The 2025 Kaspersky Security Bulletin provides a review of the major cybersecurity trends of the year and offers a look towards the future of cybersecurity, including within the financial sector.
According to the report, in 2025, the financial sector navigated a rapidly evolving cyber landscape, with malware spreading through messaging apps, AI-assisted attacks, supply chain compromises, and NFC-based fraud.
Based on Kaspersky Security Network statistics for the year (from November 2024 to October 2025), 8,15% of users in the finance sector globally faced online threats and 15,81% faced local (on-device) threats.
During the year, 1 338 357 banking trojan attacks were detected by the company’s solutions. In addition, 12,8% of B2B finance sector companies faced ransomware this year, which marks a 35,7% increase in unique users in 2025 compared to the same period of 2024.
The company’s experts highlight the following cybersecurity trends and cases shaping the financial sector in 2025:
- Large-scale supply chain attacks: the financial sector faced a series of unprecedented supply chain attacks, incidents that exploit vulnerabilities in third-party providers to reach their primary targets. The breaches demonstrated how such vulnerabilities can cascade through national payment networks, affecting even central systems.
- Organised crime converging with cybercrime: organised crime is increasingly combining physical and digital methods, creating more sophisticated and coordinated attacks. Financial institutions faced threats that blend social engineering, insider manipulation, and technical exploitation.
- Old malware, new channels: cybercriminals increasingly exploit popular messaging apps to spread malware, shifting from email phishing to social channels. Banking trojans are being rewritten to use messaging platforms as a new distribution vector, enabling large-scale infections.
- AI scales malware to new heights: this year, AI-enabled malware has increasingly incorporated automated propagation and evasion techniques, allowing attacks to spread faster and reach a larger number of targets. This automation also shortens the time between malware creation and deployment.
- Mobile banking attacks and NFC fraud: Android malware using ATS (Automated Transfer System) techniques automates fraudulent transactions, altering transfer amounts and recipients in real time without the user noticing. NFC-based attacks have also emerged as a key trend, enabling both physical fraud in crowded places and remote fraud via social engineering and fake apps mimicking trusted banks.
- Blockchain-based C2 infrastructure is on the rise: crimeware attackers increasingly embed malware commands in blockchain smart contracts, targeting Web3 to steal cryptocurrencies. This method ensures persistence and makes the infrastructure extremely difficult to remove. Using blockchain for C2 operations allows attackers to maintain control even if conventional servers are shut down, highlighting a new level of resilience in cyberattacks.
- Ransomware presence: these types of attacks remained a persistent threat for the financial sector, with 12,8% of B2B finance organisations globally affected from November 2024 through October 2025. The figure for Africa is similar, with 12,9% of B2B finance organisations affected by ransomware from November 2024 through October 2025.
- Disappearance of certain malware families: some malware families are likely to disappear, as their activity depends directly on the operations of specific criminal groups.
“In 2025, financial cyber threats evolved into a complex landscape, with attacks hitting businesses and end users alike,” says Fabio Assolini, head of the Americas and Europe units at Kaspersky GReAT. “Criminal groups increasingly combined digital tools, insider access, AI and blockchain to scale operations, forcing organisations to secure not only their systems but also the human networks that support them.”
Kaspersky’s predictions for what finance cybersecurity might face in 2026 include:
- Banking trojans will be rewritten for WhatsApp distribution: criminal groups will increasingly rewrite banking trojans, scale their distribution, and abuse messaging apps like WhatsApp to target corporate and government organisations that still rely on desktop-based online banking. These environments are where Windows-based banking trojans thrive.
- Growth of deepfake/AI services for social engineering: the trade in realistic deepfakes and AI-powered campaigns is expected to expand even more, fueling scams around job interviews and offers and driving underground demand for tools that fully bypass Know Your Customer (KYC) verification.
- Appearance of regional info stealers: as Lumma, Redline and other stealers are still active, we expect to see the appearance of regional info stealers that target specific countries or regions, expanding the use of the malware-as-a-service model.
- More attacks on NFC payments: as NFC is a key technology used in payments, we’ll see more tools, more malware and more attacks directed against NFC payments of all types.
- The advent of Agentic AI malware: agentic AI malware is characterised by its ability to dynamically alter behaviour mid-execution. Unlike conventional malware that relies on pre-defined instructions, agentic variants are designed to assess their environment, analyse their impact, and adapt their tactics on the fly. This means that a single piece of malware could exhibit a range of behaviours, from initial infiltration to data exfiltration or system disruption, all in response to the specific defences and vulnerabilities it encounters.
- Classic fraud will get new delivery methods: fraud will remain a major threat to end users, but its delivery methods will keep evolving. As new services and messaging platforms emerge, attackers will continue to adapt their tactics to the channels where their target audience is most active.
- The persistence of ‘out of box’, pre-infected devices: the threat of counterfeit smart devices sold already infected with trojans (such as Triada) will continue to evolve. These trojans often come with extensive capabilities, including the ability to steal banking credentials, and affect not only “gray” Android smartphones but also other smart devices such as TVs.