08/04/2025 – 03:04 AM
DPRK-linked hackers infiltrate 320+ companies using GenAI-boosted attacks, exposing AI agents as the latest enterprise vulnerability.
Black Hat USA, Las Vegas — As enterprises increasingly adopt Artificial Intelligence to automate and streamline operations, a new report from cybersecurity firm CrowdStrike (CRWD) reveals a disturbing trend: adversaries are now actively weaponizing Generative AI (GenAI) to scale their attacks and target the very AI agents reshaping the modern business landscape. CrowdStrike’s 2025 Threat Hunting Report, released today, sounds the alarm on this escalating cyber warfare, highlighting how threat actors are exploiting vulnerabilities in AI development tools to gain access, steal credentials, and deploy malicious software.
The key takeaway? Autonomous systems and machine identities have become prime targets, forming a new and critical attack surface that businesses must defend.
CrowdStrike’s Threat Hunting Report—gleaned from the real-world intel of their seasoned analysts, who track over 265 named adversaries—contains the following insights:
- AI Arms Race: Bad Actors Scale Up: North Korean hacking group FAMOUS CHOLLIMA leveraged GenAI to automate every single facet of its insider threat program, from crafting plausible-sounding resumes and carrying out convincing deepfake interviews to completing intricate technical tasks under the guise of false identities. Separately, Russian-backed EMBER BEAR has been using GenAI to amplify its pro-Russian disinformation campaigns, while Iranian group CHARMING KITTEN has targeted U.S. and EU entities with phishing lures crafted with the aid of LLMs (Large Language Models).
- Autonomous Agents: The New Battleground: CrowdStrike’s research uncovers evidence of cybercriminals exploiting holes in AI agent toolsets to gain unauthorized access, embed themselves in the system, pilfer credentials, and deploy ransomware. These attacks highlight how the AI-agent revolution is radically changing the attack landscape.
- GenAI-Powered Malware: No Longer Sci-Fi: Lower-tier cybercriminals and opportunistic hacktivists are now leveraging AI to write malicious scripts, troubleshoot roadblocks, and assemble malware, automating tasks that once required deep technical expertise. Funklocker and SparkCat are proof that AI-built malware is not just academic; it’s here.
- SCATTERED SPIDER Speeds Up Sophisticated Attacks: The group reappeared in 2025 with escalated, more aggressive tactics. It is using vishing and help desk impersonation to circumvent MFA and move laterally through SaaS and cloud infrastructure, demonstrating the growing menace of identity-based cyberattacks. In one case, the group went from initial penetration to complete encryption in 24 hours.
- China Drives Surge in Cloud Attacks: The rate of cloud intrusions grew by 136%. Chinese-backed groups GENESIS PANDA and MURKY PANDA accounted for 40% of the gains, evading detection because of misconfigured cloud environments and overly-trusted access protocols.
“The AI era has redefined how businesses operate and how adversaries attack. We’re seeing threat actors use GenAI to scale social engineering, accelerate operations, and lower the barrier to entry for hands-on-keyboard intrusions,” warns Adam Meyers, head of counter adversary operations at CrowdStrike. “At the same time, adversaries are targeting the very AI systems organizations are deploying. Every AI agent is a superhuman identity: autonomous, fast, and deeply integrated, making them high-value targets. Adversaries are treating these agents like infrastructure, attacking them the same way they target SaaS platforms, cloud consoles, and privileged accounts. Securing the AI that powers business is where the cyber battleground is evolving.”
About CrowdStrike
CrowdStrike (CRWD), a global cybersecurity leader, has redefined modern security with the world’s most advanced cloud-native platform for protecting critical areas of enterprise risk – endpoints and cloud workloads, identity and data.
Powered by the CrowdStrike Security Cloud and world-class AI, the CrowdStrike Falcon® platform leverages real-time indicators of attack, threat intelligence, evolving adversary tradecraft and enriched telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting and prioritized observability of vulnerabilities.
Purpose-built in the cloud with a single lightweight-agent architecture, the Falcon platform delivers rapid and scalable deployment, superior protection and performance, reduced complexity and immediate time-to-value.
CrowdStrike: We stop breaches.
Learn more: https://www.crowdstrike.com/
© 2025 CrowdStrike, Inc. All rights reserved. CrowdStrike and CrowdStrike Falcon are marks owned by CrowdStrike, Inc. and are registered in the United States and other countries. CrowdStrike owns other trademarks and service marks and may use the brands of third parties to identify their products and services.

View source version on businesswire.com: https://www.businesswire.com/news/home/20250803570128/en/
Source: CrowdStrike, Inc.
Original article, Author: Jam. If you wish to reprint this article, please indicate the source: https://aicnbc.com/6359.html