CrowdStrike's 2025 Global Threat Report: China's Cyber Espionage Surges Amid Rising AI-Driven Threats

Five Big Takeaways From CrowdStrike's 2025 Threat Report

Cyberattacks attributed to China's government are soaring while threats powered by GenAI and manually executed hacking are growing rapidly as well, according to the cybersecurity giant. Cyberattacks attributed to China's government are soaring while threats powered by GenAI and manually executed hacking are growing rapidly as well, according to findings from cybersecurity giant CrowdStrike released Thursday. While CrowdStrike's 2025 Global Threat Report provided new insights into a range of threats and malicious actors, the report pinpointed China as the major threat actor to be watching for in the immediate term. [Related: CrowdStrike's Adam Meyers On 'Up-Leveled' Hacking By China, Threats To MSPs] "China is, I think, the story that everybody needs to be focused on right now," said Adam Meyers, head of counter adversary operations at CrowdStrike, during a recent call with media on the report. What follows are five of the biggest takeaways from CrowdStrike's 2025 Global Threat Report. CrowdStrike observed a major surge in attacks connected to the Chinese government in 2024, with intrusions by China-nexus adversaries up 150 percent from the year before, according to the report. Targeted sectors included financial services, media and manufacturing, as well as industrials and engineering -- all of which saw between a 200-percent and 300-percent spike in intrusions in 2024, CrowdStrike reported. The "scariest" aspect of the situation, Meyers told reporters during the recent call, is that "after decades of investment into China's offensive capabilities, they're now on par with other world powers." "China has really gone from the smash-and-grab kind of chaos of the early 2010 timeframe to now [where] they are really a fully functioning, offensive cyber capability," he said. And ultimately, "they're driven by political ambitions." In addition to threats from the theft of intellectual property, certain China-linked groups also pose a threat to critical infrastructure, Meyers said, pointing to threat actors such as the group tracked as Volt Typhoon / Vanguard Panda. Vanguard Panda has been "targeting critical infrastructure of logistical networks related to maritime operations, related to air transportation and intercontinental travel," Meyers said -- which is a particular concern amid the ongoing potential for a conflict with China over Taiwan. CrowdStrike's findings related to GenAI-powered attacks included a surge in voice phishing in 2024, with such attacks jumping 442 percent during the second half of the year compared to the first half. The report also highlighted 2024 academic research showing that emails generated using Large Language Models saw a 54-percent click-through rate, versus just 12 percent for a human-composed email. Meanwhile, Iran-based threat groups have been particularly aggressive in utilizing GenAI including for vulnerability research and development of exploits, according to CrowdStrike. At this point, there's no doubt that GenAI "really lowers the barrier for entry to conducting effective cyberattacks," Meyers said. Even with the increased usage of AI, however, manually executed cyberattacks are also growing in popularity, according to CrowdStrike. Such hacking activity, referred to as "hands-on-keyboard," does not use malware and thus is far harder to detect. "If you stay just [with] hands-on-keyboard, you look like a user," Meyers said. In 2024, 79 percent of detections tracked by CrowdStrike did not include malware, suggesting that attackers were carrying out the attacks manually, according to the vendor's report. The threat actors that provide initial access to an environment -- known as access brokers -- have also been far more active of late, according to the CrowdStrike findings. Access broker advertisements touting available access to compromised environments were up 50 percent in 2024 from a year earlier, the vendor reported, in a major factor responsible for the intensifying threat environment. Increased activity from access brokers is undoubtedly a "major driver" behind the continued expansion of identity-based attacks, CrowdStrike said in the report. While attacks targeting the cloud have been expanding for a number of years now, 2024 saw some particularly troubling signs in this area, according to the CrowdStrike report. For instance, cloud intrusions considered to be new and unattributed grew 26 percent during the year over 2024 -- "indicating more threat actors seek to exploit cloud services," the company said in the report. Key "cloud-conscious" tactics employed by threat actors included gaining initial access through valid accounts, achieving lateral movement using tools for managing cloud environments and maintaining persistence using "alternate" mechanisms authentication, the company said in the report.

