CrowdStrike 2025 Threat Hunting Report part 2: The Most Intrusive Adversaries & Their Tactics
- Katarzyna Celińska
- 16 hours ago
- 2 min read
Following my introductory post on the CrowdStrike 2025 Threat Hunting Report (link), we now move into the heart of the data.
The Most Intrusive Adversaries
The report highlights dozens of #statesponsored, #eCrime, and #hacktivist actors operating across every major region:
🔹 State-Sponsored Campaigns – e.g., GENESIS PANDA, MURKY PANDA, GLACIAL PANDA, VENOMOUS BEAR, FAMOUS CHOLLIMA, SUNRISE PANDA
Focused on government, energy, manufacturing, telecoms, and healthcare
Aim for espionage, long-term access, and geopolitical advantage
🔹 eCrime Leaders – e.g., SCATTERED SPIDER, PLUMP SPIDER, VICE SPIDER, MUTANT SPIDER, PUNK SPIDER
Target retail, finance, technology, services, real estate
Driven by financial gain, often deploying ransomware or engaging in data theft-for-sale
🔹 Regional Specialization – Certain groups are dominant in specific geographies
Multiple groups target services, consulting, and professional services, indicating that trusted third parties remain a key attack vector for accessing multiple downstream clients.

MITRE ATT&CK
Analysis of the most frequent techniques reveals a three-stage offensive core:
1️⃣ Initial Access
Valid Accounts – Compromised credentials remain the number one entry point
Exploit Public-Facing Applications – Weaponized #vulnerabilities in internet-exposed systems
2️⃣ Execution & Persistence
Command & Scripting Interpreter – Automates post-exploitation actions
Scheduled Tasks / Jobs – Maintains persistence without triggering alerts
Web Shells – Ensures remote control of compromised servers
3️⃣ Privilege Escalation & Defense Evasion
Process Injection – Embeds malicious code in legitimate processes
Disable/Modify Tools – Neutralizes EDR, logging, and security controls
Obfuscated/Encrypted Files – Conceals payloads from scanning
Other Critical Phases Observed:
Lateral Movement – RDP, SMB shares, and remote services dominate
Impact – Data encryption for ransomware remains a major endgame
This combined adversary and MITRE ATT&CK mapping is critical because it connects who is attacking with how they are attacking. Credential abuse and identity exploitation dominate every adversary category, making identity security and privileged access management non-negotiable. The targeting map also reinforces a hard truth: supply chain and service providers are prime intrusion pivots, exploited by both eCrime and nation-state groups.
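As an added illustration (my own code, not from the report or the post), the three-stage core above can be turned into a simple per-host correlation rule: flag a host where an Initial Access technique is followed, within a window, by an Execution/Persistence technique and then a Privilege Escalation/Defense Evasion technique. The ATT&CK technique IDs are my mapping of the technique names in the post, and the event records are constructed sample telemetry, not real data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Stage number per ATT&CK technique ID, following the post's three-stage core.
# The IDs are assumed mappings of the technique names listed in the post.
STAGE = {
    "T1078": 1, "T1190": 1,                   # 1: Initial Access
    "T1059": 2, "T1053": 2, "T1505.003": 2,   # 2: Execution & Persistence
    "T1055": 3, "T1562.001": 3, "T1027": 3,   # 3: Priv. Escalation & Defense Evasion
}

# Constructed sample events: (ISO timestamp, host, technique ID, detail).
SAMPLE_EVENTS = [
    ("2025-08-01T09:00:00", "web01", "T1190", "exploit attempt against exposed app"),
    ("2025-08-01T09:03:10", "web01", "T1505.003", "new .aspx file written to webroot"),
    ("2025-08-01T09:05:42", "web01", "T1562.001", "real-time AV protection disabled"),
    ("2025-08-01T10:00:00", "hr-laptop", "T1078", "valid-credential login from new geo"),
    ("2025-08-02T11:00:00", "hr-laptop", "T1059", "encoded PowerShell launched"),  # >24h later
    ("2025-08-01T12:00:00", "db02", "T1053", "scheduled task created"),            # stage 2 only
]


def find_chains(events, window=timedelta(hours=24)):
    """Return {host: [(technique_id, detail), ...]} for hosts where stages 1, 2 and 3
    occur in that order within `window` of the stage-1 event."""
    by_host = defaultdict(list)
    for ts, host, tid, detail in events:
        if tid in STAGE:  # ignore techniques outside the three-stage core
            by_host[host].append((datetime.fromisoformat(ts), STAGE[tid], tid, detail))

    hits = {}
    for host, evs in by_host.items():
        evs.sort()  # chronological order per host
        for i, (t0, s0, _, _) in enumerate(evs):
            if s0 != 1:
                continue  # a chain must start with Initial Access
            next_stage, chain = 2, [evs[i]]
            for ev in evs[i + 1:]:
                if ev[0] - t0 > window:
                    break  # too far from the initial-access event
                if ev[1] == next_stage:
                    chain.append(ev)
                    next_stage += 1
                if next_stage > 3:
                    hits[host] = [(e[2], e[3]) for e in chain]
                    break
            if host in hits:
                break
    return hits
```

On the sample data only web01 is flagged: hr-laptop's stage-2 event falls outside the 24-hour window and db02 never shows Initial Access.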
Author: Sebastian Burgemejster