In the Asia Pacific and Japan (APJ) region, a burgeoning set of threat actors is emerging with a different language set, distinct tools, and an ecosystem where they interact with adversaries across the threat landscape.The CrowdStrike 2025 APJ eCrime Landscape Report explores the trends and issues facing organizations operating in this part of the world. For example, criminal groups in APJ are focused on opportunistic big game hunting and primarily target organizations in manufacturing, technology, industrials and engineering, financial services, and professional services. The sale of phishing kits is popular, with some going for up to $1 million. These threat actors prefer phishing, spam campaigns, and remote access toolkits to enable their operations. And they often find them on thriving Chinese-language marketplaces, which enable the sale of illicit services. While Eastern Europe is typically known as a hotbed of eCrime activity, the APJ region is one to watch. Tune in to hear Adam and Cristian discuss the key adversaries operating in the region, the threats that stand out to them, and how defenders can stay safe. Read the report: 2025 APJ eCrime Landscape Report Watch on YouTube: https://youtu.be/97javj3hmAA

Ransomware is not new, but the ransomware of today is very different from the ransomware of 1989. Today’s episode doubles as a history lesson, as Adam and Cristian look back at how a prolific global threat has evolved over the decades.   Gone are the days of malware arriving on floppy disks and victims waiting weeks to restore their systems in exchange for $200 ransom payments. “The early days of viruses were weird,” Adam points out. But much has changed since then. Several factors — the advent of cryptocurrency, the rise of enterprise targeting, and the shift to ransomware as a service — have caused the threat to transform. Today’s adversaries run ransomware like a business and collect hundreds of millions of dollars in payments.   The hosts reflect on the first ransomware to hit a business, the first to make news headlines, and the first major botnet operator to deploy ransomware, among other key events. Tune in for a discussion that spans years of ransomware evolution, highlights the key adversaries involved, and explains how businesses can defend themselves as the threat landscape continues to change.

This week’s episode arrives as Adam and Cristian are gearing up for Fal.Con, CrowdStrike’s annual event taking place next week in Las Vegas. They’ll be recording a live episode on some fascinating LLM research presented at the show, so stay tuned for that in a couple of weeks.Amid their prep, they took the time to sit down for a conversation starting with a simple prompt: What are today’s security leaders and practitioners talking about? Their discussion sheds light on the industries hardest hit by nation-state and eCrime activity and explores why some sectors, like technology and telecommunications, are seeing a sharp spike in targeted intrusions while others are facing an increase in cybercrime.Tune in to learn about shifts in Chinese cyber activity, what happens when an adversary sees another adversary in a target environment, and whether modern tech innovations will drive changes in cyber espionage.

This year at Black Hat, the topic of AI was everywhere — from hallway chats to the expo floor. Adam and Cristian took a break from the action for a rare in-person conversation about how adversaries are weaponizing AI, how defenders are using agentic AI, and what we should all be thinking about as AI evolves as an offensive and defensive tool.The AI threat is real, and advanced adversaries in particular are using it to their advantage. They’re improving the wording in social engineering attacks, creating deepfakes in fraudulent job interviews, and targeting victims on a more personal level. FAMOUS CHOLLIMA is an example of one adversary “using it for everything,” the hosts say. SCATTERED SPIDER is another adversary to watch.On the other side, defenders are adopting agentic AI to expedite their response. Adam and Cristian explore the importance of protecting AI workloads, the potential for insider threats with AI models, and the growing need for AI governance and security guardrails. If AI is monitoring security services, they ask, who guards the guardian? Tune in for an in-depth conversation on what AI is really capable of — and stick around for a sneak peek of an upcoming guest episode, where a guest joins to discuss young adversaries moving from online gaming to organized cybercrime.

