To defend themselves, security leaders need clarity on which adversaries to watch, the details of their behavior, and how to prepare for and respond to an attack. The CrowdStrike 2026 Global Threat Report provides a comprehensive overview of the modern threat landscape so organizations can prepare to face it.
As cyber defenses become stronger, adversaries continue to evolve their tactics to succeed. In 2025, the year of the evasive adversary, the threat landscape was defined by attacks that targeted trusted relationships, demonstrated fluency with AI tools, and incorporated tradecraft tailored to exploit security blind spots.
In 2025, adversaries became faster than ever before. The average eCrime breakout time — the period between initial access and lateral movement onto another system — dropped to 29 minutes, a 65% increase in speed from 2024. The fastest observed breakout time: 27 seconds.
Supply chain attacks were a defining tactic of 2025. Adversaries compromised upstream providers, development ecosystems, and public code repositories to gain broad access to downstream organizations. In one example, PRESSURE CHOLLIMA stole .46 billion USD worth of cryptocurrency through trojanized software delivered via supply chain compromise — the largest single financial theft ever reported.1
Inside the Evasive Adversary’s Toolbox
In 2025, evasion was defined by the speed at which adversaries exploit trust. They operated using valid credentials, trusted identity flows, approved SaaS integrations, and inherited software supply chains. Notably, 82% of detections were malware-free. Intrusions moved through authorized pathways and trusted systems, where they blended into normal activity.
CrowdStrike observed a 42% year-over-year increase in zero-days exploited prior to public disclosure as adversaries weaponized dozens of them for initial access, remote code execution, and privilege escalation. In parallel with this trend, 67% of vulnerabilities exploited by China-nexus adversaries provided immediate system access; 40% targeted edge devices that typically lack comprehensive monitoring. China-nexus adversaries systematically exploited vulnerabilities in network edge devices such as VPN appliances, firewalls, and gateways to establish long-term access for intelligence collection.
The CrowdStrike Counter Adversary Operations team spends every day immersed in adversary behavior and tradecraft. Each year, they compile their most critical observations and insights into the CrowdStrike Global Threat Report. When the team looked back on 2025, the most prominent trend was subtlety: Adversaries are shifting away from heavily monitored systems to quietly gain access and deftly move across endpoint, identity, SaaS, and cloud environments.
CrowdStrike named 24 new adversaries in 2025, bringing the total tracked to 281+. These threat actors continue to become faster, stealthier, and more effective as they adapt to navigate larger environments and bypass sophisticated security controls. Below are more trends and observations we explore in this year’s report:
1 https://www.elliptic.co/blog/bybit-hack-largest-in-history || https://www.ic3.gov/psa/2025/psa250226
Learn more: Download the CrowdStrike 2026 Global Threat Report
CrowdStrike is committed to understanding adversaries because it’s the most effective way to defend against them. The CrowdStrike 2026 Global Threat Report summarizes our observations throughout 2025 and the themes, trends, and events that defined the cyber threat landscape. Download the full report to understand how today’s adversaries are operating and how to strengthen your defenses.
- 38% increase in China-nexus intrusions across all sectors, with an 85% increase in logistics targeting
- 130% increase in North Korea-nexus incidents, as FAMOUS CHOLLIMA’s activity doubled year-over-year and STARDUST CHOLLIMA increased their operational tempo
- 82% of detections were malware-free as adversaries used valid credentials, trusted identity flows, and approved SaaS integrations to move across domains
- 37% increase in cloud-conscious intrusions, with a staggering 266% increase among state-nexus actors; valid account abuse accounted for 35% of cloud incidents
- 563% increase in incidents using fake CAPTCHA lures, demonstrating adversaries’ shift to effective social engineering techniques
- 141% increase in spam emails, providing adversaries with more opportunities to gain initial access
In addition to using AI tools, adversaries are targeting the AI systems underpinning the modern enterprise. As AI is embedded into development pipelines, SaaS platforms, and operational workflows, AI systems become part of the attack surface. In 2025, adversaries exploited legitimate GenAI tools at more than 90 organizations by injecting malicious prompts to generate commands for stealing credentials and cryptocurrency. They also exploited vulnerabilities in AI development platforms to establish persistence and deploy ransomware, and published malicious AI servers impersonating trusted services to intercept sensitive data.
Adversaries of all motivations utilized AI technology throughout 2025 to accelerate and optimize their existing techniques. They explored its use in attack types such as social engineering and information operations, proving their growing proficiency with AI tools. Most threat actors that integrated AI increased their attack volume: CrowdStrike observed an 89% increase in the number of attacks by AI-enabled adversaries compared to 2024.
