CrowdStrike 2025 Global Threat Report: Key Cybersecurity Findings and Analysis
Table of Contents
- CrowdStrike 2025 Threat Report Executive Summary
- CrowdStrike 2025 Report: Malware-Free Attacks Dominate Cyber Threats
- CrowdStrike 2025 Breakout Time Drops to Record 51 Seconds
- Vishing and Social Engineering Attacks Surge 442%
- Generative AI Powers Next-Generation Cyberattacks
- China-Nexus Cyber Espionage Surges 150%
- Cloud Security Threats and Identity-Based Attacks
- Vulnerability Exploitation and Network Perimeter Targeting
- Cybersecurity Recommendations and Defense Strategies
📌 Key Takeaways
- 79% malware-free: The vast majority of cyberattacks in 2024 used hands-on-keyboard techniques, abandoning traditional malware entirely.
- 51-second breakout: The fastest adversary breakout time dropped to under a minute, with the average at 48 minutes — down from 62 in 2023.
- 442% vishing surge: Voice phishing attacks exploded between H1 and H2 2024, becoming a primary initial access method for eCrime groups.
- China-nexus 150% increase: Chinese cyber espionage operations surged across all sectors, with some industries seeing 200-300% more attacks.
- AI-powered threats: Generative AI enabled phishing emails with 54% click-through rates and powered disinformation campaigns at unprecedented scale.
CrowdStrike 2025 Threat Report Executive Summary
The CrowdStrike 2025 Global Threat Report delivers a stark warning to cybersecurity professionals worldwide: adversaries are becoming faster, stealthier, and more business-like than ever before. Published by CrowdStrike’s Counter Adversary Operations team, this annual report draws on trillions of telemetry events from the AI-native CrowdStrike Falcon platform to map the evolving cyber threat landscape across nation-state, eCrime, and hacktivist motivations.
The report’s central theme — “the enterprising adversary” — captures a fundamental shift in how threat actors operate. Like well-run enterprises, modern adversaries are streamlining tactics, scaling successful strategies, and learning from both their own mistakes and those of their peers. During 2024, CrowdStrike Intelligence introduced 26 newly named adversaries, bringing the total tracked to 257, alongside more than 140 active malicious activity clusters.
Key statistics paint a sobering picture: 79% of detections were malware-free, the average breakout time fell to 48 minutes, vishing attacks surged 442%, and China-nexus activity increased 150% across all sectors. For organizations struggling to keep pace with these developments, understanding the data behind these trends is the first step toward building effective defenses. The interactive analysis of enterprise technology trends provides additional context on how organizations are adapting to digital threats.
CrowdStrike 2025 Report: Malware-Free Attacks Dominate Cyber Threats
Perhaps the most striking finding in the CrowdStrike 2025 Global Threat Report is the continued rise of malware-free attack techniques. In 2024, 79% of all detections observed by CrowdStrike were malware-free — a dramatic escalation from 40% in 2019. This six-year trend represents a fundamental transformation in how adversaries operate, moving from malicious binaries to sophisticated hands-on-keyboard intrusions that mimic legitimate user activity.
Interactive intrusion campaigns, where adversaries execute manual actions within compromised environments, increased 35% year-over-year in 2024. These intrusions are exceptionally difficult to detect because attackers use legitimate tools already present in enterprise environments. Remote monitoring and management (RMM) tools like Microsoft Quick Assist, TeamViewer, and AnyDesk have become the weapon of choice for eCrime adversaries who no longer need malware to achieve their objectives.
The technology sector remained the most targeted industry for the seventh consecutive year, accounting for 23% of all interactive intrusions. Consulting and professional services followed at 15%, with manufacturing (12%), retail (11%), and financial services (10%) rounding out the top five. Geographically, North America bore the brunt of attacks at 53%, followed by Europe at 11% and East Asia at 7%.
This shift has profound implications for security teams. Traditional antivirus and signature-based detection approaches are increasingly ineffective against adversaries who operate entirely within the bounds of legitimate system tools. Organizations must pivot toward behavior-based detection frameworks such as those outlined by NIST, endpoint detection and response (EDR) solutions, and proactive threat hunting capabilities that can identify anomalous patterns in seemingly normal activity.
CrowdStrike 2025 Breakout Time Drops to Record 51 Seconds
The breakout time — the interval between an adversary’s initial access and their first lateral movement to another system — reached alarming new lows in 2024. The average breakout time for interactive eCrime intrusions fell to just 48 minutes, down from 62 minutes in 2023. Even more concerning, the fastest observed breakout occurred in a mere 51 seconds, meaning defenders had less than one minute to detect and respond before the attacker established deeper network control.
The CrowdStrike report details a particularly illustrative case involving CURLY SPIDER, one of 2024’s fastest and most adaptive eCrime adversaries. In one documented attack, the entire chain — from initial social engineering contact through backdoor account creation — took under four minutes. The adversary did not even need to break out to another device; they compromised the network by securing persistent access before the victim realized what was happening.
CURLY SPIDER’s methodology is emblematic of the modern approach: a spam bombing campaign creates urgency, a follow-up vishing call posing as IT support establishes trust, and the adversary guides the victim through installing a legitimate RMM tool. Once connected, the attacker validates connectivity (3 minutes 43 seconds), deploys malicious scripts (6 seconds), and creates a backdoor user (6 seconds). This adversary frequently collaborates with WANDERING SPIDER, the group behind Black Basta ransomware.
These compressed timelines place extraordinary pressure on security operations centers (SOCs). Manual triage processes that take hours are fundamentally incompatible with adversaries who operate in seconds. Real-time detection, automated response capabilities, and AI-driven threat hunting are no longer aspirational — they are existential necessities for organizations seeking to defend against modern attacks.
Vishing and Social Engineering Attacks Surge 442%
The CrowdStrike 2025 Global Threat Report documents an extraordinary explosion in voice phishing (vishing) attacks, with a 442% increase between the first and second half of 2024. This surge represents what may be the most significant shift in the eCrime ecosystem’s initial access methodology, as adversaries increasingly target human psychology rather than technical vulnerabilities.
Throughout 2024, CrowdStrike tracked at least six distinct campaigns in which threat actors posing as IT support staff called targeted users to persuade them into establishing remote support sessions. In most campaigns, attackers used Microsoft Teams calls from external tenants. At least four campaigns leveraged “spam bombing” — flooding targets with thousands of spam emails — as a pretext for the follow-up vishing call, claiming the spam indicated a malware infection requiring immediate IT assistance.
The report highlights three primary adversary groups using these techniques. CURLY SPIDER combines spam bombing with vishing to deploy backdoors and ultimately deliver ransomware via their collaboration with WANDERING SPIDER. CHATTY SPIDER, a long-standing Russia-based group, uses callback phishing for data theft and extortion, primarily targeting legal and insurance sectors with ransom demands reaching $8 million. PLUMP SPIDER, based in Brazil, uses vishing to conduct wire fraud by compromising payment systems.
Help desk social engineering expanded in parallel, with multiple eCrime actors impersonating employees to convince IT help desks to reset passwords and MFA credentials. SCATTERED SPIDER pioneered this technique in 2023, and it was widely adopted across the ecosystem in 2024. Attackers typically call outside business hours, register their own MFA devices for persistence, and delete suspicious-activity emails to avoid detection. The growing demand for English-speaking callers with RMM tool knowledge on eCrime forums signals that this threat vector will intensify through 2025.
Generative AI Powers Next-Generation Cyberattacks
Generative AI has emerged as a transformative tool in the adversary toolkit, with the CrowdStrike 2025 Global Threat Report documenting its adoption across nation-state, eCrime, and hacktivist operations. While AI-assisted attacks remain largely evolutionary rather than revolutionary, the technology’s low barrier to entry and capacity to produce convincing content at scale make it an increasingly potent weapon.
Perhaps the most alarming data point comes from academic research cited in the report: LLM-generated phishing emails achieved a 54% click-through rate, compared to just 12% for human-written phishing messages. This 4.5x improvement demonstrates that AI is not merely augmenting social engineering — it is fundamentally outperforming human attackers at their own craft. For a broader understanding of how AI is transforming enterprises, explore our interactive analysis of McKinsey’s AI transformation research.
DPRK-nexus adversary FAMOUS CHOLLIMA stands out as a particularly innovative AI adopter. This group deployed AI-generated LinkedIn profiles, used LLMs to support job interviews for their malicious insider campaign, and operated at extraordinary scale — CrowdStrike OverWatch responded to 304 FAMOUS CHOLLIMA incidents in 2024, with nearly 40% representing insider threat operations. Their operatives obtain software development jobs using stolen or fraudulent identities, send company laptops to third-party facilitator “laptop farms” in the United States, and exfiltrate code or intellectual property.
Nation-state information operations also leveraged AI extensively. The China-aligned Green Cicada network used a Chinese-language LLM to operate more than 5,000 inauthentic social media accounts amplifying politically divisive content before the 2024 U.S. presidential election. Russia-aligned operators used LLMs for tailored content generation and workflow automation in IO campaigns targeting the U.S., Israel, and European countries. In the cybercrime space, adversaries used LLMs to generate malicious scripts, create convincing decoy websites, and even attempt exploit development — though with limited success so far.
Cloud-conscious attackers have begun exploring “LLMJacking” — compromising cloud credentials to access enterprise AI services and resell model access on criminal markets. As AI services become more deeply integrated into cloud platforms like Azure AI Foundry, CrowdStrike expects these attacks to increase in both frequency and sophistication.
China-Nexus Cyber Espionage Surges 150%
The CrowdStrike 2025 Global Threat Report identifies China-nexus cyber espionage as the most significant targeted intrusion threat of 2024, with activity surging 150% across all sectors compared to the previous year. Even more striking, certain industries — including financial services, media, manufacturing, and industrials and engineering — experienced 200-300% increases in observed intrusions.
This escalation reflects decades of strategic investment by the Chinese government. The CCP’s cyber ecosystem draws on university systems that produce a highly trained workforce, private sector contracting pipelines supporting People’s Liberation Army (PLA) and Ministry of State Security (MSS) cyber units, vulnerability discovery competitions, and industry networking that enables operators to share closed-access tooling and tradecraft. General Secretary Xi Jinping’s 2014 call for China to become a “cyber power” (网络强国) and the broader strategy of “national rejuvenation” (伟大复兴) have accelerated these capabilities throughout the 21st century.
CrowdStrike identified seven new China-nexus adversaries in 2024, five of which demonstrate remarkable specialization. LIMINAL PANDA demonstrates extensive knowledge of telecommunications networks and uses compromised telecom infrastructure to move across regions. OPERATOR PANDA targets telecom and professional services entities through exploiting internet-facing appliances like Cisco switches. VAULT PANDA focuses specifically on the financial services sector worldwide. These specialized adversaries represent a shift from historical “smash-and-grab” operations to focused, mission-specific intrusions.
Operational security has intensified dramatically, with multiple China-nexus adversaries employing Operational Relay Box (ORB) networks — consisting of hundreds or thousands of compromised devices — to proxy and route their traffic. Despite law enforcement attempts to disrupt these ORB networks, they remain a cornerstone of Chinese cyber operations. Tool sharing has also expanded, with at least five distinct adversaries now using the once-unique malware KEYPLUG, demonstrating the maturity and interconnectedness of China’s cyber ecosystem.
Cloud Security Threats and Identity-Based Attacks
The CrowdStrike 2025 Global Threat Report reveals a 26% increase in new and unattributed cloud intrusions in 2024 compared to the previous year. Valid account abuse has become the primary initial access vector, accounting for 35% of cloud incidents in the first half of 2024. This trend signals a fundamental shift: adversaries are not breaking into cloud environments through technical exploits — they are logging in with stolen credentials.
The cloud threat landscape has also diversified significantly. In 2023, SCATTERED SPIDER accounted for 30% of all cloud-based intrusions. By 2024, this dropped to 13% — not because SCATTERED SPIDER became less active, but because numerous nation-state and opportunistic actors entered the cloud attack space. Both China-nexus and DPRK-nexus adversaries developed cloud-conscious techniques throughout the year, with LABYRINTH CHOLLIMA consistently compromising developer workstations via backdoored GitHub projects before pivoting to cloud environments using cached credentials.
Access broker activity continued to surge, with advertised accesses increasing nearly 50% over 2023, totaling 4,486 advertisements across the year. In the broader initial access landscape, 52% of all vulnerabilities observed by CrowdStrike were related to initial access, reinforcing that the perimeter remains the critical attack surface. Information stealers like Stealc and Vidar were updated to specifically target cloud account credentials, providing attackers with instant access to cloud environments. Our analysis of the World Economic Forum’s Global Risks Report provides further context on how cybersecurity risks rank among global threats.
SaaS exploitation emerged as another critical vector. After compromising SSO identities, adversaries like SCATTERED SPIDER systematically test access to all available SSO-integrated applications — chat platforms, credential managers, document storage, and productivity tools. In one campaign, an adversary obtained API keys to a commercial SMS distribution application and used it to send more than 700,000 smishing messages. Microsoft 365 remains a prime target, with SharePoint accessed in 22% and Outlook in 17% of relevant intrusions.
Vulnerability Exploitation and Network Perimeter Targeting
Network perimeter devices remained high-value targets for threat actors throughout 2024, with the CrowdStrike 2025 Global Threat Report documenting a sophisticated evolution in vulnerability exploitation techniques. Adversaries increasingly employed two layered approaches to achieve remote code execution (RCE): exploit chaining and legitimate feature abuse.
Exploit chaining — combining two or more vulnerabilities into a single attack sequence — proved devastatingly effective. Multiple unattributed threat actors chained a bypass vulnerability (CVE-2024-0012) with a privilege escalation vulnerability (CVE-2024-9474) in Palo Alto Networks PAN-OS Management Web Interface. In a separate campaign, China-nexus adversary OPERATOR PANDA chained two Cisco IOS vulnerabilities to target U.S. telecom and professional services entities, demonstrating the strategic sophistication of state-sponsored operations.
The report identifies a concerning “discovery, rediscovery, and circumvention” trend where threat actors repeatedly exploit the same products through evolving attack vectors. The Windows mskssrv driver attack surface, first highlighted at Pwn2Own Vancouver in March 2023, generated at least 16 vulnerability disclosures since then — with threat actors actively exploiting newly discovered variants. Similarly, Apache OFBiz suffered from a persistent core flaw that enabled multiple sequential vulnerabilities (CVE-2024-32113, CVE-2024-36104, CVE-2024-38856, and CVE-2024-45195) despite vendor patches.
The speed of exploitation following public disclosure is particularly alarming. Within 24 hours of Palo Alto Networks disclosing five Expedition vulnerabilities on October 9, 2024, CrowdStrike captured HTTP requests consistent with exploitation. By October 18, exploitation from IP addresses connected to a China-nexus ORB network was observed. This rapid weaponization underscores why organizations following severity-score-based patching processes remain vulnerable — secondary vulnerabilities receive less attention and can be chained with new discoveries to achieve full compromise. CISA’s Known Exploited Vulnerabilities Catalog provides essential guidance for prioritizing patch deployment.
Cybersecurity Recommendations and Defense Strategies
The CrowdStrike 2025 Global Threat Report concludes with a comprehensive set of cybersecurity defense strategies tailored to the threat landscape it documents. Given that adversaries are moving faster, using fewer malware artifacts, and exploiting human psychology at scale, organizations must fundamentally rethink their security posture.
Identity protection stands as the highest priority. With 79% of attacks malware-free and valid account abuse driving 35% of cloud incidents, the identity layer is the new perimeter. Organizations should deploy hardware-based FIDO2 authentication devices such as YubiKeys, implement number-matching MFA to prevent adversary-in-the-middle (AiTM) attacks, and require video authentication with government identification for help desk password reset requests. Monitoring for anomalies such as MFA device registrations, off-hours access patterns, and multiple users registering the same device is critical.
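As an added illustration of the monitoring described here and of the help desk pattern described in the vishing section (example code written for this summary, not code from the report or from CrowdStrike), the following Python runs three checks over a few constructed identity-provider audit events: off-hours MFA registration, MFA registration shortly after a help desk password reset, and one MFA device registered by several users. The event format, the 08:00-18:00 weekday business-hours window and the one-hour reset-to-registration window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity-provider audit events (not real telemetry), as
# "timestamp,user,event,device_id". Timestamps are assumed to already be in
# the organisation's local time zone; device_id is empty for non-MFA events.
SAMPLE_EVENTS = [
    "2024-11-04T09:12:00,alice,mfa_register,dev-1001",
    "2024-11-04T22:41:00,bob,helpdesk_password_reset,",
    "2024-11-04T22:47:00,bob,mfa_register,dev-7788",
    "2024-11-05T03:15:00,carol,mfa_register,dev-7788",
    "2024-11-05T10:02:00,dave,mfa_register,dev-2002",
]

# Assumed business hours (08:00-18:00, Monday to Friday) and the window in
# which an MFA registration following a help desk reset is treated as suspect.
BUSINESS_START, BUSINESS_END = 8, 18
RESET_TO_REGISTER_WINDOW = timedelta(hours=1)


def parse_events(lines):
    """Parse CSV-style lines into dicts, oldest first."""
    events = []
    for line in lines:
        ts, user, event, device = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "user": user,
            "event": event,
            "device": device or None,
        })
    return sorted(events, key=lambda e: e["ts"])


def is_off_hours(ts):
    """True on weekends or outside the assumed business hours."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.hour < BUSINESS_END)


def detect_mfa_anomalies(lines):
    """Return (rule, subject, device_id) tuples for the three patterns the
    report describes: off-hours MFA registration, MFA registration shortly
    after a help desk password reset, and one device shared by several users."""
    findings = []
    device_owners = defaultdict(set)
    last_reset = {}  # user -> timestamp of most recent help desk reset
    for e in parse_events(lines):
        if e["event"] == "helpdesk_password_reset":
            last_reset[e["user"]] = e["ts"]
            continue
        if e["event"] != "mfa_register":
            continue
        device_owners[e["device"]].add(e["user"])
        if is_off_hours(e["ts"]):
            findings.append(("off_hours_mfa_registration", e["user"], e["device"]))
        reset_ts = last_reset.get(e["user"])
        if reset_ts is not None and e["ts"] - reset_ts <= RESET_TO_REGISTER_WINDOW:
            findings.append(("mfa_registration_after_helpdesk_reset",
                             e["user"], e["device"]))
    for device, users in device_owners.items():
        if len(users) > 1:
            findings.append(("shared_mfa_device", ",".join(sorted(users)), device))
    return findings


if __name__ == "__main__":
    for rule, subject, device in detect_mfa_anomalies(SAMPLE_EVENTS):
        print(f"{rule:40} {subject:12} {device}")
```

On the sample data the user "bob" trips both the off-hours and the reset-then-register rules, and device dev-7788 is flagged as shared once "carol" registers it too.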
Cloud environment hardening demands equal attention. Organizations must enforce MFA with secure verification methods across all cloud accounts, regularly audit SSO-integrated applications, implement data loss prevention (DLP) solutions, and monitor the data employees upload to cloud storage repositories like SharePoint. Network segmentation, least-privilege access principles, and regular review of trusted zones and restriction exceptions should be foundational policies.
For vulnerability management, the report recommends moving beyond severity-score-based patching to prioritize based on real-world exploitation data. Defense-in-depth approaches — including network-level access controls, server isolation, sandboxing, and XDR technology — can detect and remediate malicious activity even when zero-day vulnerabilities are exploited. Organizations should also implement proactive threat hunting programs to identify pre-attack behaviors and disrupt adversary operations before breakout occurs.
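To make the patch-prioritization point concrete, here is an added example (written for this summary, not code from the report or from CrowdStrike) that orders a constructed set of findings by exploitation evidence rather than CVSS alone, using the CVE pairs the report names: the chained PAN-OS vulnerabilities and the sequential Apache OFBiz variants. The CVSS scores, the KEV snapshot and the placeholder CVE "CVE-0000-00001" are constructed sample data, not published values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    product: str
    cvss: float  # constructed sample score, not the vendor-published value


# Constructed inventory of open findings. The CVE ids are those named in the
# report; "CVE-0000-00001" is a placeholder for an unrelated high-score bug.
INVENTORY = [
    Finding("CVE-2024-0012", "PAN-OS", 9.3),
    Finding("CVE-2024-9474", "PAN-OS", 6.9),
    Finding("CVE-2024-38856", "Apache OFBiz", 9.8),
    Finding("CVE-2024-45195", "Apache OFBiz", 7.5),
    Finding("CVE-0000-00001", "placeholder-app", 9.8),
]

# Constructed partial snapshot standing in for the CISA KEV catalogue; a real
# pipeline would load the live catalogue rather than hard-code entries.
KEV_SNAPSHOT = {"CVE-2024-0012", "CVE-2024-38856"}

# Relationships the report describes: the PAN-OS pair was chained in the wild,
# and the OFBiz CVEs are sequential variants of one core flaw.
RELATED = {
    frozenset({"CVE-2024-0012", "CVE-2024-9474"}),
    frozenset({"CVE-2024-38856", "CVE-2024-45195"}),
}


def related_to(cve):
    """All CVEs recorded as a chain partner or variant of `cve`."""
    return {other for pair in RELATED if cve in pair
            for other in pair if other != cve}


def tier(finding, kev):
    """0 = on KEV, 1 = chainable with or variant of a KEV entry, 2 = rest."""
    if finding.cve in kev:
        return 0, "actively exploited (KEV)"
    if related_to(finding.cve) & kev:
        return 1, "chain partner / variant of an exploited CVE"
    return 2, "no exploitation evidence; CVSS only"


def by_severity_only(inventory):
    """The severity-score ordering the report argues against."""
    return [f.cve for f in sorted(inventory, key=lambda f: (-f.cvss, f.cve))]


def prioritize(inventory, kev=KEV_SNAPSHOT):
    """Exploitation-aware ordering: tier first, then CVSS within a tier."""
    rows = [(tier(f, kev), f) for f in inventory]
    rows.sort(key=lambda r: (r[0][0], -r[1].cvss, r[1].cve))
    return [(f.cve, t, reason) for (t, reason), f in rows]


if __name__ == "__main__":
    print("severity only :", by_severity_only(INVENTORY))
    for cve, t, reason in prioritize(INVENTORY):
        print(f"tier {t}  {cve:16} {reason}")
```

Under severity-only ordering the unrelated 9.8 placeholder is patched first and the 6.9 PAN-OS privilege escalation last; with exploitation data the chained and variant CVEs move ahead of it.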
Finally, the human element cannot be neglected. Regular security awareness training focused on vishing, callback phishing, and help desk social engineering scenarios is essential. Employees must understand that IT support will never call unsolicited asking them to install remote access tools. As the report makes clear, in the era of the enterprising adversary, defense must be equally enterprising — leveraging AI-driven detection, real-time response automation, and cross-domain visibility to match the speed and sophistication of today’s threats.
Frequently Asked Questions
What are the key findings of the CrowdStrike 2025 Global Threat Report?
The CrowdStrike 2025 Global Threat Report reveals that 79% of cyberattacks are now malware-free, China-nexus activity surged 150%, vishing attacks grew 442%, average breakout time dropped to 48 minutes, and access broker advertisements increased 50% year-over-year. The report tracks 257 named adversaries and highlights AI-driven social engineering as a rising threat.
How fast can cyber adversaries move through a network in 2025?
According to CrowdStrike’s 2025 report, the average eCrime breakout time fell to just 48 minutes, with the fastest observed breakout taking only 51 seconds. This means defenders may have less than a minute to detect and respond before attackers establish deeper control within a compromised network.
What role does generative AI play in modern cyberattacks?
Generative AI is increasingly used by adversaries for social engineering, phishing campaigns, disinformation operations, and developing malicious scripts. LLM-generated phishing emails achieved a 54% click-through rate compared to 12% for human-written ones. Nation-state actors from China, Russia, Iran, and North Korea all leveraged AI in their 2024 campaigns.
Why did China-nexus cyber activity increase so dramatically in 2024?
China-nexus activity surged 150% due to decades of government investment in cyber programs, university training pipelines, private sector contracting, and vulnerability research competitions. Seven new China-nexus adversaries were identified in 2024, with targeted industries like financial services, media, and manufacturing seeing 200-300% increases in attacks.
How can organizations protect against identity-based cyberattacks?
Organizations should implement hardware-based FIDO2 authentication, enforce MFA across all accounts, use identity threat detection and response solutions, train employees on vishing and social engineering tactics, monitor for credential abuse in cloud environments, and adopt zero-trust architecture principles to minimize the impact of compromised identities.
What are the biggest cloud security threats identified in the report?
Cloud intrusions increased 26% in 2024, with valid account abuse accounting for 35% of cloud incidents. Threat actors increasingly target cloud control planes, exploit stolen credentials for LLMJacking, and abuse SaaS applications for lateral movement and data exfiltration. Both nation-state and eCrime actors are developing cloud-conscious techniques.