Enterprising adversaries using GenAI to outpace defenses, reveals CrowdStrike report

CrowdStrike's 2025 Threat Hunting Report warns of "enterprising adversaries" using AI, cloud exploitation, and advanced social engineering to bypass defenses, requiring faster, more adaptive security measures.

A new breed of cybercriminal, described as the “enterprising adversary” in the CrowdStrike 2025 Threat Hunting Report, is operating with a level of planning and efficiency that resembles a business. These actors use scalable, sophisticated methods to reach their goals quickly and with maximum impact.

According to CrowdStrike, to stay ahead of such adversaries, innovation is essential. Modern threat hunting and new defensive technologies are needed to predict their moves, understand their methods, and adapt before they strike.

These actors are skilled at bypassing traditional security measures, often targeting gaps that standard protections overlook. This includes compromising unmanaged devices that sit outside IT oversight and exploiting human behavior through social engineering, which is now frequently enhanced by generative AI. By focusing on these weaker points, they can gain access, steal data, and launch further attacks without being noticed.

CrowdStrike’s Counter Adversary Operations combines its Intelligence and OverWatch teams with the AI-powered Falcon platform. While intelligence analysts keep tabs on adversary activities and emerging threats, OverWatch leverages this intelligence to proactively hunt for malicious behavior in customer environments. Together, they provide protection and detection capabilities that many organizations cannot match internally.

Some of the most skilled actors now use generative AI as an essential tool. North Korea-linked FAMOUS CHOLLIMA, for example, has used AI to create convincing résumés, generate deepfake videos for interviews, and assist with coding tasks. These techniques allow operatives to pose as legitimate remote workers while gathering intelligence or setting up future attacks.

Other adversaries choose a more stealthy approach, emphasizing long-term access rather than immediate disruption. China-nexus group GLACIAL PANDA has used this method to infiltrate global telecommunications networks, establish persistence, and quietly map out systems. Their low digital footprint makes detection difficult, but targeted hunting can uncover trojanized software and repeated access attempts to sensitive data.

Increase in attacks on cloud environments

Cloud environments are also under growing pressure. In the first half of 2025, OverWatch detected a 136% rise in cloud intrusions compared with all of 2024. China-linked actors GENESIS PANDA and MURKY PANDA have become adept at navigating these environments, prompting CrowdStrike to develop new hunting techniques for cloud services and identity protection.

According to Adam Meyers, Senior Vice President, Counter Adversary Operations at CrowdStrike, cloud environments are attractive targets, particularly to China-nexus actors, who have moved away from the smash-and-grab operations that defined Chinese intrusions for a while and are now looking to maximize their ability to stay on target and not get caught.

“The cloud really helps them to do that, because within the cloud environment, a lot of defenders don't have that visibility. Many security folks are not cloud experts, and they need to become cloud experts in order to understand how to process the data within that cloud and to be able to identify and to stop those threats. Also, as more organizations have moved to the cloud, the threat actors also need to follow there. They need to be able to effectively operate in the cloud, because that's where the data that they want to steal ultimately resides,” said Meyers.

Social engineering remains a major threat. In the second half of 2024, voice phishing (vishing) attacks increased by 442%, and in the first half of 2025, they had already overtaken the total from the previous year. Groups like SCATTERED SPIDER have refined this approach, using help desk attacks to quickly escalate from account takeover to ransomware.

Vulnerabilities remain a common entry point: 52% of the vulnerabilities CrowdStrike tracked in 2024 were tied to initial access, the first stage of an intrusion. When adversaries deploy zero-day exploits, rapid detection of post-exploitation activity is critical to limit damage.

Data from July 2024 to June 2025 shows that 81% of interactive intrusions were malware-free, and eCrime actors accounted for 73% of interactive intrusion activity. For the eighth straight year, technology remains the most targeted industry, while nation-state activity against the telecommunications and government sectors rose sharply.

CrowdStrike concludes that adversaries are increasingly blending traditional methods with GenAI to enhance speed, reach, and effectiveness — a shift that will demand faster, more adaptable defenses in the months ahead.