
CrowdStrike 2025 Report: AI-Driven Cyberattacks Target Enterprises
August 5, 2025

CrowdStrike released its 2025 Threat Hunting Report on August 4, 2025, at Black Hat USA, exposing a new era of cyberattacks where adversaries weaponize generative AI (GenAI) to scale operations and target autonomous AI agents. Based on intelligence from tracking over 265 named adversaries, the report highlights how AI-driven tactics are reshaping the enterprise attack surface, with a 136% surge in cloud intrusions and sophisticated social engineering campaigns.

Quick Intel

  • DPRK Attacks: FAMOUS CHOLLIMA infiltrated 320+ companies using GenAI, up 220% year-over-year.

  • AI as Attack Surface: Adversaries exploit AI agent tools for unauthorized access and malware deployment.

  • GenAI Malware: Funklocker and SparkCat show operational GenAI-built malware.

  • Cloud Intrusions: 136% increase, with 40% driven by China-nexus actors like GENESIS PANDA and MURKY PANDA.

  • SCATTERED SPIDER: Deploys ransomware in under 24 hours via identity-based attacks.

  • Key Sectors: Financial services, media, manufacturing, and telecom face heightened risks.

AI-Powered Adversary Tactics

Adversaries are leveraging GenAI to automate and scale attacks:

  • FAMOUS CHOLLIMA (DPRK): Used GenAI to create fake resumes, conduct deepfake interviews, and perform technical tasks, infiltrating over 320 companies, a 220% increase from 2024.

  • EMBER BEAR (Russia): Amplified pro-Russia narratives using GenAI-crafted content.

  • CHARMING KITTEN (Iran): Deployed LLM-crafted phishing lures targeting U.S. and EU entities.

“AI-powered adversary tradecraft is transforming traditional insider threats into scalable, persistent operations,” said Adam Meyers, Head of Counter Adversary Operations at CrowdStrike.

AI Agents as the New Attack Surface

The report identifies autonomous AI agents as high-value targets due to their deep integration and non-human identities. Adversaries exploit vulnerabilities in AI agent tools to gain unauthenticated access, steal credentials, and deploy malware, treating them like SaaS platforms or privileged accounts. This shift marks AI agents as a core component of the enterprise attack surface.

Operational GenAI Malware

Lower-tier eCrime and hacktivist groups are using GenAI to automate script generation and malware development. Malware families like Funklocker and SparkCat demonstrate that GenAI-built malware is now operational, lowering the barrier for sophisticated attacks.

SCATTERED SPIDER’s Rapid Attacks

The SCATTERED SPIDER group has accelerated identity-based, cross-domain attacks, using vishing and help desk impersonation to bypass MFA and deploy ransomware in under 24 hours. Their ability to pivot across SaaS and cloud environments highlights the need for unified security platforms.

Surge in Cloud Intrusions

Cloud intrusions rose 136% in H1 2025, with 40% attributed to China-nexus actors like GENESIS PANDA and MURKY PANDA, who exploit misconfigurations and trusted access. Additionally, GLACIAL PANDA drove a 130% surge in telecom sector attacks.

Strategic Implications

“The AI era has redefined how adversaries attack,” Meyers noted. “Every AI agent is a superhuman identity: autonomous, fast, and deeply integrated, making them high-value targets.” The report emphasizes the need for real-time, AI-native security platforms like CrowdStrike’s Falcon, which leverages threat intelligence and behavioral analysis to counter these evolving threats.


About CrowdStrike

CrowdStrike, a global cybersecurity leader, has redefined modern security with the world’s most advanced cloud-native platform for protecting critical areas of enterprise risk – endpoints and cloud workloads, identity and data.

Powered by the CrowdStrike Security Cloud and world-class AI, the CrowdStrike Falcon® platform leverages real-time indicators of attack, threat intelligence, evolving adversary tradecraft and enriched telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting and prioritized observability of vulnerabilities.
