This year at Black Hat, the topic of AI was everywhere — from hallway chats to the expo floor. Adam and Cristian took a break from the action for a rare in-person conversation about how adversaries are weaponizing AI, how defenders are using agentic AI, and what we should all be thinking about as AI evolves as an offensive and defensive tool. The AI threat is real, and advanced adversaries in particular are using it to their advantage. They’re improving the wording in social engineering attacks, creating deepfakes in fraudulent job interviews, and targeting victims on a more personal level. FAMOUS CHOLLIMA is an example of one adversary “using it for everything,” the hosts say. SCATTERED SPIDER is another adversary to watch. On the other side, defenders are adopting agentic AI to expedite their response. Adam and Cristian explore the importance of protecting AI workloads, the potential for insider threats with AI models, and the growing need for AI governance and security guardrails. If AI is monitoring security services, they ask, who guards the guardian? Tune in for an in-depth conversation on what AI is really capable of — and stick around for a sneak peek of an upcoming guest episode, where a guest joins to discuss young adversaries moving from online gaming to organized cybercrime.

In the first half of 2025 alone, cloud intrusions were up 136% compared to all of 2024. China was a big driver — CrowdStrike saw a 40% year-over-year surge in intrusions from suspected cloud-conscious China-nexus threat actors. In the government sector, interactive intrusions increased 71%, and targeted intrusion activity jumped 185%.

The CrowdStrike OverWatch threat hunting team has a firsthand look at how adversaries are changing their techniques. In the CrowdStrike 2025 Threat Hunting Report, published today, the team shares observations, trends, and shifts seen in its threat hunting and adversary engagements over the past 12 months.

In this episode, Adam and Cristian dive deep into the report’s key findings and put them into context. They explore why the use of malware is going down (and why it won’t go away), unpack the rise in government intrusions, and explain the role of generative AI (GenAI) in today’s threat landscape. They examine the rise of prolific adversaries such as SCATTERED SPIDER and FAMOUS CHOLLIMA and discuss the techniques organizations can use to stop them.

Below are more key stats from this year’s report:

• 73% of all interactive intrusions were eCrime
• 81% of interactive intrusions were malware-free
• In the first half of 2025, voice phishing (vishing) attacks surpassed the total number seen in 2024
• FAMOUS CHOLLIMA insiders infiltrated 320+ companies in the last 12 months — a 220% year-over-year increase — by using GenAI throughout hiring and employment

Download the report to learn more.

Links:

📃 Threat Hunting Report: https://www.crowdstrike.com/resources/reports/threat-hunting-report/

🎧 Our site: https://www.crowdstrike.com/en-us/resources/adversary-universe-podcast/

They never really left — they just got quieter, faster, and bolder. In this episode of the Adversary Universe podcast, Adam and Cristian trace the resurgence of SCATTERED SPIDER, one of today’s most aggressive and sophisticated adversary groups.

Once known for SIM swapping and gaming community exploits, SCATTERED SPIDER has evolved into a high-speed, high-impact ransomware crew targeting the retail, insurance, and aviation sectors. Adam shares CrowdStrike’s front-line insights into how the group operates, from conducting help desk social engineering and bypassing multifactor authentication (MFA) to hijacking hypervisors and exfiltrating data via software as a service (SaaS) integrations.

Tune in to learn:

• How SCATTERED SPIDER blends SIM swapping, voice phishing, and cloud-native tradecraft
• Why they’re one of the fastest threat actors we’ve seen, sometimes encrypting systems within 24 hours
• What defenders must do to spot them early and act fast
• And yes, why they still haven’t been arrested

Check the show notes for CrowdStrike’s latest guidance and technical blog on SCATTERED SPIDER.

You asked, and we answered. This episode of the Adversary Universe podcast takes a deep dive into questions from our listeners.

What did you want to know? Well, a lot about adversaries, but also about career paths and the threat intel space. Tune in to hear the answers to questions like:

• How did you break into the threat intelligence space? • Who is the first adversary CrowdStrike tracked? • Who is an adversary that keeps you up at night and why? • What was a jaw-dropping moment you experienced in tracking adversaries? • If you didn’t work in infosec, what would your dream job be?

