Since the earliest days of the internet, there has never been a let-up in adversarial activity. According to CrowdStrike’s just-released 12th annual Global Threat Report, malicious activity in cyberspace continues to not only accelerate but also expand its scale and increasingly abuse the trust of targeted organizations.
The good news is that, despite discussion of AI democratizing threat activity, the volume of adversaries that government and corporate entities are contending with didn’t grow at an accelerated rate in 2025, according to CrowdStrike’s findings. “We added 24 new adversaries over the course of the last year, which is equivalent to what we did the year before,” Adam Meyers, head of counter adversary operations at CrowdStrike, told reporters during a roundtable discussion about the report. “We track over 281 adversaries today and 150 activity clusters,” he said.
The main message of CrowdStrike’s report is that threat actors have moved into evasion mode after previously expanding their toolkits. “The theme of the overall report is what we say is the evasive adversary. Last year, it was the enterprising adversary. They were starting to experiment with some of the techniques that we observed. And now their focus is on avoiding detection. So, we’re calling them the evasive adversary,” Meyers said.
Adversarial AI use amplifies known tactics
CrowdStrike’s report shows that attacks carried out by AI-enabled adversaries jumped 89% year over year, as threat actors used generative tools to refine phishing lures, generate malware scripts, troubleshoot exploits, and accelerate reconnaissance. The technology did not create entirely new tactics but made existing ones faster, cheaper, and more scalable.
At the same time, AI-enabled intrusions became quieter, according to CrowdStrike. Malware-free techniques accounted for 82% of detections in 2025, up from 51% in 2020, reflecting a decisive shift toward credential abuse and hands-on-keyboard activity that blends into legitimate user behavior.
“In terms of AI as a weapon, you can use it for social engineering,” Meyers said. “We’ve seen groups like eCrime group Renaissance Spider modify their Click Fix lures and localize them to different languages using generative AI.”
CrowdStrike also witnessed AI being used for information operations, Meyers said. “One of the interesting cases that happened over the last couple of months” is a malicious MCP server named postmark-mcp, which impersonated a legitimate server maintained by email delivery service Postmark, he said. “And in this case, the MCP server, which bridges the Postmark API with the LLM, was maliciously created so that it would actually bcc an adversary on every email that was sent.”
Big game hunters tighten their grip
CrowdStrike’s research highlights how big game hunting (BGH) ransomware actors have remained the dominant force in the eCrime landscape.
Punk Spider, a group responsible for developing and maintaining Russian-language Akira ransomware, and its associated Akira dedicated leak site, conducted 198 intrusions in 2025 — a 134% increase year over year. Victim-shaming operations expanded as well, with a 36.8% rise in organizations named on dedicated leak sites.
But the story for BGH actors in 2025 was not just volume; it was also refinement.
Rather than detonate ransomware on heavily monitored endpoints, BGH actors increasingly encrypt data remotely via Windows Server Message Block (SMB) shares, minimizing their footprint and avoiding the need to execute ransomware on managed hosts.
Other big game hunters exploited unmanaged infrastructure. In one incident, eCrime actor Scattered Spider dumped Active Directory credentials from an unmanaged virtual machine within three hours of initial access — interacting with only a single managed endpoint.
Supply chain attacks become a weapon of scale
One big driver of the evasive tactics used by threat actors in 2025 was supply chain attacks, according to CrowdStrike.
The most dramatic example came in February, when North Korea’s state-sponsored threat actor Pressure Chollima, also known as Lazarus, orchestrated the largest cryptocurrency theft in history, stealing $1.46 billion by compromising SafeWallet, a digital asset management platform that supports cryptocurrency exchange Bybit. By injecting malicious code into a trusted frontend and restoring it immediately after execution, the group redirected funds during a legitimate transaction while avoiding detection.
Open-source ecosystems proved equally vulnerable. A compromised npm package distributing self-propagating infostealer ShaiHulud malware was downloaded more than 2 million times before discovery. In another campaign, adversary-linked packages were downloaded over 8,000 times, often spreading through dependency chains that infected downstream users far beyond the original target.
Zero-day exploitation accelerates
During 2025, the race between disclosure and exploitation narrowed to days, sometimes hours, according to CrowdStrike.
The researchers report that zero-day exploitation rose 42% year over year in 2025, as adversaries weaponized dozens of previously unknown vulnerabilities for initial access, remote code execution, and privilege escalation.
More worrisome is that the average e-crime breakout time — the window between initial access and lateral movement — fell to just 29 minutes, a 65% increase in speed from 2024. In the most extreme case, attackers moved in 27 seconds.
China-nexus actors, in particular, demonstrated rapid operationalization. In multiple cases, exploitation began within two to six days of public disclosure. For defenders, that left little room to assess, prioritize, and patch before networks were probed or compromised.
Zero-days became more than tactical advantages. They became strategic accelerants, enabling stealthy entry into edge devices, VPN appliances, mail servers, and enterprise software before defenses could adjust.
And increasingly, those entry points led straight into the cloud.
Cloud becomes the new battleground
As enterprises deepen their reliance on SaaS and hybrid identity systems, adversaries continue to follow.
CrowdStrike said that cloud-conscious intrusions rose 37% overall in 2025, while activity by state-nexus actors surged 266%. Valid account abuse accounted for 35% of cloud incidents, underscoring how attackers leveraged stolen credentials and session tokens rather than malware.
“What’s really interesting is that 35% of the time, cloud intrusions are effectively using legitimate credentials,” Meyers said. “And we’ve noted that nation-state threat actors have had a 266% increase in cloud-related intrusion activity, which indicates nation-states now have recognized what e-crime actors have been noticing for a few years: The cloud is an ideal target.”
Adversary-in-the-middle phishing kits became a preferred tool, allowing threat actors to intercept authentication flows and capture live session tokens for Microsoft 365 and Salesforce environments. Hybrid identity systems, which synchronize on-premises and cloud authentication, became particularly attractive targets, offering broad access once compromised.
Rather than breaking in, attackers increasingly logged in. And nowhere was that strategy more systematic than in campaigns attributed to China-nexus actors.
China-nexus activity expands across regions and sectors
CrowdStrike’s analysis indicates that China-nexus adversaries increased overall targeted intrusion activity by 38% in 2025, maintaining a sustained global tempo. Logistics targeting rose 85%, telecommunications 30%, and financial services 20%, all sectors aligned with long-term intelligence and economic priorities.
Driving much of the activity was “a massive uptick in zero-day vulnerabilities and exploits being leveraged by Chinese threat actors,” Meyers said.
A consistent pattern emerged: perimeter compromise first. Sixty-seven percent of vulnerabilities exploited by China-nexus actors enabled immediate remote code execution, and 40% targeted edge devices such as VPNs, firewalls, and gateways, infrastructure that often lacks robust monitoring and timely patching. In some campaigns, adversaries operationalized exploits within two to three days of disclosure.
“If you think about actors like Salt Typhoon, which we track as Operator Panda and Vanguard Panda, which is also known as Volt Typhoon, targeting network devices is important for China. They find lots of vulnerabilities there, and they’re able to stay under the radar on those devices because they’re not managed,” Meyers said.
China’s intrusions are never smash-and-grab operations. In multiple cases, actors maintained persistent access for months, sometimes years, prioritizing long-term intelligence collection over short-term disruption, CrowdStrike said.
Taken together, the trends of 2025 tell a clear story. Adversaries are faster, quieter, and more willing to exploit the implicit trust embedded in modern infrastructure — from AI tools and SaaS platforms to open-source code and perimeter devices.