CrowdStrike Threat Hunting Report 2025: Adversaries Exploit and Target AI on a Massive Scale

2025 CrowdStrike Threat Hunting Report: Adversaries Exploit AI at Scale, Targeting Autonomous Systems as the New Attack Frontier

In a groundbreaking revelation at Black Hat USA 2025, CrowdStrike (NASDAQ: CRWD) unveiled its 2025 Threat Hunting Report, shedding light on a concerning evolution in cyber threats. The report highlights how adversaries are weaponizing generative artificial intelligence (GenAI) to scale operations and accelerate attacks while increasingly targeting autonomous AI agents that are reshaping enterprise workflows. This marks a paradigm shift in cybersecurity, where autonomous systems and machine identities have become integral components of the modern attack surface.

Key Findings from the 2025 CrowdStrike Threat Hunting Report

Drawing on frontline intelligence gathered by CrowdStrike’s elite threat hunters and analysts tracking over 265 named adversaries, the report uncovers alarming trends in adversary tactics:

1. Adversaries Weaponize AI to Scale Attacks

Adversaries are leveraging GenAI to automate every phase of their operations, transforming traditional attack methods into scalable, persistent campaigns. Notably, DPRK-nexus adversary FAMOUS CHOLLIMA utilized GenAI to execute an insider attack program with unprecedented efficiency. From crafting fake resumes and conducting deepfake interviews to completing technical tasks under false identities, this group demonstrated how AI-powered tradecraft can amplify insider threats. Similarly:

  • Russia-nexus EMBER BEAR used GenAI to amplify pro-Russia propaganda narratives.
  • Iran-nexus CHARMING KITTEN deployed large language model (LLM)-crafted phishing lures targeting U.S. and EU entities.

These examples underscore how state-sponsored and criminal actors are exploiting AI to streamline and expand their operations.

2. Agentic AI Emerges as the New Attack Surface

The report reveals that adversaries are now targeting tools used to build AI agents, exposing vulnerabilities in autonomous systems. Multiple threat actors exploited weaknesses in these platforms to gain unauthenticated access, establish persistence, harvest credentials, and deploy malware or ransomware. These incidents highlight how the rise of agentic AI—autonomous workflows powered by non-human identities—is reshaping the enterprise attack surface. Autonomous systems, once viewed as operational assets, are now high-value targets for exploitation.

3. GenAI-Built Malware Becomes Operational Reality

Lower-tier eCrime groups and hacktivists are using AI to generate scripts, solve technical problems, and construct malware. Tasks that previously required advanced expertise are now being automated, lowering the barrier to entry for hands-on-keyboard intrusions. Early proof points like Funklocker and SparkCat demonstrate that GenAI-built malware is no longer theoretical—it’s already in use. This development poses significant risks as even less sophisticated actors gain access to powerful tools.

4. SCATTERED SPIDER Accelerates Identity-Based Attacks

SCATTERED SPIDER, a notorious threat group, resurged in 2025 with faster and more aggressive tradecraft. The group leveraged vishing (voice phishing) and help desk impersonation to reset credentials, bypass multi-factor authentication (MFA), and move laterally across SaaS and cloud environments. In one alarming incident, SCATTERED SPIDER moved from initial access to deploying ransomware in under 24 hours—a testament to the speed and sophistication of modern attacks.

5. China-Nexus Adversaries Drive Surge in Cloud Attacks

Cloud intrusions surged by 136% in the reporting period, with China-linked adversaries accounting for 40% of the increased activity. Groups like GENESIS PANDA and MURKY PANDA exploited cloud misconfigurations and trusted access to evade detection. Their focus on cloud infrastructure underscores the growing importance of securing these environments against advanced persistent threats.

A New Era of Cybersecurity Challenges

“The AI era has redefined how businesses operate—and how adversaries attack,” said Adam Meyers, Head of Counter Adversary Operations at CrowdStrike. “We’re seeing threat actors use GenAI to scale social engineering, accelerate operations, and lower the barrier to entry for hands-on-keyboard intrusions. At the same time, adversaries are targeting the very AI systems organizations are deploying. Every AI agent is a superhuman identity: autonomous, fast, and deeply integrated, making them high-value targets. Adversaries are treating these agents like infrastructure, attacking them the same way they target SaaS platforms, cloud consoles, and privileged accounts. Securing the AI that powers business is where the cyber battleground is evolving.”

Implications for Enterprises

The findings in the 2025 Threat Hunting Report carry profound implications for enterprises worldwide:

  • Autonomous Systems Are High-Value Targets: As AI agents become central to business operations, securing these systems must be a top priority. Organizations need robust strategies to protect machine identities and prevent unauthorized access.
  • GenAI Lowers Barriers to Entry: The democratization of advanced tools through GenAI means that even less skilled actors can launch sophisticated attacks. Enterprises must adopt proactive measures to detect and mitigate these threats.
  • Speed of Attacks Is Increasing: With adversaries moving from initial access to encryption in under 24 hours, rapid response capabilities are critical. Real-time monitoring and automated defenses will play a crucial role in countering fast-moving threats.
  • Cloud Security Remains Paramount: As cloud adoption grows, so does the risk of targeted attacks. Misconfigurations and trusted access remain weak points that adversaries exploit. Strengthening cloud security practices is essential.

About CrowdStrike

CrowdStrike (NASDAQ: CRWD), a global cybersecurity leader, has redefined modern security with the world’s most advanced cloud-native platform for protecting critical areas of enterprise risk – endpoints and cloud workloads, identity and data.

Powered by the CrowdStrike Security Cloud and world-class AI, the CrowdStrike Falcon® platform leverages real-time indicators of attack, threat intelligence, evolving adversary tradecraft and enriched telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting and prioritized observability of vulnerabilities.

Purpose-built in the cloud with a single lightweight-agent architecture, the Falcon platform delivers rapid and scalable deployment, superior protection and performance, reduced complexity and immediate time-to-value.