In the first half of 2025 alone, cloud intrusions were up 136% compared to all of 2024. China was a big driver — CrowdStrike saw a 40% year-over-year surge in intrusions from suspected cloud-conscious China-nexus threat actors. In the government sector, interactive intrusions increased 71%, and targeted intrusion activity jumped 185%.   The CrowdStrike OverWatch threat hunting team has a firsthand look at how adversaries are changing their techniques. In the CrowdStrike 2025 Threat Hunting Report, published today, the team shares observations, trends, and shifts seen in its threat hunting and adversary engagements over the past 12 months.   In this episode, Adam and Cristian dive deep into the report’s key findings and put them into context. They explore why the use of malware is going down (and why it won’t go away), unpack the rise in government intrusions, and explain the role of generative AI (GenAI) in today’s threat landscape. They examine the rise of prolific adversaries such as SCATTERED SPIDER and FAMOUS CHOLLIMA and discuss the techniques organizations can use to stop them.   Below are more key stats from this year’s report: 73% of all interactive intrusions were eCrime 81% of interactive intrusions were malware-free In the first half of 2025, voice phishing (vishing) attacks surpassed the total number seen in 2024 FAMOUS CHOLLIMA insiders infiltrated 320+ companies in the last 12 months — a 220% year-over-year increase — by using GenAI throughout hiring and employment   Download the report to learn more.   Links:   📃 Threat Hunting Report: https://www.crowdstrike.com/resources/reports/threat-hunting-report/   🎧 Our site: https://www.crowdstrike.com/en-us/resources/adversary-universe-podcast/

They never really left — they just got quieter, faster, and bolder. In this episode of the Adversary Universe podcast, Adam and Cristian trace the resurgence of SCATTERED SPIDER, one of today’s most aggressive and sophisticated adversary groups. Once known for SIM swapping and gaming community exploits, SCATTERED SPIDER has evolved into a high-speed, high-impact ransomware crew targeting the retail, insurance, and aviation sectors. Adam shares CrowdStrike’s front-line insights into how the group operates, from conducting help desk social engineering and bypassing multifactor authentication (MFA) to hijacking hypervisors and exfiltrating data via software as a service (SaaS) integrations. Tune in to learn: How SCATTERED SPIDER blends SIM swapping, voice phishing, and cloud-native tradecraft Why they’re one of the fastest threat actors we’ve seen, sometimes encrypting systems within 24 hours What defenders must do to spot them early and act fast And yes, why they still haven’t been arrested Check the show notes for CrowdStrike’s latest guidance and technical blog on SCATTERED SPIDER.

You asked, and we answered. This episode of the Adversary Universe podcast takes a deep dive into questions from our listeners. What did you want to know? Well, a lot about adversaries, but also about career paths and the threat intel space. Tune in to hear the answers to questions like: •        How did you break into the threat intelligence space?•        Who is the first adversary CrowdStrike tracked? •        Who is an adversary that keeps you up at night and why?•        What was a jaw-dropping moment you experienced in tracking adversaries?•        If you didn’t work in infosec, what would your dream job be? Thanks to everyone who submitted questions. We’d love to continue hearing from you.    💼 Careers at CrowdStrike: https://www.crowdstrike.com/en-us/careers/

Physical security and IT security have gone hand in hand for a long time. While cybersecurity teams are rightfully focused on protecting their virtual environments, they should also have an eye on whether an adversary is walking through the front door.   “Anytime there’s a physical boundary, an adversary is going to look to cross over that — whether it be in person or using some technology to get over that boundary,” Adam says in this episode on physical security threats.    Not too long ago, it was common for someone to walk into a business, slide behind the counter, and insert a USB device into a point-of-sale system to deploy malware or remote access tools. Now, this type of activity is less common, but it still occurs; China-nexus threat actor MUSTANG PANDA, for example, is dropping USB sticks to gain access to targets across the Asia Pacific region.   This conversation is full of twists, turns, and interesting stories. Tune in to hear about adversaries physically breaking into target organizations, Adam’s adventures in pen testing, the physical security implications for internet of things (IoT) and operational technology (OT) environments, and what organizations should know about protecting their physical environments. 

