Threat Actors Exploit AI to Scale Attacks and Target Autonomous Agents

Adversaries are using artificial intelligence (AI) to work faster and cheaper in a fast-changing threat landscape, scaling their attacks and increasingly targeting the autonomous AI agents that underpin modern enterprise environments.

According to frontline intelligence in CrowdStrike’s 2025 Threat Hunting Report, compiled by its threat hunters and analysts, threat actors are using generative AI (GenAI) to get more out of resource-constrained operations, letting them infiltrate organizations with unprecedented speed and precision.

This shift lets even lower-skilled eCrime and hacktivist groups automate tasks that traditionally required advanced expertise, such as malware development, script generation, and technical troubleshooting.

AI Weaponization

For instance, the DPRK-nexus adversary FAMOUS CHOLLIMA has infiltrated more than 320 companies in the past 12 months, a 220% year-over-year surge, by integrating GenAI throughout the hiring and employment lifecycle.

These operators use GenAI to fabricate convincing resumes, run real-time deepfakes to mask their identities during video interviews, and rely on AI coding tools to perform the job while concealing who is actually doing the work.

Similarly, EMBER BEAR uses GenAI to amplify pro-Russia narratives, and CHARMING KITTEN crafts phishing lures with large language models (LLMs) aimed at entities in the U.S. and EU.

This weaponization extends to exploiting vulnerabilities in AI software stacks to gain unauthenticated access, harvest credentials, establish persistence, and deploy malware, including emerging GenAI-built families such as Funklocker and SparkCat.

As enterprises accelerate AI adoption, the attack surface grows with it; threat actors are prioritizing AI-integrated systems and turning the traditional insider threat into persistent, scalable campaigns.

Cross-Domain Intrusions

Compounding these risks, adversaries are mastering cross-domain attacks, moving fluidly between endpoints, identity systems, cloud environments, and unmanaged assets to evade controls that watch only one of those domains.

The resurgence of SCATTERED SPIDER exemplifies this proficiency: its operators use voice phishing (vishing) and help desk impersonation to get credentials reset, bypass multifactor authentication (MFA), and move laterally across SaaS and cloud infrastructure.

In one documented incident, SCATTERED SPIDER went from initial access to ransomware encryption in under 24 hours, using previously acquired personally identifiable information (PII) to impersonate employees and pass help desk identity checks.

After the account takeover, the actors pivot to connected platforms (data warehousing, document management, identity and access management) to establish persistence, exfiltrate data, and spread further.
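The help-desk-driven account takeover described above is a sequence that identity audit logs can surface: a help desk-initiated password reset, followed shortly by a new MFA factor enrollment, followed by SSO logins from a network the user has never used. The following Python is an added example written for this article, not CrowdStrike code or tooling; the event names, field layout, per-user ASN baseline, and sample log entries are all constructed for illustration and would need mapping onto a real identity provider's audit schema.

```python
"""Detect the help-desk-reset -> MFA re-enrollment -> new-network login chain.

Added example. Event names, fields and sample data are constructed, not any
vendor's schema; the SAMPLE_EVENTS and KNOWN_ASNS below are hypothetical.
"""
import json
from datetime import datetime, timedelta

# Constructed identity-provider audit events. src_asn 0 marks an internal/admin action.
SAMPLE_EVENTS = [
    # Takeover chain: help desk resets password, attacker enrolls own MFA, logs in from new ASN
    {"ts": "2025-06-03T14:02:11Z", "user": "j.doe", "event": "password.reset",
     "actor": "helpdesk:agent07", "src_asn": 0},
    {"ts": "2025-06-03T14:05:40Z", "user": "j.doe", "event": "mfa.factor.enroll",
     "actor": "j.doe", "src_asn": 396982},
    {"ts": "2025-06-03T14:09:02Z", "user": "j.doe", "event": "sso.login",
     "actor": "j.doe", "src_asn": 396982, "app": "data-warehouse"},
    {"ts": "2025-06-03T14:12:30Z", "user": "j.doe", "event": "sso.login",
     "actor": "j.doe", "src_asn": 396982, "app": "document-mgmt"},
    # Benign: help desk reset, but the user signs in from a known network with existing MFA
    {"ts": "2025-06-03T09:15:00Z", "user": "a.smith", "event": "password.reset",
     "actor": "helpdesk:agent02", "src_asn": 0},
    {"ts": "2025-06-03T09:20:12Z", "user": "a.smith", "event": "sso.login",
     "actor": "a.smith", "src_asn": 7922, "app": "mail"},
    # Benign: self-service MFA re-enrollment with no help desk reset, known network
    {"ts": "2025-06-03T11:40:00Z", "user": "b.lee", "event": "mfa.factor.enroll",
     "actor": "b.lee", "src_asn": 7922},
    {"ts": "2025-06-03T11:41:05Z", "user": "b.lee", "event": "sso.login",
     "actor": "b.lee", "src_asn": 7922, "app": "mail"},
]

# Constructed per-user baseline: ASNs each user has logged in from over the prior 30 days.
KNOWN_ASNS = {"j.doe": {7922}, "a.smith": {7922}, "b.lee": {7922, 15169}}

WINDOW = timedelta(minutes=60)  # how soon after the reset the rest of the chain must occur


def _ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")


def detect_helpdesk_takeover(events, known_asns, window=WINDOW):
    """Return one alert per help-desk password reset that is followed, within
    `window`, by an MFA factor enrollment and then at least one SSO login from
    an ASN outside that user's baseline. A reset alone, or a login from a known
    network, does not fire, which keeps ordinary help desk tickets quiet."""
    by_user = {}
    for e in sorted(events, key=_ts):
        by_user.setdefault(e["user"], []).append(e)

    alerts = []
    for user, evs in by_user.items():
        baseline = known_asns.get(user, set())
        for i, reset in enumerate(evs):
            if reset["event"] != "password.reset" or not reset["actor"].startswith("helpdesk:"):
                continue
            deadline = _ts(reset) + window
            enroll, apps, new_asns = None, [], set()
            for follow in evs[i + 1:]:
                if _ts(follow) > deadline:
                    break
                if follow["event"] == "mfa.factor.enroll":
                    enroll = follow
                elif (enroll is not None and follow["event"] == "sso.login"
                      and follow["src_asn"] not in baseline):
                    apps.append(follow["app"])
                    new_asns.add(follow["src_asn"])
            if enroll is not None and apps:
                alerts.append({
                    "user": user,
                    "reset_by": reset["actor"],
                    "reset_at": reset["ts"],
                    "mfa_enrolled_at": enroll["ts"],
                    "new_asns": sorted(new_asns),
                    "apps": apps,  # platforms reached after takeover, in order
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_helpdesk_takeover(SAMPLE_EVENTS, KNOWN_ASNS):
        print(json.dumps(alert))
```

Only j.doe fires: the reset was performed by a help desk agent, a new factor was enrolled minutes later, and the subsequent logins came from ASN 396982, which is absent from that user's baseline. In production the baseline should come from real sign-in history rather than a static dict, the window should be tuned to local help desk turnaround, and a factor reset or removal performed by the help desk itself deserves the same treatment as the enrollment step, since that is the MFA bypass the actors are after.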

Cloud intrusions rose 136% in the first half of 2025 compared with all of 2024, driven by a 40% increase in activity from suspected China-nexus actors such as GENESIS PANDA and MURKY PANDA, who exploit misconfigurations and abuse trusted access to evade detection.

GLACIAL PANDA’s deep embedding in telecommunications networks has driven a 130% rise in nation-state espionage within that sector.

CrowdStrike now tracks more than 265 named adversaries and 150 activity clusters. Interactive intrusions rose 27% year over year, and 81% of them were malware-free, relying on hands-on-keyboard activity that legacy, file-centric detections miss.

eCrime accounts for 73% of these intrusions, and vishing volumes are on track to double by year’s end.

The government sector saw a 71% overall increase in interactive intrusions and a 185% spike in targeted intrusions. Defenders should fold these observations into detection and response planning, particularly around identity and help desk workflows, to counter AI-augmented threats effectively.

