The AI-Powered Threat: Key Findings from the CrowdStrike Global Threat Report 2025

CrowdStrike has released its Global Threat Report 2025, documenting a profound shift in the behavior of both cybercriminals and state-sponsored groups. Analysts have described 2024 as “the year of the enterprising adversary”—threat actors are now operating with the sophistication of mature business enterprises, innovating continuously, establishing resilient access supply chains, and aggressively deploying artificial intelligence.

A key metric, the so-called breakout time—the interval between initial intrusion and the start of lateral movement within a network—has plummeted to a historic low, averaging 48 minutes compared to 62 minutes the previous year. The fastest recorded case was a mere 51 seconds, effectively depriving defenders of any meaningful window to respond.

In 79% of incidents, attackers eschewed malware altogether, relying instead on legitimate administrative tools and hands-on-keyboard operations. This approach allows them to blend seamlessly with normal user activity and bypass Endpoint Detection and Response (EDR) systems. Remote administration utilities such as Microsoft Quick Assist and TeamViewer were among the most frequently abused.

The report highlights a staggering 442% surge in vishing attacks in the second half of 2024 compared to the first. Groups such as CURLY SPIDER, CHATTY SPIDER, and PLUMP SPIDER leveraged phone calls as their primary attack vector, often combined with “spam bombing”—mass complaint emails serving as a pretext for fraudulent support calls. These campaigns frequently culminated in backdoor installations and the deployment of Black Basta ransomware.

Attackers also refined help desk social engineering, impersonating company employees to persuade operators to reset passwords or disable multi-factor authentication. This tactic, employed notably by SCATTERED SPIDER, has already become one of the principal means of compromising cloud accounts and SaaS platforms.

2024 marked a turning point in the exploitation of generative AI (GenAI) by both criminal and state-aligned operators. Large language models (LLMs) were harnessed for:

  • Crafting fake identities and images (e.g., by North Korea’s FAMOUS CHOLLIMA).
  • Writing phishing emails and websites with a 54% higher click-through rate than human-crafted content.
  • Producing deepfakes for Business Email Compromise (BEC), including a case resulting in the theft of $25.6 million.
  • Developing malicious scripts and attack tools.
  • Creating decoy websites, such as those used in NITRO SPIDER campaigns.

A new phenomenon emerged as well: LLMJacking—the theft of access to corporate AI services in the cloud, which are then resold or repurposed in subsequent attacks.

The number of China-linked operations increased by 150% overall, and by as much as 200–300% in finance, media, manufacturing, and engineering sectors. Newly identified groups—including LIMINAL PANDA, LOCKSMITH PANDA, OPERATOR PANDA, VAULT PANDA, and ENVOY PANDA—each displayed sector-specific targeting, from telecommunications and finance to diplomatic institutions.

Chinese operators have increasingly leveraged ORB (operational relay box) networks of thousands of compromised devices to obscure the origin of their traffic, while also deploying novel tools such as the KEYPLUG malware.

Meanwhile, FAMOUS CHOLLIMA expanded its campaigns by planting fake IT workers inside foreign companies; the corporate devices issued to these workers were then funneled into “laptop farms” where backdoors were installed. CrowdStrike documented 304 incidents involving this group, with 40% linked to insider threats.

Cloud intrusions surged by 26%, with 35% originating from compromised legitimate accounts. In many cases, attackers refrained from altering passwords to avoid detection. Credential theft via infostealers such as Stealc and Vidar, together with abuse of trusted inter-company connections, was a prominent entry point.

Exploit chaining and abuse of legitimate software functions became cornerstones of modern attack strategies. For instance, OPERATOR PANDA used a chain of vulnerabilities in Cisco IOS to target telecommunications providers and consulting firms in the United States.