Would you rather have an adversary profile you based on your AI chat history or tell your AI chatbot to forget everything it knows about you? That’s one of many questions Adam and Cristian explore in this episode on how adversaries are integrating AI into cyberattacks. These days, it seems AI is everywhere — and that includes the adversary’s toolbox. Adam and Cristian describe multiple forms of malware that use AI in different ways, from identifying text in photos to writing code. And while these attacks still require humans to stitch all the pieces together, there is a growing concern that adversaries will continue to improve. Tune in to learn how adversaries are baking AI into their tools, and about Adam’s latest adventures in baking bread, in this episode of the Adversary Universe podcast. 

Today’s adversaries are increasingly operating in the cloud — and Sebastian Walla, Deputy Manager of Emerging Threats at CrowdStrike, is watching them. In this episode, he joins Adam and Cristian to dive into the latest cloud attack techniques and the adversaries behind them. So, who are they? SCATTERED SPIDER and LABYRINTH CHOLLIMA are two of the threat actors targeting and navigating cloud environments, but they have distinct methods of doing so. This conversation explores the different ways they slip into organizations undetected, some of the tools they rely on, and how they operate under the radar. It also touches on the future of cloud threat activity and AI’s influence on how these attacks are evolving. Of course, no Adversary Universe episode is complete without guidance. Adam, Cristian, and Sebastian share best practices for protecting enterprise cloud environments from these threats as adversaries continue to take aim.

Latin America has become a hotspot for cyber activity. Threat actors around the world, particularly eCriminals, are targeting organizations operating in Central and South America, Mexico, and the Caribbean. Latin America-based cybercriminals are emerging as well.   The CrowdStrike 2025 Latin America Threat Landscape Report provides key insights into this activity. In its pages, the CrowdStrike Counter Adversary Operations team details the eCrime, targeted intrusions, hacktivist disruptions, and cyber espionage targeting organizations that operate in Latin America. And in this episode of the Adversary Universe podcast, Adam and Cristian give listeners a snapshot of the key findings. These include:   A 15% increase in Latin America-based victims named on data extortion and ransomware leak sites in 2024 Over one billion credentials leaked from Latin American organizations last year The evolving presence of eCriminals such as OCULAR SPIDER The activity of nation-state adversaries such as LIMINAL PANDA and VIXEN PANDA, both linked to China   Tune in to learn how this report came to be and understand some of the critical trends shaping the Latin America threat landscape. And of course, check out the report to learn all the details.   Links: Read the CrowdStrike 2025 Latin America Threat Landscape Report: https://www.crowdstrike.com/en-us/resources/reports/latam-threat-landscape-report/   Listen to our full episode on OCULAR SPIDER, referenced in this episode: https://open.spotify.com/episode/3gJMkVKuSfKhqSAHwMb7NX?si=cf2e453ebc0843a5   🎧 Spotify: https://open.spotify.com/show/1ZYDiiBuJvTx7YsvuCenEZ   🎧 Apple Podcasts: https://podcasts.apple.com/us/podcast/adversary-universe-podcast/id1694819239   🎧 Our site: https://lnkd.in/etSAySBb

Ransomware has become more difficult for organizations to defend against, but easier for adversaries to deploy. The rise of ransomware-as-a-service (RaaS) — a model in which ransomware operators write the malware and affiliates pay to launch it — has lowered the barrier to entry so threat actors of all skill levels can participate and profit.   OCULAR SPIDER is one such operator. This adversary, newly named by CrowdStrike, is associated with the development of ransomware variants including Cyclops, Knight, and RansomHub. They targeted hundreds of named victims between February 2024 and March 2025, according to CrowdStrike intelligence, and they focus on industries such as professional services, technology, healthcare, and manufacturing in regions including the United States, Canada, Brazil, and some European countries.   But OCULAR SPIDER is one of many operators in the ransomware space. Adam and Cristian take listeners back to the early days of ransomware and track its evolution, variants, and key players from the mid-2010s through the launch of RansomHub in 2024. They explain how RaaS works, why it appeals to adversaries and complicates attribution, and how defenders can prepare to face today’s ransomware threats.   Come for an update on Adam’s adventures in bread-making; stay for a deep-dive into the RaaS evolution and the threat actors driving it.

