
CrowdStrike: AI and Cloud Now Prime Targets as Threat Actors Blend Tactics

CrowdStrike's 2025 Threat Hunting Report paints a clear picture for IT pros working in cloud and AI: adversaries are not just using AI to supercharge attacks; they are actively targeting the AI systems organizations deploy in production. Combined with a surge in cloud exploitation, this shift marks a significant change in the threat landscape for enterprises.

Cloud Intrusions Reach Record Levels
The report notes a sharp escalation in attacks aimed at cloud environments. CrowdStrike threat hunters identified a 136% increase in cloud intrusions in the first half of 2025 compared to all of 2024, with a 40% year-over-year rise in cloud-conscious intrusions attributed to suspected China-nexus actors. Threat groups such as GENESIS PANDA and MURKY PANDA have proven adept at evading detection by exploiting misconfigurations, abusing trusted relationships, and manipulating cloud control planes to achieve persistence, lateral movement, and data exfiltration.

In detailed case studies, GENESIS PANDA was seen leveraging credentials from compromised virtual machines to pivot into cloud service accounts, establishing "various forms of persistence" including identity-based access keys and SSH keys. MURKY PANDA demonstrated the ability to compromise a supplier's administrative access to a victim's Entra ID tenant, then backdoor service principals to gain access to email and other sensitive assets. Such tactics underscore that cloud administration tooling itself is a prime attack surface.

[Figure: Highlights (source: CrowdStrike).]

AI as Both a Weapon and a Target
The report's headline theme is the rise of AI in both offensive and defensive cyber operations, with a critical warning for defenders. Threat actors are using generative AI (GenAI) to accelerate intrusion workflows, improve phishing lures, create deepfake personas, automate malware development, and enhance technical problem-solving. At the same time, they are increasingly exploiting vulnerabilities in AI platforms themselves as an initial access vector.

CrowdStrike highlighted CVE-2025-3248 in the report, described as "an unauthenticated code injection vulnerability in Langflow AI," a widely used framework for building AI agents and workflows. By exploiting it, attackers were able to achieve "unauthenticated remote code execution" and pursue persistence, credential theft (including cloud environment credentials), and malware deployment. This signals a fundamental shift: "Threat actors are viewing AI tools as integrated infrastructure rather than peripheral applications, targeting them as primary attack vectors."

North Korea-nexus FAMOUS CHOLLIMA exemplifies AI weaponization. In over 320 incidents in the past year, operatives used GenAI to draft résumés, create synthetic identities with altered photos, mask their true appearance in live video interviews using real-time deepfake technology, and leverage AI code assistants for on-the-job tasks. CrowdStrike notes that this represents "a 220% year-over-year increase" in such infiltrations.

This growing trend of targeting AI platforms parallels another key avenue of attack highlighted in the report: identity compromise. Just as adversaries exploit weaknesses in AI tools to gain privileged access, they also exploit weaknesses in human and process-driven identity verification to move laterally across environments. These identity-driven breaches often serve as the connective tissue in complex, cross-domain attacks.

Identity as the Gateway in Cross-Domain Attacks
The report underscores that identity compromise is central to modern cross-domain attacks, where adversaries move fluidly between endpoints, cloud, and unmanaged systems. SCATTERED SPIDER, a prolific eCrime group, resurfaced in 2025 with faster, more aggressive operations. In one incident, they progressed from initial access to ransomware deployment in under 24 hours.

SCATTERED SPIDER relies heavily on vishing and help desk impersonation to reset credentials, bypass multifactor authentication, and gain persistent access. Once authenticated, they pivot rapidly into integrated SaaS applications such as data warehousing, document management, and identity and access management platforms. These footholds support persistence, lateral movement, and large-scale data exfiltration.

Their social engineering tradecraft is precise. When impersonating legitimate employees during help desk engagements, they are able to provide accurate employee IDs and answer verification questions, leveraging stolen personally identifiable information to pass identity checks. This proficiency in identity abuse makes them a significant enabler of broader cross-domain intrusions.

Other Key Highlights from the Report
The report is extensive; some of its key takeaways are:

  • 81% of interactive intrusions were malware-free, underscoring the importance of detecting hands-on-keyboard activity rather than relying solely on malware signatures.
  • Interactive intrusions increased 27% year-over-year, with eCrime activity representing 73% of the total.
  • Voice phishing (vishing) is on track to double 2024's volume, having already surpassed last year's total in the first half of 2025.
  • The government sector saw a 71% year-over-year increase in overall interactive intrusions and a 185% increase in targeted nation-state activity, driven largely by Russia-nexus actors.
  • The telecommunications sector experienced a 130% rise in nation-state activity, primarily linked to China-nexus adversaries such as GLACIAL PANDA.

Implications for IT and Cloud Security Teams
CrowdStrike advises organizations to take the following actions based on its 2025 threat hunting findings:

  • Adopt AI-powered solutions, including agentic AI, to scale security operations. Use these capabilities to triage alerts, conduct investigations, and execute response actions, freeing human analysts to focus on proactive threat hunting and hypothesis-driven investigation.
  • Defend the cloud as core infrastructure by deploying cloud-native application protection platforms (CNAPPs) with detection and response capabilities. Enforce strict access controls such as role-based access and conditional policies, and maintain continuous monitoring for anomalies including logins from unexpected locations.
  • Conduct regular audits of cloud environments to identify and remediate overly permissive storage settings, exposed APIs, and unpatched vulnerabilities. Remove unused permissions and address outdated configurations promptly.
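The persistence tactics described earlier (new access keys and SSH keys minted from a compromised VM identity, credentials added to service principals via supplier access) and the monitoring advice above both come down to reviewing control-plane audit events. The following is an added example, not code from the report or from CrowdStrike: a small review routine over constructed, vendor-neutral audit events. The action names, field names, trusted network range and tenant identifiers are assumptions for illustration, not a real provider's schema.

```python
from ipaddress import ip_address, ip_network

# Assumed action names for the persistence steps the report describes.
PERSISTENCE_ACTIONS = {
    "CreateAccessKey": "new long-lived access key",
    "ImportSshPublicKey": "new SSH key registered",
    "AddServicePrincipalCredential": "secret/certificate added to service principal",
}

# Assumed: the organisation's own egress range and its home tenant identifier.
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]
HOME_TENANT = "tenant-home"


def is_unexpected_location(src_ip: str) -> bool:
    """True when the caller IP falls outside every trusted network."""
    return not any(ip_address(src_ip) in net for net in TRUSTED_NETWORKS)


def review_events(events):
    """Return (event_id, reason) findings that deserve analyst attention:
    - a persistence action taken from an unexpected network location;
    - a service-principal credential added by a principal from a foreign
      tenant (the supplier-access pattern), regardless of source IP."""
    findings = []
    for ev in events:
        action = ev["action"]
        if action not in PERSISTENCE_ACTIONS:
            continue
        label = PERSISTENCE_ACTIONS[action]
        if is_unexpected_location(ev["src_ip"]):
            findings.append((ev["id"], f"{label} from unexpected location {ev['src_ip']}"))
        if action == "AddServicePrincipalCredential" and ev.get("actor_tenant") != HOME_TENANT:
            findings.append((ev["id"], f"{label} by foreign tenant {ev.get('actor_tenant')}"))
    return findings


# Constructed sample events: a VM role minting keys from outside the trusted
# range, and a supplier tenant adding a credential to a service principal.
SAMPLE_EVENTS = [
    {"id": 1, "action": "CreateAccessKey", "actor": "vm-role-web01", "src_ip": "203.0.113.10", "actor_tenant": "tenant-home"},
    {"id": 2, "action": "CreateAccessKey", "actor": "vm-role-web01", "src_ip": "198.51.100.7", "actor_tenant": "tenant-home"},
    {"id": 3, "action": "ImportSshPublicKey", "actor": "vm-role-web01", "src_ip": "198.51.100.7", "actor_tenant": "tenant-home"},
    {"id": 4, "action": "AddServicePrincipalCredential", "actor": "supplier-admin", "src_ip": "203.0.113.50", "actor_tenant": "tenant-supplier"},
    {"id": 5, "action": "ListBuckets", "actor": "analyst", "src_ip": "198.51.100.7", "actor_tenant": "tenant-home"},
]

if __name__ == "__main__":
    for event_id, reason in review_events(SAMPLE_EVENTS):
        print(f"event {event_id}: {reason}")
```

Event 1 is a routine key creation from a trusted range and event 5 is not a persistence action, so only events 2, 3 and 4 are surfaced.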

The CrowdStrike 2025 Threat Hunting Report makes clear that cloud and AI are now central battlegrounds in cyber defense. As adversaries blend these domains in increasingly sophisticated ways, security teams must integrate intelligence, automation, and cross-domain visibility to stay ahead.

About the Author

David Ramel is an editor and writer at Converge 360.
