CrowdStrike: Leading the Race Against Threat Actors

George Kurtz, CEO of CrowdStrike | Credit: CrowdStrike
CrowdStrike's Global Threat Report reveals increased nation-state and ransomware activity, with an 89% rise in AI-backed attacks, while breakout time keeps falling

AI and tech sophistication that helps organisations innovate is also helping cybercriminals attack from the shadows and hide their tracks. 

This cyber reality is why CrowdStrike named 2025 as the “Year of the evasive adversary” in its 2026 Global Threat Report.

With AI-enabled adversaries increasing attacks by 89% year-over-year, the speed, accuracy and sophistication of cyber threats now define the threat landscape.

A striking finding is that intruders increasingly did not break in at all: they used a stolen key (valid credentials) to open the door and blended in with legitimate users.

Threat actors using AI has increased attacks 89% | Credit: CrowdStrike

Such malware-free intrusions accounted for 82% of detections, and they exploited the visibility gaps created by fragmented security ecosystems.

“In the agentic era, defending against AI-accelerated adversaries and securing AI systems themselves require operating at machine speed,” says George Kurtz, CEO and Founder of CrowdStrike.

“The CrowdStrike 2026 Global Threat Report reflects this reality. 

“It provides the intelligence defenders need to understand how adversaries exploit trust, accelerate with AI, and move across domains to remain evasive.

“Our mission remains unchanged. We stop breaches. In the agentic era, that mission requires a single platform with the architecture to reason and act at the speed of the adversary, while securing the AI-powered enterprise.”

Race against time

Adversaries have picked up speed, with the average eCrime breakout time down to 29 minutes in 2025, which the report describes as a 65% increase in speed over the year before.

Average eCrime breakout time drops 70% between 2021 and 2025 | Credit: CrowdStrike

Breakout time is the interval between an adversary gaining initial access and “breaking out”, that is, moving laterally from the first compromised host to other high-value assets.

The fastest logged breakout took a mere 27 seconds.

The data shows a steady drop in average breakout time since 2021, with an overall 70% reduction from 2021 to 2025.

This puts into perspective how fast defenders need to detect and contain an intrusion before the adversary reaches its objective.
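A practitioner will want to measure breakout time in their own telemetry rather than only read the industry average. The following is an added illustration, not CrowdStrike's code or data: it takes a constructed set of intrusion events (the field names `ts`, `intrusion`, `event`, `host` and `detail` are assumptions, not a real sensor schema), computes the interval from the first initial-access event to the first subsequent lateral-movement event for each intrusion, and lists the intrusions whose breakout was faster than an assumed containment budget. The two sample intrusions are built to mirror the 29-minute average and 27-second fastest case cited above.

```python
"""Measure breakout time from endpoint/network telemetry.

Added example, not CrowdStrike's code. Breakout time is taken as the gap
between an adversary's initial access and its first lateral movement.
The events and field names below are constructed for illustration.
"""
from datetime import datetime
from typing import Dict, List

# Constructed sample telemetry for two intrusions (not real data).
SAMPLE_EVENTS: List[dict] = [
    {"ts": "2025-03-04T09:00:00Z", "intrusion": "A", "event": "initial_access",
     "host": "ws-17", "detail": "valid VPN login from an unfamiliar ASN"},
    {"ts": "2025-03-04T09:04:10Z", "intrusion": "A", "event": "discovery",
     "host": "ws-17", "detail": "net group /domain"},
    {"ts": "2025-03-04T09:29:00Z", "intrusion": "A", "event": "lateral_movement",
     "host": "ws-17", "detail": "RDP to fs-01 with stolen domain credentials"},
    {"ts": "2025-03-04T09:45:00Z", "intrusion": "A", "event": "lateral_movement",
     "host": "fs-01", "detail": "SMB admin$ to dc-01"},
    {"ts": "2025-05-11T22:10:00Z", "intrusion": "B", "event": "initial_access",
     "host": "edge-fw", "detail": "exploit against internet-facing appliance"},
    {"ts": "2025-05-11T22:10:27Z", "intrusion": "B", "event": "lateral_movement",
     "host": "edge-fw", "detail": "SSH pivot to jump-01"},
    # Lateral movement with no recorded initial access: visibility gap,
    # so no breakout time can be computed for it.
    {"ts": "2025-06-01T03:00:00Z", "intrusion": "C", "event": "lateral_movement",
     "host": "srv-09", "detail": "PsExec to srv-10"},
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def breakout_times(events: List[dict]) -> Dict[str, float]:
    """Return {intrusion_id: breakout_seconds}.

    Only intrusions with an initial_access event followed by at least one
    lateral_movement event get a value; the rest are skipped so that a
    missing initial-access record is reported as unknown, not as zero.
    """
    first_access: Dict[str, datetime] = {}
    first_lateral: Dict[str, datetime] = {}
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        iid, t = ev["intrusion"], parse_ts(ev["ts"])
        if ev["event"] == "initial_access":
            first_access.setdefault(iid, t)
        elif ev["event"] == "lateral_movement" and iid in first_access:
            first_lateral.setdefault(iid, t)  # only movement after access counts
    return {iid: (first_lateral[iid] - first_access[iid]).total_seconds()
            for iid in first_lateral}


def summarise(by_intrusion: Dict[str, float]) -> Dict[str, float]:
    """Average and fastest breakout across the measured intrusions."""
    values = list(by_intrusion.values())
    return {"count": len(values),
            "average_s": sum(values) / len(values),
            "fastest_s": min(values)}


def faster_than_budget(by_intrusion: Dict[str, float], budget_s: float) -> List[str]:
    """Intrusions that broke out before an assumed containment budget elapsed.

    budget_s is the time the defence is assumed to need to detect and
    contain; any intrusion listed here would have beaten that response.
    """
    return sorted(iid for iid, s in by_intrusion.items() if s < budget_s)


if __name__ == "__main__":
    times = breakout_times(SAMPLE_EVENTS)
    print(times)                              # {'A': 1740.0, 'B': 27.0}
    print(summarise(times))                   # average 883.5 s, fastest 27 s
    print(faster_than_budget(times, 600))     # ['B']: a 10-minute budget loses to B
```

Intrusion C is deliberately left without an initial-access event: the function reports nothing for it rather than a misleading zero, which is the same visibility gap the report attributes to fragmented tooling. Run against real telemetry, the only part that changes is the mapping from sensor event types to the two labels used here.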

Nation state actors

State-sponsored threat actors have abundant resources, and that shows in the sophistication of their attacks.

China-nexus adversaries dominate the adversarial threat landscape.

The CrowdStrike report shows that China-nexus cyber activity rose 38% in 2025.

Global Threat Report reveals evolving cyber trends | Credit: CrowdStrike

China-nexus groups favoured edge-device exploitation, which accounted for 40% of the activity attributed to them.

These internet-facing edge devices typically run little or no EDR and give defenders limited visibility, yet grant immediate network access once compromised, which makes them ideal targets.

PRESSURE CHOLLIMA, the most technically advanced North Korean adversary, carried out what the report calls the largest single financial theft in history: US$1.46bn in cryptocurrency.

The heist was carried out through a supply-chain compromise that delivered trojanised software to the target.

CrowdStrike points out that Democratic People’s Republic of Korea (DPRK)-nexus threat actors pose an acute threat to fintech, technology and Western defence organisations in 2026.


Among state-nexus threat actors, cloud-conscious intrusions rose 266%, and valid-account abuse was the entry point for 35% of cloud incidents.

Ransomware evolves

Big game hunting (BGH) adversaries caused high-impact ransomware incidents worldwide, combining rapid lateral movement with the potential for cross-domain attacks.

Three factors typically enable successful ransomware deployment: unmanaged systems, remote file encryption and cross-domain operations.

These adversaries rely heavily on social engineering for initial access, then abuse cloud and SaaS accounts to locate and exfiltrate data.

CrowdStrike intelligence suggests that ransomware group operations will continue to cause disruptions in 2026. 

Adversaries leveraging AI 

AI is being integrated into every step of the attack cycle, but rather than opening new attack vectors, it is currently used to scale up the capabilities of existing malicious operations.

Case in point: PUNK SPIDER, a moderately resourced threat group, uses AI to speed up its operations.

AI is also used to accelerate malware development. CrowdStrike’s threat intelligence team observed that the FunkLocker and RALord ransomware variants share an encryption flaw associated with WormGPT, suggesting the code was generated with that tool.

Adversaries increasingly integrate AI across attack cycles | Credit: CrowdStrike

The SparkCat mobile malware uses AI-based optical character recognition to select which image files to exfiltrate from infected devices.

FANCY BEAR, a Russia-nexus adversary, used AI to build websites that drop AI-generated malware, which was also obfuscated with AI.

More than 90 organisations fell victim to adversaries who injected malicious prompts into legitimate AI tools, causing those tools to execute commands that stole credentials and cryptocurrency.

Counter adversary operations

CrowdStrike’s intelligence teams monitor adversary activity to identify new adversaries, track malicious campaigns and capture how threats develop.

CrowdStrike’s Overwatch team uses that intelligence for proactive threat hunting.

As adversaries adopt AI, CrowdStrike has advanced Threat AI, its agentic threat-hunting system built on the CrowdStrike Falcon platform.

Threat AI automates complex workflows like malware analysis and threat hunting to then surface actionable recommendations.

In this threat landscape, organisations need to advance their own counter-adversary operations to avoid being overrun by these actors.
