Malware execution declines despite sustained phishing exposure; AI-driven threats reshape the global attack landscape.
New research from Acronis indicates that organisations in the UAE have significantly strengthened their cyber resilience in 2025, successfully interrupting attack chains before threats escalate into full-scale incidents.
According to Acronis’ latest global threat analysis covering the second half of 2025, malware activity in the UAE was heavily concentrated in the early months of the year, peaking around March before steadily declining through the summer. This pattern suggests short-lived, campaign-driven activity rather than persistent, background compromise.
Early spikes were closely aligned with business-themed phishing campaigns commonly observed in the Gulf region. Attackers leveraged familiar lures such as invoices, payment requests, and logistics notifications. Once these campaigns were disrupted or lost credibility, their effectiveness dropped sharply.
High URL Exposure, Lower Endpoint Impact
While exposure to malicious URLs remained consistently high across the UAE, the rate of malware execution declined over time. Phishing links and harmful websites continued to reach users, but increasingly failed to result in payload activation on endpoints.
This trend indicates improved detection capabilities and faster disruption within the attack lifecycle—signaling that defensive measures are working earlier and more effectively.
Email Remains the Primary Attack Vector
Globally, email continued to dominate as the primary delivery mechanism for cyberattacks. In H2 2025, email-based attacks rose by 36% compared to the first half of the year.
Phishing accounted for 83% of all email threats in H2, up from 77% in H1, reflecting attackers’ growing reliance on impersonation and social engineering rather than technically complex malware payloads. Business email compromise (BEC) and broader social engineering activity remained stable, underscoring sustained investment in fraud strategies that exploit human trust over system vulnerabilities.
The research also highlights an evolving divergence between email and collaboration platforms. While email is used for broad, high-volume campaigns, collaboration tools are increasingly exploited for targeted, sophisticated intrusions.
AI-Driven Cybercrime Expands in 2025
The report underscores a dramatic rise in AI-assisted cybercrime throughout 2025. Threat actors leveraged AI to:
- Scale phishing and ransomware campaigns
- Automate reconnaissance and victim profiling
- Optimise extortion negotiations
For instance, ransomware group GLOBAL GROUP reportedly used AI-driven systems to streamline negotiations across multiple victims. Another group, GTG-2002, employed AI-assisted reconnaissance and data exfiltration to amplify operational impact. Social engineering also evolved, with AI-generated “proof of life” imagery used in virtual kidnapping scams to increase psychological pressure on victims.
These developments signal a new phase in cybercrime—characterised by speed, automation, and enhanced sophistication.
Ransomware Consolidation: Fewer Actors, Greater Impact
Ransomware activity in 2025 became increasingly concentrated among a small number of dominant operators. Although nearly 100 ransomware brands were active globally, just three of the top ten groups accounted for more than half of all publicly disclosed victims. This trend reflects the consolidation and operational maturity of ransomware-as-a-service (RaaS) ecosystems.
Manufacturing and technology sectors remained the most frequently targeted, owing to high operational dependency, complex IT/OT environments, and extended supply chain connectivity. Healthcare, financial services, and construction sectors also continued to feature prominently among disclosed victims.
Gerald Beuchelt, Chief Information Security Officer at Acronis, noted that attackers are integrating AI into their operations to increase efficiency and scale. He emphasized that organisations must respond by automating defenses, strengthening predictive capabilities, and building resilient architectures capable of withstanding both traditional and AI-enhanced attack models.
Strengthening Defensive Posture in the UAE
Overall, the findings suggest that while cyber threats remain active and adaptive, UAE organisations are demonstrating measurable improvements in resilience. Faster detection, better endpoint protection, and stronger policy enforcement appear to be reducing the operational impact of attacks—even as threat actors continue to innovate.
The report highlights a clear strategic imperative for organisations: anticipate AI-driven threats, deploy automated defensive controls, and adopt layered security architectures designed for rapid response and containment in an increasingly complex threat environment.
