CISOs and their teams are entering a “new era” of cyberthreats characterized by sophisticated threat actors who operate with “business-like efficiency,” researchers from CrowdStrike conclude in the cybersecurity giant’s 2025 Threat Hunting Report.
“These adversaries operate with strategic precision to maximize impact and quickly achieve their goals,” CrowdStrike said in the report. “Innovation is a critical cornerstone to outmaneuver and disrupt the enterprising adversary.”
Chief among the emerging adversarial tactics is the rapid adoption of AI technologies. “The more advanced adversaries use generative AI to increase sophistication, to increase the speed at which they operate, and to increase their capability,” Adam Meyers, CrowdStrike’s senior VP, said during a press briefing.
“We can see that they’re using gen AI to create more sophisticated phishing,” Meyers said. “They’re using it for business email compromise scams. They’re using natural language and things like that to make more compelling phishing content. They’re also using generative AI to create identities.”
The challenge of stopping these more effective adversaries is that they rely heavily on exploiting hard-to-control human factors through social engineering, now often aided by AI, and they target unmanaged devices outside IT’s purview to hide themselves from detection.
In its report, CrowdStrike offers case studies of select groups to illustrate the advanced nature of the threats defenders face, clustering these groups according to their basic fields or sphere of operations, such as cross-domain, identity, cloud, endpoint, and vulnerability.
Cross-domain: Blockade Spider and Operator Panda
Cross-domain adversaries engage in dispersed actions across various domains, including identity systems, endpoints, and the cloud, to better avoid detection or make it harder to identify their actions as being part of a coordinated effort.
“This is becoming the norm,” Meyers said. “It is no longer novel or an exception. When I talk about cross-domain attacks, I am talking about something that spans multiple domains within the security environment.” For example, “Once they have compromised the identity rather than going after the endpoints, they use those identities to pivot into the cloud,” he said. “They then use that to pivot to unmanaged devices.”
CrowdStrike offers case studies of two threat actors, an “eCrime” adversary dubbed Blockade Spider and a Chinese state threat group, Operator Panda, both of which rely on cross-domain attacks.
In early 2025, CrowdStrike observed Blockade Spider access a network via an unmanaged VPN, where it performed several actions, including attempting to dump credentials from a Veeam Backup and Replication configuration database and delete backup files. The group also repeatedly tried to tamper with CrowdStrike’s Falcon sensor.
Although Blockade Spider had embedded itself deeply in the target’s network, CrowdStrike was able to observe the full extent of its activity, and the customer was ultimately able to shut down the threat actor’s access.
Regarding Operator Panda, better known as Salt Typhoon, CrowdStrike discovered that in mid-2024, the group targeted a US-based telecommunications entity and a US-based consulting and professional services firm by exploiting Cisco switches running Cisco IOS and Cisco IOS XE. To better hide their activities, Operator Panda sanitized logs from the compromised Cisco switches.
They also chained vulnerabilities, leveraging one flaw to create a local user account, which they then exploited to abuse another vulnerability in a different component of the Cisco web UI feature, enabling them to run arbitrary commands on the device.
Identity threats: Scattered Spider
Identity-oriented adversaries exploit human weaknesses, using social engineering and AI-based tools to obtain compromised credentials that give them access to networks.
Voice-based phishing is one identity-based attack tool rising in prominence, having increased in use by 443% last year, according to Meyers. “This is on track to double by the end of 2025,” he said. “So, voice-based phishing continues to be a huge opportunity for threat actors to take advantage of some of the security or bypass some of the security controls, oftentimes calling the help desk and saying, ‘Hey, this is a legitimate user in the environment, I can’t access my account, and I need a password reset.’”
“Scattered Spider has really kind of been leading the way in [the evolution of] social engineering attacks,” Meyers said.
Following a dormant period, the group came roaring back in April 2025, engaging in impersonation campaigns to gain access to a host of organizations. In its report, CrowdStrike said that in one 2025 ransomware incident, Scattered Spider progressed from initial access to encryption within 24 hours, far faster than its average time of 35.5 hours in 2024 and 80 hours in 2023. This has been a trend seen across the industry, with ransomware gangs extorting victims less than a day after initial intrusion.
Cloud threats: Genesis Panda and Murky Panda
Over the past 12 months, CrowdStrike has observed a 40% increase in cloud intrusions associated with China-nexus groups. “The cloud is an ideal target,” Meyers said. “It is huge. It has vast amounts of data. Oftentimes, Chinese nexus adversaries can employ some innovative tactics, such as using ORB [Operational Relay Box] networks to avoid detection and to make it more difficult to see what they’re up to.”
In its report, CrowdStrike highlighted the case of Genesis Panda. Since at least March 2024, the group has been able to use cloud services to support tool deployment, command and control (C2) communications, and exfiltration, targeting cloud service provider (CSP) accounts to expand access and establish alternate forms of persistence. In October 2024, CrowdStrike identified hands-on keyboard activity from a Genesis Panda implant running on a cloud compute instance, likely using compromised credentials from cloud VMs to target the organization’s cloud account.
In early March 2025, CrowdStrike identified an intrusion in which Genesis Panda obtained credentials to the target organization’s cloud provider account by querying the instance metadata service (IMDS) after exploiting a public-facing Jenkins server. The group then added SSH keys and created a backdoor access key on the cloud service account, later reusing it to regain access.
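The Genesis Panda intrusion described above follows a recognizable sequence in cloud audit logs: credentials obtained from the instance metadata service carry the EC2 instance's identity, and their later use to mint an IAM access key or import an SSH key is a persistence step that should rarely, if ever, come from an instance role. The check below is an added example written for this article, not code from CrowdStrike or the report; it runs over constructed CloudTrail-style events (simplified to the fields it reads) and flags IAM or key-pair mutations made by instance-role sessions, noting when the source IP is not one the instance is known to use. The `KNOWN_INSTANCE_IPS` mapping and the event bodies are assumptions built for the demonstration.

```python
import json

# Constructed CloudTrail-style events, reduced to the fields this check reads.
# Not real telemetry and not drawn from the CrowdStrike report.
SAMPLE_EVENTS = [
    # Normal: the instance role on i-0abc123 reads an object from its own IP.
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/BuildRole/i-0abc123",
                      "sessionContext": {"ec2RoleDelivery": "2.0"}}},
    # Suspicious: the same instance-role session creates an IAM access key,
    # from an address that is not the instance's own.
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/BuildRole/i-0abc123",
                      "sessionContext": {"ec2RoleDelivery": "2.0"}},
     "requestParameters": {"userName": "svc-backup"}},
    # Out of scope for this rule: a human IAM user creating a key.
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/alice"}},
]

# Assumed: egress addresses per instance id, from a CMDB or VPC flow data.
KNOWN_INSTANCE_IPS = {"i-0abc123": {"10.0.1.25"}}

# API calls that establish durable access: new IAM users/keys and SSH key pairs.
PERSISTENCE_ACTIONS = {
    ("iam.amazonaws.com", "CreateAccessKey"),
    ("iam.amazonaws.com", "CreateUser"),
    ("iam.amazonaws.com", "CreateLoginProfile"),
    ("iam.amazonaws.com", "AttachUserPolicy"),
    ("ec2.amazonaws.com", "ImportKeyPair"),
    ("ec2.amazonaws.com", "CreateKeyPair"),
}


def session_name(event):
    """Last path element of the STS ARN; for instance-profile credentials
    this is the EC2 instance id."""
    return event.get("userIdentity", {}).get("arn", "").rsplit("/", 1)[-1]


def is_instance_role_session(event):
    """True when the caller's credentials came from an instance profile."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return False
    ctx = ident.get("sessionContext", {})
    # ec2RoleDelivery is present when the credentials were fetched from IMDS;
    # an "i-" session name is the fallback signal when that field is absent.
    return "ec2RoleDelivery" in ctx or session_name(event).startswith("i-")


def find_imds_persistence(events, known_ips):
    """Return persistence actions performed with instance-role credentials,
    marking those made from an address the instance is not known to use."""
    hits = []
    for ev in events:
        if (ev.get("eventSource"), ev.get("eventName")) not in PERSISTENCE_ACTIONS:
            continue
        if not is_instance_role_session(ev):
            continue
        inst = session_name(ev)
        src = ev.get("sourceIPAddress", "")
        hits.append({
            "instance": inst,
            "eventName": ev["eventName"],
            "sourceIP": src,
            "off_host": src not in known_ips.get(inst, set()),
            "target": ev.get("requestParameters", {}).get("userName"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_imds_persistence(SAMPLE_EVENTS, KNOWN_INSTANCE_IPS):
        print(json.dumps(hit))
```

The `off_host` flag is the higher-confidence signal: role credentials used from outside the instance that received them indicate the credentials were copied off the host, which is exactly the IMDS-theft pattern the report describes. Instance roles that legitimately need to create keys or users are rare enough that the remaining hits are worth an allow-list and a review rather than being tuned away.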
Another China group, Murky Panda, targets cloud environments through trusted relationships between partner organizations and their cloud tenants, particularly in North America.
In late 2024, CrowdStrike responded to an incident in which Murky Panda likely compromised a supplier of a North American entity, using the supplier’s admin access to add a temporary backdoor account to the victim entity’s Entra ID tenant. Murky Panda then backdoored several preexisting Entra ID service principals related to Active Directory management and email.
Endpoint threats: Glacial Panda
Endpoint threat actors operate on extended timelines, relying on stealth and persistence to sustain access, harvest data, and prepare for future operations, an approach China-nexus adversaries have mastered.
“These adversaries demonstrate deep knowledge of the endpoints that are there, what threat hunters have to enable them to look at those, and what types of detections are being used,” Meyers said. “So, the adversaries have learned how the defenders are operating and how the threat hunters are looking, and they look to avoid detection.”
One such adversary, a China-nexus group called Glacial Panda, which CrowdStrike said operates across the telecommunications industry, likely conducts targeted intrusions for intelligence collection, primarily targeting telcos’ Linux systems, including legacy systems that support older technologies.
Glacial Panda deploys trojanized OpenSSH tools on compromised Linux hosts to log user authentication events and support lateral movement by tracking remote connections to other hosts in a technique CrowdStrike calls ShieldSlide.
Vulnerability threats: Graceful Spider
Fifty-two percent of vulnerabilities CrowdStrike observed in 2024 were related to initial access, with exploitation of internet-exposed applications a prevalent method, underscoring the importance of vulnerability management in limiting exposure to zero-day exploitation.
“eCrime actors are quickly able to take the learnings from when a nation state finds one of those zero days and it gets documented in a blog post,” Meyers said. “Then the eCrime actors can take that information and quickly weaponize it to do more widespread exploitation.”
In its report, CrowdStrike points to an incident involving the group Graceful Spider and how it impacted Cleo data transfer products in late 2024.
On Dec. 7, 2024, CrowdStrike detected suspected exploitation of multiple Cleo products on Windows and Linux servers, with compromises across Cleo instances in various sectors and geographies. Based on the threat actor’s targets, speed, scope, and tactics, CrowdStrike determined the activity was likely a zero-day file upload exploit leading to remote code execution related to an earlier vulnerability.
Top takeaways for defenders
Based on the trends in CrowdStrike’s report, Meyers offered defenders a few key takeaways.
Implement identity threat detection. When it comes to identity threats, “rolling out identity threat detection response is one of the tools to protect those identities, making sure that you have adequate threat hunting to hunt across those identities,” he said.
MFA is a must. As has been standard security advice for years now, “Rolling out multifactor authentication using good multifactor authentication, meaning not SMS, is critical,” Meyers added.
Harden the cloud. Another takeaway is to “defend the cloud,” Meyers said. “The cloud is increasingly being identified as a soft spot for organizations that haven’t implemented proper cloud security.”
Shore up cross-domain visibility gaps. “That means instrumenting identity, that means instrumenting cloud, and that means having visibility into unmanaged devices through finding those unmanaged devices and deploying things like EDR to them,” Meyers said. “And if they don’t support EDR, then instrument them into next-gen SIEM [security information and event management] solutions.”
Check your patch priorities. “A lot of organizations are still patching based on the vulnerabilities’ criticality,” Meyers said. “We advocate … understanding what vulnerabilities are being exploited and patching those immediately. CISA puts out the known exploited vulnerabilities every week, which updates organizations on what they’re seeing. So having the patch model be what is being exploited and patching that first is incredibly important.”
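Putting the advice above into practice means ranking findings by whether they are known to be exploited before ranking them by severity score. The script below is an added example for this article, not CrowdStrike's or CISA's code; it joins constructed scanner findings against a constructed subset shaped like the entries in CISA's KEV JSON feed (`cveID`, `dueDate`, `knownRansomwareCampaignUse`, with placeholder CVE identifiers) and orders them so that a KEV-listed medium-severity flaw on an internet-exposed host lands ahead of a critical-severity flaw nobody is known to be exploiting. The hostnames, scores and dates are assumptions made for the demonstration; in production the KEV list would be loaded from CISA's published feed.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance from a scanner (constructed for this example)."""
    host: str
    cve: str
    cvss: float
    internet_exposed: bool


# Constructed subset in the shape of the KEV feed's "vulnerabilities" entries.
# The CVE ids are placeholders, not real catalog entries.
KEV_ENTRIES = [
    {"cveID": "CVE-0000-10001", "dueDate": "2025-09-01", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-10002", "dueDate": "2025-09-15", "knownRansomwareCampaignUse": "Unknown"},
]

# Constructed scanner output for a handful of hosts.
FINDINGS = [
    Finding("db-01", "CVE-0000-20001", 9.8, False),      # critical, but not known exploited
    Finding("vpn-gw", "CVE-0000-10001", 7.2, True),      # KEV, ransomware-linked, exposed
    Finding("jenkins-01", "CVE-0000-10002", 6.5, True),  # KEV, exposed
    Finding("build-03", "CVE-0000-10002", 6.5, False),   # KEV, internal
    Finding("wiki", "CVE-0000-20002", 5.3, True),        # not known exploited, exposed
]


def kev_index(entries):
    """Map cveID -> KEV entry for O(1) lookups."""
    return {e["cveID"]: e for e in entries}


def priority_key(finding, kev):
    """Sort key: smaller tuples are patched first."""
    entry = kev.get(finding.cve)
    if entry is None:
        # Not known exploited: fall back to severity, then exposure.
        return (1, 0, -finding.cvss, not finding.internet_exposed, date.max)
    ransomware = entry.get("knownRansomwareCampaignUse") == "Known"
    # Known exploited: ransomware-linked and internet-exposed first, then the
    # earliest CISA due date, with CVSS only as the tiebreaker.
    return (0, 0 if ransomware else 1, 0 if finding.internet_exposed else 1,
            date.fromisoformat(entry["dueDate"]), -finding.cvss)


def prioritize(findings, kev_entries):
    """Return findings in patch order, known-exploited first."""
    kev = kev_index(kev_entries)
    return sorted(findings, key=lambda f: priority_key(f, kev))


def patch_order(findings, kev_entries):
    """Compact (host, cve) view of the patch queue."""
    return [(f.host, f.cve) for f in prioritize(findings, kev_entries)]


def overdue(findings, kev_entries, today):
    """KEV-listed findings whose CISA remediation due date has already passed."""
    kev = kev_index(kev_entries)
    return [f for f in findings
            if f.cve in kev and date.fromisoformat(kev[f.cve]["dueDate"]) < today]


if __name__ == "__main__":
    for host, cve in patch_order(FINDINGS, KEV_ENTRIES):
        print(f"{host:12} {cve}")
    print("overdue:", [(f.host, f.cve) for f in overdue(FINDINGS, KEV_ENTRIES, date(2025, 9, 10))])
```

The tuple key encodes the policy in one place, so a team that wants ransomware linkage weighted below internet exposure, or wants a CVSS floor for non-KEV items, changes a single line rather than the loop. The `overdue` view is the natural companion report: it lists the KEV items already past their remediation deadline, which is the list a defender patches today regardless of score.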
Know thy enemy. “It’s important to know your adversary,” Meyers said. “Understand who these threat actors are, how they operate, what they’re up to, and how they’re changing to instrument your defenses.”