November 13, 2025

CrowdStrike’s 2025 Global Threat Report paints a clear picture of a threat landscape moving faster, operating more quietly, and acting more like modern businesses than traditional hackers. The overarching theme is the rise of the enterprising adversary: attackers who organize, scale, and innovate with the efficiency of legitimate enterprises.
The biggest shift is the dominance of malware-free intrusions, which now account for 79% of all detections. Attackers are using valid credentials, social engineering, remote management tools, and cloud misconfigurations to enter networks without triggering classic antivirus alerts. Breakout time, the interval between an attacker’s initial access and their first lateral move deeper into the network, hit a new low of 48 minutes on average, with the fastest observed at 51 seconds.
Social engineering has entered a new phase. Vishing attacks surged 442%, with attackers impersonating IT staff, using spam bombs to create urgency, and leveraging tools like Microsoft Teams or Quick Assist to gain access. Help-desk impersonation also expanded, with adversaries calling support lines to reset MFA and take over accounts.
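The two figures above, breakout time and help-desk MFA resets leading to account takeover, are only useful to a defender if they can be measured from the organisation's own telemetry. The following is an added example, not code from CrowdStrike or the report, showing how both can be operationalised as simple correlation rules: one computes per-account breakout time (first login to first remote login on another host) and flags anything inside a threshold; the other flags a login from a source never seen for that account within a short window after an MFA reset. The event format, field names, baseline of known sources and all sample events are constructed for this example.

```python
"""Added example (not from CrowdStrike's report): two defender-side
correlation rules over identity and host telemetry. The event schema,
field names and sample data below are constructed assumptions."""

from datetime import datetime, timedelta

# Constructed sample events, one dict per normalised log line.
# "login" = interactive/VPN sign-in, "remote_login" = lateral move to "host".
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T09:00:00", "type": "mfa_reset",    "user": "jdoe",   "src": "helpdesk-portal", "host": ""},
    {"ts": "2025-01-10T09:07:00", "type": "login",        "user": "jdoe",   "src": "198.51.100.23",   "host": "vpn-gw"},
    {"ts": "2025-01-10T09:41:00", "type": "remote_login", "user": "jdoe",   "src": "vpn-gw",          "host": "fileserver01"},
    {"ts": "2025-01-10T10:00:00", "type": "login",        "user": "asmith", "src": "203.0.113.5",     "host": "vpn-gw"},
    {"ts": "2025-01-10T13:30:00", "type": "remote_login", "user": "asmith", "src": "vpn-gw",          "host": "build02"},
    {"ts": "2025-01-11T08:00:00", "type": "mfa_reset",    "user": "bwong",  "src": "helpdesk-portal", "host": ""},
    {"ts": "2025-01-11T15:00:00", "type": "login",        "user": "bwong",  "src": "192.0.2.77",      "host": "vpn-gw"},
]

# Constructed baseline: source addresses each account has used before.
KNOWN_SOURCES = {
    "jdoe": {"10.0.0.5"},
    "asmith": {"203.0.113.5"},
    "bwong": {"192.0.2.77"},
}


def parse(events):
    """Return events with ISO timestamps parsed, sorted chronologically."""
    parsed = [{**e, "ts": datetime.fromisoformat(e["ts"])} for e in events]
    return sorted(parsed, key=lambda e: e["ts"])


def breakout_times(events):
    """Minutes from each account's first login to its first lateral move.

    Accounts that never perform a remote_login are omitted.
    """
    first_login, result = {}, {}
    for e in parse(events):
        user = e["user"]
        if e["type"] == "login" and user not in first_login:
            first_login[user] = e["ts"]
        elif e["type"] == "remote_login" and user in first_login and user not in result:
            result[user] = (e["ts"] - first_login[user]).total_seconds() / 60
    return result


def fast_breakouts(events, threshold_minutes=60):
    """Accounts whose breakout time is at or below the threshold (default 60 min)."""
    return {u: m for u, m in breakout_times(events).items() if m <= threshold_minutes}


def mfa_reset_then_new_login(events, baseline, window_minutes=30):
    """Flag an MFA reset followed, within the window, by a login from a source
    the account has never used. Returns (user, source, minutes_after_reset)."""
    known = {u: set(srcs) for u, srcs in baseline.items()}
    pending_reset = {}
    hits = []
    for e in parse(events):
        user = e["user"]
        if e["type"] == "mfa_reset":
            pending_reset[user] = e["ts"]
        elif e["type"] == "login":
            seen = known.setdefault(user, set())
            reset_ts = pending_reset.get(user)
            if (reset_ts is not None
                    and e["ts"] - reset_ts <= timedelta(minutes=window_minutes)
                    and e["src"] not in seen):
                hits.append((user, e["src"], (e["ts"] - reset_ts).total_seconds() / 60))
            seen.add(e["src"])
    return hits


if __name__ == "__main__":
    print("breakout minutes:", breakout_times(SAMPLE_EVENTS))
    print("fast breakouts:", fast_breakouts(SAMPLE_EVENTS))
    print("MFA reset -> new-source login:", mfa_reset_then_new_login(SAMPLE_EVENTS, KNOWN_SOURCES))
```

On the constructed data, `jdoe` moves laterally 34 minutes after first sign-in and signs in from an unseen address 7 minutes after a help-desk MFA reset, so both rules fire; `asmith` takes 210 minutes and `bwong` signs in from a known address hours after the reset, so neither is flagged. The thresholds are deliberately parameters: the 48-minute average in the report is an argument for alerting on sub-hour breakouts, but the right window for the MFA rule depends on how a given help desk actually performs resets.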
Generative AI is now a mainstream adversary capability. Threat actors are using it to craft convincing phishing emails, run influence operations, automate coding tasks, create deepfakes for fraud, and even draft early-stage exploit code. One study of LLM-generated phishing lures showed a click-through rate of 54%, compared with 12% for human-written lures.
Nation-state activity is also escalating. China-linked intrusions are up 150%, with some industries seeing 200–300% more activity than last year. China’s operations show increasing specialization, stronger OPSEC, and heavy use of massive ORB proxy networks. Meanwhile, DPRK (North Korean) actors continue to grow their revenue-generation schemes, including sophisticated insider operations using fake developer identities and job interviews.
Cloud intrusions are climbing as attackers target identity systems and SaaS apps. Valid credential abuse accounts for 35% of cloud incidents, and multiple groups now pivot directly into cloud control planes to steal data or deploy ransomware. Attackers are increasingly exploiting SaaS tools — such as SharePoint, communication platforms, credential managers, and SMS distribution apps — to conduct further phishing and lateral movement.
Vulnerability exploitation remains aggressive, especially against network appliances. Threat actors are chaining multiple CVEs and abusing built-in product features to achieve remote code execution. Palo Alto Networks, Cisco infrastructure, and Microsoft components were among the most targeted, with exploitation often beginning within 24 hours of disclosure.
CrowdStrike concludes that 2024 marked a turning point: adversaries are maturing faster than defenders. The report recommends identity-first security, cloud-native monitoring, rapid patching, cross-domain visibility, and intelligence-driven defence as the only sustainable countermeasures.
A copy of the report is available from CrowdStrike (may require registration).
