
Cyberattacks on France Are Rising

Executive Summary

The Global Cyber Alliance was recently asked about the surge of cyberattacks affecting France and whether we see evidence that French infrastructure is being attacked more than before. We analyzed events observed through GCA's AIDE platform, which provides visibility into large-scale distributed attack activity, including automated scanning, exploitation attempts, botnet propagation, infrastructure concentration, and repeated targeting patterns.

Studying data from May 2025 to February 2026, we saw an approximately threefold increase in attacks targeting French networks and a distinct surge in attacks originating from French infrastructure in December 2025. Malware signatures are consistent with Mirai-family botnet activity. Taken together, the data indicates sustained and growing pressure on France-facing infrastructure, consistent with broader industry observations of increased botnet-driven activity during this period. These external assessments do not constitute direct confirmation of activity observed in AIDE telemetry.

This article includes data and charts that illustrate the key patterns observed in AIDE telemetry, highlighting trends in attack volume, infrastructure distribution, and persistence of activity targeting France-based sensors.

External Reporting and Corroboration of Attacks

Cyber activity affecting French entities has been documented by French authorities and external cybersecurity reporting, including ANSSI assessments of state-linked targeting and public reporting on disruptive attacks affecting French infrastructure. Public reporting from 2024 through early 2026 reflects two distinct trends: targeted intrusions affecting French government and institutional networks, and broader high-volume botnet or DDoS activity affecting French-facing infrastructure.
Separate industry reporting has also documented continued use of Mirai-family malware in large-scale scanning, exploitation, and DDoS campaigns, providing useful context for interpreting the distributed attack activity observed in telemetry.

What We See in AIDE Data

Analysis of AIDE telemetry showed two distinct France-related patterns.

First, attacks targeting France-based AIDE sensors increased from baseline levels of 400K–500K monthly events (May–August 2025) to over 1.3M in February 2026, an approximately 3x increase, with a steadily rising trend over the study period. A small set of IPs show sustained activity, repeatedly targeting France-based sensors across multiple consecutive months, indicating persistent infrastructure rather than one-off events.

Second, attacks originating from French infrastructure and observed by AIDE sensors elsewhere showed a distinct surge in December 2025, peaking at over 1.3M hits before declining in subsequent months. Malware signatures are consistent with Mirai-family botnet activity, including variants linked to large-scale distributed campaigns (for example, LZRD, SORA, and related strains).

From an infrastructure perspective, attack traffic targeting France-based sensors is broadly distributed across residential and access networks (Cable/DSL/ISP, approximately 30%) and network service providers (NSPs, approximately 18%), with a large unattributed segment (approximately 37%). However, peak attack volumes are typically driven by a smaller set of hosting providers, indicating a distinction between broadly distributed activity and concentrated high-intensity sources.

The charts below illustrate the key patterns we saw in AIDE telemetry, highlighting trends in attack volume, infrastructure distribution, and persistence of activity targeting France-based sensors.

1. Sustained Growth in Targeting France-Based Sensors

Monthly attack volume increased from 400K–500K to over 1.3M by February 2026, showing a steady upward trend that peaked in February. This growth is driven primarily by unwanted traffic (attacks).

2. France as a Source: Outbound Attack Activity

Activity originating from French infrastructure shows a distinct spike in December 2025, reaching over 1.3M hits before dropping sharply in January. Unlike the sustained upward trend observed in attacks targeting France-based sensors, this pattern is short-lived and concentrated, indicating a burst of high-volume activity from French networks rather than persistent growth. In some cases, such outbound spikes can reflect compromised or infected devices within weaker or exposed infrastructure being used as sources of attack traffic.

3. Geographic Distribution of Attack Infrastructure Targeting AIDE France Sensors

Attack traffic targeting France is concentrated in a small number of infrastructure hubs. The Netherlands alone accounts for 33.5% of activity, with Vietnam and Germany contributing an additional 29% combined, while France itself represents only 1.5% of inbound traffic.

4. Infrastructure Types

Attacks are widely distributed across ISP and NSP networks, but high-volume activity is concentrated in a smaller set of hosting infrastructure.

5. Persistent Infrastructure Targeting France Sensors

A small set of IPs repeatedly target France-based sensors across multiple consecutive months, indicating persistent infrastructure rather than one-off activity. This sustained presence is consistent with coordinated botnet operations maintaining access and continuously executing attacks over time.

6. Mirai-like Activity Observed via Payload Analysis

Payload analysis and VirusTotal enrichment confirm that the observed activity is consistent with Mirai-family botnet operations.
Multiple Mirai variants, including LZRD, Cult, SORA, and related strains, were identified across attack sessions. Detection labels consistently map to known Mirai behaviors such as automated scanning, payload downloaders, and DDoS-enabled botnet recruitment, reinforcing that the activity represents coordinated, large-scale botnet campaigns. Representative detection labels include:

- DDoS:Linux/Mirai.A#
- ELF/Mirai.D!tr
- Trojan.Gen.NPE
- elf.downloader.mirai
- Trojan.UKP.Generic.4!c
- Mal/Generic-S

What This Means

The AIDE data makes it clear that the increase in activity targeting France is real, measurable, and aligned with broader botnet-driven trends. Rather than reflecting an isolated issue in a single network or entity, it highlights the extent to which Internet infrastructure is interconnected and interdependent. Because these independent networks are so closely linked, weaknesses across hosting environments, edge devices, and access networks can easily be exploited at scale and generate high-volume attack traffic that impacts governments, businesses, individuals, and entire economies.

Catching these waves of intrusions before they escalate requires coordinated action across the ecosystem. Strengthening baseline security practices, improving visibility into early-stage infrastructure abuse, and deepening collaboration among network operators will be critical to limiting the scale and real-world impact of distributed botnet activity.

Operated by the Global Cyber Alliance, AIDE helps surface these attacks by monitoring global network traffic, detecting potential threats, and delivering actionable insights to improve network security. Read more about AIDE and how it fits into GCA's work here. To access our telemetry or explore opportunities to work with us, please contact us using the form on the AIDE website.
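The three measurements the analysis above relies on (monthly inbound and outbound volume and the growth ratio, source IPs that persist across consecutive months, and the share of events whose detection label maps to the Mirai family) can be reproduced from any sensor export with a few lines of Python. The script below is an added example written for this article, not GCA or AIDE code: the event schema, the constructed sample events, the substring heuristic in is_mirai_family and the three-month persistence threshold are all assumptions, and the IPs are documentation-range addresses.

```python
"""Summarise honeypot/sensor telemetry along the axes used in the article.

Added example, not AIDE's own tooling. The record layout below is assumed:
(month, target_country, source_country, source_ip, infra_type, detection_label).
"""
from collections import Counter, defaultdict

# Constructed sample events (documentation-range IPs, invented labels drawn
# from the article's list). Four baseline months with 2 hits each, a February
# with 6 hits, and two December events where France is the *source*.
EVENTS = [
    ("2025-05", "FR", "NL", "203.0.113.10", "Hosting",       "DDoS:Linux/Mirai.A#"),
    ("2025-05", "FR", "VN", "198.51.100.7", "Cable/DSL/ISP", "Trojan.Gen.NPE"),
    ("2025-06", "FR", "NL", "203.0.113.10", "Hosting",       "ELF/Mirai.D!tr"),
    ("2025-06", "FR", "DE", "198.51.100.20", "NSP",          "Mal/Generic-S"),
    ("2025-07", "FR", "NL", "203.0.113.10", "Hosting",       "elf.downloader.mirai"),
    ("2025-07", "FR", "VN", "198.51.100.7", "Cable/DSL/ISP", "Trojan.UKP.Generic.4!c"),
    ("2025-08", "FR", "DE", "198.51.100.21", "unknown",      "Mal/Generic-S"),
    ("2025-08", "FR", "VN", "198.51.100.22", "Cable/DSL/ISP", "DDoS:Linux/Mirai.A#"),
    ("2026-02", "FR", "NL", "192.0.2.44", "Hosting",         "DDoS:Linux/Mirai.A#"),
    ("2026-02", "FR", "NL", "192.0.2.45", "Hosting",         "ELF/Mirai.D!tr"),
    ("2026-02", "FR", "VN", "192.0.2.46", "Cable/DSL/ISP",   "elf.downloader.mirai"),
    ("2026-02", "FR", "DE", "192.0.2.47", "unknown",         "Trojan.Gen.NPE"),
    ("2026-02", "FR", "NL", "192.0.2.48", "NSP",             "Mal/Generic-S"),
    ("2026-02", "FR", "DE", "192.0.2.49", "unknown",         "DDoS:Linux/Mirai.A#"),
    ("2025-12", "DE", "FR", "203.0.113.99", "Cable/DSL/ISP", "ELF/Mirai.D!tr"),
    ("2025-12", "US", "FR", "203.0.113.98", "Cable/DSL/ISP", "DDoS:Linux/Mirai.A#"),
]


def inbound_volume(events, target="FR"):
    """Events per month that hit sensors located in `target`, sorted by month."""
    counts = Counter(month for month, tgt, *_ in events if tgt == target)
    return dict(sorted(counts.items()))


def outbound_volume(events, source="FR"):
    """Events per month whose source IP geolocates to `source` (seen elsewhere)."""
    counts = Counter(month for month, _tgt, src, *_ in events if src == source)
    return dict(sorted(counts.items()))


def growth_ratio(volumes, baseline_months, peak_month):
    """Peak-month volume divided by the mean of the baseline months."""
    baseline = sum(volumes[m] for m in baseline_months) / len(baseline_months)
    return volumes[peak_month] / baseline


def _month_index(month):
    year, mon = month.split("-")
    return int(year) * 12 + int(mon)


def persistent_sources(events, target="FR", min_consecutive=3):
    """Source IPs seen hitting `target` in at least `min_consecutive` consecutive months.

    The threshold is an assumption for this example; the article only says
    "multiple consecutive months".
    """
    months_by_ip = defaultdict(set)
    for month, tgt, _src, ip, *_ in events:
        if tgt == target:
            months_by_ip[ip].add(_month_index(month))
    persistent = set()
    for ip, months in months_by_ip.items():
        ordered = sorted(months)
        run = best = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_consecutive:
            persistent.add(ip)
    return persistent


def is_mirai_family(label):
    """Heuristic (assumption): any vendor label containing 'mirai' is Mirai-family."""
    return "mirai" in label.lower()


def mirai_share(events, target="FR"):
    """Fraction of inbound events whose label maps to the Mirai family."""
    labels = [lbl for _m, tgt, _s, _ip, _inf, lbl in events if tgt == target]
    return sum(is_mirai_family(l) for l in labels) / len(labels)


def infra_share(events, target="FR"):
    """Share of inbound events per infrastructure type (Hosting, ISP, NSP, unknown)."""
    counts = Counter(inf for _m, tgt, _s, _ip, inf, _l in events if tgt == target)
    total = sum(counts.values())
    return {k: round(v / total, 3) for k, v in counts.items()}


if __name__ == "__main__":
    vol = inbound_volume(EVENTS)
    print("inbound FR by month:", vol)
    print("growth vs May-Aug baseline:",
          growth_ratio(vol, ["2025-05", "2025-06", "2025-07", "2025-08"], "2026-02"))
    print("outbound from FR by month:", outbound_volume(EVENTS))
    print("persistent sources:", persistent_sources(EVENTS))
    print("Mirai-family share:", round(mirai_share(EVENTS), 3))
    print("infra share:", infra_share(EVENTS))
```

On the sample data the ratio comes out at exactly 3.0 and one IP (203.0.113.10) qualifies as persistent; on a real export the interesting knobs are min_consecutive and the label heuristic, which should be replaced by whatever mapping your enrichment source (VirusTotal or similar) provides.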
References

- ANSSI APT28 Report: https://www.cert.ssi.gouv.fr/uploads/CERTFR-2025-CTI-007.pdf
- Interior Ministry Intrusions: https://www.bleepingcomputer.com/news/security/france-interior-ministry-confirms-cyberattack-on-email-servers/
- La Poste DDoS Attacks: https://techcrunch.com/2025/12/23/frances-postal-and-banking-services-disrupted-by-suspected-ddos-attack/ and https://www.lemonde.fr/en/france/article/2025/12/22/suspected-cyberattack-disrupts-france-s-postal-service_6748757_7.html
- Mirai Botnet Campaigns: https://www.fortinet.com/blog/threat-research/iot-malware-gayfemboy-mirai-based-botnet-campaign

Data Sources and Enrichment

This analysis is based on AIDE telemetry, with additional enrichment from external sources including AbuseIPDB, PeeringDB, and VirusTotal.
