CrowdStrike’s 2025 Threat Hunting Report presents a chilling portrait of the modern cyber landscape, where the lines between human and machine, deception and automation, are increasingly blurred. The report doesn’t just warn of evolving threats—it signals the start of an entirely new era in cybersecurity, one where generative AI isn’t merely a tool in the hands of defenders but a weapon being rapidly adopted by adversaries. Drawing from intelligence gathered by its elite team of threat hunters and analysts tracking over 265 named threat actors, CrowdStrike reveals how cybercriminals, state-sponsored groups, and hacktivist collectives are transforming their operations using GenAI technologies—and increasingly setting their sights on the AI systems themselves.
Among the most striking revelations is the scale and sophistication of AI weaponization. North Korean-linked adversary FAMOUS CHOLLIMA exemplifies this new threat paradigm, using generative AI to orchestrate a deeply layered insider attack campaign. From fabricating resumes and deepfake interviews to completing technical tasks under stolen identities, the group leveraged AI to convert traditional insider threats into long-running, scalable attack operations. Meanwhile, Russia-linked EMBER BEAR used GenAI to inject pro-Kremlin narratives into global information channels, and Iran’s CHARMING KITTEN relied on LLMs to create highly targeted phishing lures aimed at U.S. and EU institutions. These aren’t isolated cases but evidence of a systematic adoption of AI to automate, augment, and accelerate cyberattacks.
But perhaps more alarming than how AI is being used by attackers is what they’re targeting: the agentic AI systems that organizations are beginning to rely on for critical operations. CrowdStrike’s report identifies a sharp rise in attacks against the tools and platforms used to build and deploy autonomous AI agents. These agents—task-oriented, self-operating systems integrated deeply into enterprise workflows—are now being treated by attackers as prime targets, not unlike traditional infrastructure assets. Threat actors are exploiting vulnerabilities in these platforms to gain backdoor access, plant malware, steal credentials, and even deploy ransomware. As enterprises increasingly depend on AI agents to execute key functions without human intervention, each autonomous system becomes both a new productivity engine and a potential liability—an “identity” that must be secured just like a human user.
The emergence of GenAI-built malware also points to a broader democratization of offensive cyber capabilities. Groups like Funklocker and SparkCat are building and deploying malware generated by AI, showcasing how attackers no longer need elite skills to create effective malicious code. With AI helping to bridge the expertise gap, even lower-tier criminals can now generate scripts, debug code, and orchestrate technically sophisticated attacks with minimal experience. The boundaries that once separated script kiddies from nation-state actors are dissolving, replaced by a new class of AI-empowered cyber operatives.
CrowdStrike also highlights the resurgence of SCATTERED SPIDER, a group known for identity-based attacks. In 2025, the group adopted an even more aggressive approach—resetting credentials through vishing (voice phishing), bypassing multi-factor authentication, and spreading laterally across cloud and SaaS environments. In one case, they went from initial access to deploying ransomware in under 24 hours, demonstrating just how compressed the attack lifecycle has become when supported by GenAI-driven tactics.
Another area of concern is the surge in cloud intrusions, particularly by China-linked adversaries. Cloud-based attacks rose by 136%, with groups like GENESIS PANDA and MURKY PANDA exploiting misconfigured services and trusted access paths to bypass detection. As organizations increasingly shift to hybrid and multi-cloud infrastructures, adversaries are quick to adapt, finding and exploiting weak points with surgical precision.
Adam Meyers, head of counter adversary operations at CrowdStrike, frames the findings with stark clarity: “Every AI agent is a superhuman identity: autonomous, fast, and deeply integrated, making them high-value targets.” He underscores how adversaries are no longer treating AI systems as novel curiosities but as critical digital infrastructure—assets to be compromised, manipulated, and leveraged. These AI agents, once hailed as enterprise accelerators, now represent a new front in cyber warfare.
What this report ultimately makes clear is that the cybersecurity battlefront has evolved. It’s no longer just about protecting data or endpoints—it’s about defending the very algorithms, agents, and identities that define modern business. As GenAI blurs the boundaries between automation and intrusion, enterprises must rethink how they secure not only their people and networks but also their machines—before the machines are turned against them.
Leave a Reply