The cybersecurity landscape has entered a new and alarming era. According to the CrowdStrike 2026 Global Threat Report, threat actors in 2025 became dramatically faster, more evasive, and increasingly powered by artificial intelligence — turning the very tools enterprises depend on into weapons against them. The defining theme of 2025, the report concludes, was the rise of the “evasive adversary” — attackers who blend invisibly into normal business operations, leaving conventional defenses struggling to keep up.
The Clock Is Ticking — Faster Than Ever
Speed is now the defining weapon. The average time it takes a cybercriminal to move from initial access to full network infiltration — known as “breakout time” — plummeted to just 29 minutes in 2025, a staggering 65% faster than the year before. One intrusion recorded a breakout time of only 27 seconds. In another case, data theft began just four minutes after an attacker gained access. For security teams, this window to detect, respond to, and contain a breach has become razor-thin.
AI Is Now a Double-Edged Sword
Artificial intelligence, widely deployed to protect enterprises, is now being exploited against them. The report found an 89% year-over-year increase in attacks by AI-enabled adversaries. Hackers are using AI to craft more convincing phishing emails, scale up social engineering campaigns, write malware code, and automate post-breach data collection. In one remarkable incident, attackers uploaded malicious packages to a popular developer platform that hijacked victims’ own local AI tools — including widely used AI assistants — to steal credentials and cryptocurrency.
Even more concerning, the report documents the first real-world use of autonomous AI agents in cyberattacks — requiring minimal human oversight. While still not widespread, this signals a potentially seismic shift in how attacks are executed.
Hiding in Plain Sight: The Malware-Free Attack
Perhaps the most unsettling finding is that 82% of all detected intrusions in 2025 involved no malware whatsoever — up from just 51% in 2020. Instead of deploying viruses that trigger security alerts, attackers are logging in with stolen credentials, exploiting legitimate software tools, and piggybacking on trusted cloud services. This makes them nearly invisible to traditional antivirus and signature-based defenses. In one high-profile case, the notorious SCATTERED SPIDER group compromised a corporate network entirely through social engineering and legitimate system tools — deploying ransomware only on virtual machine infrastructure that many security products cannot monitor.
China and Russia: State-Sponsored Threats Hit New Heights
Nation-state activity surged in 2025. China-linked threat actors increased overall intrusion activity by 38%, with attacks in the logistics sector up 85% and in telecommunications up 30%. These groups are systematically targeting edge devices — VPNs, firewalls, and gateways — and, in some cases, weaponizing newly disclosed software vulnerabilities within 2 to 6 days of public disclosure, long before most organizations can patch them.
Russia-linked adversaries, including the well-known COZY BEAR group, launched sophisticated multi-channel social engineering campaigns targeting NGOs and legal entities, while cloud-conscious intrusions by state-sponsored actors surged by 266%.
Supply Chains: The Trusted Back Door
Attackers increasingly bypass heavily guarded front doors by compromising the trusted software vendors and developer tools that organizations rely on. In February 2025, a North Korea-linked group executed the largest cryptocurrency theft in history — stealing $1.46 billion — by quietly inserting malicious code into a widely used digital wallet platform. Separately, malicious packages in the npm developer ecosystem were downloaded over 2 billion times per week before the attacks were detected, demonstrating the terrifying scale achievable through supply-chain compromise.
What Organizations Must Do Now
The CrowdStrike report issues a clear call to action. Organizations need to treat identity and SaaS platforms as primary attack surfaces, patch edge devices within 72 hours of critical vulnerability disclosures, and invest in AI-powered threat hunting to detect evasive behavior across cloud, endpoints, and unmanaged systems. Critically, human awareness training must keep pace with increasingly sophisticated social engineering — because in many 2025 breaches, the weakest link was not technology, but trust.
Based on the CrowdStrike 2026 Global Threat Report
