CrowdStrike has recently released its 2025 Threat Hunting Report, highlighting key trends and shifts observed over the past 12 months. The report covers adversary activity across the first half of the year and drills down into the evolving tactics, techniques and procedures used by today’s cybercriminals. It offers crucial insight into how adversaries are adapting to bypass traditional defences, and sets out the strategies businesses must adopt to proactively detect, disrupt, and defend against them.
Today’s cyber landscape is defined by a new era of threat: a class of enterprising adversaries using sophisticated and scalable tactics to execute attacks with business-like precision and efficiency. Traditional cyber defences are struggling to keep up. Adversaries understand the limitations of conventional safeguards and are highly adept at exploiting security vulnerabilities in established systems and processes.
A key finding from the report is that cyber threat actors are strategically exploiting cloud platforms and human vulnerabilities at unprecedented rates. For example, hands-on-keyboard intrusions, where attackers are actively operating within compromised environments, rose by 27% year over year, underlining a clear shift toward more direct, interactive attack methods that bypass legacy detection systems.
Today’s enterprising adversaries are getting faster, smarter, and more coordinated, bypassing traditional cybersecurity defences with strategic precision. They operate across multiple domains, including identity, endpoint, and cloud, to evade detection. While some prioritise speed and immediate disruption, others favour stealth, prolonged presence, and meticulous execution. These operations can involve covert data harvesting, persistent access maintenance, and preparing a victim’s environment for future attacks.
CrowdStrike observed that over half of the vulnerabilities in 2024 were related to initial access. Common routes of entry include sophisticated social engineering attacks, often enhanced by generative AI. Adversaries now use GenAI to create convincing phishing content and develop contextually aware business email compromise scams. They also leverage it to create deepfakes of known individuals, develop disinformation campaigns, produce technical documents and generate malicious code to exploit vulnerabilities.
Nation-state adversaries are actively adopting GenAI to make operations faster, more efficient, and harder to detect. They use publicly available models for reconnaissance, vulnerability research, and phishing payload creation, as well as for malware advancement, code translation, and execution guidance during attacks. One example is FAMOUS CHOLLIMA, a DPRK-nexus group that infiltrated over 320 companies in the past year, a 220% increase, by posing as IT job seekers.
In the first half of 2025 alone, CrowdStrike observed a 136% increase in cloud intrusions compared to all of 2024. Nation-state targeting has surged, with the government sector seeing a 185% year-over-year increase in targeted intrusion activity, alongside a 71% rise in overall interactive intrusions. The telecommunications sector has also become a key target, experiencing a 130% increase in nation-state activity over the past 12 months.
But it isn’t just nation-state groups making waves. eCrime adversaries continue to demonstrate speed, precision, and technical versatility in their attacks, and their impact is no less severe. Some key examples include:
These examples show that even a single gap in visibility can quickly spiral into a full-scale breach. And as adversaries become more enterprising still, their operations will only become faster, stealthier, and more complex.
The rise of enterprising adversaries marks a significant shift in the global threat landscape. With attackers leveraging cloud platforms, AI, and identity vulnerabilities at speed and scale, businesses can no longer rely on traditional detection methods alone. Today’s threats are more coordinated, cross-domain, and technically advanced than ever before.
To stay ahead, organisations must take proactive, intelligence-led steps to detect and stop attacks before they escalate, including:
This kind of proactive approach is the only way to stay ahead. Ultimately, by unifying security telemetry with threat intelligence and leveraging cross-domain hunting, your business will be much better placed to rapidly detect, disrupt, and contain fast-moving, enterprising threats.
If you’d like to find out more about the evolving threat landscape and how to defend against it, you can download the full CrowdStrike 2025 Threat Hunting Report here.