CrowdStrike 2025 Threat Hunting Report – part 4: Hunting Cross-Domain Adversaries
- Katarzyna Celińska

- Aug 28
- 2 min read
Modern attackers are no longer confined to a single domain. Today’s intrusions span endpoints, identities, and cloud environments, often woven together in the same campaign. The 2025 report highlights how adversaries are increasingly blending these surfaces into complex, multi-stage operations.
Cross-Domain Intrusions
Groups like BLOCKADE SPIDER illustrate this evolution. Their campaigns often move across three fronts:
- Endpoints → Deploying credential harvesting tools, moving laterally with admin utilities, and disrupting sensors to blind defenders
- Identities → Compromising VPN accounts, escalating privileges in Active Directory, and exploiting IAM misconfigurations
- Cloud → Abusing SaaS platforms, creating rogue IAM agents, and establishing persistence in virtualized environments

Common Cross-Domain Attacks
The most widely used techniques among ransomware operators in 2025:
- Remote Encryption – Punk Spider, Blockade Spider, Recess Spider
- VPN Compromise – Vice Spider, Tunnel Spider, Ocular Spider affiliates
- Cloud Targeting – Scattered Spider, Chatty Spider
- Credential Dumping – Abuse of backup platforms for harvesting admin secrets
- Unmanaged Systems – Frozen Spider, Tunnel Spider exploiting overlooked endpoints
- RMM & Proxy Tools for C2 – Scattered Spider, Blockade Spider, Frozen Spider
Key Trend: Ransomware campaigns are evolving beyond encryption events. They now blend data exfiltration, lateral movement, credential theft, and cloud persistence into extended intrusion operations.
Defensive Insights
- Defenders must establish visibility across multiple layers—endpoint, identity, and cloud—not just one.
- Lateral movement across domains often occurs quickly, compressing response windows.
- The most successful defense strategies focus on correlating weak signals across domains rather than treating them in isolation.
This section reinforces a truth I encounter often: adversaries thrive in the gaps between domains. Security teams may secure endpoints well but leave identity roles misconfigured. They may watch Active Directory but miss rogue activity in cloud environments. The only effective countermeasure is integrated defense across endpoints, identity systems, and cloud environments, with proactive hunting that anticipates these pivots.
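To make the "correlate weak signals across domains" point concrete, here is an added example (not from the CrowdStrike report or the author's post): a small Python correlator that reads constructed endpoint, identity, and cloud telemetry, groups it by principal, and raises an alert only when one account produces low-severity indicators in several domains within a short window. The log format, field names, signal names, and the two-hour window are all assumptions made for the illustration.

```python
"""Cross-domain weak-signal correlation (added illustrative example).

Each sample line on its own is a low-severity event a SOC would probably
ignore; the detection fires only when the same principal shows activity in
several domains (endpoint / identity / cloud) inside a sliding time window.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry, not real data. Assumed format:
#   <ISO-8601 timestamp> <domain> <principal> <signal>
SAMPLE_LOG = """\
2025-08-01T09:02:00 identity jdoe vpn_login_new_geo
2025-08-01T09:15:00 endpoint jdoe sensor_service_stopped
2025-08-01T09:40:00 cloud jdoe iam_access_key_created
2025-08-01T11:00:00 identity asmith vpn_login_new_geo
2025-08-02T14:00:00 cloud asmith iam_access_key_created
2025-08-01T10:00:00 endpoint svc_backup sensor_service_stopped
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    domain: str     # "endpoint", "identity" or "cloud"
    principal: str  # user or service account the event is attributed to
    signal: str     # name of the weak indicator


def parse_log(text: str) -> list[Event]:
    """Parse the assumed whitespace-separated log format into Event objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, domain, principal, signal = line.split()
        events.append(Event(datetime.fromisoformat(ts), domain, principal, signal))
    return events


def correlate(events: list[Event],
              window: timedelta = timedelta(hours=2),
              min_domains: int = 2) -> list[dict]:
    """Return one alert per principal whose weak signals span at least
    `min_domains` distinct domains within any `window`-long interval.

    The scan is a sliding window over each principal's time-sorted events;
    the first qualifying cluster produces the alert and the scan moves on.
    """
    by_principal: dict[str, list[Event]] = defaultdict(list)
    for ev in events:
        by_principal[ev.principal].append(ev)

    alerts = []
    for principal, evs in by_principal.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            cluster = [e for e in evs[i:] if e.ts - start.ts <= window]
            domains = {e.domain for e in cluster}
            if len(domains) >= min_domains:
                alerts.append({
                    "principal": principal,
                    "start": start.ts,
                    "end": cluster[-1].ts,
                    "domains": sorted(domains),
                    "signals": [e.signal for e in cluster],
                    # More domains touched in a short span -> higher severity.
                    "severity": "high" if len(domains) >= 3 else "medium",
                })
                break
    return alerts


def run_demo() -> list[dict]:
    """Run the correlator over the constructed sample log."""
    return correlate(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_demo():
        print(f"[{alert['severity']}] {alert['principal']}: "
              f"{', '.join(alert['domains'])} between {alert['start']} and "
              f"{alert['end']} ({', '.join(alert['signals'])})")
```

With the default two-hour window only `jdoe` fires: a VPN login from a new location, a stopped sensor service, and a new cloud access key within 38 minutes, each unremarkable alone. `asmith` shows the same identity-plus-cloud pair but 27 hours apart, so it stays silent unless the window is widened, and `svc_backup` never leaves the endpoint domain. In a real pipeline the principal key would need to survive the identity hand-offs the report describes (on-prem AD user to VPN session to cloud IAM role), which is exactly the join that siloed tooling tends to lose.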
Author: Sebastian Burgemejster