2025 CrowdStrike Threat Report: China’s Cyber Espionage Surges 150%, AI Deception Tactics on the Rise

2025 CrowdStrike Global Threat Report: Rising Cyber Espionage, AI-Driven Attacks, and Identity-Based Threats

CrowdStrike (NASDAQ: CRWD) has released its 2025 Global Threat Report, shedding light on the escalating sophistication of cyber threats worldwide. The report highlights a dramatic 150% surge in China’s state-sponsored cyber espionage activities, a sharp rise in AI-powered social engineering tactics, and an alarming increase in malware-free, identity-based attacks. These trends underscore the growing complexity of the threat landscape and the urgent need for organizations to adopt advanced cybersecurity measures.

China’s Aggressive Cyber Espionage Campaigns

The report reveals that China-nexus adversaries have significantly escalated their cyber operations, with a staggering 150% increase in espionage attacks. Critical industries such as financial services, media, manufacturing, and industrial sectors experienced up to a 300% spike in targeted attacks. CrowdStrike identified seven new China-nexus adversaries in 2024, underscoring the nation’s growing focus on stealing intellectual property and sensitive data to bolster its strategic interests.

“China’s increasingly aggressive cyber espionage is forcing organizations to rethink their approach to security,” said Adam Meyers, Head of Counter Adversary Operations at CrowdStrike. “Adversaries exploit identity gaps, leverage social engineering, and move across domains undetected—rendering legacy defenses ineffective.”

The Weaponization of AI-Powered Deception

One of the most concerning trends highlighted in the report is the weaponization of generative AI (GenAI) by adversaries. Social engineering attacks, particularly voice phishing (vishing), surged by 442% between H1 and H2 2024. Sophisticated eCrime groups like CURLY SPIDER, CHATTY SPIDER, and PLUMP SPIDER leveraged AI-driven impersonation tactics to steal credentials, establish remote sessions, and evade detection. This shift demonstrates how AI is being used to craft highly convincing deception campaigns, making it harder for defenders to identify and stop threats.

Additionally, Iran-nexus actors have begun exploring GenAI for vulnerability research, exploit development, and patching domestic networks. This aligns with government-led AI initiatives aimed at strengthening Iran’s cyber capabilities while simultaneously targeting foreign entities.

Surge in Malware-Free, Identity-Based Attacks

The report underscores a troubling shift toward malware-free attacks, with 79% of initial access attempts now leveraging compromised credentials. Access broker advertisements surged by 50% year-over-year (YoY), highlighting the growing underground market for stolen identities. Once inside, adversaries operate undetected using hands-on keyboard activities, exploiting trusted access to move laterally across networks.

This trend is compounded by record-shattering breakout times—the time it takes for attackers to escalate privileges after gaining initial access. The average eCrime breakout time dropped to just 48 minutes, with the fastest recorded at a mere 51 seconds. Such rapid escalation leaves defenders with little room for error, emphasizing the need for real-time detection and response capabilities.
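As an added illustration that is not part of the report or this article, the constructed Python snippet below shows how a defender might measure breakout time from logon telemetry: for each identity, the gap between its first logon on a host and its first network logon from that host to a different machine, used here as a proxy for the first lateral move. The log format, field names and the 48-minute alert threshold (taken from the average the report cites) are assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the report). One successful logon per
# line: timestamp, user, source host, destination host, logon type.
SAMPLE_EVENTS = """\
2024-06-01T09:00:00 alice ws-01 ws-01 interactive
2024-06-01T09:00:51 alice ws-01 fs-07 network
2024-06-01T09:20:00 bob ws-02 ws-02 interactive
2024-06-01T10:30:00 bob ws-02 db-03 network
2024-06-01T11:00:00 carol ws-03 ws-03 interactive
"""

# Alert threshold: the report's average eCrime breakout time (assumed policy).
BREAKOUT_ALERT_THRESHOLD = timedelta(minutes=48)


def parse_events(text):
    """Parse the constructed log format into sorted (ts, user, src, dst, kind) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, src, dst, kind = line.split()
        events.append((datetime.fromisoformat(ts), user, src, dst, kind))
    events.sort(key=lambda e: e[0])
    return events


def breakout_times(events):
    """Per user: seconds between the first logon on a host and the first logon
    that originates from that host and lands on a different host."""
    first_seen = {}  # (user, host) -> timestamp of first logon on that host
    result = {}
    for ts, user, src, dst, kind in events:
        first_seen.setdefault((user, dst), ts)
        # A logon from an already-seen host to another host is the first lateral move.
        if src != dst and (user, src) in first_seen and user not in result:
            result[user] = (ts - first_seen[(user, src)]).total_seconds()
    return result


def flag_fast_breakouts(events, threshold=BREAKOUT_ALERT_THRESHOLD):
    """Return identities whose breakout time is at or under the threshold."""
    limit = threshold.total_seconds()
    return sorted(u for u, secs in breakout_times(events).items() if secs <= limit)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(breakout_times(evs))       # alice moved laterally after 51 s, bob after 70 min
    print(flag_fast_breakouts(evs))  # only alice falls under the 48-minute threshold
```

On the sample data, alice's 51-second move mirrors the fastest breakout the report records, while bob's 70-minute gap stays above the alert threshold.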

Insider Threats and Cross-Domain Attacks

Insider threats remain a significant concern, with North Korea-nexus adversary FAMOUS CHOLLIMA responsible for 304 incidents uncovered in 2024. Notably, 40% of these incidents involved insider threat operations, where adversaries posed as legitimate employees to gain system access and carry out malicious activities. This tactic highlights the risks posed by malicious insiders who exploit their positions to infiltrate and compromise organizations.

Adversaries are also increasingly executing cross-domain attacks, exploiting gaps across endpoints, cloud environments, and identities to bypass traditional security controls. Valid account abuse accounted for 35% of cloud incidents in H1 2024, reflecting the growing importance of securing cloud environments against unauthorized access.

Unpatched Vulnerabilities Remain a Key Target

Despite advancements in cybersecurity technology, unpatched vulnerabilities continue to be a prime target for attackers. The report found that 52% of observed vulnerabilities were related to initial access, reinforcing the critical need for organizations to prioritize patch management and secure entry points before adversaries can establish persistence.

Recommendations for Stopping Modern Attacks

To combat these evolving threats, CrowdStrike emphasizes the importance of adopting a unified cybersecurity platform capable of delivering real-time protection across identity, cloud, and endpoint environments. The CrowdStrike Falcon® cybersecurity platform leverages AI-powered behavioral analysis, machine learning, and industry-leading threat intelligence trained on trillions of security events to detect and stop advanced threats in real time.

Key recommendations include:

  • Eliminate Visibility Gaps: Gain comprehensive visibility across hybrid environments to detect adversary movement early.
  • Leverage Real-Time Intelligence: Correlate endpoint, cloud, and identity activity to uncover hidden threats.
  • Prioritize Patch Management: Address vulnerabilities proactively to prevent adversaries from gaining initial access.
  • Adopt AI-Powered Solutions: Utilize advanced AI and machine learning to stay ahead of rapidly evolving attack techniques.
