In 2025, threat actors significantly increased their use of artificial intelligence tools to launch rapid and precise network intrusions, a trend detailed in CrowdStrike’s 2026 Global Threat Report. The report indicates an 89% year-over-year surge in attacks by AI-enabled adversaries, who leveraged automation and machine-generated scripts to reduce the time between initial access and full domain compromise to under 30 minutes. This acceleration in intrusion speed became a defining characteristic of the threat landscape.
The average time for an eCrime attack to progress from initial entry to lateral movement across systems fell to 29 minutes in 2025, representing a 65% increase in speed compared to 2024. In some extreme cases, data exfiltration began just four minutes after initial access, leaving organizations with minimal opportunity to respond. This alarming speed is directly attributed to the abuse of AI technologies by malicious actors.
Cybercriminals are not only developing custom malware but are also embedding malicious prompts within legitimate AI tools operating within victim environments. For example, in August 2025, attackers integrated malicious JavaScript into Node Package Manager (npm) packages. This allowed them to hijack victims’ local AI tools, such as Claude and Gemini, to steal authentication credentials and cryptocurrency assets. CrowdStrike Services and OverWatch reported responding to over 90 affected customers due to this campaign.
One notable incident involved CHATTY SPIDER, an eCrime adversary that targeted a U.S.-based law firm through voice phishing. The attackers successfully convinced an employee to grant remote access via Microsoft Quick Assist. Within four minutes of gaining access, CHATTY SPIDER attempted to exfiltrate stolen files to attacker-controlled infrastructure using WinSCP. When this was blocked by the firewall, the adversary pivoted to using Google Drive. CrowdStrike OverWatch intervened and stopped the data exfiltration before any information left the network.
Beyond isolated attacks, threat actors like FAMOUS CHOLLIMA have developed comprehensive AI-assisted attack pipelines that span multiple phases of the cyberattack kill chain. These actors utilize tools such as ChatGPT, Gemini, GitHub Copilot, and VSCodium to create fake personas, manage numerous accounts, and execute technical job tasks while operating under fraudulent identities. Their activity in 2025 doubled compared to the previous year, illustrating how AI has significantly reduced the effort required to conduct large-scale deceptive operations.
How Threat Actors Weaponize AI Across the Kill Chain
PUNK SPIDER, identified as the most active ransomware adversary in 2025 with 198 documented intrusions, employed Gemini-generated scripts to extract credentials from Veeam Backup & Replication databases. It is also believed that DeepSeek-generated scripts were used to terminate services and erase forensic evidence. This demonstrates how AI is integrated into multiple stages of an attack, from data acquisition to obfuscation.
The Russia-nexus actor FANCY BEAR deployed LAMEHUG malware, which queried the Hugging Face LLM Qwen2.5-Coder-32B-Instruct through hardcoded prompts. This AI integration facilitated reconnaissance and document collection prior to exfiltration. Because the attack logic is produced by AI-generated outputs at run time rather than fixed in the code, such malware is harder for static security tools to detect. Notably, malware-free activity accounted for 82% of detections in 2025, pointing to a shift towards attacks that leverage legitimate pathways rather than traditional malicious software.
To counter these rapidly evolving threats, organizations are advised to implement robust monitoring of AI tool usage on endpoints. Prompt patching of AI platforms, auditing of npm dependencies, and maintaining cross-domain visibility across identity, cloud, and Software as a Service (SaaS) environments are crucial steps. These measures can help detect and mitigate fast-moving intrusions before they escalate.
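One concrete form the recommended endpoint monitoring can take is correlating the sequence seen in the CHATTY SPIDER case: a remote-assistance tool launched shortly before a file-transfer or cloud-sync client on the same host. The following is an added example written for this article (not code from CrowdStrike or the report); the telemetry lines, host names and the ten-minute window are constructed assumptions.

```python
from datetime import datetime

# Constructed sample of endpoint process-creation telemetry (not real data).
# Format: "<ISO timestamp> <host> <user> <full process image path>"
SAMPLE_EVENTS = """\
2025-09-12T14:02:10Z LAW-WS-07 jdoe C:\\Windows\\System32\\quickassist.exe
2025-09-12T14:03:55Z LAW-WS-07 jdoe C:\\Users\\jdoe\\Downloads\\WinSCP.exe
2025-09-12T14:05:40Z LAW-WS-07 jdoe C:\\Program Files\\Google\\Drive File Stream\\GoogleDriveFS.exe
2025-09-12T09:15:00Z HR-WS-02 asmith C:\\Windows\\System32\\quickassist.exe
2025-09-12T13:40:00Z HR-WS-02 asmith C:\\Program Files (x86)\\WinSCP\\WinSCP.exe
2025-09-12T11:00:00Z FIN-WS-11 bwong C:\\Program Files (x86)\\WinSCP\\WinSCP.exe
"""

# Tool classes from the incident described above; extend to fit your estate.
REMOTE_ACCESS_TOOLS = {"quickassist.exe"}
TRANSFER_TOOLS = {"winscp.exe", "googledrivefs.exe"}
WINDOW_SECONDS = 600  # hypothetical correlation window (10 minutes)


def parse_events(text):
    """Parse log lines into (timestamp, host, user, lowercase image name), oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, image = line.split(" ", 3)  # image path may contain spaces
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, host, user, image.rsplit("\\", 1)[-1].lower()))
    return sorted(events)


def detect_fast_exfil(text, window_seconds=WINDOW_SECONDS):
    """Return alerts (host, user, transfer tool, seconds since remote-access launch).

    An alert fires when a transfer/cloud-sync tool starts on a host within
    window_seconds of a remote-assistance tool starting on that same host.
    """
    alerts = []
    last_remote = {}  # host -> (timestamp, user) of latest remote-access launch
    for when, host, user, image in parse_events(text):
        if image in REMOTE_ACCESS_TOOLS:
            last_remote[host] = (when, user)
        elif image in TRANSFER_TOOLS and host in last_remote:
            start, remote_user = last_remote[host]
            elapsed = int((when - start).total_seconds())
            if elapsed <= window_seconds:
                alerts.append((host, remote_user, image, elapsed))
    return alerts


if __name__ == "__main__":
    for host, user, tool, secs in detect_fast_exfil(SAMPLE_EVENTS):
        print(f"ALERT {host} {user}: {tool} started {secs}s after remote access")
```

Only LAW-WS-07 fires (WinSCP at 105 s, then the Google Drive client at 210 s); HR-WS-02 falls outside the window and FIN-WS-11 has no preceding remote-access launch.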