Thanks to everyone who submitted questions. We’d love to continue hearing from you.

💼 Careers at CrowdStrike: https://www.crowdstrike.com/en-us/careers/

Physical security and IT security have gone hand in hand for a long time. While cybersecurity teams are rightfully focused on protecting their virtual environments, they should also have an eye on whether an adversary is walking through the front door.

“Anytime there’s a physical boundary, an adversary is going to look to cross over that — whether it be in person or using some technology to get over that boundary,” Adam says in this episode on physical security threats.

Not too long ago, it was common for someone to walk into a business, slide behind the counter, and insert a USB device into a point-of-sale system to deploy malware or remote access tools. Now, this type of activity is less common, but it still occurs; China-nexus threat actor MUSTANG PANDA, for example, is dropping USB sticks to gain access to targets across the Asia Pacific region.

This conversation is full of twists, turns, and interesting stories. Tune in to hear about adversaries physically breaking into target organizations, Adam’s adventures in pen testing, the physical security implications for internet of things (IoT) and operational technology (OT) environments, and what organizations should know about protecting their physical environments.

Would you rather have an adversary profile you based on your AI chat history or tell your AI chatbot to forget everything it knows about you?

That’s one of many questions Adam and Cristian explore in this episode on how adversaries are integrating AI into cyberattacks. These days, it seems AI is everywhere — and that includes the adversary’s toolbox. Adam and Cristian describe multiple forms of malware that use AI in different ways, from identifying text in photos to writing code. And while these attacks still require humans to stitch all the pieces together, there is a growing concern that adversaries will continue to improve.

Tune in to learn how adversaries are baking AI into their tools, and about Adam’s latest adventures in baking bread, in this episode of the Adversary Universe podcast.

Today’s adversaries are increasingly operating in the cloud — and Sebastian Walla, Deputy Manager of Emerging Threats at CrowdStrike, is watching them. In this episode, he joins Adam and Cristian to dive into the latest cloud attack techniques and the adversaries behind them.

So, who are they? SCATTERED SPIDER and LABYRINTH CHOLLIMA are two of the threat actors targeting and navigating cloud environments, but they have distinct methods of doing so. This conversation explores the different ways they slip into organizations undetected, some of the tools they rely on, and how they operate under the radar. It also touches on the future of cloud threat activity and AI’s influence on how these attacks are evolving.

Of course, no Adversary Universe episode is complete without guidance. Adam, Cristian, and Sebastian share best practices for protecting enterprise cloud environments from these threats as adversaries continue to take aim.

Latin America has become a hotspot for cyber activity. Threat actors around the world, particularly eCriminals, are targeting organizations operating in Central and South America, Mexico, and the Caribbean. Latin America-based cybercriminals are emerging as well.

The CrowdStrike 2025 Latin America Threat Landscape Report provides key insights into this activity. In its pages, the CrowdStrike Counter Adversary Operations team details the eCrime, targeted intrusions, hacktivist disruptions, and cyber espionage targeting organizations that operate in Latin America. And in this episode of the Adversary Universe podcast, Adam and Cristian give listeners a snapshot of the key findings. These include:

• A 15% increase in Latin America-based victims named on data extortion and ransomware leak sites in 2024
• Over one billion credentials leaked from Latin American organizations last year
• The evolving presence of eCriminals such as OCULAR SPIDER
• The activity of nation-state adversaries such as LIMINAL PANDA and VIXEN PANDA, both linked to China

Tune in to learn how this report came to be and understand some of the critical trends shaping the Latin America threat landscape. And of course, check out the report to learn all the details.

Links:

Read the CrowdStrike 2025 Latin America Threat Landscape Report:

https://www.crowdstrike.com/en-us/resources/reports/latam-threat-landscape-report/

Listen to our full episode on OCULAR SPIDER, referenced in this episode:

https://open.spotify.com/episode/3gJMkVKuSfKhqSAHwMb7NX?si=cf2e453ebc0843a5

🎧 Spotify: https://open.spotify.com/show/1ZYDiiBuJvTx7YsvuCenEZ

🎧 Apple Podcasts: https://podcasts.apple.com/us/podcast/adversary-universe-podcast/id1694819239

🎧 Our site: https://lnkd.in/etSAySBb