
Cyber attacks in 2025: SaaS is a blind spot, China advances

CrowdStrike report charts today's trends


CrowdStrike has just released its 2025 Global Threat Report. In it, the company reveals that cyber threats increasingly rely on legitimate tools, and that new threats have emerged from new corners of the globe. The solution: an offensive posture.

The CrowdStrike report has become an annual tradition. Although the security firm would rather see every threat disappear, it is constantly on the lookout for adversaries that merit a “promotion” to being tracked fully. Such a promotion means the threat actor in question receives a code name, typically an adjective paired with an animal species. The animal denotes a characteristic of the group: usually its country of origin, but sometimes a subcategory of attackers such as hacktivists. For example, the notorious Cozy Bear is of Russian origin, while Scattered Spider is an eCrime group.

Pandas and saiga antelopes

This year saw the addition of many pandas, i.e. cyber threats emerging from China. CrowdStrike measured a 150 percent increase in Chinese activity, reaching up to 300 percent in certain sectors. This growth was accompanied by signs of sophisticated attack techniques previously adopted by adversarial counterparts in Russia and North Korea. Adam Meyers, Senior Vice President of Counter Adversary Operations at CrowdStrike, concludes that China has matured as a haven for cyberattacks during 2024.

The cyber animal kingdom has also grown more diverse, reflecting the variety of origins of threats. Consider Kazakhstani actors, identified in CrowdStrike reporting as saiga antelopes, such as Comrade Saiga. Meyers points out that the threat landscape isn’t only evolving to become more ‘biodiverse’. Attack methods have become more cunning than ever as well, and are consequently more difficult to detect than ever before.

Legitimate tools and EDR subversion

79 percent of CrowdStrike detections worldwide involved malware-less attacks that require hands-on-keyboard action on the part of the attacker. “Interactive intrusions,” in the security company’s terminology, are on the rise. For instance, the eCrime group Curly Spider combined social engineering with legitimate remote monitoring and management (RMM) tools and cloud-hosted payloads to strike at its targets.

Since legitimate binaries and accounts are used throughout these interactive intrusions, traditional EDR tools don’t readily flag the activity as suspicious. Meanwhile, the damage remains enormous and occurs at an alarming pace. SaaS applications contain valuable data that attackers exfiltrate or manipulate for their own purposes. Within 4 minutes, cyber threats like Curly Spider may move from initial access to connecting to their own malicious infrastructure. Just 6 seconds later, a backdoor can be established for long-term residence in the compromised IT network.

Threat hunting: cutting off attackers’ path

CrowdStrike offers the XDR platform Falcon. Such tools typically communicate in two directions, where endpoints are protected in real-time while also relaying information about new threats to the security vendor itself. However, Meyers recognizes that being a gatekeeper for endpoints is no longer sufficient. CrowdStrike therefore operates with two teams under Meyers’ Counter Adversary Operations unit: CrowdStrike Intelligence and CrowdStrike OverWatch. The former maps the latest cyber threats in real-time, while OverWatch applies this intelligence to proactively outsmart threats and cut off attacks before they happen.

We asked Meyers how this intelligence is combined. “It can be preventative. We’ve stopped some breaches by identifying credentials flowing within eCrime ecosystems.” Indeed, Meyers explained that the aforementioned Curly Spider was caught in the act by CrowdStrike OverWatch and halted within those critical four minutes. Another example: Famous Chollima (chollima is a mythical Chinese horse, and represents North Korea in CrowdStrike’s taxonomy). Meyers recounts how a client hired a North Korean employee on a Wednesday, with the PC arriving at the laptop farm on Saturday. “It was plugged in, and CrowdStrike was able to report this to the customer within an hour. On Monday, when the employee would have been onboarded and gained access to all systems, their account was terminated.”

It’s evident that speed is critical. 52 percent of vulnerabilities observed by CrowdStrike were related to initial access, meaning attackers walk in through the front door with legitimate credentials or tools. Additionally, the average “breakout time”, the period an attacker needs to expand beyond initial access, was just 48 minutes. The speed record was a staggering 51 seconds from infiltration to exploitation.

Explosion of vishing

The CrowdStrike report reveals another threat that emerged in the final months of 2024 in particular: vishing. No, that’s not a typo: it refers to voice-phishing, or deception via phone or Teams calls, which increased by 442 percent compared to 2023. CrowdStrike detected only two occurrences in January, but 93 by December.

Attackers frequently impersonate IT professionals in Teams calls and urge employees to install legitimate RMM tools. Microsoft Quick Assist, for example, is an extremely common solution for resolving PC problems. Because attackers initially distribute phishing emails with Teams invitations at scale, they inevitably find targets. Which group is one of the biggest proponents of this trendy attack technique? None other than Curly Spider. Once again, this adversary of CrowdStrike and its clients proves to be a valuable source of information about the behavior of the most sophisticated cyber threats, precisely because it is one.
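The two patterns described above, interactive intrusions that run legitimate RMM binaries (“Legitimate tools and EDR subversion”) and vishing victims talked into launching Quick Assist or a freshly downloaded remote-control tool, share one defensive handle: the tool is legitimate, so the signal is who started it, from where, and what spawned it. The script below is an added example, not CrowdStrike’s or Falcon’s code and not taken from the report. It applies a hypothetical sanctioned-use policy to constructed process-creation events; the binary names, the helpdesk account, the paths and the log lines are all assumptions for illustration, and real EDR telemetry uses different field names.

```python
"""Flag launches of remote-management / remote-assistance tools that do not
match an organisation's sanctioned-use policy, from process-creation events.

Added example, not CrowdStrike's or Falcon's code. Tool names, the policy and
the log lines below are constructed for illustration; real EDR telemetry has
different field names."""
import json
import ntpath

# Remote-control binaries to watch. Names are assumed for illustration; build
# this list from your own software inventory.
RMM_TOOLS = {
    "quickassist.exe": "Microsoft Quick Assist",
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "screenconnect.clientservice.exe": "ConnectWise ScreenConnect",
}

# Hypothetical policy: only TeamViewer from its install directory and the
# built-in Quick Assist from System32 are sanctioned, and only the helpdesk
# account or the Windows service account may start them.
SANCTIONED_PATHS = {
    "teamviewer.exe": r"c:\program files\teamviewer",
    "quickassist.exe": r"c:\windows\system32",
}
ALLOWED_LAUNCHERS = {r"corp\helpdesk01", r"nt authority\system"}
# Parents that mean a person clicked something (browser, mail, chat client):
# the shape of a social-engineered install or a cloud-hosted download.
USER_FACING_PARENTS = {"msedge.exe", "chrome.exe", "firefox.exe",
                       "outlook.exe", "ms-teams.exe", "teams.exe"}


def assess_event(event):
    """Return an alert dict for one process-creation event, or None."""
    image = event["image"].lower()
    name = ntpath.basename(image)
    if name not in RMM_TOOLS:
        return None
    reasons = []
    if name not in SANCTIONED_PATHS:
        reasons.append("unsanctioned remote-control tool")
    elif not ntpath.dirname(image).startswith(SANCTIONED_PATHS[name]):
        reasons.append("sanctioned tool started from an unexpected path")
    if event["user"].lower() not in ALLOWED_LAUNCHERS:
        reasons.append("started by an account outside the IT support group")
    parent = ntpath.basename(event["parent_image"]).lower()
    if parent in USER_FACING_PARENTS:
        reasons.append(f"spawned by user-facing application {parent}")
    if not reasons:
        return None
    # A lone "wrong account" finding is medium; an unsanctioned tool, or any
    # combination of findings, is high: it matches the hands-on-keyboard,
    # legitimate-tool pattern the report describes.
    high = len(reasons) > 1 or reasons[0].startswith("unsanctioned")
    return {"time": event["time"], "host": event["host"], "user": event["user"],
            "tool": RMM_TOOLS[name], "severity": "high" if high else "medium",
            "reasons": reasons}


def assess_log(jsonl_text):
    """Run assess_event over newline-delimited JSON events; skip blank lines."""
    alerts = []
    for line in jsonl_text.splitlines():
        if line.strip():
            alert = assess_event(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample events (not real telemetry): a managed TeamViewer service
# start, a harmless Notepad launch, Quick Assist opened by an ordinary user, and
# a browser-downloaded AnyDesk run from the user's Downloads folder.
SAMPLE_LOG = r"""
{"time": "2025-03-03T09:01:12Z", "host": "WS-0142", "user": "NT AUTHORITY\\SYSTEM", "parent_image": "C:\\Windows\\System32\\services.exe", "image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe"}
{"time": "2025-03-03T09:14:05Z", "host": "WS-0142", "user": "CORP\\jdoe", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\notepad.exe"}
{"time": "2025-03-03T09:15:40Z", "host": "WS-0142", "user": "CORP\\jdoe", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\QuickAssist.exe"}
{"time": "2025-03-03T09:17:03Z", "host": "WS-0142", "user": "CORP\\jdoe", "parent_image": "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe", "image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe"}
"""

if __name__ == "__main__":
    for alert in assess_log(SAMPLE_LOG):
        print(json.dumps(alert))
```

Run stand-alone, the script prints two alerts: a medium one for Quick Assist started by a non-helpdesk account, and a high one for AnyDesk, which is unsanctioned, launched by a regular user and spawned by the browser that downloaded it. The TeamViewer service start is silent because it matches every policy element. The point of the design is that none of the three flagged properties depends on the binary being malicious, which is exactly why signature-based detection misses these intrusions and why the policy, not the file, has to be the detection anchor.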
