Cybersecurity company CrowdStrike said threat actors are now using Generative AI (GenAI) to make cyberattacks faster and more scalable, while also targeting AI tools and systems themselves, according to its 2025 Threat Hunting Report.
Based on intelligence from more than 265 tracked adversaries, the report describes how attackers are exploiting tools used to build AI agents, gaining access, stealing credentials, and deploying malware. CrowdStrike said this shows that machine identities and autonomous systems have become a key part of the enterprise attack surface.
“Every AI agent is a superhuman identity: autonomous, fast, and deeply integrated, making them high-value targets,” said Adam Meyers, head of counter adversary operations at CrowdStrike. “Adversaries are treating these agents like infrastructure, attacking them the same way they target SaaS platforms, cloud consoles, and privileged accounts. Securing the AI that powers business is where the cyber battleground is evolving.”
The report highlights how a North Korea-linked group, Famous Chollima, used GenAI to scale insider threats by automating resume creation, deepfake interviews, and technical tasks using fake identities. Russia-linked Ember Bear used GenAI to spread pro-Russia content, while Iran-linked Charming Kitten used AI to craft phishing lures aimed at U.S. and EU targets.
CrowdStrike also observed attackers breaking into systems used to develop AI agents, often without needing credentials. They then installed malware or ransomware, showing how autonomous workflows and non-human identities are becoming key targets for exploitation.
Lower-level cybercriminals and hacktivists are now using GenAI to create scripts and tools that once required advanced skills. CrowdStrike pointed to Funklocker and SparkCat as early examples of operational malware developed with AI.
The group Scattered Spider resurfaced in 2025 with faster identity-based attacks. It used fake calls and help desk impersonation to reset passwords, bypass multi-factor authentication, and deploy ransomware across cloud and SaaS systems, sometimes within 24 hours of initial access.
Cloud-based intrusions also rose by 136%, with China-linked adversaries responsible for 40% of the increase. CrowdStrike said groups like Genesis Panda and Murky Panda used cloud misconfigurations and trusted credentials to avoid detection.