
26 February, 2026

CrowdStrike: AI is the new enterprise attack surface

The latest Global Threat Report from CrowdStrike makes clear that as innovation accelerates, adversary exploitation follows. CrowdStrike has found that AI is accelerating adversaries and expanding the enterprise attack surface. The average e-crime breakout time fell to 29 minutes in 2025, with the fastest-observed breakout occurring in 27 seconds. Adversaries are also actively exploiting AI systems themselves, injecting malicious prompts into generative AI tools at more than 90 organisations and abusing AI development platforms.

AI-enabled adversaries increased operations by 89% year-over-year, weaponising AI across reconnaissance, credential theft, and evasion. Intrusions now move through trusted identities, software-as-a-service (SaaS) applications, and cloud infrastructure, blending into normal activity while compressing defenders’ time to respond. AI is both the accelerant and the target.

Based on frontline intelligence from CrowdStrike’s elite threat hunters and intelligence analysts tracking more than 280 named adversaries, the report reveals that AI is the new attack surface:

Prompts are the new malware

Adversaries exploited legitimate generative AI (gen AI) tools at more than 90 organisations by injecting malicious prompts to generate commands for stealing credentials and cryptocurrency. They also exploited vulnerabilities in AI development platforms to establish persistence and deploy ransomware, and published malicious AI servers impersonating trusted services to intercept sensitive data. 
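The defensive point behind "prompts are the new malware" is that text an LLM emits must be treated as untrusted input, not as an instruction to run. The following is an added example (not code from the report or from CrowdStrike) of a deny-by-default gate that an integration could place between a gen AI assistant and a shell: it rejects chaining and substitution characters, path-qualified binaries, and anything not on a hypothetical allowlist of binaries and flags. The allowlist and the sample model outputs are constructed for illustration.

```python
"""Deny-by-default gate for commands proposed by an LLM.

Added example: the allowlist, flag sets and sample model outputs below are
constructed assumptions, not values from the report or any product.
"""
import re
import shlex
from typing import List, Tuple

# Hypothetical allowlist: binary -> flags it may be invoked with.
# Anything not listed here is refused, whatever the model says.
ALLOWED_COMMANDS = {
    "ls": {"-l", "-a", "-la", "-h"},
    "df": {"-h"},
    "uptime": set(),
}

# Characters that turn one command into several, substitute output,
# or redirect it; none of the allowlisted tools need them.
SHELL_METACHARS = re.compile(r"[;&|`$<>()\\]")

# Positional arguments are limited to plain relative/absolute paths
# without parent-directory traversal.
SAFE_ARG = re.compile(r"[A-Za-z0-9_./-]+")


def evaluate_command(cmd: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a single model-proposed command line."""
    if SHELL_METACHARS.search(cmd):
        return False, "shell metacharacter present (chaining/substitution/redirection)"
    try:
        argv = shlex.split(cmd)
    except ValueError as exc:
        return False, f"unparseable command: {exc}"
    if not argv:
        return False, "empty command"

    binary = argv[0]
    if "/" in binary:
        return False, "path-qualified binary not allowed; use the bare name"
    if binary not in ALLOWED_COMMANDS:
        return False, f"binary '{binary}' is not allowlisted"

    allowed_flags = ALLOWED_COMMANDS[binary]
    for arg in argv[1:]:
        if arg.startswith("-"):
            if arg not in allowed_flags:
                return False, f"flag '{arg}' not allowed for '{binary}'"
        elif not SAFE_ARG.fullmatch(arg) or ".." in arg:
            return False, f"argument '{arg}' rejected by path policy"
    return True, "allowlisted"


def gate_batch(model_outputs: List[str]) -> List[Tuple[str, bool, str]]:
    """Evaluate every proposed command; the caller logs the denials."""
    return [(cmd, *evaluate_command(cmd)) for cmd in model_outputs]


# Constructed sample of lines an assistant might propose (not real output).
SAMPLE_MODEL_OUTPUTS = [
    "ls -la /var/log",
    "uptime",
    "df -h",
    "ls -la /var/log; uptime",      # chaining -> denied
    "/bin/ls -l",                    # path-qualified -> denied
    "ls --recursive /",              # flag not in allowlist -> denied
    "rm -rf /tmp/scratch",           # binary not in allowlist -> denied
]

if __name__ == "__main__":
    for cmd, ok, why in gate_batch(SAMPLE_MODEL_OUTPUTS):
        print(f"{'ALLOW' if ok else 'DENY ':5} {cmd!r}: {why}")
```

The gate is intentionally narrow: widening it means adding a binary and its flags explicitly, which keeps the review decision with a human rather than with whichever prompt reached the model. Every denial should be logged with the full proposed command, since a cluster of denials is itself a signal that the assistant is being steered.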

Fastest breakout time on record 

As AI accelerated attacks, the average e-crime breakout time fell to 29 minutes – a 65% increase in speed from 2024 – with the fastest observed breakout ever occurring in just 27 seconds. In one intrusion, data exfiltration began within four minutes of initial access, CrowdStrike said. 
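Breakout time is the interval between an adversary's initial access and their first lateral movement, so a defender can measure it from their own telemetry. The following is an added example (not the report's or CrowdStrike's code) that reads constructed endpoint events, computes breakout time per intrusion, and flags any intrusion that broke out within a chosen threshold. Event format, intrusion identifiers and the 29-minute default threshold are assumptions taken for illustration.

```python
"""Measure breakout time (initial access -> first lateral movement) per intrusion.

Added example with constructed telemetry; the CSV layout, intrusion ids and
hostnames are assumptions, not data from the report.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample: ISO-8601 timestamp, intrusion id, host, event type.
SAMPLE_EVENTS = """\
2025-06-01T10:00:00Z,INC-1,ws-01,initial_access
2025-06-01T10:02:30Z,INC-1,ws-01,credential_access
2025-06-01T10:27:00Z,INC-1,ws-01,lateral_movement
2025-06-01T10:29:00Z,INC-1,srv-02,lateral_movement
2025-06-02T08:00:00Z,INC-2,ws-07,initial_access
2025-06-02T08:00:27Z,INC-2,ws-07,lateral_movement
2025-06-03T12:00:00Z,INC-3,ws-09,initial_access
2025-06-03T12:01:00Z,INC-3,ws-09,discovery
"""

Event = Tuple[datetime, str, str, str]


def parse_events(text: str) -> List[Event]:
    """Parse the constructed CSV lines into (timestamp, intrusion, host, type)."""
    events: List[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, inc, host, etype = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, inc, host, etype))
    return events


def breakout_times(events: List[Event]) -> Dict[str, int]:
    """Seconds from first initial_access to first lateral_movement, per intrusion.

    Intrusions that never reached lateral movement are omitted: they have no
    breakout yet, and counting them as zero would skew the average downward.
    """
    first_access: Dict[str, datetime] = {}
    first_lateral: Dict[str, datetime] = {}
    for when, inc, _host, etype in sorted(events):
        if etype == "initial_access":
            first_access.setdefault(inc, when)
        elif etype == "lateral_movement":
            first_lateral.setdefault(inc, when)
    result: Dict[str, int] = {}
    for inc, lateral in first_lateral.items():
        access = first_access.get(inc)
        if access is not None and lateral >= access:
            result[inc] = int((lateral - access).total_seconds())
    return result


def flag_fast_breakouts(times: Dict[str, int], threshold_seconds: int = 29 * 60) -> List[str]:
    """Intrusions that broke out at or under the threshold (default: 29 minutes)."""
    return sorted(inc for inc, secs in times.items() if secs <= threshold_seconds)


def average_breakout(times: Dict[str, int]) -> Optional[float]:
    """Mean breakout time in seconds, or None when no intrusion broke out."""
    if not times:
        return None
    return sum(times.values()) / len(times)


if __name__ == "__main__":
    times = breakout_times(parse_events(SAMPLE_EVENTS))
    for inc, secs in sorted(times.items()):
        print(f"{inc}: breakout in {secs} s")
    print("fast breakouts:", flag_fast_breakouts(times))
    print("average:", average_breakout(times))
```

Run against real telemetry, the useful comparison is your own response time against the same clock: a containment action that lands after the first lateral-movement event is, by this measure, too late for that intrusion.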

Nation-state and e-crime AI use accelerates

AI-enabled adversaries increased their activity by 89%. Russia-nexus FANCY BEAR deployed LLM-enabled malware (LAMEHUG) to automate reconnaissance and document collection; e-crime actor PUNK SPIDER used AI-generated scripts to accelerate credential dumping and erase forensic evidence; and North Korea-nexus FAMOUS CHOLLIMA leveraged AI-generated personas to scale insider operations.

China- and North Korea-nexus operations surge

China-nexus activity increased 38% in 2025, with the logistics vertical seeing the greatest increase: targeting up 85%. Over two thirds (67%) of the vulnerabilities exploited by China-nexus actors delivered immediate system access, while 40% targeted Internet-facing edge devices.

North Korea-linked incidents rose more than 130% as FAMOUS CHOLLIMA activity more than doubled. PRESSURE CHOLLIMA's US$1.46B cryptocurrency theft was the largest single financial heist ever reported.

Zero-day and cloud exploitation grow

42% of vulnerabilities were exploited before public disclosure as adversaries weaponised zero-days for initial access, remote code execution, and privilege escalation. Cloud-conscious intrusions rose by 37% overall, with a 266% increase from state-nexus threat actors targeting cloud environments for intelligence collection.

“This is an AI arms race,” said Adam Meyers, head of Counter Adversary Operations at CrowdStrike.

“Breakout time is the clearest signal of how intrusion has changed. Adversaries are moving from initial access to lateral movement in minutes. AI is compressing the time between intent and execution while turning enterprise AI systems into targets. Security teams must operate faster than the adversary to win.”

Explore

Download the CrowdStrike 2026 Global Threat Report at https://www.crowdstrike.com/en-us/global-threat-report/
