CrowdStrike has dubbed the North Korean group Famous Chollima “the most GenAI-proficient adversary” in its annual threat hunting report, after the scammers successfully placed their operatives in more than 320 companies over the last year.

The security vendor’s 2025 Threat Hunting Report also highlighted Scattered Spider’s ability to bring retailers to their knees, and China-based groups’ success in cloud intrusions.

These are all part of a new era of the “enterprising adversary”, CrowdStrike said, able to use “sophisticated, scalable” tactics and “business-like efficiency” to achieve their goals. Moreover, they are very successful at bypassing traditional security defenses.

Famous Chollima exploits GenAI at “every stage of the hiring and employment” process, CrowdStrike said. The group puts forward multiple “candidates” for remote developer jobs to increase its chance of clinching a role, using real-time deepfakes in interviews. A typical operative would be doing three or four “jobs” simultaneously.

Nation states more broadly have been adopting GenAI to make their cyber operations “faster, more efficient, and harder to detect.”

They were leveraging publicly available models across all stages of the attack lifecycle, from reconnaissance and research, to creating phishing content and developing payloads.

Meanwhile, increased use of AI tooling by legitimate organisations was presenting attackers with new targets. CrowdStrike said these were being used as “initial access vectors to execute diverse post-exploitation operations.”

But AI is not the only way to penetrate a target. The report also showed that voice phishing (vishing) attacks increased 442% between the first and second halves of 2024. CrowdStrike has logged more vishing attacks in the first half of this year than in the whole of 2024.

Scattered Spider, the group allegedly behind attacks on UK retailers Marks and Spencer and the Co-op, was notably adept at such techniques, CrowdStrike said. In one case, “the adversary moved from account takeover to ransomware deployment in just 24 hours.”

The group often targeted accounts belonging to IT and security staff, CrowdStrike noted, “as these employees typically have access to documentation on network architecture, security tooling, and incident response procedures.”

Not everything is quick and dirty though. The report also details the “long-game” approach of some adversaries, particularly China-nexus adversaries.

These groups had become particularly adept at exploiting cloud environments, with CrowdStrike logging a “40% increase in cloud intrusions attributed to China-nexus adversaries” over the previous 12 months.

All of which makes for terrifying reading for CISOs and tech leaders in general. CrowdStrike published its report as CISOs and cybersecurity experts gather in Las Vegas for Black Hat 2025.

It’s worth remembering, though, that malicious intent isn’t a prerequisite for crippling IT systems. After all, it’s just over a year since one faulty CrowdStrike update caused what was arguably the biggest IT outage in history.
