
CrowdStrike 2026 Global Threat Report: The Evasive Adversary Wields AI

The CrowdStrike 2026 Global Threat Report highlights a shift toward highly evasive, malware-free attacks leveraging valid credentials, AI tools, and supply chain compromises. Adversaries are operating with unprecedented speed, with average breakout times dropping to 29 minutes, while increasingly targeting AI infrastructure, cloud environments, and network edge devices.

Confidence: high | Analyzed: 2026-03-20 | Type: reports

Authors: CrowdStrike Counter Adversary Operations

Actors:

  • PRESSURE CHOLLIMA
  • FAMOUS CHOLLIMA
  • STARDUST CHOLLIMA
  • China-nexus adversaries
  • North Korea-nexus adversaries

Source: CrowdStrike

Key Takeaways

  • Average eCrime breakout time dropped to 29 minutes, with the fastest observed at 27 seconds.
  • 82% of detections were malware-free, relying heavily on valid credentials, trusted identity flows, and SaaS integrations.
  • Adversaries are actively exploiting AI systems, injecting malicious prompts into GenAI tools, and targeting AI development platforms.
  • Significant increase in state-nexus activity, including a 130% rise in North Korea-nexus incidents and a 38% rise in China-nexus intrusions.
  • Supply chain attacks remain a critical threat, exemplified by PRESSURE CHOLLIMA's $1.46B cryptocurrency theft via trojanized software.

Affected Systems

  • AI development platforms
  • GenAI tools
  • SaaS platforms
  • Cloud environments
  • Network edge devices (VPN appliances, firewalls, gateways)

Vulnerabilities (CVEs)

  • No specific CVEs are named. The report cites a 42% year-over-year increase in vulnerabilities exploited before public disclosure (zero-days), with network edge devices the most frequently cited targets.

Attack Chain

Initial access increasingly comes from spam email and fake CAPTCHA lures (which trick the user into running attacker-supplied commands or handing over credentials) and from zero-day exploitation of network edge devices such as VPN appliances, firewalls and gateways. Once inside, adversaries authenticate with the valid credentials they obtained and pivot through trusted SaaS integrations rather than dropping tooling, reaching a second host in as little as 27 seconds. Because most of the chain is malware-free, the observable activity is authentication, token and API usage rather than process execution; the objectives are persistence in cloud environments and AI development platforms, ransomware deployment, or exfiltration of sensitive data and cryptocurrency.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in this high-level threat report summary.

Detection Engineering Assessment

  • EDR Visibility: Medium. 82% of attacks are malware-free and rely on valid accounts and SaaS integrations, so endpoint alerting without identity and behavioral context misses most of the chain.
  • Network Visibility: Medium. Edge device exploitation and cloud/SaaS lateral movement often bypass internal network sensors; API-level and edge-specific telemetry is required.
  • Detection Difficulty: Hard. Malware-free attacks using valid credentials and trusted integrations blend in with normal administrative and user activity.

Required Log Sources

  • Cloud Audit Logs
  • Identity Provider (IdP) Logs
  • SaaS Application Logs
  • VPN/Firewall Authentication Logs

Hunting Hypotheses

  • Hypothesis: Adversaries are using compromised valid accounts to access cloud or SaaS environments from anomalous locations or via impossible travel.
    Telemetry: Identity Provider (IdP) Logs, Cloud Audit Logs
    ATT&CK Stage: Initial Access / Lateral Movement
    FP Risk: Medium
  • Hypothesis: Threat actors are injecting malicious prompts or making anomalous API calls directed at internal GenAI tools or AI development platforms.
    Telemetry: Application Logs, Web Proxy Logs
    ATT&CK Stage: Execution
    FP Risk: High
  • Hypothesis: Adversaries are exploiting network edge devices (VPNs, firewalls), resulting in unexpected outbound connections or configuration changes.
    Telemetry: Firewall Logs, VPN Logs, Network Flow Logs
    ATT&CK Stage: Initial Access / Persistence
    FP Risk: Low
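The first hypothesis is the one most directly testable from IdP logs alone. The following is an added example written for this page, not detection logic from the CrowdStrike report: it reads constructed JSON-lines sign-in events, keeps only successful sign-ins (a failed attempt does not prove the user was at that location), and flags consecutive sign-ins by the same user whose implied ground speed exceeds what an airliner could cover. The field names, the coordinates, the 900 km/h speed ceiling and the 200 km minimum distance are assumptions; tune the last two to your geo-IP quality.

```python
"""Impossible-travel detection over IdP sign-in events.

Added example, not from the CrowdStrike report or this page. The log lines,
field names, coordinates and thresholds below are constructed/assumed.
"""
import json
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in log (JSON lines). "alice" signs in from Toronto
# and 31 minutes later from Singapore; "bob" moves Toronto -> Montreal over
# 4.5 hours, which is physically plausible and must not alert.
SAMPLE_LOG = """
{"ts": "2026-03-18T09:00:00Z", "user": "alice", "result": "success", "ip": "203.0.113.10", "lat": 43.65, "lon": -79.38}
{"ts": "2026-03-18T09:02:00Z", "user": "alice", "result": "failure", "ip": "192.0.2.9",    "lat": 48.85, "lon": 2.35}
{"ts": "2026-03-18T09:31:00Z", "user": "alice", "result": "success", "ip": "198.51.100.7", "lat": 1.35,  "lon": 103.82}
{"ts": "2026-03-18T09:05:00Z", "user": "bob",   "result": "success", "ip": "203.0.113.22", "lat": 43.65, "lon": -79.38}
{"ts": "2026-03-18T13:40:00Z", "user": "bob",   "result": "success", "ip": "203.0.113.23", "lat": 45.50, "lon": -73.57}
"""

MAX_PLAUSIBLE_KMH = 900.0   # assumption: roughly airliner cruise speed
MIN_DISTANCE_KM = 200.0     # assumption: ignore geo-IP jitter within a region


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_events(text):
    """Parse JSON-lines sign-in events; timestamps become tz-aware datetimes."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return events


def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Return one finding per consecutive pair of successful sign-ins whose
    implied speed exceeds max_kmh over at least min_km."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":      # failures don't establish presence
            by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < min_km:
                continue
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600.0
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                findings.append({
                    "user": user, "from_ip": prev["ip"], "to_ip": cur["ip"],
                    "km": round(km), "minutes": round(hours * 60), "kmh": round(speed),
                })
    return findings


if __name__ == "__main__":
    for f in find_impossible_travel(parse_events(SAMPLE_LOG)):
        print(f)
```

Run on the sample, only alice's Toronto-to-Singapore pair is returned (about 15,000 km in 31 minutes). The medium FP risk the table assigns comes from VPN egress changes and mobile carrier geo-IP errors; the minimum-distance floor and a per-user allowlist of known egress IPs are the usual first tuning steps.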

Control Gaps

  • Lack of comprehensive monitoring on network edge devices
  • Insufficient behavioral analytics for identity and SaaS platforms
  • Blind spots in AI development pipelines and GenAI usage

Key Behavioral Indicators

  • Anomalous SaaS integration usage or new API key generation
  • Rapid lateral movement across domains within minutes of initial login
  • Fake CAPTCHA interactions preceding credential use
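The report's breakout-time figures (29 minutes on average, 27 seconds at the fastest) are measurable in your own authentication telemetry, which is how the "rapid lateral movement within minutes of initial login" indicator turns into a hunt. The block below is an added example, not code from the report: over a constructed stream of logon events it takes a user's first interactive logon as the foothold and measures the time until that foothold host is used as the source of a network logon to a different host. The event schema (logon_type, src_host, dst_host) is an assumption; the 30-minute alert threshold is chosen to match the report's average.

```python
"""Breakout-time measurement over authentication events.

Added example, not from the CrowdStrike report or this page. The events and
their field names are constructed; only the 30-minute threshold comes from
the report's reported 29-minute average breakout time.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon events. alice pivots 27 seconds after her foothold logon,
# bob pivots after 2h45m of normal work, carol never pivots.
SAMPLE_LOG = """
{"ts": "2026-03-18T10:00:00Z", "user": "alice", "logon_type": "interactive", "src_host": "vpn-gw", "dst_host": "ws-101"}
{"ts": "2026-03-18T10:00:27Z", "user": "alice", "logon_type": "network",     "src_host": "ws-101", "dst_host": "fs-02"}
{"ts": "2026-03-18T10:04:00Z", "user": "alice", "logon_type": "network",     "src_host": "ws-101", "dst_host": "dc-01"}
{"ts": "2026-03-18T08:30:00Z", "user": "bob",   "logon_type": "interactive", "src_host": "vpn-gw", "dst_host": "ws-202"}
{"ts": "2026-03-18T11:15:00Z", "user": "bob",   "logon_type": "network",     "src_host": "ws-202", "dst_host": "fs-02"}
{"ts": "2026-03-18T09:10:00Z", "user": "carol", "logon_type": "interactive", "src_host": "vpn-gw", "dst_host": "ws-303"}
"""

BREAKOUT_ALERT = timedelta(minutes=30)   # assumption: alert below the report's average


def parse_events(text):
    """Parse JSON-lines logon events; timestamps become tz-aware datetimes."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return events


def breakout_times(events, alert_below=BREAKOUT_ALERT):
    """Per user: seconds from the first interactive logon (the foothold) to the
    first network logon that uses the foothold host to reach another host."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    results = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        entry = next((e for e in evs if e["logon_type"] == "interactive"), None)
        if entry is None:
            continue                       # no foothold observed for this user
        foothold = entry["dst_host"]
        pivot = next(
            (e for e in evs
             if e["ts"] > entry["ts"]
             and e["logon_type"] == "network"
             and e["src_host"] == foothold
             and e["dst_host"] != foothold),
            None,
        )
        if pivot is None:
            results[user] = {"foothold": foothold, "pivot_to": None,
                             "breakout_seconds": None, "alert": False}
            continue
        delta = pivot["ts"] - entry["ts"]
        results[user] = {"foothold": foothold, "pivot_to": pivot["dst_host"],
                         "breakout_seconds": delta.total_seconds(),
                         "alert": delta < alert_below}
    return results


if __name__ == "__main__":
    for user, r in breakout_times(parse_events(SAMPLE_LOG)).items():
        print(user, r)
```

On the sample, alice is flagged with a 27-second breakout to fs-02, bob's 9,900-second pivot is recorded but not flagged, and carol has no pivot. The measurement is the part that matters for the "sub-30-minute" incident-response planning in the recommendations: if your median legitimate breakout time is already low (jump hosts, automation accounts), the threshold has to be set per population rather than globally.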

False Positive Assessment

  • Low for the behavioral indicators above. The per-hypothesis FP risk in the hunting table is higher (Medium for impossible travel, High for GenAI prompt/API anomalies) and should be used when prioritizing hunts.

Recommendations

Immediate Mitigation

  • Enforce MFA across all external-facing services, VPNs, and SaaS applications.
  • Review and audit active SaaS integrations, OAuth tokens, and API keys.
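Auditing SaaS integrations is mostly a matter of pulling the tenant's grant or key inventory and asking three questions of each entry: does it hold privileged scopes, was it granted recently (a consent-phishing or token-theft artefact), and is it still used. The block below is an added example written for this page, not a tool from the report or from any SaaS vendor: it triages a constructed JSON-lines export of OAuth grants. The export format, the high-privilege scope list, the 90-day staleness and 7-day recency windows, and the fixed reference date are all assumptions; map them to your tenant's actual scope names and export schema.

```python
"""Triage of an exported OAuth grant / API key inventory.

Added example, not from the CrowdStrike report or this page. The export
format, scope names, thresholds and the fixed reference date are assumed.
"""
import json
from datetime import datetime, timedelta, timezone

# Fixed reference time so a run is reproducible; use datetime.now(timezone.utc)
# in practice.
NOW = datetime(2026, 3, 20, tzinfo=timezone.utc)

# Assumption: scope names that grant broad read/write or admin rights.
HIGH_PRIV_SCOPES = {"mail.readwrite", "files.readwrite.all", "directory.readwrite.all", "admin"}
STALE_AFTER = timedelta(days=90)     # assumption: unused grants older than this are stale
RECENT_WITHIN = timedelta(days=7)    # assumption: recently granted = worth a human look

# Constructed export: one benign long-lived grant, one fresh unverified app with
# mailbox write access, one stale service integration with tenant-wide file access.
SAMPLE_GRANTS = """
{"app": "Expense Tracker",   "grantee": "alice",       "scopes": ["profile", "calendars.read"],       "created": "2025-06-01T00:00:00Z", "last_used": "2026-03-19T08:00:00Z", "verified_publisher": true}
{"app": "Mail Sync Helper",  "grantee": "bob",         "scopes": ["mail.readwrite", "offline_access"], "created": "2026-03-17T14:20:00Z", "last_used": "2026-03-17T14:21:00Z", "verified_publisher": false}
{"app": "Old Reporting Bot", "grantee": "svc-reports", "scopes": ["files.readwrite.all"],             "created": "2024-01-10T00:00:00Z", "last_used": "2025-10-01T00:00:00Z", "verified_publisher": true}
"""


def parse_grants(text):
    """Parse JSON-lines grant records; timestamps become tz-aware datetimes."""
    grants = []
    for line in text.strip().splitlines():
        g = json.loads(line)
        for key in ("created", "last_used"):
            g[key] = datetime.fromisoformat(g[key].replace("Z", "+00:00"))
        grants.append(g)
    return grants


def triage(grants, now=NOW):
    """Return grants that need review, each with the reasons it was selected."""
    findings = []
    for g in grants:
        reasons = []
        priv = HIGH_PRIV_SCOPES & {s.lower() for s in g["scopes"]}
        if priv:
            reasons.append("high-privilege scopes: " + ", ".join(sorted(priv)))
        if not g["verified_publisher"]:
            reasons.append("unverified publisher")
        if now - g["created"] <= RECENT_WITHIN:
            reasons.append("granted in last 7 days")
        if now - g["last_used"] >= STALE_AFTER:
            reasons.append("unused for 90+ days")
        if reasons:
            findings.append({"app": g["app"], "grantee": g["grantee"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(parse_grants(SAMPLE_GRANTS)):
        print(f["app"], "->", f["grantee"], ":", "; ".join(f["reasons"]))
```

"Mail Sync Helper" is selected on three counts (privileged scope, unverified publisher, granted three days ago), which is the profile of a consent-phishing grant; "Old Reporting Bot" is selected because tenant-wide file access has sat unused for months and should be revoked rather than left for an attacker to find.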

Infrastructure Hardening

  • Implement comprehensive monitoring and aggressive patch management for network edge devices (VPNs, firewalls, gateways).
  • Secure AI development pipelines and monitor enterprise GenAI tool usage for prompt injection or data exfiltration.

User Protection

  • Deploy identity threat detection and response (ITDR) solutions to catch malware-free, credential-based lateral movement.
  • Implement robust email filtering to block the rising volume of spam and fake CAPTCHA lures.

Security Awareness

  • Conduct training on the risks of AI-generated social engineering and fake CAPTCHA mechanisms.
  • Update incident response plans to account for sub-30-minute breakout times, emphasizing automated containment.

MITRE ATT&CK Mapping

  • T1078 - Valid Accounts
  • T1190 - Exploit Public-Facing Application
  • T1195 - Supply Chain Compromise
  • T1566 - Phishing
  • T1566.002 - Spearphishing Link
  • T1068 - Exploitation for Privilege Escalation

Additional IOCs

  • URLs (references cited by the report, not attacker infrastructure):
    • hxxps://www[.]elliptic[.]co/blog/bybit-hack-largest-in-history - Reference to the Bybit hack involving PRESSURE CHOLLIMA cryptocurrency theft
    • hxxps://www[.]ic3[.]gov/psa/2025/psa250226 - IC3 Public Service Announcement referenced in the report