Today’s enterprising adversaries are weaponizing AI to scale operations, accelerate attacks, and target the autonomous AI agents quickly transforming modern businesses. The CrowdStrike 2025 Threat Hunting Report details this new chapter in the threat landscape.
Identity is key to cross-domain attacks. When SCATTERED SPIDER impersonates legitimate employees in help desk engagements, they accurately provide employee IDs and answer verification questions. SCATTERED SPIDER and other adversaries have proven their ability to acquire personally identifiable information to pass help desk verification, which can enable them to authenticate to a system. After account takeover, SCATTERED SPIDER operators can often be seen using these accounts to quickly pivot to integrated SaaS applications, including data warehousing, document management, and identity and access management platforms. These serve as a foothold for persistence, lateral movement, and data exfiltration.
AI-powered adversary tradecraft is transforming traditional insider threats into scalable and persistent operations. CrowdStrike observed DPRK-nexus adversary FAMOUS CHOLLIMA infiltrated over 320 companies in the last 12 months — a 220% year-over-year increase — by using generative AI (GenAI) at every stage of the hiring and employment process.
AI Weaponization Accelerates
Cross-domain attacks are the norm. Adversaries are increasingly adept at bypassing traditional security defenses to move across endpoint, identity, cloud, and unmanaged systems. SCATTERED SPIDER, an adversary known for its cross-domain proficiency, resurfaced in 2025 with faster and more aggressive tradecraft. They use vishing and help desk impersonation to reset credentials, bypass multifactor authentication (MFA), and move laterally across SaaS and cloud environments. In one case, they moved from initial access to encryption by deploying ransomware in under 24 hours.
The cloud continues to be a primary target: Cloud intrusions increased 136% in the first half of 2025 compared to all of 2024. CrowdStrike OverWatch observed a 40% year-over-year increase in intrusions by suspected cloud-conscious China-nexus actors, with adversaries GENESIS PANDA and MURKY PANDA evading detection through cloud misconfigurations and trusted access. GLACIAL PANDA, another China-nexus adversary, embedded deep in telecom networks and helped drive a 130% rise in nation-state activity in the telecom sector through long-term, espionage-driven operations.
Lower-skilled adversaries are abusing AI to automate tasks that once required advanced expertise, including script generation, technical problem solving, and malware development. Malware families Funklocker and SparkCat demonstrate the emergence of GenAI-built malware.
Organizations that understand adversaries’ evolving activity are better equipped to stop them. The CrowdStrike 2025 Threat Hunting Report contains the critical insights they need.
Cross-Domain Threats Fuel Adversaries’ Success
Threat actors are using AI to gain unauthenticated access, establish persistence, harvest credentials, and deploy malware and ransomware. As organizations adopt more AI tools and technologies, adversaries are more likely to target them. CrowdStrike has observed multiple threat actors exploiting vulnerabilities in AI software and using it to gain initial access, underscoring the potential for AI to further expand and reshape the enterprise attack surface.
We now track more than 265 named adversaries and more than 150 activity clusters. The CrowdStrike 2025 Threat Hunting Report sheds light on some of these prolific threat actors and the activity we have observed this year. Below are more trends and findings we explore in its pages:
The CrowdStrike 2025 Threat Hunting Report showcases our Counter Adversary Operations team’s relentless pursuit to disrupt the adversary. To learn more, download the full report and register for the CrowdCast: Inside the CrowdStrike 2025 Threat Hunting Report.
FAMOUS CHOLLIMA IT workers use GenAI to create attractive resumes for companies, reportedly use real-time deepfake technology to mask their true identities in video interviews, and use AI code tools to do their jobs. Other adversaries, such as EMBER BEAR and CHARMING KITTEN, use GenAI to amplify pro-Russia narratives and deploy LLM-crafted phishing lures to target U.S. and EU entities.
- 81% of interactive (hands-on-keyboard) intrusions were malware-free.
- Interactive intrusions increased 27% year-over-year, underscoring how adversaries are innovating their operations to bypass legacy detection methods.
- eCrime activity represented 73% of total interactive intrusions.
- Voice phishing (vishing) is on track to double last year’s volume by the end of 2025.
- The government sector was affected by a 71% year-over-year increase in overall interactive intrusions and a 185% year-over-year increase in targeted intrusion activity.
This year’s report, based on frontline intelligence from CrowdStrike’s elite threat hunters and intelligence analysts, examines how threat actors are using AI to do more with less. They’re targeting software used to build AI agents and weaponizing AI at scale, using it to gain access, steal credentials, and deploy malware. eCrime and hacktivist actors abuse AI to automate tasks that once required advanced skill, including malware development and technical problem solving.
Additional Resources
- Learn how CrowdStrike’s threat intelligence and hunting solutions are transforming security operations to better protect your business.
- Tune into the Adversary Universe podcast, where CrowdStrike experts discuss today’s threat actors — who they are, what they’re after, and how you can defend against them.
