
AI accelerates adversaries and reshapes the attack surface, CrowdStrike report finds

CrowdStrike

CrowdStrike today released its 2026 Global Threat Report, revealing that AI is accelerating adversaries and expanding the enterprise attack surface.

The average eCrime breakout time fell to just 29 minutes in 2025, with the fastest observed breakout occurring in only 27 seconds. Adversaries are also actively exploiting AI systems themselves, injecting malicious prompts into GenAI tools at more than 90 organizations and abusing AI development platforms. The Global Threat Report makes clear that as innovation accelerates, adversary exploitation follows.

AI-enabled adversaries increased operations by 89% year over year, weaponizing AI across reconnaissance, credential theft and evasion. Intrusions now move through trusted identities, SaaS applications and cloud infrastructure, blending into normal activity while compressing defenders’ response time. AI is both the accelerant and the target.

Global threat report highlights

Based on frontline intelligence from CrowdStrike’s threat hunters and intelligence analysts tracking more than 280 named adversaries, the report reveals:

AI is the new attack surface — prompts are the new malware: Adversaries exploited legitimate GenAI tools at more than 90 organizations by injecting malicious prompts to generate commands for stealing credentials and cryptocurrency. They also exploited vulnerabilities in AI development platforms to establish persistence and deploy ransomware, and published malicious AI servers impersonating trusted services to intercept sensitive data.

Fastest breakout time on record: As AI accelerated attacks, the average eCrime breakout time (the interval between initial access and the first lateral movement to another host) fell to 29 minutes, 65% faster than in 2024, with the fastest observed breakout occurring in just 27 seconds. In one intrusion, data exfiltration began within four minutes of initial access.

Nation-state and eCrime AI use accelerates: AI-enabled adversaries increased activity by 89%. Russia-linked FANCY BEAR deployed LLM-enabled malware, LAMEHUG, to automate reconnaissance and document collection. eCrime actor PUNK SPIDER used AI-generated scripts to speed up credential dumping and erase forensic evidence, while DPRK-linked FAMOUS CHOLLIMA leveraged AI-generated personas to scale insider operations.

China- and DPRK-linked operations surge: China-linked activity increased 38% in 2025, with the logistics sector experiencing the largest rise in targeting, up 85%. Sixty-seven percent of the vulnerabilities exploited by China-linked actors delivered immediate system access, and 40% targeted internet-facing edge devices. DPRK-linked incidents rose more than 130% as FAMOUS CHOLLIMA activity more than doubled. PRESSURE CHOLLIMA's $1.46 billion cryptocurrency theft was the largest single financial heist ever reported.

Zero-day and cloud exploitation grow: Forty-two percent of vulnerabilities were exploited before public disclosure as adversaries weaponized zero-days for initial access, remote code execution and privilege escalation. Cloud-focused intrusions rose 37% overall, with a 266% increase among state-linked threat actors targeting cloud environments for intelligence collection.
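Breakout time is the report's headline metric, and it is something a SOC can measure on its own telemetry rather than only read in a vendor report. The script below is an added example, not CrowdStrike code or anything from the report: it parses a constructed, whitespace-delimited event log (timestamp, intrusion ID, host, tactic label), takes the first initial-access event per intrusion, finds the first lateral-movement event on a different host after it, and reports breakout time alongside time-to-exfiltration so intrusions faster than the 29-minute average stand out. The tactic labels, the log format and the sample events are all assumptions for illustration.

```python
"""Compute eCrime breakout time (initial access -> first lateral movement)
from endpoint telemetry. Added example, not CrowdStrike's code; the event
schema, tactic labels and sample events below are constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class Event:
    ts: datetime
    intrusion_id: str
    host: str
    tactic: str  # assumed labels: initial_access, lateral_movement, exfiltration, ...


INITIAL = "initial_access"
LATERAL = "lateral_movement"
EXFIL = "exfiltration"
AVG_BREAKOUT_S = 29 * 60  # 29-minute average cited by the report

# Constructed sample telemetry (not real data). INT-1 mirrors the report's
# extremes: a 27-second breakout and exfiltration under four minutes in.
SAMPLE_LOG = """\
2025-03-01T10:00:00Z INT-1 ws01 initial_access
2025-03-01T10:00:27Z INT-1 srv02 lateral_movement
2025-03-01T10:03:50Z INT-1 srv02 exfiltration
2025-03-01T11:00:00Z INT-2 ws07 initial_access
2025-03-01T11:29:00Z INT-2 dc01 lateral_movement
2025-03-01T12:00:00Z INT-3 ws09 initial_access
2025-03-01T14:00:00Z INT-3 ws09 execution
"""


def parse_events(text: str) -> List[Event]:
    """Parse the constructed log format; timestamps are assumed to be UTC."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, iid, host, tactic = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), iid, host, tactic))
    return events


def breakout_times(events: List[Event]) -> Dict[str, Dict[str, Optional[float]]]:
    """Per intrusion: seconds from first initial access to first lateral
    movement onto a different host ('breakout_s') and to first exfiltration
    ('exfil_s'). Either is None when the stage was never observed."""
    by_id: Dict[str, List[Event]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_id.setdefault(e.intrusion_id, []).append(e)
    stats: Dict[str, Dict[str, Optional[float]]] = {}
    for iid, evs in by_id.items():
        first_access = next((e for e in evs if e.tactic == INITIAL), None)
        if first_access is None:
            continue  # no anchor event; cannot define breakout for this intrusion
        # Lateral movement only counts once the adversary reaches another host.
        lateral = next((e for e in evs if e.tactic == LATERAL
                        and e.ts >= first_access.ts and e.host != first_access.host), None)
        exfil = next((e for e in evs if e.tactic == EXFIL and e.ts >= first_access.ts), None)
        stats[iid] = {
            "breakout_s": (lateral.ts - first_access.ts).total_seconds() if lateral else None,
            "exfil_s": (exfil.ts - first_access.ts).total_seconds() if exfil else None,
        }
    return stats


def faster_than(stats: Dict[str, Dict[str, Optional[float]]], threshold_s: float = AVG_BREAKOUT_S) -> List[str]:
    """Intrusion IDs whose breakout was at or under the threshold (sorted)."""
    return sorted(iid for iid, s in stats.items()
                  if s["breakout_s"] is not None and s["breakout_s"] <= threshold_s)


def average_breakout(stats: Dict[str, Dict[str, Optional[float]]]) -> Optional[float]:
    """Mean breakout time in seconds over intrusions where breakout was observed."""
    vals = [s["breakout_s"] for s in stats.values() if s["breakout_s"] is not None]
    return sum(vals) / len(vals) if vals else None


if __name__ == "__main__":
    stats = breakout_times(parse_events(SAMPLE_LOG))
    for iid, s in stats.items():
        print(iid, s)
    print("at or under 29 min:", faster_than(stats))
    print("average breakout (s):", average_breakout(stats))
```

Two details matter in practice. Breakout is measured to the first host other than the one where initial access occurred, so on-host privilege escalation does not count as breakout, and an intrusion with no observed lateral movement (INT-3 above) contributes nothing to the average rather than a zero. Timestamps must come from a single clock reference (here assumed UTC); with breakouts measured in seconds, clock skew between endpoint agents is enough to invert the order of events.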

“This is an AI arms race,” said Adam Meyers, head of counter adversary operations at CrowdStrike. “Breakout time is the clearest signal of how intrusions have changed. Adversaries are moving from initial access to lateral movement in minutes. AI is compressing the time between intent and execution while turning enterprise AI systems into targets. Security teams must operate faster than the adversary to win.”

Additional resources

● Download the CrowdStrike 2026 Global Threat Report.
● Visit CrowdStrike’s Adversary Universe for comprehensive profiles of tracked adversaries.
● Listen to the Adversary Universe podcast for insights into threat actors and recommendations to strengthen security practices.
● Learn more about the 2026 Global Threat Report through CrowdStrike’s blog and website.

About CrowdStrike

CrowdStrike, a global cybersecurity leader, has redefined modern security with a cloud-native platform designed to protect critical areas of enterprise risk, including endpoints, cloud workloads, identity and data.

Powered by the CrowdStrike Security Cloud and AI, the CrowdStrike Falcon platform leverages real-time indicators of attack, threat intelligence, evolving adversary tradecraft and enriched telemetry across the enterprise to deliver precise detection, automated protection and remediation, threat hunting and prioritized vulnerability observability.

Built in the cloud with a single lightweight agent architecture, the Falcon platform enables rapid, scalable deployment, strong protection and performance, reduced complexity and immediate time to value.

