Five Things To Know From CrowdStrike’s 2025 Threat Hunting Report
Threat actors are increasingly looking to compromise multiple IT domains as part of attacks, even as threats exploiting AI technologies continue to surge, CrowdStrike’s Adam Meyers tells CRN.
Attackers have put increased effort into compromising multiple IT domains at targeted victims as part of a shift toward stealthier tactics, according to CrowdStrike’s latest threat hunting report released Monday.
The cybersecurity giant’s 2025 Threat Hunting Report also pointed to a major acceleration in cloud-focused attacks as well as intensified attacks originating from China and North Korea. Exploitation of GenAI and agentic technologies in cyberattacks has also risen sharply, according to CrowdStrike’s findings.
In an interview with CRN, Adam Meyers, head of counter adversary operations at CrowdStrike, said that the rise of “cross-domain” attacks has created massive challenges for cyber defense.
“It’s one of the things that I think many organizations are struggling with,” Meyers said. “What that effectively means is that the defender needs to be an expert not just in the endpoint and evaluating and understanding what's happening on the endpoint, but they also need to be experts in the identity space. They need to be experts in the cloud domain. And they need to be able to get instrumentation from their unmanaged devices and visibility into [systems] like VMware hypervisors and vSphere.”
Ultimately, “it's really increasing the amount of things that these defenders need to be able to effectively hunt on and understand,” he told CRN.
What follows are five things to know from CrowdStrike’s 2025 Threat Hunting Report.
Rise In Cloud Attacks
CrowdStrike’s findings reveal that cloud intrusions surged by 136 percent during the first half of 2025 compared to all of 2024.
The attacks come as threat actors follow the organizations that have increasingly moved to the cloud themselves, Meyers said.
“I think it really denotes that more and more organizations are moving toward the cloud quickly and adopting more cloud in their environments,” he said. “And so the adversaries are keeping pace there.”
Notably, China-linked attackers are believed to be behind 40 percent of the increase in cloud threats, according to the CrowdStrike report.
Expanded Attacks From China
Beyond attacks targeting the cloud, threats from China have been on the rise overall, CrowdStrike threat hunters found.
The report found a 130-percent increase in nation-state attacks targeting the telecommunications industry over the past 12 months, driven by dramatically increased operations from China-nexus attackers targeting telecom — with a focus on Asia and North America.
Other tactics increasingly adopted by China-nexus adversaries include targeting unmanaged devices that organizations lack visibility into, according to Meyers. This is among the major reasons for the wave of exploitation of network device vulnerabilities over the past year, he said.
When it comes to unmanaged devices, they don’t have detection and response capabilities, Meyers noted. “And so if they're able to compromise those [devices] with the zero day, they can kind of lurk on them and use that to collect credentials or move deeper into the network.”
Hands-On-Keyboard Attacks Are Up
The efficacy of endpoint detection and response (EDR) technologies continues to force threat actors to use manual, interactive methods, known as hands-on-keyboard attacks, to remain stealthy and make headway against victims, according to CrowdStrike’s findings.
During the past 12 months, CrowdStrike’s report found that hands-on-keyboard attacks climbed 27 percent from the same period a year earlier.
Without a doubt, “adversaries are relying more on hands-on-keyboard approaches and less on malware,” Meyers said. “That is reflective of the fact that the adversaries are trying to avoid EDR.”
In addition to increasingly targeting unmanaged devices, the need to bypass EDR is also leading more attackers to focus on identity-based attacks, he said. That’s an area where threat groups such as Scattered Spider have been excelling, Meyers said.
Accelerated Ransomware Deployment
In the case of Scattered Spider — believed to have struck numerous high-profile companies in 2025 in key sectors such as retail, insurance and aviation — one major development has been the accelerated speed of some of its attacks, according to the CrowdStrike threat report.
One attack, in particular, saw the group achieve deployment of ransomware less than 24 hours after gaining initial access, which is 32-percent faster than its fastest ransomware deployment previously, CrowdStrike threat hunters found.
In other words, attackers are “continuing to get faster, which becomes a problem from a defender's perspective, because the defenders need to move faster,” Meyers said.
Increased Use Of AI
Evidence also continues to accumulate that attackers are exploiting GenAI technologies to power more-effective attacks, according to the CrowdStrike report.
As an example, the North Korea-linked threat actor tracked as Famous Chollima has increasingly used GenAI to fabricate resumes and to conduct interviews using deepfakes, as part of its campaign to secure fraudulent employment for North Korean workers in order to fund government activities. Famous Chollima infiltrated more than 320 companies over the past 12 months, a 220-percent spike, with the help of AI, according to CrowdStrike.
Meanwhile, threat groups from Russia and Iran have likewise increasingly “weaponized” AI in attacks, according to the CrowdStrike findings.
Threat actors have also been observed exploiting vulnerabilities in platforms used for building AI agents as well as abusing GenAI tools to create malware, CrowdStrike researchers found.