CrowdStrike 2026 Global Threat Report: The Evasive Adversary Wields AI

BLOG Featured Recent Video Category Start Free Trial CrowdStrike 2026 Global Threat Report: The Evasive Adversary Wields AI Adversaries combined trusted access paths, AI-enabled techniques, and cross-domain movement to evade detection in 2025. February 24, 2026 | Adam Meyers | Threat Hunting & Intel As cyber defenses become stronger, adversaries continue to evolve their tactics to succeed. In 2025, the year of the evasive adversary, the threat landscape was defined by attacks that targeted trusted relationships, demonstrated fluency with AI tools, and incorporated tradecraft tailored to exploit security blind spots. The CrowdStrike Counter Adversary Operations team spends every day immersed in adversary behavior and tradecraft. Each year, they compile their most critical observations and insights into the CrowdStrike Global Threat Report. When the team looked back on 2025, the most prominent trend was subtlety: Adversaries are shifting away from heavily monitored systems to quietly gain access and deftly move across endpoint, identity, SaaS, and cloud environments. To defend themselves, security leaders need clarity on which adversaries to watch, the details of their behavior, and how to prepare for and respond to an attack. The CrowdStrike 2026 Global Threat Report provides a comprehensive overview of the modern threat landscape so organizations can prepare to face it. Learn more: Download the CrowdStrike 2026 Global Threat Report Inside the Evasive Adversary’s Toolbox  In 2025, adversaries became faster than ever before. The average eCrime breakout time — the period between initial access and lateral movement onto another system — dropped to 29 minutes, a 65% increase in speed from 2024. The fastest observed breakout time: 27 seconds. Adversaries of all motivations utilized AI technology throughout 2025 to accelerate and optimize their existing techniques. They explored its use in attack types such as social engineering and information operations, proving their growing proficiency with AI tools. Most threat actors that integrated AI increased their attack volume: CrowdStrike observed an 89% increase in the number of attacks by AI-enabled adversaries compared to 2024. In addition to using AI tools, adversaries are targeting the AI systems underpinning the modern enterprise. As AI is embedded into development pipelines, SaaS platforms, and operational workflows, AI systems become part of the attack surface. In 2025, adversaries exploited legitimate GenAI tools at more than 90 organizations by injecting malicious prompts to generate commands for stealing credentials and cryptocurrency. They also exploited vulnerabilities in AI development platforms to establish persistence and deploy ransomware, and published malicious AI servers impersonating trusted services to intercept sensitive data. In 2025, evasion was defined by the speed at which adversaries exploit trust. They operated using valid credentials, trusted identity flows, approved SaaS integrations, and inherited software supply chains. Notably, 82% of detections were malware-free. Intrusions moved through authorized pathways and trusted systems, where they blended into normal activity. Supply chain attacks were a defining tactic of 2025. Adversaries compromised upstream providers, development ecosystems, and public code repositories to gain broad access to downstream organizations. In one example, PRESSURE CHOLLIMA stole $1.46 billion USD worth of cryptocurrency through trojanized software delivered via supply chain compromise — the largest single financial theft ever reported.1 CrowdStrike observed a 42% year-over-year increase in zero-days exploited prior to public disclosure as adversaries weaponized dozens of them for initial access, remote code execution, and privilege escalation. In parallel with this trend, 67% of vulnerabilities exploited by China-nexus adversaries provided immediate system access; 40% targeted edge devices that typically lack comprehensive monitoring. China-nexus adversaries systematically exploited vulnerabilities in network edge devices such as VPN appliances, firewalls, and gateways to establish long-term access for intelligence collection. CrowdStrike named 24 new adversaries in 2025, bringing the total tracked to 281+. These threat actors continue to become faster, stealthier, and more effective as they adapt to navigate larger environments and bypass sophisticated security controls. Below are more trends and observations we explore in this year’s report:  38% increase in China-nexus intrusions across all sectors, with an 85% increase