CrowdStrike's latest 2025 Threat Hunting Report paints a stark picture of a threat landscape that continues to intensify on multiple fronts. Between January 2025 and June 2025, the company's OverWatch team recorded a 136 percent rise in cloud-focused intrusions compared with the whole of 2024, showcasing how quickly adversaries are mastering techniques to exploit workloads, services, and control-plane assets in public- and hybrid-cloud environments.
Interactive, hands-on keyboard intrusions are also becoming more common and more sophisticated. CrowdStrike observed a 27 percent year-over-year increase in these intrusions; 73 percent were linked to financially motivated e-crime actors, highlighting the commercial appeal of ransomware-as-a-service ecosystems and access-broker marketplaces.
Voice phishing (vishing) has emerged as one of the fastest-growing e-crime tactics. Attacks jumped 442 percent from the first to the second half of 2024 and have already surpassed last year's totals in the first six months of 2025. Groups such as SCATTERED SPIDER continue to combine social-engineering expertise with stolen credentials to move from initial account takeover to ransomware deployment in as little as 24 hours, 32 percent faster than in 2024.
National-level espionage remains a concern. China-nexus operators drove a 130 percent increase in nation-state activity against telecommunications targets, while Russia-linked adversaries accounted for most of the 185 percent surge in government-sector intrusions. CrowdStrike's analysts note that cross-domain maneuvering, pivoting rapidly from identity to endpoint to cloud, helps sophisticated actors such as BLOCKADE SPIDER and OPERATOR PANDA remain covert until late in the attack lifecycle.
Generative AI is now a core accelerant for several campaigns. The report singles out DPRK-aligned FAMOUS CHOLLIMA, which infiltrated more than 320 companies during the period (an estimated 220 percent year-on-year increase) by using large-language-model services to fabricate résumés, deepfake identities, and even real-time interview answers. Once hired, the impostors rely on AI coding assistants and translation tools to juggle several remote developer jobs simultaneously, all while exfiltrating intellectual property.
CrowdStrike recommends enhanced identity-verification procedures during recruitment, real-time deepfake checks in interviews, tighter monitoring of remote-access activity, and continuous hunting across identity, endpoint, and cloud telemetry. While defenders are increasingly turning to machine-learning pipelines of their own, the vendor cautions that AI models must be trained on curated, trusted data to avoid poisoning and other manipulation attempts.
Source(s)
CrowdStrike (in English)