CrowdStrike 2025 Threat Hunting Report: Critical Findings Every Organization Must Know

🔑 Key Takeaways

  • The Rise of the Enterprising Adversary in 2025 — CrowdStrike introduces the concept of the “enterprising adversary”—threat actors who operate with business-like efficiency, sophistication, and scalability.
  • Cloud Intrusions Surge 136%: The New Attack Frontier — Perhaps the report’s most alarming finding is the explosion in cloud-targeted intrusions.
  • How Adversaries Are Weaponizing Generative AI for Cyberattacks — The 2025 threat hunting report identifies three primary vectors through which adversaries are weaponizing generative AI, marking 2025 as the year AI-powered attacks moved from theoretical to operational.
  • FAMOUS CHOLLIMA: Inside North Korea’s GenAI-Powered Insider Threat — The most alarming GenAI threat documented in the report comes from North Korea’s FAMOUS CHOLLIMA operation.
  • The Vishing Epidemic: Social Engineering Attacks Explode in 2025 — Voice phishing (vishing) attacks have reached epidemic proportions.

The Rise of the Enterprising Adversary in 2025

CrowdStrike introduces the concept of the “enterprising adversary”—threat actors who operate with business-like efficiency, sophistication, and scalability. These adversaries have evolved beyond opportunistic attacks to run structured operations that rival legitimate enterprises in their organizational maturity.

The numbers tell a compelling story. Interactive intrusions—attacks requiring hands-on-keyboard activity—increased 27% compared to the previous year. Of these, a staggering 81% were malware-free, meaning adversaries achieved their objectives using legitimate tools, stolen credentials, and living-off-the-land techniques that evade traditional security controls. eCrime operations accounted for 73% of all interactive intrusions, confirming that financially motivated threat actors remain the dominant force in the threat landscape.

The technology sector maintained its position as the most targeted industry for the eighth consecutive year, reflecting the high value of intellectual property and the broad attack surface presented by technology organizations. However, the report documents significant increases across virtually every sector, with government intrusions rising 71% overall and 185% for nation-state activity specifically.

Cloud Intrusions Surge 136%: The New Attack Frontier

Perhaps the report’s most alarming finding is the explosion in cloud-targeted intrusions. In just the first half of 2025, cloud intrusions increased 136% compared to all of 2024. China-nexus adversaries drove a significant portion of this growth, with their cloud intrusions rising 40% year-over-year.

GENESIS PANDA, suspected to be an initial access broker, demonstrated sophisticated cloud exploitation capabilities by targeting cloud control planes for lateral movement and persistence. The group exploited Instance Metadata Service (IMDS) endpoints to harvest credentials and pivoted across cloud environments spanning 11 or more countries.
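The IMDS abuse described above is only possible where the metadata endpoint answers unauthenticated requests. The following inventory check is an added example, not code from CrowdStrike or the report: it reads the MetadataOptions and IamInstanceProfile fields of EC2 DescribeInstances output (a constructed sample is embedded; account id and ARNs are placeholders) and flags instances that still allow IMDSv1 or a hop limit above 1, a hardening baseline assumed here rather than quoted from the report.

```python
"""Inventory check for the IMDS credential-harvesting path described above.

Consumes the MetadataOptions and IamInstanceProfile fields of EC2
DescribeInstances output and flags instances where anything that can reach
the metadata endpoint could also read the instance role's temporary
credentials. Hardening baseline (assumed here, not taken from the report):
IMDSv2 required (HttpTokens=required) and a PUT-response hop limit of 1.
"""
from typing import Dict, List

# Constructed sample in DescribeInstances shape; account id and ARNs are placeholders.
SAMPLE_INSTANCES: List[Dict] = [
    {"InstanceId": "i-0example0001",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/web"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0example0002",  # weak settings but no role attached
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0example0003",  # hardened baseline
     "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/app"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 1}},
]


def audit_imds(instance: Dict) -> Dict:
    """Return {"severity": ..., "findings": [...]} for one instance."""
    opts = instance.get("MetadataOptions", {})
    findings: List[str] = []
    if opts.get("HttpEndpoint", "enabled") == "disabled":
        return {"severity": "none", "findings": findings}  # endpoint not reachable at all
    if opts.get("HttpTokens") != "required":
        findings.append("IMDSv1 reachable: HttpTokens is not 'required', so an unauthenticated "
                        "GET to the metadata endpoint returns the role credentials")
    if opts.get("HttpPutResponseHopLimit", 1) > 1:
        findings.append("HttpPutResponseHopLimit > 1: workloads one network hop away "
                        "(containers, pods behind NAT) can still obtain IMDSv2 tokens")
    if not findings:
        severity = "none"
    elif "IamInstanceProfile" in instance:
        severity = "high"   # a role is attached, so there are credentials to lose
    else:
        severity = "low"    # weak settings, but no role credentials behind them
    return {"severity": severity, "findings": findings}


def audit_fleet(instances: List[Dict]) -> Dict[str, Dict]:
    """Map InstanceId -> audit result, only for instances with findings."""
    results = {i["InstanceId"]: audit_imds(i) for i in instances}
    return {iid: r for iid, r in results.items() if r["findings"]}


# Remediation for a flagged instance (real AWS CLI syntax):
#   aws ec2 modify-instance-metadata-options --instance-id <id> \
#       --http-tokens required --http-put-response-hop-limit 1
if __name__ == "__main__":
    for iid, result in audit_fleet(SAMPLE_INSTANCES).items():
        print(iid, result["severity"], *result["findings"], sep="\n  ")
```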

MURKY PANDA took a different approach, abusing trusted relationships between organizations to compromise cloud tenants. By exploiting zero-day vulnerabilities and establishing backdoors in Entra ID (formerly Azure Active Directory), MURKY PANDA achieved persistent access to victim environments that survived standard remediation efforts. The group also leveraged the ORB07 network for Azure password spraying operations.

These findings underscore the critical need for organizations to treat cloud environments as core infrastructure requiring the same—or greater—security investment as on-premises systems. Cloud-native application protection platforms (CNAPPs) with cloud detection and response (CDR) capabilities are no longer optional.

Critical Statistic: 136% increase in cloud intrusions in H1 2025 alone. Organizations without dedicated cloud security monitoring are flying blind in the most rapidly growing attack surface.

How Adversaries Are Weaponizing Generative AI for Cyberattacks

The 2025 threat hunting report identifies three primary vectors through which adversaries are weaponizing generative AI, marking 2025 as the year AI-powered attacks moved from theoretical to operational.

Social Engineering: Threat actors are using large language models to craft highly convincing phishing emails, generate synthetic identities, and optimize social engineering scripts. CHARMING KITTEN, an Iranian threat group, deployed AI-assisted phishing campaigns against EU and U.S. entities with notably improved success rates. RENAISSANCE SPIDER used GenAI for Ukrainian translation in ClickFix lures—though they inadvertently left LLM artifacts in their output, revealing the AI-generated nature of the content.

Technical Operations: Adversaries leverage AI for reconnaissance, vulnerability research, malware development, and technical support during active operations. The FunkLocker ransomware was reportedly created using WormGPT, an unguardrailed AI model available on underground forums. SparkCat mobile malware incorporated AI-powered optical character recognition for selective image exfiltration from compromised devices.

Information Operations: State-sponsored groups use GANs and LLMs to create deepfake content, operate networks of fake news websites, and generate multilingual propaganda at scale. North Korea’s FAMOUS CHOLLIMA represents the most sophisticated operational use of GenAI, applying it across the entire fraudulent employment lifecycle from application to interview to on-the-job performance.


FAMOUS CHOLLIMA: Inside North Korea’s GenAI-Powered Insider Threat

The most alarming GenAI threat documented in the report comes from North Korea’s FAMOUS CHOLLIMA operation. Over the past 12 months, this group infiltrated more than 320 companies—a 220% year-over-year increase—by placing operatives as fraudulent IT workers using AI-generated identities and deepfake technology.

The operation spans the complete employment lifecycle. FAMOUS CHOLLIMA uses generative AI to create convincing résumés, synthetic photographs, and professional profiles. During video interviews, operatives employ real-time deepfake technology to match their appearance to fabricated identities. Once hired, they use AI tools to maintain work performance while simultaneously exfiltrating sensitive data and intellectual property.

Countermeasures require a multi-layered approach: enhanced identity verification during hiring, real-time deepfake challenges during video interviews, geolocation monitoring of remote access sessions, USB and peripheral device validation, and specialized training for hiring managers on insider threat indicators. For organizations in technology, defense, and financial services, the FAMOUS CHOLLIMA threat demands immediate attention to hiring security protocols.

The Vishing Epidemic: Social Engineering Attacks Explode in 2025

Voice phishing (vishing) attacks have reached epidemic proportions. Vishing volumes in H1 2025 already surpassed all of 2024, following a 442% increase from H1 to H2 2024. SCATTERED SPIDER, one of the most prolific eCrime groups, has perfected the help desk social engineering playbook.

SCATTERED SPIDER’s methodology is devastatingly efficient. Operatives call target organization help desks impersonating employees, use social engineering to reset MFA credentials and gain initial access, then move from account takeover to full ransomware deployment in as little as 24 hours—32% faster than their 2024 operations. In some cases, bulk data export began within just 5 minutes of authentication.

The group targets the retail, aviation, and insurance sectors, operating through residential proxies to mask its true location and timing its attacks for after-hours periods when security staffing is reduced. CURLY SPIDER has adopted similar vishing-based tactics, targeting retail and manufacturing organizations with ransomware campaigns that begin with a phone call.

China-Nexus Threat Actors: Patient, Persistent, and Increasingly Sophisticated

China-nexus adversaries demonstrated remarkable operational maturity throughout 2025, with multiple groups conducting patient, long-term intelligence collection campaigns across critical infrastructure sectors.

GLACIAL PANDA targets the global telecommunications sector with extraordinary stealth. Using living-off-the-land techniques and a custom trojanized OpenSSH variant called ShieldSlide, GLACIAL PANDA maintained persistent access to telecom networks across 12 countries. Their primary objective: exfiltrating call detail records for intelligence purposes. The group’s ability to operate undetected for extended periods exemplifies the advanced persistent threat at its most challenging.

OPERATOR PANDA (also known as Salt Typhoon) targeted telecommunications and consulting entities by exploiting Cisco networking equipment. By chaining CVE-2023-20198 and CVE-2023-20273, the group compromised network switches and routers to establish persistent access points within victim infrastructure—positions that provided visibility into all network traffic flowing through the compromised devices.

Multiple other PANDA groups—CIRCUIT, PHANTOM, SUNRISE, NOMAD, VAULT, KRYPTONITE, MUSTANG, and ETHEREAL—were active across multiple sectors globally, demonstrating the breadth and depth of China’s cyber espionage capabilities.


Ransomware in 2025: Shifting Players, Persistent Threats

Despite significant law enforcement disruptions—including actions against ALPHA SPIDER and BITWISE SPIDER—the ransomware ecosystem demonstrated remarkable resilience. New players rapidly filled the void left by disrupted operations, and established groups refined their tactics to increase speed and impact.

Common ransomware TTPs in 2025 include remote encryption via SMB network shares, which allows attackers to encrypt data without deploying ransomware directly to target machines. Veeam Backup & Replication credential dumping has become a standard technique, enabling attackers to eliminate recovery options before encryption. Targeting unmanaged systems—devices outside the organization’s security tooling coverage—provides attackers with blind spots from which to operate.

BLOCKADE SPIDER exemplifies the cross-domain ransomware threat, deploying EMBARGO ransomware across VPN infrastructure, ESXi hypervisors, and cloud environments in a single operation. This multi-platform capability ensures maximum disruption and eliminates fallback recovery options that rely on a single infrastructure layer.

Vulnerability Exploitation and Zero-Day Defense Strategies

The report reveals that 52% of observed vulnerabilities in 2024 were related to initial access, confirming that internet-facing application exploitation remains the primary entry vector for sophisticated adversaries. The speed of exploitation continues to accelerate, leaving defenders with shrinking windows for patch deployment.

GRACEFUL SPIDER’s zero-day exploitation of Cleo MFT products (CVE-2024-55956) demonstrates the threat. The group discovered that a previous patch for CVE-2024-50623 was incomplete, developed a bypass, and launched widespread attacks over a weekend when security teams were understaffed. CrowdStrike OverWatch detected the intrusion within 10 minutes, and CrowdStrike’s sensor provided automated prevention within two days—but organizations without comparable detection capabilities remained exposed for significantly longer.

The recommended approach combines adversary-centric vulnerability prioritization with exposure management. Rather than attempting to patch every vulnerability simultaneously, organizations should focus patching efforts on vulnerabilities actively exploited by adversaries relevant to their sector and geography. Exposure management extends this by identifying and reducing the attack surface before vulnerabilities are discovered.

Top Sectors Under Siege: Government, Telecom, Manufacturing, and Retail

The 2025 threat hunting data reveals dramatic increases in targeting across critical sectors, with nation-state and eCrime actors driving growth in different verticals.

Government: Interactive intrusions against government entities surged 71% overall, with nation-state intrusions increasing 185%. Russia-nexus groups PRIMITIVE BEAR and VENOMOUS BEAR drove the increase through espionage operations against Ukrainian government entities, while the conflict’s spillover effects impacted NATO and broader European government targets.

Telecommunications: The sector experienced a 53% overall increase and 130% increase in nation-state intrusions. China-nexus groups dominate telecom targeting, driven by the intelligence value of call metadata, network infrastructure access, and the ability to intercept communications of interest.

Manufacturing: eCrime intrusions against manufacturers rose 55%, reflecting the sector’s combination of high ransom-paying capacity, operational technology (OT) exposure, and low tolerance for operational disruption. Retail followed a similar pattern with 42% eCrime growth, driven by SCATTERED SPIDER and CURLY SPIDER campaigns.

Logistics saw the highest overall increase at 58%, while real estate was the only sector to decline, at -12%. These sector-specific trends underscore the importance of tailoring threat hunting programs to the specific adversaries and TTPs most relevant to each industry.

Six Essential Recommendations for Defending Against 2025 Threats

CrowdStrike’s recommendations reflect the evolved threat landscape where speed, stealth, and cross-domain operations define modern attacks. These six strategic imperatives should guide security investment and operational planning.

  1. Adopt AI-Powered Solutions — Operationalize agentic AI for alert triage, investigation, and response. As adversaries use AI to accelerate attacks, defenders must use AI to accelerate detection and response at machine speed.
  2. Secure the Entire Identity Ecosystem — Deploy phishing-resistant MFA, implement just-in-time access provisioning, and add identity threat detection capabilities. With 81% of intrusions being malware-free, identity is the primary attack surface.
  3. Eliminate Cross-Domain Visibility Gaps — Implement extended detection and response (XDR) and next-generation SIEM to unify visibility across endpoints, networks, cloud environments, and identity systems. Adversaries exploit visibility gaps between domains.
  4. Defend Cloud as Core Infrastructure — Deploy CNAPPs with cloud detection and response, enforce strict access controls, and conduct regular cloud security audits. The 136% increase in cloud intrusions demands dedicated cloud security investment.
  5. Prioritize Vulnerabilities with an Adversary-Centric Approach — Use threat intelligence to focus patching on vulnerabilities actively exploited by relevant adversaries. Implement exposure management to reduce attack surface proactively.
  6. Know Your Adversary and Be Prepared — Integrate MITRE ATT&CK threat intelligence into security operations, conduct regular tabletop exercises against realistic scenarios, and build user awareness programs focused on the social engineering techniques adversaries actually use.


MITRE ATT&CK Analysis: Most Observed Techniques in 2025

The report maps observed adversary behavior to the MITRE ATT&CK framework, providing actionable intelligence for detection engineering and threat hunting programs. Defense Evasion was the most observed tactic, with Masquerading and Disable/Modify Tools being the top techniques—reflecting adversaries’ focus on avoiding detection rather than deploying malware.

Five of the top ten observed techniques were Discovery techniques: Account Discovery, System Network Configuration Discovery, Remote System Discovery, and related reconnaissance activities. This pattern reveals that adversaries invest significant time mapping victim environments before taking action, providing defenders with detection opportunities during the reconnaissance phase.

For Initial Access, Valid Accounts and Exploit Public-Facing Application dominated—consistent with the 81% malware-free finding and the 52% vulnerability exploitation statistic. PowerShell and Windows Management Instrumentation (WMI) remained the primary execution methods, while Web Shells and Scheduled Tasks provided persistence. These technique patterns should directly inform detection rule development and hunting hypothesis creation.
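The following hunting logic is an added example rather than CrowdStrike's own rules: it runs over a constructed set of EDR-style process-creation events (JSON lines; the field names are assumptions, not a vendor schema) and surfaces two of the patterns named above, a system-binary name executing from outside its legitimate directory (Masquerading, T1036) and a burst of distinct Discovery tools on one host within a short window (Account, System Network Configuration and Remote System Discovery, T1087/T1016/T1018).

```python
"""Hunting queries for two of the top observed ATT&CK techniques discussed above.

Input: process-creation events, one JSON object per line (constructed sample;
field names ts/host/user/image/cmd are assumptions, not a vendor schema).
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Tools whose appearance in quick succession suggests an actor surveying the host,
# its accounts and its network (T1087, T1016, T1018). Tune to your estate.
DISCOVERY = {"whoami.exe", "net.exe", "nltest.exe", "ipconfig.exe",
             "systeminfo.exe", "quser.exe", "nslookup.exe", "arp.exe"}
# Windows binaries that only legitimately run from these directories (T1036 check).
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

SAMPLE_EVENTS = r"""
{"ts": "2025-06-10T09:00:05", "host": "WS01", "user": "jdoe", "image": "C:\\Windows\\System32\\whoami.exe", "cmd": "whoami /all"}
{"ts": "2025-06-10T09:01:10", "host": "WS01", "user": "jdoe", "image": "C:\\Windows\\System32\\net.exe", "cmd": "net user /domain"}
{"ts": "2025-06-10T09:02:30", "host": "WS01", "user": "jdoe", "image": "C:\\Windows\\System32\\nltest.exe", "cmd": "nltest /dclist:corp"}
{"ts": "2025-06-10T09:03:00", "host": "WS01", "user": "jdoe", "image": "C:\\Windows\\System32\\ipconfig.exe", "cmd": "ipconfig /all"}
{"ts": "2025-06-10T09:04:00", "host": "WS01", "user": "jdoe", "image": "C:\\Users\\Public\\svchost.exe", "cmd": "svchost.exe -k netsvcs"}
{"ts": "2025-06-10T10:00:00", "host": "WS02", "user": "asmith", "image": "C:\\Windows\\System32\\ipconfig.exe", "cmd": "ipconfig"}
{"ts": "2025-06-10T12:15:00", "host": "WS02", "user": "asmith", "image": "C:\\Windows\\System32\\svchost.exe", "cmd": "svchost.exe -k netsvcs"}
"""


def parse_events(text):
    """Parse JSON lines, derive the lower-cased binary name, sort by time."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["name"] = e["image"].rsplit("\\", 1)[-1].lower()
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def masquerading(events):
    """T1036: a well-known system binary name running from a non-system path."""
    return [(e["host"], e["image"]) for e in events
            if e["name"] in SYSTEM_NAMES
            and not e["image"].lower().startswith(SYSTEM_DIRS)]


def discovery_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Hosts on which >= threshold distinct discovery tools ran within `window`."""
    per_host = defaultdict(list)
    for e in events:
        if e["name"] in DISCOVERY:
            per_host[e["host"]].append(e)
    hits = []
    for host, evs in per_host.items():
        for i, first in enumerate(evs):  # evs is already time-ordered
            seen = {x["name"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(seen) >= threshold:
                hits.append((host, first["ts"].isoformat(), sorted(seen)))
                break  # one alert per host is enough to start triage
    return hits
```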


Frequently Asked Questions

What are the key findings of the CrowdStrike 2025 Threat Hunting Report?

The report reveals a 27% increase in interactive intrusions, 81% of which are malware-free. Cloud intrusions surged 136% in H1 2025, vishing attacks exceeded all of 2024 by mid-year, and adversaries are increasingly weaponizing generative AI for social engineering and technical operations.

How much did cloud intrusions increase in 2025?

Cloud intrusions increased by 136% in the first half of 2025 compared to all of 2024. China-nexus cloud intrusions specifically rose 40% year-over-year, with groups like GENESIS PANDA and MURKY PANDA exploiting cloud control planes and trusted relationships.

What is the FAMOUS CHOLLIMA insider threat operation?

FAMOUS CHOLLIMA is a North Korean threat group that infiltrated over 320 companies as fraudulent IT workers, representing a 220% year-over-year increase. They use generative AI for creating fake résumés, conducting deepfake video interviews, and performing on-the-job tasks.

How are adversaries using generative AI in cyberattacks?

Adversaries use generative AI across three vectors: social engineering (phishing content, identity generation), technical operations (reconnaissance, vulnerability exploitation, malware development), and information operations (deepfakes, fake news sites, multilingual propaganda).

What are the top recommended defenses against 2025 cyber threats?

CrowdStrike recommends six key defenses: adopting AI-powered security solutions, securing the entire identity ecosystem with phishing-resistant MFA, eliminating cross-domain visibility gaps with XDR, defending cloud as core infrastructure, prioritizing vulnerabilities with adversary-centric approaches, and conducting threat intelligence-driven preparedness exercises.