in logistics targeting 130% increase in North Korea-nexus incidents, as FAMOUS CHOLLIMA’s activity doubled year-over-year and STARDUST CHOLLIMA increased their operational tempo 82% of detections were malware-free as adversaries used valid credentials, trusted identity flows, and approved SaaS integrations to move across domains 37% increase in cloud-conscious intrusions, with a staggering 266% increase among state-nexus actors; valid account abuse accounted for 35% of cloud incidents 563% increase in incidents using fake CAPTCHA lures, demonstrating adversaries’ shift to effective social engineering techniques 141% increase in spam emails, providing adversaries with more opportunities to gain initial access CrowdStrike is committed to understanding adversaries because it’s the most effective way to defend against them. The CrowdStrike 2026 Global Threat Report summarizes our observations throughout 2025 and the themes, trends, and events that defined the cyber threat landscape. Download the full report to understand how today’s adversaries are operating and how to strengthen your defenses. 1 https://www.elliptic.co/blog/bybit-hack-largest-in-history || https://www.ic3.gov/psa/2025/psa250226 Tweet Share CrowdStrike 2026 Global Threat Report AI threats have reached a critical turning point. Access the definitive look at the cyber threat landscape. Download report Related Content The Art of Deception: How Threat Actors Master Typosquatting Campaigns to Bypass Detection LABYRINTH CHOLLIMA Evolves into Three Adversaries How CrowdStrike’s Malware Analysis Agent Detects Malware at Machine Speed CATEGORIES Agentic SOC 48 Cloud & Application Security 139 Data Protection 21 Endpoint Security & XDR 351 Engineering & Tech 86 Executive Viewpoint 177 Exposure Management 116 From The Front Lines 198 Next-Gen Identity Security 67 Next-Gen SIEM & Log Management 111 Public Sector 40 Securing AI 25 Threat Hunting & Intel 210 CONNECT WITH US FEATURED ARTICLES October 01, 2024 CrowdStrike Named a Leader in 2024 Gartner® Magic Quadrant™ for Endpoint Protection Platforms September 25, 2024 Recognizing the Resilience of the CrowdStrike Community September 25, 2024 CrowdStrike Drives Cybersecurity Forward with New Innovations Spanning AI, Cloud, Next-Gen SIEM and Identity Protection September 18, 2024 SUBSCRIBE Sign up now to receive the latest notifications and updates from CrowdStrike. Sign Up The Art of Deception: How Threat Actors Master Typosquatting Campaigns to Bypass Detection Copyright © 2026 CrowdStrike Privacy Request Info Blog Contact Us 1.888.512.8906 Accessibility ABOUT COOKIES ON THIS SITE In order to provide you with the most relevant content and best browser experience, we use cookies to remember and store information about how you use our website. See how we use this information in our Privacy Notice and more information about cookies in our Cookie Notice. Privacy Preference Center Privacy Preference Center Your Privacy Strictly Necessary Cookies Performance Cookies Functional Cookies Targeting Cookies Your Privacy When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer. More information Strictly Necessary Cookies Always Active These cookies are necessary for the website to function and cannot be switched off in our systems. They may be set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies may process limited personal information, such as technical or device identifiers, where necessary to ensure the security, functionality, and integrity of the website or web portal. Such processing is strictly limited to what is required for these purposes and is not used for advertising or marketing. Cookies Details Performance Cookies Performance Cookies These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore does not identify you. If you do not allow these cookies, your visit to our website will not be included in our analytics, and our ability to monitor website performance and make improvements will be reduced. Cookies Details Functional Cookies Functional Cookies These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly. Cookies Details Targeting Cookies Targeting Cookies These cookies may be set on our site by our advertising partners. They assign a unique identifier to your browser or device and may track your activity across sites to build a profile of your interests and show you relevant adverts on other sites. If you do not allow these cookies, you will still see ads, but they may be less relevant to you. Cookies Details Cookie List Consent Leg.Interest checkbox label label checkbox label label checkbox label label Clear checkbox label label Apply Cancel Confirm My Choices Allow All