486), Crypto Theft (T1496)

Intrusion Playbook

Initial Access

Spear-phishing campaigns pose as recruiters offering job opportunities. In supply-chain cases, trojanized software installers are used.

Execution

Malicious DLLs are side-loaded by legitimate executables, deploying custom RATs such as ScoringMathTea, LightlessCan, or BlindingCan entirely in memory.

Persistence and Privilege Escalation

Registry keys, services, and scheduled tasks ensure persistence. Local and domain privileges are escalated using stolen credentials or exploits.

Discovery and Lateral Movement

Systems and networks are mapped extensively. Lateral movement occurs via RDP, SSH, and administrative tooling.

Command and Control

C2 traffic uses encrypted HTTPS, DNS, or anonymization networks. Payloads are dynamically loaded in memory.

Exfiltration and Impact

Data is compressed and exfiltrated. In financial operations, cryptocurrency is stolen and laundered through complex blockchain chains. In some cases, destructive wipers are deployed.

What We Can Learn from Top Threat Actors (2025 → 2026)

When you strip away names, regions, and motivations, the top actors affecting Europe in 2025 → 2026 are converging on the same operating model. Here’s what they all have in common—and what it tells us about modern cyber operations.

1. Identity Is the Primary Attack Surface

All actors prioritize valid credentials over exploits.

Common across:

  • SCATTERED SPIDER
  • VIXEN PANDA
  • HAYWIRE KITTEN
  • LAZARUS

They consistently abuse:

  • Entra ID / Azure AD
  • Okta and SSO platforms
  • VPN credentials
  • Help desk workflows
  • MFA reset processes

Why this works

  • Credentials bypass EDR
  • Cloud identity provides immediate, broad access
  • Logging and visibility are fragmented across services

Lesson: The modern intrusion starts with who you are, not what you run.

2. Social Engineering Outperforms Technical Exploits

Every actor uses human manipulation as a first-class tactic:

  • Phone-based help desk impersonation
  • MFA fatigue and reset abuse
  • Fake recruiters and job offers
  • Microsoft-themed phishing
  • Trust-based pretexts using real employee data

Even state-sponsored actors rely heavily on:

  • PDFs
  • Office documents
  • Email and phone trust

Where zero-days fit

Zero-day exploits are not the primary entry vector, but they are still used when:

  • Social engineering fails
  • Targets are hardened
  • Scale or speed is required (e.g., mass exploitation)

Lesson: Humans remain the most reliable initial access vector—even when exploits exist.

3. Legitimate Tools Are the New Malware

Across all groups, living-off-the-land and legitimate software dominate.

Commonly abused legitimate tools

  • PowerShell
  • AnyDesk / TeamViewer
  • ADExplorer / ADRecon
  • VMware vCenter
  • S3 Browser
  • 7-Zip / WinRAR
  • MobaXterm
  • ngrok / Cloudflare tunnels

Custom malware is used only when necessary (primarily by Lazarus and VIXEN PANDA).

Role of zero-days here

Zero-days often:

  • Enable initial footholds into otherwise inaccessible systems
  • Provide privilege escalation when credentials are insufficient
  • Enable silent lateral movement without triggering controls

But once access is gained, legitimate tools take over.

Lesson: Modern attacks look like IT administration until it’s too late.

4. Cloud and Virtualization Are High-Value Targets

All actors increasingly target:

  • VMware ESXi
  • Azure / AWS environments
  • SaaS data stores
  • Cloud IAM roles and sessions

Cloud platforms offer:

  • Massive data concentration
  • Weak segmentation
  • Inconsistent logging
  • Shared-responsibility blind spots

Zero-days against:

  • VPNs
  • Hypervisors
  • Cloud connectors
  • Identity federation components

…dramatically reduce time to full compromise.

Lesson: Cloud compromise often equals organization-wide compromise.

5. Speed and Stealth Are Balanced Differently — But the Path Is the Same

Actor TypePriority
eCrime (SCATTERED SPIDER)Speed, disruption, extortion
China-nexus APTStealth, persistence
Iran-nexus actorsAccess and visibility
DPRK (Lazarus)Precision and monetization

Despite different goals, the entry, movement, and expansion techniques are nearly identical.

Zero-days adjust tempo, not direction.

Lesson: Motivation changes the end, not the path.

6. Data Theft Happens Before Any “Impact”

Across all actors:

  • Data is enumerated early
  • Sensitive repositories are identified
  • Exfiltration happens quietly

Impact (ransomware, leaks, sabotage) comes last.

Even ransomware groups treat encryption as leverage, not the objective.

Zero-days may:

  • Accelerate access to sensitive systems
  • Enable stealthy data collection
  • Bypass controls protecting high-value data

Lesson: By the time impact is visible, the operation is already complete.

7. Attribution Is Harder — and Less Important — Than Ever

Shared infrastructure, overlapping tooling, and reused techniques mean:

  • Multiple actors look identical at early stages
  • Initial access tradecraft is indistinguishable
  • Names matter less than behaviors

Zero-day use does not guarantee attribution clarity—exploits are reused, sold, and shared.

Lesson: Defending against techniques is more effective than defending against actors.

8. The Big Pattern: Convergence

The most important insight:

State-sponsored APTs and elite cybercrime groups are converging into a single operational model.

That model is:

  • Identity-first
  • Human-driven
  • Cloud-native
  • Tool-light
  • Data-centric

Zero-days are force multipliers, not foundations.

This convergence will accelerate into 2026.

Final Takeaway

If you remember one thing from all of this:

Modern cyber operations succeed not because they are technically complex, but because they exploit trust, identity, and normal business processes.

The attackers winning today:

  • Don’t need zero-days
  • Don’t need loud malware
  • Don’t need persistence on disk

But when they have zero-days, their lives become easier, faster, and quieter.

They ultimately just need:

  • One identity
  • One trusted workflow
  • One blind spot

Conclusion

In 2026, the most impactful threat actors affecting Europe continue to demonstrate a shared reliance on:

  • Identity compromise over exploits
  • Legitimate administrative tools over custom malware
  • Cloud services and trusted platforms for command, control, and exfiltration
  • Social engineering as a primary entry point

Understanding these playbooks, tools, and techniques is essential for tracking adversary behavior as operations continue to accelerate and converge across criminal and state-sponsored ecosystems.