Technical Brief: Evolving Threat Actor Tactics in 2025

Introduction

The cybersecurity landscape is constantly evolving, and organizations must stay informed about current threat actor tactics to defend effectively. The CrowdStrike 2025 Global Threat Report documents the increasing sophistication and adaptability of cyber adversaries. This technical brief summarizes key findings from that report, focusing on initial access and persistence techniques.

Key Trends

  • Enterprising Adversaries: Today's adversaries are becoming more efficient and business-like in their approach, mirroring the organizations they target. They are streamlining tactics, refining strategies, and learning from past experiences.
  • The Business of Social Engineering: eCrime and targeted intrusion adversaries are leveraging human-centric techniques like vishing and help desk social engineering to gain initial access.
  • AI-Driven Attacks: Generative AI (GenAI) plays a significant role in sophisticated cyberattack campaigns, enabling adversaries to create convincing fake personas and conduct AI-driven disinformation campaigns.

Initial Access Techniques

  • Social Engineering:
    • Vishing attacks have seen explosive growth, increasing 442% between the first and second half of 2024.
    • Adversaries impersonate IT support staff, persuading users to establish remote support sessions, often using tools like Microsoft Quick Assist.
    • Spam bombing (flooding a target's inbox with subscription confirmations and other junk) is used as a pretext: the attacker then calls posing as IT support and offers to fix the problem.
    • Help desk social engineering involves impersonating legitimate employees to reset passwords and MFA.
    • GenAI is used to create convincing content for social engineering, such as fake LinkedIn profiles and deepfake videos.
  • Exploiting Vulnerabilities:
    • Adversaries exploit vulnerabilities to gain initial access, with 52% of observed vulnerabilities in 2024 linked to initial access.
    • They target devices on the network periphery (edge appliances such as VPN gateways and firewalls) where traditional EDR visibility is limited, because these devices typically cannot run an endpoint agent.
    • Exploit chaining, combining two or more exploits against the same target, is used to increase capabilities and impact.
    • Legitimate features, such as an appliance's integrated command shell, are abused to achieve remote code execution (RCE) once an initial foothold is gained, so a vulnerability that by itself only yields access to a management interface can still end in RCE.
  • Abusing Valid Accounts:
    • Abusing valid accounts has become a primary initial access vector to the cloud, accounting for 35% of cloud incidents in the first half of 2024.
    • Attackers use stealth-oriented tactics to access credentials without alerting the user.
    • Information stealers like Stealc and Vidar are used to target cloud accounts.
    • Trust relationships between business partners and their cloud tenants are abused to access environments without needing credentials in the victim tenant.
  • Access Brokers:
    • Access broker activity surged in 2024, with advertised accesses increasing by nearly 50% over 2023.
    • These brokers specialize in acquiring access to organizations and selling it to other threat actors.
  • Shifting from Malware to RMM Tools:
    • eCrime adversaries are moving away from conventional email phishing toward other access methods (vishing, help desk social engineering, purchased access) and then operating through legitimate RMM tools rather than custom implants, so malware is no longer essential to the intrusion and file-based detection alone will miss it.
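
The vishing and RMM-abuse patterns above share an observable: a remote-support or RMM binary is started on an endpoint where IT never deployed it, usually interactively by the user who was talked into it. The following detection is an added example written for this brief; it is not code from the CrowdStrike report or from this site. The process-creation events are constructed and use a simplified schema (`host`, `user`, `image`, `parent`, `ts`) that is an assumption, not any vendor's telemetry format, and the list of RMM executables and the per-host approval table are illustrative placeholders to be replaced with your own inventory.

```python
"""Flag remote-support / RMM tool launches that are not approved for a host.

Added example, not from the CrowdStrike report or this post. Events are
constructed to resemble simplified process-creation telemetry; the field
names are an assumption rather than a real product schema.
"""
from __future__ import annotations

# Illustrative remote-support / RMM executables (assumption: extend with the
# tools actually present in your environment). Keys are lower-cased basenames.
RMM_BINARIES = {
    "quickassist.exe": "Microsoft Quick Assist",
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "screenconnect.clientservice.exe": "ConnectWise ScreenConnect",
}

# Assumed per-host approval table: which RMM product IT deliberately deployed.
APPROVED = {"WS-FIN-01": {"ConnectWise ScreenConnect"}, "WS-HR-07": set()}

# Constructed sample telemetry (hostnames, users and paths are made up).
EVENTS = [
    {"host": "WS-FIN-01", "user": "alice", "ts": "2025-03-04T09:01:00Z",
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"host": "WS-FIN-01", "user": "alice", "ts": "2025-03-04T14:22:10Z",
     "image": r"C:\Windows\System32\QuickAssist.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "WS-HR-07", "user": "bob", "ts": "2025-03-04T14:25:30Z",
     "image": r"C:\Users\bob\Downloads\AnyDesk.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "WS-HR-07", "user": "bob", "ts": "2025-03-04T14:26:00Z",
     "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> dict | None:
    """Return a finding for an RMM launch, or None if the process is not an RMM tool."""
    product = RMM_BINARIES.get(basename(event["image"]))
    if product is None:
        return None
    approved = product in APPROVED.get(event["host"], set())
    # An interactive launch (explorer.exe as parent) of an unapproved tool is
    # the vishing shape: the user started it themselves while on the phone.
    interactive = basename(event["parent"]) == "explorer.exe"
    # A binary running from a user-writable path was downloaded ad hoc, not
    # deployed by IT, which is typical of "install this so I can help you".
    user_path = "\\users\\" in event["image"].lower()
    if approved:
        severity = "low"
    elif interactive or user_path:
        severity = "high"
    else:
        severity = "medium"
    return {"host": event["host"], "user": event["user"], "ts": event["ts"],
            "product": product, "approved": approved, "interactive": interactive,
            "user_path": user_path, "severity": severity}


def hunt(events: list[dict]) -> list[dict]:
    """Run classify() over telemetry and keep only findings worth triage."""
    return [f for e in events if (f := classify(e)) is not None and f["severity"] != "low"]


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"{f['ts']} {f['host']} {f['user']} launched {f['product']} "
              f"(approved={f['approved']}, interactive={f['interactive']}, severity={f['severity']})")
```

On the constructed data the approved ScreenConnect service on WS-FIN-01 is suppressed, while the interactive Quick Assist launch and the AnyDesk binary started from a Downloads folder both surface as high-severity findings. Paired with a help-desk ticket lookup (did anyone actually request support at that time?), this is the check that turns "a legitimate tool ran" into an actionable vishing alert.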

Persistence Techniques

  • Backdoor Accounts: Adversaries create backdoor user accounts to ensure persistent access to compromised systems. FAMOUS CHOLLIMA establishes persistence via a backdoor administrator user in cloud environments.
  • Alternate MFA Methods: Threat actors register their own devices or authenticator apps as MFA methods on compromised accounts so that MFA challenges are answered by hardware they control.
  • Defense Evasion: Threat actors attempt to evade policy-based security controls by adding alternate MFA methods and by bypassing cloud firewall segmentation.
  • Cloud-Based Persistence: Cloud-conscious actors maintain persistence through alternate authentication mechanisms on hijacked identities, so remediation has to review and remove every authentication method, credential and active session registered on the account rather than only resetting its password.
  • Operational Relay Box (ORB) Networks: China-nexus adversaries use ORB networks to obfuscate their activities and maintain anonymity.
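
The help desk social engineering described under Initial Access and the alternate-MFA persistence above leave a recognisable sequence in identity audit logs: a reset performed by someone other than the account owner, followed shortly by a new MFA method and a sign-in from a network the organisation does not own. The correlation below is an added example written for this brief, not code from the CrowdStrike report or from this site. The audit records are constructed and use a deliberately simplified schema (`op`, `actor`, `target`, `ip`, `ts`); the real Entra ID or Okta audit field names differ and mapping them is left to the reader. The corporate network range and the two-hour window are assumptions.

```python
"""Correlate help-desk resets with new MFA registrations and off-network activity.

Added example, not from the CrowdStrike report or this post. Audit entries are
constructed; the schema is simplified and not any identity provider's format.
"""
from __future__ import annotations
from datetime import datetime, timedelta
import ipaddress

# Constructed audit trail. 'actor' performed the action, 'target' is the
# account it affected. Names, addresses and times are made up.
AUDIT = [
    {"ts": "2025-03-04T13:58:00Z", "op": "ResetPassword",     "actor": "helpdesk1", "target": "carol", "ip": "10.20.0.15"},
    {"ts": "2025-03-04T13:59:00Z", "op": "DeleteMfaMethod",   "actor": "helpdesk1", "target": "carol", "ip": "10.20.0.15"},
    {"ts": "2025-03-04T14:06:00Z", "op": "RegisterMfaMethod", "actor": "carol",     "target": "carol", "ip": "203.0.113.44"},
    {"ts": "2025-03-04T14:07:00Z", "op": "SignIn",            "actor": "carol",     "target": "carol", "ip": "203.0.113.44"},
    {"ts": "2025-03-04T15:30:00Z", "op": "ResetPassword",     "actor": "helpdesk2", "target": "dave",  "ip": "10.20.0.16"},
    {"ts": "2025-03-05T09:00:00Z", "op": "RegisterMfaMethod", "actor": "dave",      "target": "dave",  "ip": "10.20.5.80"},
    {"ts": "2025-03-04T16:00:00Z", "op": "ResetPassword",     "actor": "helpdesk2", "target": "erin",  "ip": "10.20.0.16"},
    {"ts": "2025-03-04T16:10:00Z", "op": "RegisterMfaMethod", "actor": "erin",      "target": "erin",  "ip": "10.20.5.81"},
]

# Assumed: address space the organisation treats as its own (office / VPN).
CORPORATE_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# Assumed: how long after a reset a follow-on action is still "related".
WINDOW = timedelta(hours=2)


def parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def is_corporate(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in CORPORATE_NETS)


def correlate(audit: list[dict]) -> list[dict]:
    """Return one finding per third-party reset that is followed, within WINDOW,
    by a new MFA method and by activity from a non-corporate address."""
    by_target: dict[str, list[dict]] = {}
    for e in audit:
        by_target.setdefault(e["target"], []).append(e)
    findings = []
    for target, evs in by_target.items():
        evs.sort(key=lambda e: parse(e["ts"]))
        for i, reset in enumerate(evs):
            # Self-service resets are out of scope; we want help desk / admin resets.
            if reset["op"] != "ResetPassword" or reset["actor"] == target:
                continue
            deadline = parse(reset["ts"]) + WINDOW
            later = [e for e in evs[i + 1:] if parse(e["ts"]) <= deadline]
            new_mfa_ips = sorted({e["ip"] for e in later if e["op"] == "RegisterMfaMethod"})
            offnet_ips = sorted({e["ip"] for e in later if not is_corporate(e["ip"])})
            mfa_removed = any(e["op"] == "DeleteMfaMethod" for e in later)
            # A new MFA method alone is normal after a reset; the combination with
            # off-network activity is what distinguishes a takeover from a real ticket.
            if new_mfa_ips and offnet_ips:
                findings.append({
                    "target": target, "reset_by": reset["actor"], "reset_ts": reset["ts"],
                    "mfa_removed": mfa_removed, "new_mfa_ips": new_mfa_ips,
                    "offnet_ips": offnet_ips,
                    "severity": "high" if mfa_removed else "medium",
                })
    return findings


if __name__ == "__main__":
    for f in correlate(AUDIT):
        print(f"{f['severity'].upper()}: {f['target']} reset by {f['reset_by']} at {f['reset_ts']}; "
              f"old MFA removed={f['mfa_removed']}; new MFA from {f['new_mfa_ips']}; "
              f"off-network activity from {f['offnet_ips']}")
```

On the constructed data only carol is flagged: her old MFA method was deleted by the help desk and a new one was registered minutes later from an address outside the corporate range, which is the pattern of a help-desk-assisted takeover. dave's registration falls outside the window and erin's comes from a corporate address, so neither produces a finding. In production, the same correlation is the first query to run when a help-desk agent reports a suspicious call, and the finding should trigger session revocation plus removal of the unrecognised authentication method.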

General Trends and Techniques

  • AI-Driven Attacks: GenAI plays a pivotal role in sophisticated campaigns. Beyond the fake personas and AI-driven disinformation noted above, it lowers the cost of producing convincing lures at scale, which makes social engineering cheaper for eCrime and targeted intrusion actors alike.
  • Living off the Land: Adversaries increasingly use legitimate tools and built-in features to blend in with normal activity and evade detection.
  • Rapid Exploitation: Threat actors leverage publicly available vulnerability research and proof-of-concept (POC) exploits, so the window between disclosure and in-the-wild exploitation is short.
  • Malware-Free Techniques: A significant proportion of detections are malware-free, meaning the adversary operates with valid credentials and legitimate tools rather than a payload. Such intrusions are typically hands-on-keyboard and have to be caught on behavioural and identity signals rather than file signatures.

Recommendations

To counter these evolving threats, organizations should adopt proactive and comprehensive security strategies:

  • Secure the entire identity ecosystem: Implement phishing-resistant MFA solutions, enforce strong identity and access policies, and monitor behavior across all environments.
  • Eliminate cross-domain visibility gaps: Modernize detection and response strategies with XDR and next-generation SIEM solutions and enhance detection with proactive threat hunting and threat intelligence.
  • Defend the cloud as core infrastructure: Use CNAPPs with CDR capabilities, enforce strict access controls, and conduct regular audits of cloud environments.
  • Prioritize vulnerabilities with an adversary-centric approach: Regularly patch critical systems, monitor for signs of exploit chaining, and use tools like Falcon Exposure Management to prioritize vulnerabilities.
  • Know your adversary and be prepared: Understand which adversaries are targeting your organization, how they operate, and what their objectives are. Initiate user awareness programs to combat phishing and social engineering.

Conclusion

The cybersecurity landscape in 2025 demands a proactive and adaptive approach. By understanding the evolving tactics of enterprising adversaries and implementing the recommended security measures, organizations can significantly enhance their defenses and mitigate the risk of cyberattacks.
