August 5, 2025
5 min read
Aman Mishra
Threat Actors Exploit AI to Scale Attacks and Target Autonomous Agents

Adversaries use AI to automate attacks, target autonomous agents, and expand their reach across cloud and enterprise systems.
Adversaries are increasingly using artificial intelligence (AI) to boost their operational efficiency in a rapidly evolving threat landscape. They are scaling attacks and focusing on the autonomous AI agents that underpin modern enterprise ecosystems. According to frontline intelligence from CrowdStrike’s 2025 Threat Hunting Report, derived from elite threat hunters and analysts, threat actors employ generative AI (GenAI) to optimize resource-constrained operations. This enables infiltration of organizations with unprecedented speed and precision. The shift allows even lower-skilled eCrime and hacktivist groups to automate complex tasks that traditionally required advanced expertise, such as malware development, script generation, and technical problem-solving.

AI Weaponization
For example, the DPRK-linked adversary FAMOUS CHOLLIMA has infiltrated over 320 companies in the past 12 months—a 220% year-over-year surge—by integrating GenAI throughout the hiring and employment lifecycle. These actors use GenAI to fabricate convincing resumes, deploy real-time deepfake technologies to obscure identities during video interviews, and employ AI-driven coding tools to covertly perform job functions. Similarly, adversaries like EMBER BEAR and CHARMING KITTEN harness GenAI to spread pro-Russia narratives and craft sophisticated phishing lures using large language models (LLMs), targeting entities in the U.S. and EU. This weaponization extends to exploiting vulnerabilities in AI software stacks, facilitating unauthenticated access, credential harvesting, persistence mechanisms, and malware deployment—including emerging GenAI-built malware families like Funklocker and SparkCat. As enterprises accelerate AI adoption, the attack surface expands. Threat actors prioritize AI-integrated systems to transform traditional insider threats into persistent, scalable campaigns.

Cross-Domain Intrusions
Adding to the risk, adversaries are mastering cross-domain attacks, seamlessly moving across endpoints, identity systems, cloud environments, and unmanaged assets to evade conventional security controls. The resurgence of SCATTERED SPIDER exemplifies this, with operators using voice phishing (vishing) and help desk impersonation to reset credentials, bypass multifactor authentication (MFA), and move laterally across SaaS and cloud infrastructures. In one documented case, SCATTERED SPIDER advanced from initial access to ransomware encryption in under 24 hours, leveraging acquired personally identifiable information (PII) to impersonate employees and authenticate via help desk verifications. After account takeover, these actors pivot to integrated platforms for data warehousing, document management, and identity access management, establishing footholds for persistence, data exfiltration, and further propagation. Cloud intrusions surged 136% in the first half of 2025 compared to all of 2024, driven by a 40% increase in activity from suspected China-nexus actors such as GENESIS PANDA and MURKY PANDA, who exploit misconfigurations and trusted access for evasion. GLACIAL PANDA’s deep embedding in telecommunications networks has fueled a 130% rise in nation-state espionage within the sector. CrowdStrike now tracks over 265 named adversaries and 150 activity clusters, highlighting a 27% year-over-year increase in interactive intrusions. Notably, 81% of these are malware-free and rely on hands-on-keyboard tactics to bypass legacy detections. eCrime accounts for 73% of these intrusions, while vishing volumes are projected to double by year’s end. The government sector has seen a 71% overall increase in interactive intrusions and a 185% spike in targeted activity, underscoring the urgent need for organizations to integrate these insights into defensive strategies to counter AI-augmented threats effectively.
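The help desk reset chain attributed above to SCATTERED SPIDER leaves a recognisable sequence in identity logs: a help desk-initiated credential reset, a newly registered MFA factor, and then a sign-in to a sensitive cloud application, all within a short window. The following detection is an added example written for this article, not code from CrowdStrike or the report; the event type names, field names and log lines are constructed assumptions standing in for whatever an organisation's identity provider actually emits.

```python
from datetime import datetime, timedelta

# Constructed sample identity events (not real telemetry). Field names are assumptions.
EVENTS = [
    {"ts": "2025-06-02T09:00:00", "user": "j.doe", "type": "helpdesk_password_reset", "src": "helpdesk-portal"},
    {"ts": "2025-06-02T09:04:00", "user": "j.doe", "type": "mfa_factor_registered", "src": "203.0.113.7"},
    {"ts": "2025-06-02T09:09:00", "user": "j.doe", "type": "cloud_signin", "src": "203.0.113.7", "app": "iam-admin"},
    # A.lee had a legitimate reset with no MFA re-enrollment and a sign-in the next day: no alert.
    {"ts": "2025-06-02T11:00:00", "user": "a.lee", "type": "helpdesk_password_reset", "src": "helpdesk-portal"},
    {"ts": "2025-06-03T11:30:00", "user": "a.lee", "type": "cloud_signin", "src": "198.51.100.4", "app": "mail"},
]

# The ordered chain that characterises a help desk-driven account takeover:
# reset (new password obtained) -> new factor (existing MFA sidestepped) -> pivot into cloud apps.
CHAIN = ("helpdesk_password_reset", "mfa_factor_registered", "cloud_signin")


def parse(ts):
    return datetime.fromisoformat(ts)


def find_takeover_chains(events, window=timedelta(hours=1)):
    """Return one alert per user whose events contain CHAIN in order within `window`."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            if start["type"] != CHAIN[0]:
                continue
            deadline = parse(start["ts"]) + window
            stage, matched = 1, [start]
            for e in evs[i + 1:]:
                if parse(e["ts"]) > deadline:  # window expired before the chain completed
                    break
                if e["type"] == CHAIN[stage]:
                    matched.append(e)
                    stage += 1
                    if stage == len(CHAIN):
                        alerts.append({"user": user, "start": start["ts"], "end": e["ts"],
                                       "new_src": e["src"], "steps": [m["type"] for m in matched]})
                        break
    return alerts


if __name__ == "__main__":
    for a in find_takeover_chains(EVENTS):
        print(f"ALERT {a['user']}: {' -> '.join(a['steps'])} from {a['new_src']} ({a['start']}..{a['end']})")
```

Tuning the window and adding the target application to the match (for example, only alerting on sign-ins to identity or data-platform apps) keeps the rule focused on the pivot the report describes rather than on routine resets.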
Frequently Asked Questions (FAQ)

AI in Cybersecurity
Q: How are threat actors using AI to scale their attacks?
A: Threat actors are leveraging generative AI (GenAI) to optimize their operations, allowing them to infiltrate organizations with increased speed and precision. This enables even less skilled groups to automate complex tasks like malware development and phishing lure creation.

Q: What are "autonomous AI agents" in the context of cyber threats?
A: Autonomous AI agents are systems that can operate independently to perform tasks. In cybersecurity, threat actors are targeting these agents because they underpin many modern enterprise systems, making them critical points of vulnerability.

Q: What specific examples were given of AI weaponization by threat actors?
A: The article mentions the DPRK-linked group FAMOUS CHOLLIMA using GenAI for fabricating resumes and deepfakes during hiring processes, and groups like EMBER BEAR and CHARMING KITTEN using GenAI to spread narratives and craft phishing lures.

Q: Are there new types of malware being developed with AI?
A: Yes, the article notes the emergence of GenAI-built malware families, citing Funklocker and SparkCat as examples.

Q: How does increased AI adoption by enterprises affect the threat landscape?
A: As enterprises adopt more AI, their attack surface expands. Threat actors are prioritizing AI-integrated systems, turning traditional insider threats into more persistent and scalable attacks.

Q: What are "cross-domain attacks" in this context?
A: Cross-domain attacks involve adversaries moving seamlessly across different environments like endpoints, identity systems, and cloud infrastructure to evade security controls.

Q: How are groups like SCATTERED SPIDER exploiting AI and other methods?
A: SCATTERED SPIDER uses tactics like voice phishing (vishing) and help desk impersonation to reset credentials, bypass multifactor authentication (MFA), and gain lateral movement within cloud and SaaS environments. They leverage acquired PII to impersonate employees.

Q: What is the trend in cloud intrusions?
A: Cloud intrusions surged by 136% in the first half of 2025 compared to all of 2024, often facilitated by actors exploiting misconfigurations and trusted access.

Q: What percentage of interactive intrusions are malware-free?
A: Notably, 81% of interactive intrusions tracked by CrowdStrike are malware-free, relying on hands-on-keyboard tactics to bypass traditional defenses.

Q: What sector has seen a significant increase in targeted activities?
A: The government sector has experienced a 71% overall increase in interactive intrusions and a 185% spike in targeted activities, highlighting its vulnerability to AI-augmented threats.

Crypto Market AI's Take
The increasing sophistication and scale of cyberattacks powered by AI, as detailed in this report, directly impact the security of digital assets and the broader financial technology ecosystem. Threat actors leveraging generative AI for tasks like phishing and malware development pose a significant risk to individuals and institutions operating in the cryptocurrency space. Ensuring robust security measures and staying informed about emerging threats is paramount for safeguarding investments and maintaining the integrity of the digital asset market. Our platform is dedicated to providing up-to-date market intelligence and security insights to help navigate this evolving landscape, offering resources such as our AI-driven crypto trading bots to help users stay ahead of potential risks.

More to Read:
- AI-Driven Crypto Scams Surge: Experts Warn No One Is Safe
- Threat Actors Exploit AI to Scale Attacks and Target Autonomous Agents
Source: Originally published at GBHackers on August 4, 2025.