China's Cyber Attacks Increase by 150% as AI Driven Threats Escalate: CrowdStrike

Tracking more than 250 named adversaries and 140 emerging activity clusters, CrowdStrike's latest research reveals: · China's Cyber Espionage Grows More Aggressive: CrowdStrike identified seven new China-nexus adversaries in 2024, fueling a 150% surge in espionage attacks, with critical industries seeing up to a 300% spike in targeted attacks. · GenAI Supercharges Social Engineering: AI-driven phishing and impersonation tactics fueled a 442% increase in voice phishing (vishing) between H1 and H2 2024. Sophisticated eCrime groups like CURLY SPIDER, CHATTY SPIDER and PLUMP SPIDER leveraged social engineering to steal credentials, establish remote sessions and evade detection. · Iran Utilizes GenAI for Vulnerability Research and Exploitation: In 2024, Iran-nexus actors increasingly explored GenAI for vulnerability research, exploit development and patching domestic networks, aligning with government-led AI initiatives. · From Breaking in to Logging In - Surge in Malware-Free Attacks: 79% of attacks to gain initial access are now malware-free while access broker advertisements surged 50% YoY. Adversaries exploited compromised credentials to infiltrate systems as legitimate users, moving laterally undetected with hands-on keyboard activities. · Insider Threats Continue to Rise: DPRK-nexus adversary FAMOUS CHOLLIMA was behind 304 incidents uncovered in 2024. 40% involved insider threat operations, with adversaries operating under the guise of legitimate employment to gain system access and carry out malicious activity. · Breakout Time Hits Record Speed: The average eCrime breakout time dropped to 48 minutes, with the fastest recorded at 51 seconds - leaving defenders little time to react. · Cloud Environments Under Siege: New and unattributed cloud intrusions increased by 26% YoY. Valid account abuse is the primary initial access tactic, accounting for 35% of cloud incidents in H1 2024. · Unpatched Vulnerabilities Remain a Key Target: 52% of vulnerabilities observed were related to initial access, reinforcing the critical need to secure entry points before adversaries establish persistence.

2025 CrowdStrike Global Threat Report: China's Cyber Espionage Surges 150% with Increasingly Aggressive Tactics, Weaponization of AI-powered Deception Rises

The industry's preeminent source on adversary intelligence exposes a 442% increase in vishing as GenAI-driven social engineering attacks increase; DPRK insider threats spike CrowdStrike (NASDAQ: CRWD) today released its 2025 Global Threat Report, exposing the growing aggression of China's cyber operations, a surge in GenAI-powered social engineering and nation-state vulnerability research and exploitation, and a sharp increase in malware-free, identity-based attacks. The report reveals that China-nexus adversaries escalated state-sponsored cyber operations by 150%, with targeted attacks in financial services, media, manufacturing and industrial sectors soaring up to 300%. At the same time, adversaries worldwide are weaponizing AI-generated deception, exploiting stolen credentials and increasingly executing cross-domain attacks - exploiting gaps across endpoint, cloud and identity - to bypass security controls and operate undetected in the shadows. The shift to malware-free intrusions that exploit trusted access, combined with record-shattering breakout times, leaves defenders little room for error. To stop modern attacks, security teams need to eliminate visibility gaps, detect adversary movement in real-time and stop attacks before they escalate - because once they're inside, it's already too late. CrowdStrike Global Threat Report Highlights Tracking more than 250 named adversaries and 140 emerging activity clusters, CrowdStrike's latest research reveals: China's Cyber Espionage Grows More Aggressive: CrowdStrike identified seven new China-nexus adversaries in 2024, fueling a 150% surge in espionage attacks, with critical industries seeing up to a 300% spike in targeted attacks. GenAI Supercharges Social Engineering: AI-driven phishing and impersonation tactics fueled a 442% increase in voice phishing (vishing) between H1 and H2 2024. Sophisticated eCrime groups like CURLY SPIDER, CHATTY SPIDER and PLUMP SPIDER leveraged social engineering to steal credentials, establish remote sessions and evade detection. Iran Utilizes GenAI for Vulnerability Research and Exploitation: In 2024, Iran-nexus actors increasingly explored GenAI for vulnerability research, exploit development and patching domestic networks, aligning with government-led AI initiatives. From Breaking in to Logging In - Surge in Malware-Free Attacks: 79% of attacks to gain initial access are now malware-free while access broker advertisements surged 50% YoY. Adversaries exploited compromised credentials to infiltrate systems as legitimate users, moving laterally undetected with hands-on keyboard activities. Insider Threats Continue to Rise: DPRK-nexus adversary FAMOUS CHOLLIMA was behind 304 incidents uncovered in 2024. 40% involved insider threat operations, with adversaries operating under the guise of legitimate employment to gain system access and carry out malicious activity. Breakout Time Hits Record Speed: The average eCrime breakout time dropped to 48 minutes, with the fastest recorded at 51 seconds - leaving defenders little time to react. Cloud Environments Under Siege: New and unattributed cloud intrusions increased by 26% YoY. Valid account abuse is the primary initial access tactic, accounting for 35% of cloud incidents in H1 2024. Unpatched Vulnerabilities Remain a Key Target: 52% of vulnerabilities observed were related to initial access, reinforcing the critical need to secure entry points before adversaries establish persistence. "China's increasingly aggressive cyber espionage, combined with the rapid weaponization of AI-powered deception, is forcing organizations to rethink their approach to security," said Adam Meyers, head of counter adversary operations at CrowdStrike. "Adversaries exploit identity gaps, leverage social engineering and move across domains undetected - rendering legacy defenses ineffective. Stopping breaches requires a unified platform powered by real-time intelligence and threat hunting, correlating identity, cloud and endpoint activity to eliminate the blind spots where adversaries hide." CrowdStrike pioneered adversary-driven cybersecurity through the CrowdStrike Falcon® cybersecurity platform, which delivers AI-powered protection, real-time threat intelligence and expert threat hunting to secure identity, cloud and endpoint as the gold standard in cybersecurity. Leveraging innovative behavioral AI and machine learning trained on industry-leading threat intelligence and trillions of security events, CrowdStrike delivers real-time protection against advanced threats, providing comprehensive visibility and protection across the entire attack lifecycle. Additional Resources: Download the 2025 CrowdStrike Global Threat Report. Visit CrowdStrike's Adversary Universe for the internet's definitive source on adversaries. Listen to the Adversary Universe podcast to glean insights into threat actors and recommendations to amplify security practices. About CrowdStrike CrowdStrike (NASDAQ: CRWD), a global cybersecurity leader, has redefined modern security with the world's most advanced cloud-native platform for protecting critical areas of enterprise risk - endpoints and cloud workloads, identity and data.

