CrowdStrike’s 2026 Global Threat Report has revealed a significant surge in AI-enabled adversary operations, with an 89% year-over-year increase, highlighting the growing role of AI in faster and stealthier cyberattacks.
The report, which draws intelligence from over 280 named threat actors, notes that the average “breakout time” – the period from initial breach to lateral movement across a network – has fallen to 29 minutes in 2025, representing a 65% increase in speed compared to 2024. The fastest observed breakout took just 27 seconds, and in one specific instance, data exfiltration began within four minutes of initial access. Furthermore, 82% of detections were malware-free, continuing a trend toward credential theft and identity-based intrusions.
Adversaries are not only using AI to enhance their attacks but are also targeting AI systems directly. Malicious prompts were injected into generative AI tools at more than 90 organizations to steal credentials and cryptocurrency. Attackers exploited vulnerabilities in AI development platforms to deploy ransomware and published rogue AI servers to intercept sensitive data. On the offensive side, Russia-linked group FANCY BEAR deployed LAMEHUG, an LLM-enabled malware identified by Ukraine’s CERT-UA in July 2025, which uses the Qwen2.5-Coder-32B-Instruct model to dynamically generate reconnaissance commands.
Cybercriminal groups are also leveraging AI to amplify their operations. PUNK SPIDER utilized AI-generated scripts to accelerate credential dumping and destroy forensic evidence, while North Korea-linked FAMOUS CHOLLIMA leveraged AI-generated personas to scale insider threat operations.
Nation-state activity escalated significantly in 2025, with China-linked cyber operations rising 38%, and the logistics sector seeing an 85% increase in targeting. Sixty-seven percent of vulnerabilities exploited by China-nexus actors delivered immediate system access, while 40% targeted internet-facing edge devices. North Korea-linked incidents surged more than 130%, with FAMOUS CHOLLIMA’s activity more than doubling, and PRESSURE CHOLLIMA’s $1.46 billion cryptocurrency theft was flagged as the largest single financial heist ever reported.
The report also highlights a significant increase in cloud-focused intrusions, which rose 37% overall, including a 266% increase from state-backed actors targeting cloud environments. Forty-two percent of vulnerabilities were exploited before public disclosure as attackers weaponized zero-day flaws. CrowdStrike President Michael Sentonas emphasized the growing threat of AI-enabled attacks, stating, “Prompts are going to be the new malware.”
