A recent report from CrowdStrike Holdings Inc. highlights a marked increase in the sophistication of cyber adversaries and documents how their methods are changing. The report, the CrowdStrike 2025 Threat Hunting Annual Report, finds that cloud-focused attacks, identity-driven breaches, and adversary use of generative artificial intelligence (AI) are reshaping the threat environment.
The analysis draws on a year of intelligence gathered through June 30, 2025, combining data from CrowdStrike's OverWatch managed threat hunting service, its threat intelligence team, and telemetry from the CrowdStrike Falcon platform. Its release coincides with the Black Hat USA 2025 conference in Las Vegas, a prominent event in the cybersecurity sector.
One of the report's most striking findings is a 27% year-over-year increase in interactive (hands-on-keyboard) intrusions between July 2024 and June 2025, with 81% of those intrusions involving no malware at all. According to CrowdStrike, the move away from malware reflects a preference for techniques that are harder to detect: credential abuse, lateral movement, and defense evasion.
Named adversaries, including organized e-crime and advanced persistent threat (APT) groups, accounted for 73% of all interactive intrusions recorded. Groups such as Scattered Spider and Curly Spider are running campaigns across multiple sectors, reflecting a broadening scope of operations.
The report records a 136% spike in cloud intrusions in the first half of 2025 compared with all of 2024. Threat actors exploited misconfigurations, abused instance metadata services to obtain cloud credentials, and moved through cloud control planes to establish persistent access. Genesis Panda, for instance, has been observed hosting malicious payloads on cloud infrastructure and using it to exfiltrate sensitive data, illustrating the capabilities of state-aligned attackers.
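Two checks a cloud defender would want for the tactics just described, written here as an added example and not taken from the CrowdStrike report: the first scans CloudTrail-style events for EC2 instance-role credentials (the kind an attacker obtains by abusing the instance metadata service, IMDS) being used from an IP address the instance never legitimately calls AWS from, and tags the control-plane calls that look like reconnaissance or persistence; the second evaluates an instance's metadata options for the settings that make IMDS credential theft easy. The events, IPs, instance IDs, the egress allow-list and the action lists are all constructed for illustration.

```python
"""Added example: detecting off-instance use of IMDS-issued role credentials
and checking IMDS hardening. All data below is constructed."""
import ipaddress
import re
from collections import defaultdict

# IMDS-issued role credentials carry the instance ID as the STS session name,
# which CloudTrail records at the end of the assumed-role ARN.
INSTANCE_SESSION = re.compile(r"/(i-[0-9a-f]{8,17})$")

# Control-plane actions typical of an attacker orienting with, then entrenching,
# stolen credentials. Illustrative, not exhaustive.
RECON = {"GetCallerIdentity", "ListBuckets", "ListUsers", "ListRoles", "DescribeInstances"}
PERSISTENCE = {"CreateAccessKey", "CreateUser", "AttachUserPolicy",
               "CreateLoginProfile", "UpdateAssumeRolePolicy"}

# Assumed allow-list: instance ID -> public IPs it egresses to AWS APIs from
# (its Elastic IP or NAT gateway). In practice derive this from VPC config.
INSTANCE_EGRESS = {"i-0123456789abcdef0": {"203.0.113.10"}}

# Constructed CloudTrail-like events, reduced to the fields the check uses.
ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/app-role/i-0123456789abcdef0"
EVENTS = [
    {"eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},        # normal
    {"eventName": "PutObject", "sourceIPAddress": "sqs.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},        # via AWS service
    {"eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},        # off-instance use
    {"eventName": "ListBuckets", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    {"eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    {"eventName": "DescribeInstances", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/alice"}},  # not instance creds
]


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def session_instance(event):
    """Return the instance ID if the call used instance-role credentials, else None."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    match = INSTANCE_SESSION.search(ident.get("arn", ""))
    return match.group(1) if match else None


def detect_stolen_instance_creds(events, egress=INSTANCE_EGRESS):
    """Group instance-role calls by (instance, source IP) where the IP is not on
    the instance's egress allow-list. Returns a list of finding dicts."""
    seen = defaultdict(list)
    for ev in events:
        inst = session_instance(ev)
        if inst is None:
            continue
        src = ev.get("sourceIPAddress", "")
        # Calls proxied through an AWS service show the service hostname rather
        # than an IP; they originate inside AWS and are excluded from this check.
        if not _is_ip(src) or src in egress.get(inst, set()):
            continue
        seen[(inst, src)].append(ev["eventName"])
    return [{"instance": inst, "source_ip": src, "calls": names,
             "recon": sorted(set(names) & RECON),
             "persistence": sorted(set(names) & PERSISTENCE)}
            for (inst, src), names in seen.items()]


def imds_findings(instance):
    """Evaluate MetadataOptions (shape as in DescribeInstances output) for the
    settings that let an SSRF or a local low-privilege process read role creds."""
    opts = instance.get("MetadataOptions", {})
    issues = []
    if opts.get("HttpEndpoint", "enabled") == "disabled":
        return issues  # no IMDS at all: nothing to steal
    if opts.get("HttpTokens") != "required":
        issues.append("IMDSv1 allowed: a plain GET with no session token returns "
                      "role credentials, the classic SSRF-to-cloud-creds path")
    if opts.get("HttpPutResponseHopLimit", 1) > 1:
        issues.append("hop limit > 1: IMDSv2 token responses can cross a network "
                      "hop, reaching containers or forwarded requests")
    return issues


if __name__ == "__main__":
    for f in detect_stolen_instance_creds(EVENTS):
        print(f"{f['instance']} used from {f['source_ip']}: "
              f"recon={f['recon']} persistence={f['persistence']}")
    weak = {"MetadataOptions": {"HttpTokens": "optional", "HttpPutResponseHopLimit": 2}}
    hardened = {"MetadataOptions": {"HttpTokens": "required", "HttpPutResponseHopLimit": 1}}
    print("weak:", imds_findings(weak))
    print("hardened:", imds_findings(hardened))
```

The hardened settings correspond to `aws ec2 modify-instance-metadata-options --http-tokens required --http-put-response-hop-limit 1`. A static egress allow-list is the weak part of the first check: for autoscaled fleets it is easier to let GuardDuty's `InstanceCredentialExfiltration` finding types do the IP attribution and use a rule like this one only to enrich the alert with the recon and persistence calls that followed.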
Government and telecommunications were particularly targeted: attacks against government entities rose 185%, primarily attributed to Russia-linked groups such as Primitive Bear, and telecommunications incidents rose 130%. Both sectors remain lucrative targets because of the sensitive datasets and critical infrastructure they hold.
The report also emphasizes adversaries' strategic use of generative AI. The North Korea-linked collective Famous Chollima stands out, having conducted more than 320 insider threat operations in the past year. The group reportedly uses AI tools to craft convincing résumés, generate real-time deepfakes for job interviews, and automate work in the technical roles it fills.
Scattered Spider resurfaced in 2025 using voice phishing (vishing) and other social engineering to bypass multi-factor authentication and gain initial access. In one documented incident, the group went from account compromise to ransomware deployment in under 24 hours, far faster than its average last year. Its skill at compromising privileged accounts and pivoting across software-as-a-service platforms reflects a broader trend of cross-domain attacks, in which adversaries chain access across identity, SaaS, and cloud environments rather than exploiting a single system.
The report closes with recommendations: deploy phishing-resistant multi-factor authentication (MFA), isolate privileged accounts, and strengthen help desk identity-verification procedures against social engineering. It also advises continuous monitoring for anomalous activity, such as unusual login patterns and privilege escalations, so that defenders can act before an intrusion progresses.
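As an added example of the monitoring the report recommends (this is not the report's own logic), the rule below correlates identity-provider audit events to catch the help-desk pattern that groups like Scattered Spider rely on: a help-desk password reset or new MFA method, followed within a window by a login from a country outside the user's baseline and by a privileged role grant. The event schema, field names, role names, window and every log line are constructed for illustration; a real deployment would map them onto the audit and sign-in logs of the identity provider in use.

```python
"""Added example: correlating resets, novel logins and privilege grants.
Event shape and log lines are constructed, not real telemetry."""
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed correlation window
RESET_EVENTS = {"password_reset_by_helpdesk", "mfa_reset", "mfa_method_added"}
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator", "Domain Admins"}

# Constructed identity-provider audit events (field names are assumptions).
LOGS = [
    {"ts": "2025-05-20T10:00:00", "user": "asmith", "event": "login", "country": "US", "ip": "203.0.113.8"},
    {"ts": "2025-06-01T09:00:00", "user": "jdoe", "event": "login", "country": "US", "ip": "203.0.113.5"},
    {"ts": "2025-06-02T14:02:00", "user": "jdoe", "event": "password_reset_by_helpdesk", "country": "US",
     "ip": "10.0.0.9", "detail": "ticket 4471, caller verified by employee ID only"},
    {"ts": "2025-06-02T14:05:00", "user": "jdoe", "event": "mfa_method_added", "country": "US",
     "ip": "10.0.0.9", "detail": "sms"},
    {"ts": "2025-06-02T14:20:00", "user": "jdoe", "event": "login", "country": "NL", "ip": "198.51.100.23"},
    {"ts": "2025-06-02T15:10:00", "user": "jdoe", "event": "role_assigned", "country": "NL",
     "ip": "198.51.100.23", "detail": "Global Administrator"},
    {"ts": "2025-06-03T08:00:00", "user": "asmith", "event": "mfa_method_added", "country": "US",
     "ip": "10.0.0.9", "detail": "fido2"},
    {"ts": "2025-06-03T08:30:00", "user": "asmith", "event": "login", "country": "US", "ip": "203.0.113.8"},
]


def _t(ev):
    return datetime.fromisoformat(ev["ts"])


def baseline_countries(events, user, before):
    """Countries the user logged in from before `before`: the trust baseline."""
    return {e["country"] for e in events
            if e["user"] == user and e["event"] == "login" and _t(e) < before}


def correlate(events, window=WINDOW):
    """Return one alert per (rule, user, triggering event), ordered by time.
    A reset followed by two triggers yields two alerts; a second reset in the
    same window does not duplicate them."""
    events = sorted(events, key=_t)
    alerts = {}
    for i, reset in enumerate(events):
        if reset["event"] not in RESET_EVENTS:
            continue
        t0, user = _t(reset), reset["user"]
        known = baseline_countries(events, user, t0)
        for later in events[i + 1:]:
            if _t(later) - t0 > window:
                break  # events are sorted, so nothing after this is in the window
            if later["user"] != user:
                continue
            if later["event"] == "login" and later["country"] not in known:
                alerts.setdefault(("novel_login_after_reset", user, later["ts"]),
                                  f"{reset['event']} at {reset['ts']} then login from "
                                  f"{later['country']} ({later['ip']}); baseline {sorted(known)}")
            if later["event"] == "role_assigned" and later.get("detail") in PRIVILEGED_ROLES:
                alerts.setdefault(("privilege_escalation_after_reset", user, later["ts"]),
                                  f"{later['detail']} granted from {later['ip']} "
                                  f"after {reset['event']} at {reset['ts']}")
    return [{"rule": rule, "user": user, "ts": ts, "why": why}
            for (rule, user, ts), why in sorted(alerts.items(), key=lambda kv: kv[0][2])]


if __name__ == "__main__":
    for a in correlate(LOGS):
        print(f"[{a['rule']}] {a['user']} @ {a['ts']}: {a['why']}")
```

The `asmith` events show the intended negative case: a FIDO2 enrollment followed by a login from the user's usual country produces nothing. The `jdoe` reset record's detail field is there to make the help-desk point concrete: a reset approved on a weak verifier such as an employee ID is exactly the event a detection should treat as the start of a window, whether or not the reset itself was legitimate.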