CrowdStrike’s 2025 Threat Hunting Report offers key insights into the current cyber threat landscape. Drawing on data from July 2024 to June 2025, the report shows how adversaries are becoming more sophisticated, scalable and business-like in their operations. These “enterprising adversaries” are not only innovating their tactics but also exploiting emerging technologies such as generative AI (GenAI) to bypass traditional defences. The legal standard of care for information security varies across sectors and jurisdictions. A common thread is that many laws set that standard by reference to evolving threats and the state-of-the-art defences available to counter them.

It is therefore important for cybersecurity lawyers to keep up to date with the evolving threat landscape, and the CrowdStrike 2025 Threat Hunting Report provides a helpful summary.

A New Breed of Threat Actor: The Enterprising Adversary

CrowdStrike identifies a shift toward adversaries who operate with strategic precision and business-like efficiency. These actors—whether nation-state or eCrime—are increasingly bypassing legacy security tools by:

  • Exploiting human vulnerabilities through social engineering and vishing. Vishing (voice phishing) is a type of cyberattack in which adversaries use phone calls to trick victims into revealing sensitive information; it has been cited as the root cause of some of the most widely publicised attacks on the UK retail sector.
  • Targeting unmanaged devices and cloud environments.
  • Using GenAI to enhance phishing, identity spoofing, and malware development.

The report highlights FAMOUS CHOLLIMA, a Democratic People’s Republic of Korea (DPRK)-nexus adversary, as a leading example. This group uses GenAI to create synthetic identities and deepfake interview personas, and uses AI-assisted coding, to infiltrate over 320 companies in the past year – a 220% year-on-year increase. The report proposes a number of helpful countermeasures to mitigate the risk of these attacks, including:

  • enhanced identity verification during the hiring phase, with rigorous background checks and corroboration of online profiles;
  • real-time deepfake challenges during interviews and employment assessment sessions; and
  • augmented security controls for remote access to corporate systems, with a particular focus on detecting geolocation masking and attempts to circumvent endpoint security.

While the legal standard of care varies across sectors and jurisdictions, and while there is invariably a lag before best practice is reflected in regulatory enforcement, given the prevalence of AI-assisted attacks it would be prudent to implement these or similar controls, both to defend against attacks and to mitigate compliance risk; particularly for organisations in the technology and other target sectors.

Key Findings: Threats by the Numbers

CrowdStrike’s team observed the following notable trends:

  • Interactive intrusions (hands-on-keyboard attacks) rose 27% year-on-year.
  • 81% of these intrusions were malware-free, reflecting a shift toward stealthier, harder-to-detect techniques.
  • Cloud intrusions surged 136% in the first half of 2025 compared to all of 2024.
  • Vishing attacks increased 442% from the first to the second half of 2024, and the number of vishing attacks in the first half of 2025 has already exceeded the total seen in 2024.
  • eCrime activity accounted for 73% of all interactive intrusions.

These statistics underscore the growing professionalisation of threat actors and the inadequacy of traditional malware detection as a primary defence.

Sector Spotlight: Who’s Being Targeted?

The report provides a breakdown of the most targeted sectors:

  • Technology remains the top target for the eighth consecutive year, due to its interconnectedness with other industries.
  • Government saw a 71% increase in intrusions and a 185% rise in nation-state activity, largely attributed to Russia-nexus actors.
  • Telecommunications experienced a 130% increase in nation-state targeting, particularly from China-nexus adversaries like GLACIAL PANDA.
  • Manufacturing and Retail were heavily targeted by eCrime groups such as CURLY SPIDER, with ransomware and vishing tactics driving a 55% and 41% increase, respectively.

These trends reflect adversaries’ strategic targeting of sectors with high-value data, operational urgency, and legacy infrastructure vulnerabilities.

The Decline of Malware and Rise of Stealth

One of the most striking findings is the continued decline in malware usage. With 81% of interactive intrusions being malware-free, adversaries are increasingly relying on legitimate tools and valid credentials (“living off the land”) to move laterally and exfiltrate data. Because the activity looks like ordinary administration, signature-based detection is of limited use; spotting it requires behavioural threat hunting that asks whether a given combination of account, source host and tool is normal for the environment.
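To illustrate what such behavioural hunting looks like in practice, the following is an added example written for this summary (it is not code from the CrowdStrike report, and the event records, host names, addresses and the `BASELINE` of known logon sources are all constructed and assumed). It reads Windows-style logon and process-creation events and flags a remote logon from a source the account has never used before that is followed, within a short window, by the same account running a dual-use admin tool on the target host: exactly the credential-plus-legitimate-tool pattern that a malware signature would never match.

```python
"""Behavioural hunt for malware-free lateral movement over constructed logs.

Constructed Windows-style events (not real telemetry): kind 4624 = successful
logon (with logon_type), kind 4688 = process creation. The hunt flags a remote
logon from a source address the user has never been seen from, followed within
a short window by the same user running a dual-use admin tool on the target.
"""
from collections import namedtuple
from datetime import datetime, timedelta

# Dual-use binaries that are legitimate on their own but worth a second look
# right after an anomalous logon (illustrative list, not exhaustive).
LOLBINS = {"wmic.exe", "psexec.exe", "psexesvc.exe", "certutil.exe",
           "rundll32.exe", "powershell.exe", "net.exe", "schtasks.exe"}

# Windows logon types: 3 = network (SMB/WMI/PsExec), 10 = RemoteInteractive (RDP).
REMOTE_LOGON_TYPES = {3, 10}
WINDOW = timedelta(minutes=15)  # assumed hunting window; tune per environment

# Assumed baseline: source addresses each account normally logs on from. In
# practice this would be learned from weeks of telemetry, not hard-coded.
BASELINE = {"j.doe": {"10.0.2.20"}, "svc_backup": {"10.0.1.5"}}

Finding = namedtuple("Finding", "user host src_ip logon_time process cmdline")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def hunt(events, baseline, window=WINDOW):
    """Return a Finding for each remote logon from an unseen source that is
    followed, within `window`, by a LOLBin run by that user on that host."""
    pending = []   # anomalous logons (time, event) awaiting a matching process
    findings = []
    for e in sorted(events, key=lambda ev: parse_ts(ev["time"])):
        t = parse_ts(e["time"])
        if e["kind"] == 4624:
            known = baseline.get(e["user"], set())
            if e["logon_type"] in REMOTE_LOGON_TYPES and e["src_ip"] not in known:
                pending.append((t, e))
        elif e["kind"] == 4688:
            image = e["image"].rsplit("\\", 1)[-1].lower()
            if image not in LOLBINS:
                continue
            for lt, logon in pending:
                same_session = logon["user"] == e["user"] and logon["host"] == e["host"]
                if same_session and lt <= t <= lt + window:
                    findings.append(Finding(e["user"], e["host"], logon["src_ip"],
                                            logon["time"], image, e["cmdline"]))
                    break
    return findings


# Constructed sample events. Only the 10:05 logon plus the wmic call that
# follows it should be flagged: the svc_backup wmic run comes from a known
# source, and the 11:10 PowerShell run falls outside the 15-minute window.
EVENTS = [
    {"time": "2025-03-04 09:00:12", "kind": 4624, "user": "j.doe", "host": "WS-17",
     "src_ip": "10.0.2.20", "logon_type": 10},
    {"time": "2025-03-04 09:02:40", "kind": 4688, "user": "j.doe", "host": "WS-17",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": "OUTLOOK.EXE"},
    {"time": "2025-03-04 09:30:05", "kind": 4624, "user": "svc_backup", "host": "FS-01",
     "src_ip": "10.0.1.5", "logon_type": 3},
    {"time": "2025-03-04 09:31:00", "kind": 4688, "user": "svc_backup", "host": "FS-01",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic logicaldisk get size,freespace"},
    {"time": "2025-03-04 10:05:33", "kind": 4624, "user": "j.doe", "host": "FS-01",
     "src_ip": "10.0.9.77", "logon_type": 3},
    {"time": "2025-03-04 10:07:10", "kind": 4688, "user": "j.doe", "host": "FS-01",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic /node:DC-01 process call create "cmd.exe /c whoami"'},
    {"time": "2025-03-04 10:40:00", "kind": 4624, "user": "j.doe", "host": "DC-01",
     "src_ip": "10.0.9.77", "logon_type": 10},
    {"time": "2025-03-04 11:10:00", "kind": 4688, "user": "j.doe", "host": "DC-01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden"},
    {"time": "2025-03-04 11:00:00", "kind": 4624, "user": "a.smith", "host": "WS-18",
     "src_ip": "-", "logon_type": 2},
]

if __name__ == "__main__":
    for f in hunt(EVENTS, BASELINE):
        print(f"[!] {f.user} logged on to {f.host} from unseen {f.src_ip} at "
              f"{f.logon_time}, then ran {f.process}: {f.cmdline}")
```

Note the deliberate miss in the sample data: the 10:40 RDP logon to DC-01 from the same unseen address is followed by a hidden PowerShell run half an hour later, which the 15-minute window does not catch. A patient adversary will outwait any fixed window, so in production the unseen-source logon itself should also be raised as a lower-severity signal rather than only used as a precondition for the tool check.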

Generative AI: A Double-Edged Sword

GenAI is transforming both offensive and defensive cyber operations. Adversaries use GenAI to:

  • Generate realistic phishing emails and deepfake content.
  • Automate malware development and infrastructure setup.
  • Create synthetic identities and spoof credentials.

Meanwhile, defenders are using AI to scale threat hunting, reduce noise and identify complex behaviours. CrowdStrike emphasises the importance of responsible AI, with models trained only on validated threat data to reduce the risk of manipulation through model poisoning or prompt injection.

Conclusion

As adversaries become more enterprising, stealthy, and AI-enabled, defenders must respond with intelligence-driven, cross-domain, and proactive approaches.

For lawyers, the report serves as a timely reminder of the importance of ongoing engagement with CISO teams and cybersecurity professionals. Regular testing of the efficacy of cybersecurity controls against the latest adversary tactics, and prompt remediation of any gaps identified, is an essential cornerstone of any effective cybersecurity programme. While not always a legal requirement, such testing can also help organisations demonstrate that they have met the applicable legal standard of care for information security. For organisations subject to laws which impose personal liability on members of the management body for cybersecurity failings (such as the EU DORA and the EU NIS2 Directive), regular testing and independent assurance of cybersecurity controls can also provide comfort to individual members of the management body.

Credit: This summary is based on the CrowdStrike 2025 Threat Hunting Report. For the full report visit CrowdStrike.com.