Will Chinese cyberespionage be more aggressive in 2025? CrowdStrike thinks so

Chinese state-sponsored actors have increased activities, report claims We're still in the early days of 2025, but CrowdStrike's Global Threat Report has laid out what cybersecurity teams should expect for the coming year. The latter half of 2024 saw the vulnerability threat landscape evolve, with the adoption of generative AI giving a huge boost to social engineering attacks across the world. CrowdStrike identified seven new 'China-nexus' adversaries in 2024, with Chinese sponsored attacks surging 150% overall. Some industries suffered a 200%-300% increase in attack activity year-on-year, most significantly in financial services, media, manufacturing, and engineering sectors. Worryingly, critical targets like government agencies, technology, and telecommunications sectors also suffered a 50% increase in Chinese threat actor incidents compared to 2023. That won't come as too much of a surprise for most, especially given the high-profile Salt Typhoon attack which breached 9 major telecom firms in late 2025. Generative AI is lowering the barrier to entry for cybercriminals, and is a tool which makes cybercrime more accessible. Most cybersecurity teams will tell you the frequency of attacks that criminals are able to leverage has skyrocketed with AI, but the tech also allows for the creation of more and more convincing scams, especially social engineering scams. CrowdStrike's research shows deepfake video and voice clones are used to scam companies and individuals, so cybersecurity teams will likely need to shift some focus to tackling the threat of deepfakes in the workplace. Looking forward, the vulnerability exploitation landscape "remains a critical concern", with threat actors expected to aggressively target flawed devices and end-of-life products, so CrowdStrike reaffirms the importance of being proactive with patches, software updates, and hardware upgrades. These trends are expected to continue to evolve into 2025, given rising geopolitical tensions and the development of new technologies which will more than likely allow cybercriminals to carry out more frequent and sophisticated attacks.

