Executive Summary
This report analyzes threat actor posts collected throughout 2025 from monitored sources (Telegram channels, Tor leak sites, and surface web platforms). The analysis covers global activity (50,850 posts) alongside a regional subset focused on the Middle East (3,431 posts). These posts include ransomware victim claims, data leak announcements, DDoS attacks, defacements, initial access sales, and related threats.
Global Key Metrics (Full Year 2025)
• Total Posts: 50,850
• Unique Threat Actors: 5,316
• Claimed Victim Organizations: 34,640
• Targeted Countries: 191
• Targeted Industries: 158
Most Active Global Actors: NoName057(16) (5,228 posts, primarily DDoS), Keymous+, Dark Storm Team, Qilin, Akira, Clop, RansomHub.
Dominant Threat Types: DDoS Attacks (18,440), Data Breaches (13,640), Ransomware (8,050).
Top Targeted Sectors: Government & Public Sector (6,916), Education (2,931), Financial Services (1,842).
Top Targeted Countries: United States (8,680), Israel (3,620), India (3,470).
Source Platforms: Telegram (51%), Surface Web (32%), Tor (17%).
Activity peaked in November–December, driven by hacktivist DDoS campaigns and ransomware operations.
Middle East Focused Metrics (2025)
• Total Posts: 3,431
• Unique Threat Actors: 794
• Claimed Victim Organizations: 2,520
• Targeted Countries: 14
• Targeted Industries: 124
Most Active Regional Actors: HEZI RASH (344 posts), Keymous+, Dark Storm Team, Fattihon Cyber Team, Arabian Ghosts.
Dominant Threat Types: DDoS Attacks (1,690), Data Breaches (930), Initial Access/Defacement (~260 each).
Top Targeted Sectors: Government & Public Sector (549), Education (208), Telecommunications (131).
Top Targeted Countries: UAE (774), Turkey (563), Iran (411), Egypt (370), Saudi Arabia (369).
Source Platforms: Telegram (66%), Surface Web (27%), Tor (7%).
Regional activity escalated sharply from September onward, with peaks in November–December.





