CrowdStrike 2026 Global Threat Report Analysis
🇺🇸 CrowdStrike's 2026 report reveals that cyber threat actors have begun using AI as a weapon, operating much faster than ever before to bypass defense systems.
The CrowdStrike Global Threat Report, one of the most important milestones in the cybersecurity world, has released its 2026 edition. Last year, we discussed how cybercriminals had assumed an “entrepreneurial” identity. The main theme of the 2026 report, however, is much more striking: “The Age of the AI Adversary” and the “Year of the Evasive Adversary”.
We are now facing attackers who leverage autonomous AI agents, combining phishing with supply chain vulnerabilities to roam networks without triggering a single alarm. In this new era where traditional security measures and human speed fall short, the rules are being rewritten. Without further ado, let’s dive into the striking findings of the 2026 report, the shifting threat dynamics, and the new realities of the cyber world.
📈 Overview: 2025’s Bitter Reality in Numbers
The incidents observed throughout the past year demonstrate how far the boundaries of speed and evasion have been pushed. Here are the report’s most alarming figures:
- Record Drop in Breakout Time: 29 Minutes. The average time it takes attackers to move laterally after breaking into a system (breakout time) has dropped to just 29 minutes (a 65% increase in speed compared to last year).
- Fastest Breakout Time: 27 Seconds. Yes, you read that right. The transition from initial breach to lateral movement took merely 27 seconds.
- Increase in AI-Enabled Attacks: 89%. The attack volume of threat actors using AI as a tool has nearly doubled.
- Malware-Free Attacks: 82%. 82% of attacks involved no viruses or malware at all. Attackers relied entirely on valid credentials and the system’s own native tools (Living off the Land).
- Increase in Zero-Day Vulnerability Exploitation: 42%. Attackers have become much more inclined to strike before vulnerabilities are patched or even publicly disclosed.
- Authentication Fraud: Fake CAPTCHA Surge of 563%. There has been an incredible explosion in fake, legitimate-looking CAPTCHA (“I am not a robot”) verification pages used to trick users into downloading malware.
- Rapid Intrusion (CHATTY SPIDER): Just 4 Minutes. Actors who call victims using social engineering (vishing) to trick them into installing remote monitoring and management (RMM) tools managed to infiltrate and begin exfiltrating data in under 4 minutes.
- Expanding Threat Pool: 281 Actors. In 2025 alone, 24 new cyber threat groups were identified, bringing the total number of tracked actors to 281.
🎯 Which Sectors Are Targeted the Most?
The report presents a picture of interactive targeting distribution that is similar to last year but much more sharply defined.
- 💻 Technology (the primary target, as it is the link in the supply chain that attackers break to reach everyone downstream)
- 👥 Consulting and Professional Services
- 🏭 Manufacturing
- 🛒 Retail
- 💰 Financial Services
🕵️‍♂️ State-Sponsored Threats (APT Groups): Edge Devices and Social Engineering
State-sponsored Cyber Espionage and Advanced Persistent Threat (APT) activities reached the potential to completely paralyze infrastructures in 2025. The report indicates that North Korean, Russian, and Chinese groups engaged in far more audacious operations:
- 🇨🇳 China-Nexus Groups (PANDA): Overall China-nexus activity increased by 38%, with an 85% surge in the logistics sector. China-nexus groups (OPERATOR PANDA, WARP PANDA, etc.) shifted their strategy toward Network Perimeter/Edge Devices. They weaponized vulnerabilities in VPN appliances, firewalls, and gateways, sometimes within just 2-3 days of disclosure. 67% of the exploits used in these attacks were Remote Code Execution (RCE) flaws providing immediate system access.
- 🇷🇺 Russia-Nexus Groups (BEAR): COZY BEAR moved beyond classic phishing, creating a multi-stage “trust abuse” mechanism. They developed weeks-long dialogues with fake personas, including via messaging and video conferences. Their goal was to trick victims into clicking authentic-looking links that secretly granted OAuth 2.0 or Device Code authorization via Entra ID in the background. Meanwhile, FANCY BEAR used the AI-enhanced LAMEHUG malware to gather cyber intelligence within target networks.
- 🇰🇵 North Korea-Nexus Groups (CHOLLIMA): They recognized no boundaries when it came to cryptocurrency theft. In February 2025, PRESSURE CHOLLIMA compromised the software supply chain to execute the largest cryptocurrency theft in history, stealing 1.46 Billion USD via Bybit. FAMOUS CHOLLIMA continued to infiltrate developers by masquerading as fake HR representatives and talent scouts, even automating this process with AI and coding assistants.
Prediction: In 2026, China’s interest in edge security devices will continue, while Russia will deepen its focus on “phishing and trust manipulation” targeting Western entities. Failing to patch edge devices within 72 hours poses a massive risk.
💰 Ransomware: Evading EDRs and Cross-Domain Operations
Big Game Hunting (BGH) groups have not only maintained their presence but have begun executing their intrusions much more deeply. PUNK SPIDER, SCATTERED SPIDER, and BLOCKADE SPIDER employed masterful methods to evade Endpoint Detection and Response (EDR) solutions.
- Infiltrating Unmanaged Systems: SCATTERED SPIDER deployed its ransomware exclusively within hypervisor environments like VMware ESXi. By creating an unmanaged virtual machine without EDR installed on the target network, they managed to capture the Active Directory (ntds.dit) database. Throughout the entire incident, they successfully hid their tracks by touching only a single managed device.
- Remote File Encryption: PUNK SPIDER (the most active group in 2025, with instances increasing by 134%) significantly advanced the technique of remotely encrypting data via the SMB protocol from unmanaged IoT devices connected to the network (such as an unpatched webcam), rather than executing ransomware directly on the victim’s own machines.
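Both items above come down to the same blind spot: a host the EDR cannot see (an unmanaged VM, an unpatched webcam) touching the file data. The following is an added example, not code from the report or from CrowdStrike, that reconciles file-share activity against an EDR inventory and flags unmanaged sources that rewrite files or introduce an unfamiliar extension. The inventory, event shape and every value are constructed.

```python
# Added example, not from the report: reconcile file-share activity against the
# EDR inventory so a host EDR cannot see (an IoT camera, a freshly created VM)
# that starts rewriting files stands out.
import os

WRITE_OPS = {"write", "rename", "delete"}
KNOWN_EXT = {".xlsx", ".docx", ".pdf", ".txt"}
# Constructed EDR inventory: IPs of hosts with a sensor installed.
MANAGED_HOSTS = {"10.0.1.15", "10.0.1.16", "10.0.1.40"}
# Constructed share-access events, a simplified shape loosely modelled on
# Windows detailed file share audit records (source address, account, share, path, operation).
EVENTS = [
    {"src_ip": "10.0.1.15", "account": "CORP\\a.lee", "share": "Finance", "path": "q3.xlsx", "op": "read"},
    {"src_ip": "10.0.1.15", "account": "CORP\\a.lee", "share": "Finance", "path": "q3.xlsx", "op": "write"},
    {"src_ip": "10.0.1.40", "account": "CORP\\b.kim", "share": "Finance", "path": "report.docx", "op": "write"},
    {"src_ip": "10.0.7.201", "account": "CORP\\svc_backup", "share": "Finance", "path": "q3.xlsx.locked", "op": "write"},
    {"src_ip": "10.0.7.201", "account": "CORP\\svc_backup", "share": "Finance", "path": "budget.docx.locked", "op": "write"},
    {"src_ip": "10.0.7.201", "account": "CORP\\svc_backup", "share": "Finance", "path": "q3.xlsx", "op": "delete"},
    {"src_ip": "10.0.7.201", "account": "CORP\\svc_backup", "share": "Finance", "path": "budget.docx", "op": "delete"},
    {"src_ip": "10.0.9.9", "account": "CORP\\printer", "share": "Finance", "path": "memo.pdf", "op": "read"},
]

def profile_sources(events, managed=MANAGED_HOSTS, known_ext=KNOWN_EXT):
    """Per source IP: count of write-like operations, unfamiliar extensions
    written, accounts used, and whether the IP is in the EDR inventory."""
    prof = {}
    for e in events:
        p = prof.setdefault(e["src_ip"], {"writes": 0, "new_ext": set(), "accounts": set(),
                                          "managed": e["src_ip"] in managed})
        p["accounts"].add(e["account"])
        if e["op"] in WRITE_OPS:
            p["writes"] += 1
            ext = os.path.splitext(e["path"])[1].lower()
            if ext and ext not in known_ext:
                p["new_ext"].add(ext)
    return prof

def unmanaged_encryptors(events, managed=MANAGED_HOSTS, known_ext=KNOWN_EXT, min_writes=3):
    """Unmanaged sources that either write many files or introduce an unknown
    extension: the remote-encryption pattern described above."""
    return sorted(ip for ip, p in profile_sources(events, managed, known_ext).items()
                  if not p["managed"] and (p["writes"] >= min_writes or p["new_ext"]))
```

The `accounts` set is kept in the profile because a camera or printer authenticating with a domain service account is itself a finding worth reading alongside the write counts.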
Prediction: Cross-Domain attacks will increase further. Attackers will continue to leap from a SaaS environment, using stolen identities, to on-prem (local) systems, and then to cloud environments, leaving no trace behind.
🔗 Supply Chain: Breaking the Trust
2025 demonstrated, in a historically unprecedented manner, the immense risks inherent in trusting software developers. Instead of forcing the victim’s door, attackers knocked on the door of the victim’s trusted vendor.
- NPM Poisoning / ShaiHulud: As if malicious npm packages being downloaded millions of times wasn’t enough, September saw the release of a new malware family named ShaiHulud. If it found the appropriate authorization tokens on an infected machine, it acted like a self-propagating worm, automatically injecting itself into that developer’s projects to spread further.
- Hacking Update Mechanisms: In October 2025, it was discovered that the legitimate Notepad++ application’s update mechanism was hacked to distribute RATs to specific institutions (highly targeted victims, rather than a scattergun approach).
- SaaS and OAuth Exploitation: By seizing OAuth tickets (tokens) belonging to third-party integrations like the popular sales and marketing platforms Salesloft and Drift, cyber attackers infiltrated the CRM environments of their targeted IT companies and exfiltrated data.
🕳️ Zero-Day Vulnerabilities and Privilege Escalation
To evade detection, attackers increasingly relied on zero-day vulnerabilities in 2025, utilizing them 42% more than the previous year. While eCrime actors like GRACEFUL SPIDER exploited flaws in common enterprise applications (e.g., CVE-2025-61882) to conduct opportunistic data leaks, groups like VICE SPIDER exploited local privilege escalation (LPE—e.g., CVE-2025-32706) vulnerabilities in Windows systems precisely while they were in the patching phase. This allowed them to bypass EDR solutions and gain complete root-level control over the system. For initial network entry, the perimeter exploitation of network security devices (like VPNs) played a foundational role.
☁️ Cloud and Hybrid Identity Threats
Cloud-oriented security breaches increased by 37%, and specifically, state-sponsored groups’ cloud breaches surged by a massive 266%. The primary target was no longer just the system itself, but seizing the “Identity”.
Systems providing “Hybrid Identity,” such as Entra ID, AD FS, and Entra Connect Sync, were specifically targeted. Attackers (e.g., BLOCKADE SPIDER) exploited these intermediate connection points to pivot from on-prem servers to the cloud or from the cloud back to on-prem environments.
To completely bypass multi-factor authentication (MFA), attackers used AiTM (Adversary-in-the-Middle) phishing kits. By positioning themselves between the user and the service, they directly copied Microsoft 365 session cookies (e.g., IMPERIAL KITTEN and ShinyHunters operations). This continues to be one of the most critical entry vectors today.
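The two identity tricks on this page, the device code grants COZY BEAR coaxed out of victims (in the APT section above) and the Microsoft 365 session cookies copied by AiTM kits, both leave a trace in sign-in telemetry. The following is an added example, not code from the report or from CrowdStrike, that flags both in Entra ID-style sign-in records: field names follow the Microsoft Graph signIn resource (`authenticationProtocol`, `sessionId`, `ipAddress`), while the records and every value are constructed.

```python
# Added example, not from the report: flag two sign-in patterns described
# above in Entra ID-style sign-in records, (1) device code flow grants and
# (2) one session ID appearing from several IPs (AiTM cookie replay).
from collections import defaultdict
from datetime import datetime

# Constructed sample records. Field names follow the Microsoft Graph signIn
# resource (authenticationProtocol, sessionId, ...); all values are made up.
SIGNINS = [
    {"userPrincipalName": "a.lee@example.com", "createdDateTime": "2025-06-03T09:00:00Z",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2", "sessionId": "s-1001"},
    {"userPrincipalName": "a.lee@example.com", "createdDateTime": "2025-06-03T09:20:00Z",
     "ipAddress": "198.51.100.77", "authenticationProtocol": "oAuth2", "sessionId": "s-1001"},
    {"userPrincipalName": "b.kim@example.com", "createdDateTime": "2025-06-03T10:05:00Z",
     "ipAddress": "203.0.113.22", "authenticationProtocol": "deviceCode", "sessionId": "s-2002"},
    {"userPrincipalName": "b.kim@example.com", "createdDateTime": "2025-06-03T10:06:00Z",
     "ipAddress": "203.0.113.22", "authenticationProtocol": "oAuth2", "sessionId": "s-2002"},
    {"userPrincipalName": "c.ng@example.com", "createdDateTime": "2025-06-03T11:00:00Z",
     "ipAddress": "203.0.113.30", "authenticationProtocol": "oAuth2", "sessionId": "s-3003"},
]

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def device_code_signins(records):
    """Sign-ins completed via the device code flow. Legitimate on input-limited
    devices, but rare for office users, so each hit deserves a look."""
    return [(r["userPrincipalName"], r["ipAddress"], r["createdDateTime"])
            for r in records if r.get("authenticationProtocol") == "deviceCode"]

def session_reuse(records, window_minutes=60):
    """Sessions whose ID is seen from two or more IPs inside the window: the
    signature of a stolen session cookie being replayed by the attacker.
    Mobile users changing networks are the main false positive."""
    by_session = defaultdict(list)
    for r in records:
        by_session[r["sessionId"]].append(r)
    findings = []
    for sid, rs in by_session.items():
        ips = sorted({r["ipAddress"] for r in rs})
        if len(ips) < 2:
            continue
        times = sorted(ts(r["createdDateTime"]) for r in rs)
        if (times[-1] - times[0]).total_seconds() <= window_minutes * 60:
            findings.append((rs[0]["userPrincipalName"], sid, ips))
    return findings
```

On the mitigation side, Conditional Access can restrict the device code flow outright through its authentication flows condition, which removes the first pattern rather than merely detecting it.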
🤖 Artificial Intelligence: The Attackers’ New Cyber Weapon
We have entered the “Agentic Era,” the period of Autonomous AI. Attackers are now using AI tools not just to write scripts, but to optimize the entire attack process.
- Social Engineering: Flawlessly translating phishing emails into any language (including Ukrainian, as seen in RENAISSANCE SPIDER campaigns), impersonating executives via Deepfake/Voice Cloning, or posing as a fully operational professional company has become routine.
- Operational Automation: Taking action on target servers, dumping passwords, and securely erasing persistent traces, using AI bots built on models such as DeepSeek, can now be done in seconds. FANCY BEAR’s LAMEHUG malware was observed querying an LLM directly (via the Hugging Face API) to gather cyber intelligence across a network.
- Attacks Against AI Systems: Attackers not only use AI; they also attack open-source and enterprise AI tools themselves, exploiting gaps in the security coverage of otherwise legitimate environments (e.g., the CVE-2025-3248 vulnerability in the Langflow platform) to deploy ransomware. There have even been instances of malicious JS code inserted into Nx packages to manipulate developers’ local “Gemini” or “Claude” models into stealing cryptocurrency.
Attempts to bypass security rules (such as email protection agents) using “Prompt Injection” have officially begun. AI-based agents have become so widespread that if these agents go rogue, they can turn into the biggest insider threat in your system.
📢 Conclusion
CrowdStrike’s 2026 Global Threat Report sends a crystal-clear message: Responding at human speed is no longer sufficient. There is a dire need for infrastructures and modern security barriers utilizing Autonomous AI that can detect and react to an attack that begins spreading in just 27 seconds. Patch your edge devices, tighten your identity-based security controls, and absolutely verify your software supply chains. The only way to survive the increasingly destructive power of AI-backed cybercriminals is to think at machine speed and defend at machine speed.
See you in another analysis, stay safe!
Disclaimer: This article is an English summary of the prominent findings from the CrowdStrike 2026 Global Threat Report. The content provided here is for informational purposes only. For the original report, please visit: CrowdStrike 2026 Global Threat Report
