BLOG Featured Recent Video Category Start Free Trial CrowdStrike 2026 Global Threat Report: The Evasive Adversary Wields AI Adversaries combined trusted access paths, AI-enabled techniques, and cross-domain movement to evade detection in 2025. February 24, 2026 | Adam Meyers | Threat Hunting & Intel As cyber defenses become stronger, adversaries continue to evolve their tactics to succeed. In 2025, the year of the evasive adversary, the threat landscape was defined by attacks that targeted trusted relationships, demonstrated fluency with AI tools, and incorporated tradecraft tailored to exploit security blind spots. The CrowdStrike Counter Adversary Operations team spends every day immersed in adversary behavior and tradecraft. Each year, they compile their most critical observations and insights into the CrowdStrike Global Threat Report. When the team looked back on 2025, the most prominent trend was subtlety: Adversaries are shifting away from heavily monitored systems to quietly gain access and deftly move across endpoint, identity, SaaS, and cloud environments. To defend themselves, security leaders need clarity on which adversaries to watch, the details of their behavior, and how to prepare for and respond to an attack. The CrowdStrike 2026 Global Threat Report provides a comprehensive overview of the modern threat landscape so organizations can prepare to face it. Learn more: Download the CrowdStrike 2026 Global Threat Report Inside the Evasive Adversary’s Toolbox In 2025, adversaries became faster than ever before. The average eCrime breakout time — the period between initial access and lateral movement onto another system — dropped to 29 minutes, a 65% increase in speed from 2024. The fastest observed breakout time: 27 seconds. Adversaries of all motivations utilized AI technology throughout 2025 to accelerate and optimize their existing techniques. They explored its use in attack types such as social engineering and information operations, proving their growing proficiency with AI tools. Most threat actors that integrated AI increased their attack volume: CrowdStrike observed an 89% increase in the number of attacks by AI-enabled adversaries compared to 2024. In addition to using AI tools, adversaries are targeting the AI systems underpinning the modern enterprise. As AI is embedded into development pipelines, SaaS platforms, and operational workflows, AI systems become part of the attack surface. In 2025, adversaries exploited legitimate GenAI tools at more than 90 organizations by injecting malicious prompts to generate commands for stealing credentials and cryptocurrency. They also exploited vulnerabilities in AI development platforms to establish persistence and deploy ransomware, and published malicious AI servers impersonating trusted services to intercept sensitive data. In 2025, evasion was defined by the speed at which adversaries exploit trust. They operated using valid credentials, trusted identity flows, approved SaaS integrations, and inherited software supply chains. Notably, 82% of detections were malware-free. Intrusions moved through authorized pathways and trusted systems, where they blended into normal activity. Supply chain attacks were a defining tactic of 2025. Adversaries compromised upstream providers, development ecosystems, and public code repositories to gain broad access to downstream organizations. In one example, PRESSURE CHOLLIMA stole $1.46 billion USD worth of cryptocurrency through trojanized software delivered via supply chain compromise — the largest single financial theft ever reported.1 CrowdStrike observed a 42% year-over-year increase in zero-days exploited prior to public disclosure as adversaries weaponized dozens of them for initial access, remote code execution, and privilege escalation. In parallel with this trend, 67% of vulnerabilities exploited by China-nexus adversaries provided immediate system access; 40% targeted edge devices that typically lack comprehensive monitoring. China-nexus adversaries systematically exploited vulnerabilities in network edge devices such as VPN appliances, firewalls, and gateways to establish long-term access for intelligence collection. CrowdStrike named 24 new adversaries in 2025, bringing the total tracked to 281+. These threat actors continue to become faster, stealthier, and more effective as they adapt to navigate larger environments and bypass sophisticated security controls. Below are more trends and observations we explore in this year’s report: 38% increase in China-nexus intrusions across all sectors, with an 85% increase in logistics targeting 130% increase in North Korea-nexus incidents, as FAMOUS CHOLLIMA’s activity doubled year-over-year and STARDUST CHOLLIMA increased their operational tempo 82% of detections were malware-free as adversaries used valid credentials, trusted identity flows, and approved SaaS integrations to move across domains 37% increase in cloud-conscious intrusions, with a staggering 266% increase among state-nexus actors; valid account abuse accounted for 35% of cloud incidents 563% increase in incidents using fake CAPTCHA lures, demonstrating adversaries’ shift to effective social engineering techniques 141% increase in spam emails, providing adversaries with more opportunities to gain initial access CrowdStrike is committed to understanding adversaries because it’s the most effective way to defend against them. The CrowdStrike 2026 Global Threat Report summarizes our observations throughout 2025 and the themes, trends, and events that defined the cyber threat landscape. Download the full report to understand how today’s adversaries are operating and how to strengthen your defenses. 1 https://www.elliptic.co/blog/bybit-hack-largest-in-history || https://www.ic3.gov/psa/2025/psa250226 Tweet Share CrowdStrike 2025 Threat Hunting Report Adversaries weaponize and target AI at scale. Download report Related Content The Art of Deception: How Threat Actors Master Typosquatting Campaigns to Bypass Detection LABYRINTH CHOLLIMA Evolves into Three Adversaries How CrowdStrike’s Malware Analysis Agent Detects Malware at Machine Speed CATEGORIES Agentic SOC 47 Cloud & Application Security 139 Data Protection 21 Endpoint Security & XDR 349 Engineering & Tech 86 Executive Viewpoint 177 Exposure Management 115 From The Front Lines 197 Next-Gen Identity Security 66 Next-Gen SIEM & Log Management 110 Public Sector 40 Securing AI 25 Threat Hunting & Intel 210 CONNECT WITH US FEATURED ARTICLES October 01, 2024 CrowdStrike Named a Leader in 2024 Gartner® Magic Quadrant™ for Endpoint Protection Platforms September 25, 2024 Recognizing the Resilience of the CrowdStrike Community September 25, 2024 CrowdStrike Drives Cybersecurity Forward with New Innovations Spanning AI, Cloud, Next-Gen SIEM and Identity Protection September 18, 2024 SUBSCRIBE Sign up now to receive the latest notifications and updates from CrowdStrike. Sign Up See CrowdStrike Falcon® in Action Detect, prevent, and respond to attacks— even malware-free intrusions—at any stage, with next-generation endpoint protection. See Demo The Art of Deception: How Threat Actors Master Typosquatting Campaigns to Bypass Detection Copyright © 2026 CrowdStrike Privacy Request Info Blog Contact Us 1.888.512.8906 Accessibility ABOUT COOKIES ON THIS SITE By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. Cookies Settings Reject All Accept All Cookies