Threat geography of the Western Balkans. Q2 brief.
Sector targeting, language-tuned phishing, and the threat groups currently active across Albania, Kosovo, North Macedonia, Serbia, Bosnia, and Montenegro.
The Western Balkans occupy a peculiar position in the threat landscape. Too small to warrant dedicated coverage from the major intelligence vendors. Too connected to European infrastructure to be ignored by the adversaries who exploit that connection. The result is a gap: the region is actively targeted, poorly monitored, and largely invisible to the global threat feeds that organisations rely on.
This brief covers what our agents observed between January and March 2026 across six countries. The picture is not encouraging, but it is clarifying. The adversaries operating here are not random. They follow patterns. They have preferences. And they are getting better.
Who is targeting the region
Three broad categories of threat actor are active. The first is financially motivated cybercrime, which accounts for roughly 70% of the incidents we track. Ransomware groups, credential harvesters, and business email compromise operators. Nothing exotic. Nothing unique to the Balkans. But the defences here are thinner, the security budgets smaller, and the payoff per hour of effort is higher than in Western Europe.
The second category is state-aligned activity. We track at least two persistent campaigns with infrastructure patterns consistent with Russian-nexus groups, primarily focused on government institutions and energy-sector organisations. Attribution is difficult and we are cautious about it, but the tooling, the targeting, and the operational tempo are consistent with what the broader community tracks under Sandworm and Turla-adjacent clusters.
The third is regional. Threat actors operating within the Balkans, targeting neighbours. This is the least reported category and, in our view, the most underestimated. We see low-sophistication but high-persistence campaigns targeting municipal governments, courts, and media organisations. The tools are commodity. The targeting is not.
Language as a weapon
Phishing in the Western Balkans used to be easy to spot. Poor grammar. Wrong alphabet. Generic lures about packages or invoices written in English or broken local language. That era is over.
In Q1 2026, we observed a measurable shift in the quality of Albanian-language and Serbian-language phishing emails targeting financial institutions. The lures are now locally specific: tax deadlines from the real tax authority, bank notifications that mirror actual bank formatting, government procurement portals that look right because they were cloned from the originals.
Large language models have removed the language barrier that once protected smaller markets. An attacker who speaks no Albanian can now generate fluent, contextually appropriate phishing content in minutes. The cost of localisation has dropped to zero. This changes the economics of targeting small countries permanently.
Sector breakdown
- Financial services: The most targeted sector across all six countries. Credential harvesting campaigns against retail banking customers are constant. We also track several active campaigns targeting internal bank staff through spear-phishing, using cloned intranet portals as landing pages.
- Government and public administration: Municipal and cantonal governments are hit disproportionately. The pattern is consistent: compromise a low-security municipal email account, use it to send lateral phishing to adjacent institutions. Trust in the sender domain does the rest.
- Telecommunications: Two major regional telcos showed indicators of credential exposure in dark web markets during Q1. Employee access credentials, not customer data. The concern is upstream: a compromised telco employee account can be a stepping stone to infrastructure that affects millions.
- Energy and utilities: Limited but targeted. The campaigns we track here overlap with the state-aligned activity described above. The targets are specific: SCADA-adjacent systems, operational technology networks with internet-facing management interfaces.
- Media: Journalists and independent media outlets across the region continue to be targeted by spyware and credential theft campaigns. The operational security of these targets is generally low, and the political motivation for surveillance is high.
Infrastructure patterns
Adversaries targeting the Balkans tend to use infrastructure that is geographically close. We see heavy use of VPS providers in Romania, Bulgaria, and the Netherlands. Domain registration favours cheap registrars with weak abuse-response processes. TLS certificates are almost always free, domain-validated certificates issued by Let's Encrypt, which confirm control of the domain and nothing about who operates it, so a valid padlock tells a user nothing about legitimacy.
The interesting pattern is reuse. Balkan-targeting campaigns frequently recycle infrastructure across countries. A phishing domain that targets a Serbian bank in January will pivot to a Kosovar government portal in March, with only the landing page changed. This suggests small teams operating across the region rather than country-specific operations.
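The reuse pattern above is something a regional defender can detect rather than just read about: if two phishing domains share a hosting IP or a certificate fingerprint, they are almost certainly the same operator, even when they target different countries months apart. The script below is an added illustration, not part of this brief and not tooling from any named vendor. It clusters constructed indicator records by shared pivots (here IP and certificate fingerprint, both placeholder values) using union-find, then reports the clusters that span more than one country. Real deployments would replace the embedded list with indicators from a passive DNS or certificate-transparency source; the field names and sample values are assumptions for the demonstration.

```python
"""Cluster phishing indicators by shared infrastructure to surface cross-country reuse.

Added example. All domains, IPs and fingerprints below are constructed placeholders,
not indicators from any real campaign.
"""
from collections import defaultdict

# Constructed observations: one record per phishing domain seen in the region.
OBSERVATIONS = [
    {"domain": "porezna-uprava-rs.example", "ip": "203.0.113.10", "cert": "sha256:PLACEHOLDER0001",
     "month": "2026-01", "country": "RS", "sector": "finance"},
    {"domain": "e-prokurimi-ks.example",    "ip": "203.0.113.10", "cert": "sha256:PLACEHOLDER0002",
     "month": "2026-03", "country": "XK", "sector": "government"},
    {"domain": "secure-login-bank.example", "ip": "198.51.100.7", "cert": "sha256:PLACEHOLDER0002",
     "month": "2026-02", "country": "AL", "sector": "finance"},
    {"domain": "unrelated-lure.example",    "ip": "192.0.2.55",   "cert": "sha256:PLACEHOLDER0009",
     "month": "2026-02", "country": "MK", "sector": "media"},
    {"domain": "opstina-portal.example",    "ip": "192.0.2.55",   "cert": "sha256:PLACEHOLDER0010",
     "month": "2026-03", "country": "MK", "sector": "government"},
]

# Attributes whose sharing links two domains to the same operator (assumed pivots).
PIVOT_KEYS = ("ip", "cert")


def cluster_infrastructure(observations, pivot_keys=PIVOT_KEYS):
    """Return clusters of domains linked (transitively) by any shared pivot value.

    Each cluster is a sorted list of domains; the list of clusters is sorted too,
    so output is deterministic for testing and diffing between runs.
    """
    parent = {}

    def find(x):
        # Iterative union-find lookup with path compression.
        parent.setdefault(x, x)
        root = x
        while parent[root] != root:
            root = parent[root]
        while parent[x] != root:
            parent[x], x = root, parent[x]
        return root

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    # Group domains by (pivot name, pivot value); every group is one set of links.
    by_pivot = defaultdict(list)
    for obs in observations:
        find(obs["domain"])  # register singleton domains with no shared pivots
        for key in pivot_keys:
            by_pivot[(key, obs[key])].append(obs["domain"])

    for domains in by_pivot.values():
        for other in domains[1:]:
            union(domains[0], other)

    clusters = defaultdict(set)
    for domain in list(parent):
        clusters[find(domain)].add(domain)
    return sorted(sorted(c) for c in clusters.values())


def cross_country_clusters(observations, pivot_keys=PIVOT_KEYS):
    """Clusters whose domains target more than one country, with countries and months seen.

    These are the candidates for the 'same small team, different country' pattern.
    """
    meta = {o["domain"]: o for o in observations}
    findings = []
    for cluster in cluster_infrastructure(observations, pivot_keys):
        countries = sorted({meta[d]["country"] for d in cluster})
        if len(countries) > 1:
            findings.append({
                "domains": cluster,
                "countries": countries,
                "months": sorted({meta[d]["month"] for d in cluster}),
                "sectors": sorted({meta[d]["sector"] for d in cluster}),
            })
    return findings


if __name__ == "__main__":
    for finding in cross_country_clusters(OBSERVATIONS):
        print(f"{len(finding['domains'])} domains, countries {finding['countries']}, "
              f"active {finding['months'][0]} to {finding['months'][-1]}: {finding['domains']}")
```

On the constructed data the first three domains collapse into one cluster spanning Serbia, Kosovo and Albania across January to March, while the two North Macedonian domains share an IP but stay single-country and are not reported. The pivots are deliberately conservative: a shared IP on a large shared-hosting provider will produce false links, so in practice the IP pivot should be restricted to hosts with few co-resident domains or combined with a second pivot before anything is actioned.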
What this means for organisations in the region
Three things.
First, global threat intelligence feeds will not protect you. They are built for markets that generate revenue for the vendors. The Balkans do not. If you are relying on a threat feed from a US or UK vendor for your regional coverage, you are flying blind on the threats most likely to affect you.
Second, the language barrier is gone. Do not assume that a phishing email in fluent Albanian is written by an Albanian speaker. Do not assume that local specificity means local origin. The tooling has caught up, and the old heuristics no longer hold.
Third, the most dangerous threats in the region are not the most sophisticated. They are the most persistent. Commodity malware delivered through well-crafted local phishing, targeting organisations with no security operations centre and no monitoring. The maths is simple. The damage is real.
We run a free Exposure Brief for SMEs and non-profits in the Balkan region. Passive scans only. Results in 24 hours.