Quarterly Cyber Threat Report (QCTR) Event: What Q4 reveals about 2026

Updated on 24.02.2026

During its Q4 2025 Quarterly Cyber Threat Report (QCTR) webinar, the Centre for Cybersecurity Belgium (CCB) presented the key cyber threat developments observed in the final quarter of 2025 and outlined what organisations can expect in 2026. Held under the theme “What Q4 reveals about 2026”, the session brought together public and private sector experts to analyse trends shaping Belgium’s cyber threat landscape.

Opening the webinar, Miguel De Bruycker, Director General of the CCB, shared the year’s key figures. In 2025, the CCB received 635 incident notifications, representing a 70% increase compared to 2024. In Q4 alone, 170 notifications were submitted, of which 149 concerned cyber incidents.

This rise reflects multiple factors. While new regulatory frameworks such as NIS2 and DORA have broadened reporting obligations, the increase also signals greater digital interconnection, improved detection capabilities, and growing awareness among organisations. Notably, almost half of the notifications originated from entities not formally subject to NIS2, highlighting stronger voluntary reporting practices.

Public administration remained the most targeted sector, followed by transportation, energy and healthcare, in line with wider European trends focusing on critical services.

Continuity in core threats

The Belgian cyber threat landscape in 2025 was marked less by disruption than by continuity. The dominant risks in Q4, and throughout the year, were operational disruption and data theft.

The most reported incident types were:

  • Account compromise, the largest category
  • Ransomware
  • Phishing, with DDoS and spear phishing alternating as key contributors

Account compromise increased notably following the entry into force of NIS2. Often enabled by phishing and social engineering, it is increasingly supported by AI-enhanced lures that improve credibility and scale. Crucially, account compromise frequently acts as an entry point for more severe incidents, including ransomware and data exfiltration.

Ransomware remained a persistent and cross-sectoral threat. Both established and emerging criminal groups targeted Belgian organisations. Extortion methods evolved, with some actors adopting “quadruple extortion” models to intensify pressure. The combination of ransomware-as-a-service (RaaS) and accessible AI tools continues to lower technical barriers for attackers.

Unlike ransomware, DDoS attacks followed geopolitical cycles. In 2025, five major campaigns were observed, including two in Q4. These campaigns, often attributed to pro-Russian hacktivist groups, were generally short-lived but reflected the continued influence of geopolitical tensions in cyberspace.

Familiar techniques, increasing sophistication

Across 2025, threat actors relied largely on established attack methods. These included exploitation of known vulnerabilities, particularly in edge devices and widely used platforms such as SharePoint, as well as remote access trojans (RATs), infostealers and compromised credentials.

Belgium also faced supply chain attacks, malvertising campaigns and fake software distribution, including a fraudulent PDF editor campaign affecting both individuals and organisations. CEO fraud via messaging platforms such as WhatsApp gained further traction.

State-sponsored activity observed in Q4 was primarily linked to actors associated with China, Russia and North Korea. These groups focused on long-term access, intelligence gathering and exploitation of known vulnerabilities. AI and large language models (LLMs) are increasingly accelerating reconnaissance and social engineering activities.

Looking ahead to 2026

According to the CCB’s assessment, 2026 is unlikely to bring fundamentally new threat categories. Financially motivated actors, hacktivists and state-sponsored groups will remain active. Account compromise, ransomware, phishing and DDoS are expected to continue dominating incident reporting.

What will evolve is the scale and speed of operations. AI and LLMs are expected to become standard tools for attackers, automating malware development and enhancing social engineering campaigns. Combined with criminal “as-a-service” models, this trend will further reduce entry barriers and increase operational tempo.

For Belgium, the priority remains clear: strengthening resilience through robust fundamentals (effective patch management, strong credential security, phishing resistance and ransomware preparedness) while adapting defensive strategies to an AI-accelerated threat environment.