CrowdStrike 2025 Threat Hunting Report: Inside the Most Dangerous Cyber Threats
Table of Contents
- The Evolving Threat Landscape: 2024-2025 Overview
- Interactive Intrusions: 27% Year-Over-Year Surge
- The Malware-Free Revolution: 81% of Attacks
- FAMOUS CHOLLIMA and GenAI-Powered Employment Fraud
- SCATTERED SPIDER: From Vishing to Ransomware in 24 Hours
- Cloud Intrusions Explode: 136% Increase
- The Vishing Epidemic: 442% Growth
- Industry Targeting: Technology Leads for Eighth Year
- AI Tools as Attack Vectors: The Langflow Exploitation
- Defense Strategies and Hunting Recommendations
📌 Key Takeaways
- Intrusions accelerating: Interactive hands-on-keyboard intrusions increased 27% year-over-year, with 81% of them malware-free, demonstrating that adversaries prefer living-off-the-land techniques
- Vishing explosion: Voice phishing attacks surged 442% from H1 to H2 2024, with H1 2025 already exceeding total 2024 volumes as social engineering becomes a primary initial access vector
- Cloud under siege: Cloud intrusions rose 136% in H1 2025 vs all of 2024, with China-nexus actors showing 40% increase in cloud-targeting operations
- DPRK insider threat: FAMOUS CHOLLIMA infiltrated 320+ companies through GenAI-assisted fake employment operations, a 220% increase year-over-year
- Government sector targeted: 71% overall increase in government intrusions with 185% surge in nation-state attacks, driven by Russia-nexus and China-nexus actors
The Evolving Threat Landscape: 2024-2025 Overview
The CrowdStrike 2025 Threat Hunting Report, covering July 2024 through June 2025, reveals a cybersecurity landscape that has fundamentally shifted toward human-operated, intelligence-driven attacks that bypass traditional security measures. The report, compiled from CrowdStrike’s OverWatch threat hunting team’s direct observations across thousands of customer environments, documents a world where adversaries are more sophisticated, faster, and more creative than ever before—and where the traditional perimeter-based defense model has become dangerously inadequate.
The headline statistics paint a stark picture: interactive intrusions increased 27% year-over-year, with 81% of these intrusions being malware-free. This means that the majority of human-operated attacks now rely on legitimate tools, stolen credentials, and hands-on-keyboard techniques that blend seamlessly with normal system administration activities. eCrime actors account for 73% of interactive intrusions, while nation-state operations make up most of the remainder. The shift toward malware-free techniques represents a fundamental challenge for organizations that still rely primarily on signature-based or even behavioral malware detection.
For security professionals, CISOs, and technology leaders, this report provides essential intelligence for threat modeling, security investment prioritization, and cybersecurity strategy development. The findings demand a fundamental rethinking of how organizations detect, respond to, and hunt for threats in an era where the adversary operates with increasing speed, sophistication, and creativity.
Interactive Intrusions: 27% Year-Over-Year Surge
The 27% increase in interactive intrusions represents more than just volume growth—it signals a qualitative shift in how adversaries operate. Interactive intrusions involve human operators making real-time decisions about how to navigate compromised environments, escalate privileges, move laterally, and achieve objectives. Unlike automated attacks that follow predetermined scripts, interactive intrusions are adaptive, responsive, and much harder to detect because the attacker can adjust tactics based on the specific defenses encountered.
The dominance of malware-free techniques within these intrusions has profound implications for detection strategies. When 81% of hands-on-keyboard attacks avoid traditional malware, organizations cannot rely on endpoint protection platforms alone. Instead, defenders must hunt for behavioral anomalies—unusual authentication patterns, unexpected discovery commands, suspicious use of legitimate administrative tools, and other indicators that distinguish attacker activity from normal operations. This requires both technology (next-generation SIEM, cross-domain telemetry) and skilled human analysts who understand attacker tradecraft.
The report's finding that 52% of observed vulnerabilities were tied to initial access confirms that getting in remains the critical first step. Attackers are investing heavily in identifying and exploiting internet-facing vulnerabilities, compromising credentials through phishing and vishing, and leveraging trusted relationships to bypass perimeter defenses. Once inside, the malware-free approach means the attacker is difficult to distinguish from a legitimate administrator, which makes initial access prevention and rapid detection of unauthorized access the highest-priority defensive investments.
The Malware-Free Revolution: 81% of Attacks
The shift to 81% malware-free interactive intrusions represents the culmination of a multi-year trend that the security industry has been slow to address. Adversaries have learned that living-off-the-land—using legitimate tools already present in the environment—dramatically reduces their detection footprint. PowerShell, WMI, rundll32, regsvr32, and other system utilities provide everything an attacker needs for reconnaissance, lateral movement, persistence, and data exfiltration without ever deploying custom malware.
This trend renders traditional antivirus and even many next-generation endpoint protection solutions insufficient as standalone defenses. When the attack tools are the same tools that system administrators use daily, detection must be based on context rather than content: who is running the command, when are they running it, what preceded the command, and does the pattern match expected administrative behavior? Building and maintaining this contextual awareness requires investment in identity security, behavioral analytics, and cross-domain correlation that many organizations have not yet made.
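The contextual questions above (who ran the command, from what parent, at what hour, and what preceded it) translate directly into hunting logic. The following Python is an added illustration, not code from CrowdStrike or the report: it evaluates three context-based rules over a small set of constructed process-creation events. The parent/child pairings, the discovery-command list and the business-hours window are assumptions that a real team would tune to its own estate.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcessEvent:
    ts: datetime      # local time on the host
    host: str
    user: str
    parent: str       # parent image name, lower case
    image: str        # image name, lower case
    cmdline: str


# Context tables; membership is an assumption for a typical Windows estate, not a vendor list.
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe", "msedge.exe"}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "powershell.exe", "cmd.exe"}
DISCOVERY = ("whoami", "net group", "net user", "nltest", "systeminfo", "quser")
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59; adjust to the organisation


def suspicious_parent(e):
    """A system utility launched by a document handler or browser is rarely admin work."""
    return e.parent in DOCUMENT_HANDLERS and e.image in LOLBINS


def off_hours_interactive_shell(e):
    """Interactive (explorer-spawned) shell outside business hours: same tool, wrong context."""
    return (e.image in {"powershell.exe", "cmd.exe"}
            and e.parent == "explorer.exe"
            and e.ts.hour not in BUSINESS_HOURS)


def discovery_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Three or more distinct discovery commands by one user on one host inside the window."""
    grouped = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        kw = next((k for k in DISCOVERY if e.cmdline.lower().startswith(k)), None)
        if kw:
            grouped[(e.host, e.user)].append((e.ts, kw))
    findings = []
    for (host, user), seq in grouped.items():
        for i, (t0, _) in enumerate(seq):
            seen = {kw for t, kw in seq[i:] if t - t0 <= window}
            if len(seen) >= threshold:
                findings.append({"rule": "discovery_burst", "host": host, "user": user,
                                 "ts": t0, "commands": sorted(seen)})
                break   # one finding per host/user pair is enough for triage
    return findings


def hunt(events):
    """Run every rule and return a flat list of findings for an analyst to triage."""
    findings = []
    for e in events:
        for rule in (suspicious_parent, off_hours_interactive_shell):
            if rule(e):
                findings.append({"rule": rule.__name__, "host": e.host, "user": e.user,
                                 "ts": e.ts, "cmdline": e.cmdline})
    findings.extend(discovery_bursts(events))
    return findings


# Constructed sample telemetry (not real data). Indexes are referenced in the usage below.
SAMPLE_EVENTS = [
    ProcessEvent(datetime(2025, 3, 4, 10, 2), "ws01", "jdoe", "explorer.exe", "outlook.exe", "outlook.exe"),
    ProcessEvent(datetime(2025, 3, 4, 10, 3), "ws01", "jdoe", "winword.exe", "rundll32.exe",
                 r"rundll32.exe C:\Users\jdoe\AppData\Local\Temp\upd.dll,Start"),
    ProcessEvent(datetime(2025, 3, 4, 10, 4), "ws01", "jdoe", "cmd.exe", "whoami.exe", "whoami /all"),
    ProcessEvent(datetime(2025, 3, 4, 10, 5), "ws01", "jdoe", "cmd.exe", "net.exe",
                 'net group "domain admins" /domain'),
    ProcessEvent(datetime(2025, 3, 4, 10, 6), "ws01", "jdoe", "cmd.exe", "nltest.exe", "nltest /dclist:corp"),
    # Service-launched scheduled backup at night: same binary, legitimate context, not flagged.
    ProcessEvent(datetime(2025, 3, 4, 23, 30), "srv02", "svc_backup", "services.exe", "powershell.exe",
                 r"powershell.exe -File C:\Scripts\backup.ps1"),
    # Interactive shell opened at 02:15 from the desktop: flagged for review.
    ProcessEvent(datetime(2025, 3, 5, 2, 15), "srv02", "t.admin", "explorer.exe", "powershell.exe", "powershell.exe"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
```

The backup script at 23:30 and the 02:15 interactive shell run the same binary; only the parent process and the hour separate them, which is exactly the context a content-based signature cannot see.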
FAMOUS CHOLLIMA and GenAI-Powered Employment Fraud
Perhaps the most alarming finding in the report is the scale and sophistication of FAMOUS CHOLLIMA's (DPRK-nexus) GenAI-assisted insider threat operations. CrowdStrike investigated more than 320 incidents involving the group in 12 months, a 220% increase year-over-year, involving fraudulent employment of remote IT workers who use AI-generated resumes, synthetic identities, deepfake face-swapping for video interviews, and GenAI code assistants while on the job.
This operation represents a novel threat category that most organizations are completely unprepared for. The attack targets the hiring process itself—an area that has traditionally been outside the scope of cybersecurity teams. FAMOUS CHOLLIMA’s operators blend into legitimate business workflows by producing genuinely useful work (aided by AI tools), making detection based on work quality alone insufficient. The purpose is long-term access to corporate networks and data through insider accounts and remote access systems, creating persistent footholds that are extremely difficult to identify and remediate.
The implications for hiring practices are significant. Organizations must implement more rigorous identity verification procedures for remote workers, including multi-factor identity proofing, in-person verification where possible, and ongoing behavioral monitoring of remote employee activities. The Cybersecurity and Infrastructure Security Agency has issued specific guidance on defending against this type of state-sponsored insider threat operation.
SCATTERED SPIDER: From Vishing to Ransomware in 24 Hours
SCATTERED SPIDER demonstrated alarming operational acceleration in the reporting period. In at least one documented incident, the group moved from initial account takeover to full ransomware deployment within 24 hours—32% faster than their 2024 pace. This compression of the attack timeline gives defenders an increasingly narrow window for detection and response, making proactive threat hunting and automated detection essential.
The group’s primary initial access technique is sophisticated social engineering, including help-desk attacks and voice phishing (vishing). Their ability to convincingly impersonate employees to IT help desk staff, combined with their technical sophistication in rapid privilege escalation and environment navigation, makes them one of the most dangerous eCrime groups currently operating. The explosion of vishing as an attack vector—442% increase from H1 to H2 2024, with H1 2025 already exceeding total 2024 volumes—is significantly driven by groups like SCATTERED SPIDER.
Cloud Intrusions Explode: 136% Increase
Cloud intrusions rose 136% in the first half of 2025 compared to all of 2024, with China-nexus actors showing a 40% year-over-year increase in cloud-targeting operations. This surge reflects the growing importance of cloud infrastructure as both a target and an attack vector. Adversaries are increasingly skilled at navigating cloud control planes, exploiting misconfigurations, abusing service principals, and leveraging cloud-native services for persistence and lateral movement.
The cloud threat extends beyond traditional infrastructure exploitation. Attackers are targeting AI orchestration tools and LLM infrastructure deployed in cloud environments. In April 2025, exploitation of Langflow (CVE-2025-3248) by multiple threat actors led to remote code execution, persistence establishment, credential theft, and deployment of cryptominers, RATs, and Cerber ransomware. This demonstrates that AI tooling deployed in cloud environments creates new attack surfaces that many organizations have not adequately secured.
The Vishing Epidemic: 442% Growth
Voice phishing attacks experienced explosive growth, surging 442% from the first to second half of 2024, with H1 2025 volumes already exceeding total 2024 volumes. Vishing has become a primary initial access vector for both eCrime groups and nation-state actors because it exploits the human element in ways that email-based phishing filters cannot prevent. Attackers call help desks, impersonate employees, and use social engineering to obtain password resets, MFA enrollment changes, or direct account access.
The effectiveness of vishing stems from its ability to create urgency, exploit trust in voice communication, and bypass automated email security controls. Organizations defending against this threat must implement strict identity verification procedures for all help desk interactions, train staff to recognize social engineering tactics, and implement callbacks to verified phone numbers before performing any account modifications. Technical controls including conditional access policies, impossible travel detection, and anomalous authentication monitoring provide defense-in-depth against successful vishing attacks.
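Of the technical controls named above, impossible travel detection is the one most often implemented in-house. The Python below is an added example, not code from the report or from CrowdStrike: it compares each user's consecutive successful sign-ins, computes the great-circle distance between their geolocated source addresses, and flags any pair that would require an implausible speed. The coordinates and the 900 km/h threshold are assumptions; in practice the latitude/longitude would come from an IP geolocation lookup upstream of this logic.

```python
import math
from dataclasses import dataclass
from datetime import datetime


@dataclass
class AuthEvent:
    ts: datetime     # UTC
    user: str
    ip: str
    lat: float       # assumed to be supplied by an IP geolocation step before this code runs
    lon: float
    result: str      # "success" or "failure"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


MAX_KMH = 900.0   # roughly airliner speed; anything faster is physically implausible


def impossible_travel(events, max_kmh=MAX_KMH):
    """Per user, compare each successful sign-in with the previous one and flag implausible speed."""
    findings = []
    last_by_user = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.result != "success":
            continue                     # failed attempts do not prove presence at a location
        prev = last_by_user.get(e.user)
        if prev is not None and prev.ip != e.ip:
            hours = (e.ts - prev.ts).total_seconds() / 3600
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                findings.append({"user": e.user, "from_ip": prev.ip, "to_ip": e.ip,
                                 "km": round(km), "hours": round(hours, 2), "kmh": round(speed)})
        last_by_user[e.user] = e
    return findings


# Constructed sample sign-in log (not real data): Chicago then Lagos 90 minutes apart for jdoe,
# New York then Boston six hours apart for alice.
SAMPLE_AUTH = [
    AuthEvent(datetime(2025, 5, 6, 9, 0), "jdoe", "203.0.113.10", 41.88, -87.63, "success"),
    AuthEvent(datetime(2025, 5, 6, 10, 5), "jdoe", "198.51.100.7", 6.52, 3.38, "failure"),
    AuthEvent(datetime(2025, 5, 6, 10, 30), "jdoe", "198.51.100.7", 6.52, 3.38, "success"),
    AuthEvent(datetime(2025, 5, 6, 12, 0), "alice", "203.0.113.20", 40.71, -74.01, "success"),
    AuthEvent(datetime(2025, 5, 6, 18, 0), "alice", "203.0.113.21", 42.36, -71.06, "success"),
]

if __name__ == "__main__":
    for f in impossible_travel(SAMPLE_AUTH):
        print(f)
```

A hit on its own is not proof of compromise (VPN egress changes produce false positives), so the finding is best correlated with the help-desk ticket queue: a password reset or MFA change for the same user in the hour before the anomalous sign-in is the pattern this section describes.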
Industry Targeting: Technology Leads for Eighth Year
The technology sector remained the most targeted industry for the eighth consecutive year, valued by adversaries for its connectivity to other sectors and broad attack surface. Consulting and professional services, manufacturing, retail, and financial services consistently ranked among the top-targeted sectors.
The government sector experienced dramatic targeting increases: 71% overall growth in interactive intrusions and a stunning 185% increase in nation-state attacks. Russia-nexus actors (PRIMITIVE BEAR, VENOMOUS BEAR) drove much of this activity through espionage operations targeting government entities and those connected to conflict theaters. Telecommunications saw a 53% overall increase and 130% surge in nation-state targeting, primarily driven by China-nexus actors seeking subscriber data, traffic collection capabilities, and downstream customer exposure. Manufacturing (+55%) and retail (+41%) increases were driven primarily by eCrime actors pursuing ransomware and quick monetization.
AI Tools as Attack Vectors: The Langflow Exploitation
The exploitation of Langflow (CVE-2025-3248) represents a harbinger of threats to come as organizations deploy AI infrastructure at scale. Multiple threat actors exploited this AI orchestration tool vulnerability to achieve remote code execution, establish persistence through reverse shells and SSH modifications, harvest credentials (including cloud credentials), and deploy malware. The attack chain demonstrated that AI tools—often deployed with broad permissions and access to sensitive data—create high-value attack surfaces.
Security teams must treat AI orchestration tools, LLM infrastructure, and agent frameworks as critical assets requiring the same security posture as CI/CD systems and developer tools. This includes restricting network exposure, maintaining current patches, auditing API keys and cloud credentials accessible to AI tools, and monitoring for anomalous prompts and high-volume generation tasks. The NIST AI Risk Management Framework provides guidance for securing AI deployments against adversarial exploitation.
Defense Strategies and Hunting Recommendations
The report’s defensive recommendations center on four priorities. First, expand cross-domain visibility by consolidating endpoint, identity, cloud, and network telemetry into a next-generation SIEM for correlated threat detection. Second, prioritize identity protection by monitoring for unusual authentications, privilege escalations, and help-desk manipulation, while implementing strong MFA everywhere. Third, harden cloud environments by monitoring API activity, protecting backup configurations, and securing AI tooling. Fourth, detect living-off-the-land activity through behavioral detection of process injection, masquerading, suspicious scheduled tasks, and unusual tool transfers.
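The first three priorities converge on one capability: seeing an identity event, an endpoint event and a cloud event as one story about one user. The Python below is an added example, not the report's or CrowdStrike's code, of that cross-domain correlation. It normalises events from three sources into one schema and looks for an ordered chain (help-desk credential change, first sign-in from a new device, creation of a long-lived cloud access key) inside a two-hour window. The event kinds, the window and the sample events are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str    # "identity", "endpoint" or "cloud"; the telemetry domain it came from
    user: str
    kind: str      # normalised event type shared across sources
    detail: str


# The chain we hunt for, in order. Each step alone is routine; together, inside WINDOW, they
# match the help-desk-to-cloud-persistence pattern described in the text.
CHAIN = ("helpdesk_credential_change", "new_device_login", "cloud_access_key_created")
WINDOW = timedelta(hours=2)


def correlate(events, chain=CHAIN, window=WINDOW):
    """Return one finding per user for whom every step of `chain` occurs, in order, within `window`."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        by_user[e.user].append(e)
    findings = []
    for user, evs in by_user.items():
        for start in (e for e in evs if e.kind == chain[0]):
            matched = [start]
            for step in chain[1:]:
                nxt = next((e for e in evs
                            if e.kind == step and matched[-1].ts < e.ts <= start.ts + window), None)
                if nxt is None:
                    break
                matched.append(nxt)
            if len(matched) == len(chain):
                findings.append({"user": user, "started": start.ts,
                                 "chain": [(e.source, e.kind, e.detail) for e in matched]})
                break      # one finding per user; the analyst pulls the full timeline from there
    return findings


# Constructed sample events from three telemetry sources (not real data).
SAMPLE_EVENTS = [
    Event(datetime(2025, 5, 6, 13, 5), "identity", "mlee", "helpdesk_credential_change",
          "ticket HD-1234: MFA device reset after phone request"),
    Event(datetime(2025, 5, 6, 13, 20), "endpoint", "mlee", "new_device_login",
          "first sign-in from host LAPTOP-9Q2"),
    Event(datetime(2025, 5, 6, 14, 10), "cloud", "mlee", "cloud_access_key_created",
          "IAM access key created for mlee"),
    # rkim: help-desk reset and a new laptop, but no cloud credential creation; not flagged.
    Event(datetime(2025, 5, 6, 9, 0), "identity", "rkim", "helpdesk_credential_change",
          "ticket HD-1201: password reset"),
    Event(datetime(2025, 5, 6, 9, 15), "endpoint", "rkim", "new_device_login",
          "first sign-in from host LAPTOP-3F8"),
    # acorp: routine key rotation with no preceding help-desk or device change; not flagged.
    Event(datetime(2025, 5, 6, 11, 0), "cloud", "acorp", "cloud_access_key_created",
          "scheduled key rotation"),
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f)
```

Each source on its own would have logged a benign-looking event; the correlation only works because all three domains share a user key and a clock, which is the practical meaning of "cross-domain visibility".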
For organizations seeking to operationalize these recommendations, the key is recognizing that no single security control addresses the modern threat landscape. Defense requires layered visibility, human expertise in threat hunting, and the organizational discipline to continuously update detection capabilities as adversaries evolve their techniques. The 81% malware-free attack rate makes it clear: the era of relying on malware detection alone is definitively over.