CrowdStrike report finds surge in malware-free cyberattacks and AI-driven threats in 2024 - SiliconANGLE

CrowdStrike report finds surge in malware-free cyberattacks and AI-driven threats in 2024 A new report out today from CrowdStrike Holdings Inc. highlights how cyberthreats evolved significantly in 2024, with attackers shifting toward malware-free intrusions, artificial intelligence-assisted social engineering and cloud-focused vulnerabilities. The 11th annual 2025 CrowdStrike Global Threat report details a surge in alleged China-backed cyber activity, an explosion in "vishing," or voice phishing, and identity-based attacks and the growing role of generative AI in cybercrime. In 2024, CrowdStrike found that 79% of cyber intrusions were malware-free, compared with 40% in 2019. Attackers were found to be increasingly leveraging legitimate remote management and monitoring tools to bypass traditional security measures. And the breakout time -- the time it takes for an attacker to move laterally within a compromised network after gaining initial access -- dropped to 48 minutes in 2024, with some attacks spreading in under one minute. Identity-based attacks and social engineering saw notable surges through 2024. Vishing attacks surged more than fivefold, notably replacing traditional phishing as a primary method of initial access. Help desk impersonation attempts also increased through the year, with adversaries persuading information technology staff to reset passwords or bypass multifactor authentication. Access broker advertisements, where attackers sell stolen credentials, rose 50% through 2024, as more credentials were stolen and made available on both the clear and dark web. Alleged China-linked actors were also busy through the year. CrowdStrike's researchers claim a 150% increase in activity, with some industries seeing a 200% to 300% spike. The same groups are noted in the report as adopting strong OPSEC measures, making their attacks harder to trace. As with last year's annual report, CrowdStrike also highlights the rising prominence of AI in cybercrime. Generative AI is now widely adopted for social engineering, phishing, deepfake scams and automated disinformation campaigns. Notable AI campaigns include the North Korea-linked group FAMOUS CHOLLIMA using AI-powered fake job interviews to infiltrate tech companies. Cloud and software-as-a-service attacks were also found to have risen in 2024, with cloud-conscious adversaries expanding their tactics and exploiting valid accounts for initial access. Some 35% of cloud security incidents involved valid account abuse, as attackers avoided malware to stay undetected and SaaS exploitation increased. Attackers targeted Microsoft 365, SharePoint and enterprise application programming interfaces to exfiltrate sensitive data. On the vulnerability front, more than half of vulnerabilities observed in 2024 were related to initial access, reinforcing the urgency of securing entry points. The report notes that zero-day or unpatched vulnerability exploitation remains a concern, with state-backed groups focusing on network appliances and cloud infrastructure. To counter the increasing levels of security risk, CrowdStrike's researchers recommend strengthening identity security through phishing-resistant MFA, continuous monitoring of privileged accounts, and proactive threat hunting to detect malware-free intrusions before attackers establish a foothold. Organizations should also implement real-time AI-driven threat detection, ensuring rapid response capabilities to mitigate fast-moving attacks, such as those with breakout times under a minute. In addition to identity protection, enterprises are recommended to fortify cloud security by enforcing least privilege access, monitoring API keys for unauthorized usage and securing software-as-a-service applications against credential abuse. As adversaries increasingly exploit automation and AI tools, defenders are advised to adopt advanced behavioral analytics and cross-domain visibility solutions to detect stealthy intrusions and disrupt adversary operations before they escalate.

China cyber espionage up by 150 percent in 2024: Report

China's cyber espionage operations continue to become more aggressive amid the increasing use of emerging technologies like artificial intelligence to help carry out attacks, according to a report published Thursday. CrowdStrike's 2025 Global Threat Report, released Thursday, found China-linked cyber operations surged by 150 percent last year. Attacks targeting the financial services, media, manufacturing and industrial sectors increased by 200 to 300 percent in 2024 compared to the previous year, the report added. The Hill reached out to the Chinese embassy in Washington for further comment. Current and former government officials have increasingly warned of China-backed efforts targeting American intellectual property, but also the critical infrastructure Americans rely on every day. The cybersecurity firm also found adversaries are increasingly using AI to carry out these attacks, especially those involving phishing or impersonation tactics. Over the course of 2024, voice phishing attacks, during which adversaries call victims, increased by 442 percent, the report stated. "From fictious profiles to AI-generated emails and websites," the report stated, adversaries "are using genAI to supercharge insider threats and social engineering." "Along with legitimate organizations, easy access to commercial large language models (LLMs) is making adversaries more productive, too," the report added. "It's shortening their learning curve and development cycles, and it's allowing them to increase the scale and pace of their activities." CrowdStrike noted the AI-powered tactics are becoming harder to detect and called on organizations to bolster their defenses accordingly. Despite the increasing malicious use of AI, it is still "largely iterative and evolutionary" and there is rarely a use case that is entirely new, the firm noted. CrowdStrike said it is harnessing AI itself to help its clients anticipate cyber attacks and defend against them.