
The Global Threat Report 2025 shows increasing aggressiveness of Chinese cyber espionage, a rise in GenAI-based social engineering and vulnerability research and exploitation by nation-state actors, and a sharp increase in malware-free, identity-based attacks.
According to the report, state-sponsored cyber operations by China-affiliated attackers increased by 150%, with targeted attacks in the financial services, media, manufacturing, and industrial sectors increasing by up to 300%. At the same time, attackers worldwide are leveraging AI-generated deception, using stolen credentials, and increasingly conducting cross-domain attacks, exploiting weaknesses across endpoints, cloud, and identity to bypass security controls and operate undetected. The growing shift toward malware-free attacks that abuse trusted access, combined with record-breaking breakout times, leaves defenders little room for error. To stop modern attacks, security teams must close visibility gaps, detect hostile activity in real time, and stop attacks before they spread: once attackers are inside the environment, it is too late.
Cyber Espionage Threat Report
- China's cyber espionage is becoming increasingly aggressive: CrowdStrike identified seven new China-related attackers and a 150% increase in China-related espionage attacks in 2024, with targeted attacks on critical industries increasing by up to 300%.
- Generative AI gives social engineering a huge boost: Between the first and second half of 2024, AI-driven phishing and impersonation tactics led to a 442% increase in voice phishing (vishing). Sophisticated eCrime groups such as CURLY SPIDER, CHATTY SPIDER, and PLUMP SPIDER used social engineering to steal credentials, establish remote sessions, and evade detection.
- Iran uses generative AI for vulnerability research and exploitation: In 2024, Iran-aligned attackers increasingly explored the potential uses of generative artificial intelligence for vulnerability research, exploit development, and patching domestic networks, in coordination with government-led AI initiatives.
- From intrusion to login – malware-free attacks are on the rise: 79% of initial access activity is now malware-free, while the number of access broker listings has increased by 50% year-over-year. Attackers used compromised credentials to infiltrate systems as legitimate users and moved laterally undetected using hands-on-keyboard activity.
- Insider threats continue to increase: The attacker FAMOUS CHOLLIMA, attributed to the Democratic People's Republic of Korea (DPRK), was behind 304 incidents uncovered in 2024. Of these, 40% were so-called insider threat operations, in which attackers acted under the guise of legitimate employment to gain access to the system and conduct malicious activities.
- Record-breaking breakout time: The average eCrime breakout time dropped to 48 minutes, with the fastest being 51 seconds, leaving defenders little time to react.
- Cloud environments in the crosshairs: The number of new and unattributed cloud intrusions increased by 26% year-on-year. Valid account abuse is the primary tactic for initial access, accounting for 35% of cloud incidents in the first half of 2024.
- Unpatched vulnerabilities remain a major target: 52% of all observed vulnerabilities were exploited for initial access, highlighting the urgent need to secure entry points before attackers can establish a permanent presence.
"China's increasingly aggressive cyberespionage, combined with the growing use of AI-based deception, is forcing organizations to rethink their security approach," explains Adam Meyers, Head of Counter Adversary Operations at CrowdStrike. "Attackers exploit identity gaps, employ social engineering, and move undetected across multiple domains, rendering traditional defenses ineffective. Stopping breaches requires a unified platform powered by real-time threat intelligence and hunting, capable of correlating identity, cloud, and endpoint activity to eliminate blind spots where enemies hide."
More at Crowdstrike.com
About CrowdStrike
CrowdStrike Inc., a global leader in cybersecurity, is redefining security in the cloud age with its completely redesigned platform for protecting workloads and devices. The lean single-agent architecture of the CrowdStrike Falcon® platform uses cloud-scaled artificial intelligence and ensures protection and transparency across the company. This prevents attacks on end devices both inside and outside the network. With the help of the company's own CrowdStrike Threat Graph®, CrowdStrike Falcon correlates around 1 trillion endpoint-related events worldwide every day and in real time. This makes the CrowdStrike Falcon platform one of the world's most advanced data platforms for cybersecurity.