Red Hot Cyber


CrowdStrike Threat Hunting Report 2025: Cybercriminals Use AI for Large-Scale Attacks

Redazione RHC: 8 September 2025 11:54

Over 320 companies have been breached by groups linked to North Korea (DPRK) with generative AI-powered attacks. Threat actors are leveraging AI agents, making autonomous systems the new attack perimeter for the enterprise environment.

CrowdStrike has published the Threat Hunting Report 2025, which describes a new phase in modern cyberattacks: adversaries are leveraging GenAI to scale operations and accelerate attacks, and are increasingly targeting the autonomous AI agents that are transforming businesses. The report shows how threat actors are targeting the tools used to develop AI agents—gaining access, stealing credentials, and spreading malware—a clear sign that autonomous systems and system-generated (non-human) identities have become a central component of the enterprise attack surface.

Key Findings from the Threat Hunting Report

Based on information gathered by CrowdStrike threat hunting experts and intelligence analysts, who monitor over 265 identified adversaries, the report reveals that:

  • Adversaries are using AI as a weapon at scale: North Korea-linked adversary FAMOUS CHOLLIMA has used generative AI to automate every step of its insider attack program, from creating fake resumes and conducting interviews with deepfakes to performing technical tasks under false identities. AI-enhanced adversary tactics are transforming traditional insider threats into scalable, persistent operations. The Russia-backed adversary EMBER BEAR used generative AI to amplify pro-Russian narratives, while the Iran-backed adversary CHARMING KITTEN used phishing lures created with LLMs (large language models) to target entities in the United States and the European Union.
  • Agentic AI is the new attack surface: CrowdStrike observed multiple cybercriminals exploiting vulnerabilities in the tools used to build AI agents, gaining unauthenticated access, establishing persistence, stealing credentials, and spreading malware and ransomware. These attacks demonstrate how the agentic AI revolution is redefining the enterprise attack surface, transforming autonomous workflows and non-human identities into the new frontier for adversaries to exploit.
  • Generative AI-powered malware becomes a reality: eCrime actors and hacktivists with low-level technical skills are abusing AI to generate scripts, troubleshoot technical issues, and create malware, automating tasks that previously required advanced skills. Funklocker and SparkCat are the first proof that malware developed with generative AI is no longer just theoretical; it’s already a reality.
  • SCATTERED SPIDER accelerates identity-based cross-domain attacks: The group resurfaced in 2025 with faster, more aggressive tactics, using vishing and impersonating help desk support teams to get credentials reset, bypass MFA (multi-factor authentication), and move laterally across SaaS and cloud environments. In one case, the group went from initial access to ransomware deployment and encryption in less than 24 hours.
  • China-linked adversaries drive a continuing wave of cloud attacks: Cloud intrusions increased by 136%, with China-linked adversaries responsible for 40% of this growth. GENESIS PANDA and MURKY PANDA evaded detection by exploiting cloud misconfigurations and relying on trusted logins.

“The AI era has redefined how businesses operate and how adversaries attack. We’re seeing criminals use generative AI to scale social engineering, accelerate operations, and lower the barrier to entry for manual intrusions,” said Adam Meyers, head of counter adversary operations at CrowdStrike.

“At the same time, adversaries are targeting the very AI systems that companies are deploying. Each AI agent is a superhuman identity: autonomous, fast, and deeply integrated, making them high-value targets. Adversaries treat these agents like infrastructure, attacking them the same way they target SaaS platforms, cloud consoles, and privileged accounts. Protecting the same AI that powers business is the new terrain on which cyberwarfare is evolving today.”

Download the CrowdStrike 2025 Threat Hunting Report

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