To anticipate threat actors’ behavior, we must understand them. That’s why CrowdStrike closely tracks the evolution and activity of 257 named adversaries, including the eCrime actor LUNAR SPIDER.“They almost behave like a startup; they’re constantly testing and innovating and developing what they’re doing,” Adam says of the group. “It’s an interesting paradigm when you think about how these eCrime actors operate.”In this episode, Adam and Cristian take a deep dive into the inner workings of LUNAR SPIDER, discussing their role in the complex eCrime ecosystem, their collaboration with other adversaries, and the evolution of their techniques, including changes to the BokBot/IcedID malware over time and their eventual transition to the Lotus loader. Tune in to learn what defenders should know about this threat actor’s behavior and how to defend against their evolving activity.Learn more about the eCrime ecosystem in this infographic.

When an adversary wants to target an organization, they want to make it look like they’re coming from a regional or local internet service provider. This makes their activity seem more legitimate and buys time until they get caught. Proxies, which adversaries can use to conceal the origin of malicious traffic, are essential to this process.   NSOCKS is a residential proxy provider that CrowdStrike researchers dug into to learn more about how it was constructed and proactively identify how adversaries were using it to mask their attacks. They found that a range of internet of things (IoT) devices, such as home routers and network-attached storage (NAS) devices, are targeted by proxy providers to build out infrastructure and provide access to residential internet connections. Many of these devices have basic misconfiguration issues that make them accessible to attackers, but the CrowdStrike team was also able to identify a range of zero-day and n-day vulnerabilities being used.     Joel Snape, Senior Security Researcher at CrowdStrike, is part of that team. In this episode, Joel and Adam get into the details of the researchers’ findings, from how NSOCKS works to its takedown in late 2024 and the steps listeners can take to identify suspicious activity on their networks. Joel has presented this research at multiple security conferences — and now he brings it to the Adversary Universe podcast.

China’s cyber enterprise is rapidly growing: China-nexus activity was up 150% across industries in 2024, with a 200-300% surge in key sectors such as financial services, media, manufacturing, and industrials/engineering. CrowdStrike identified seven new China-nexus adversaries in 2024. “After decades investing in offensive cyber capabilities, China has achieved parity with some of the top players out there, and I think that is the thing that should terrify everybody,” Adam says.   China-nexus threat actors aren’t the only ones evolving their cyber operations. As the CrowdStrike 2025 Global Threat Report shows, nation-state and eCrime adversaries spanning regions and skill levels are gaining speed and refining their techniques. They’re learning what works and what doesn’t, and they’re scaling their effective tactics to achieve their goals. So what works? Voice phishing (vishing) skyrocketed 442% between the first and second half of 2024 as adversaries leaned on vishing, callback phishing, and help desk social engineering to access target networks. Generative AI played a key role in social engineering, where its low barrier to entry and powerful capabilities help adversaries create convincing content at scale. Compromised credentials also proved handy last year, helping threat actors enter and move laterally through organizations and operate as legitimate users.  What doesn’t work as well? Malware. 79% of detections in 2024 were malware-free, indicating a rise in hands-on-keyboard activity as adversaries face stronger security defenses.  Tune in to hear Adam and Cristian dig into the key findings of the CrowdStrike 2025 Global Threat Report, which also examines the latest on cloud-focused attacks, vulnerability exploitation, and nation-state activity around the world.

DeepSeek took the internet by storm earlier this year, making headlines and sparking conversations about its development, use, and associated risks. Today, Adam and Cristian take a deep dive into the new AI model. At a time when new AI models are constantly emerging, the launch of DeepSeek has led to questions and concerns around AI model security, data security, and national security. What is DeepSeek, and how was it trained? What are the risk implications of using it? Are there safe ways to explore new AI models, or should they be avoided entirely? And how worried do we need to be about data poisoning? Tune in for the answers to these questions and more in this episode of the Adversary Universe podcast.

Cyberattacks targeting critical infrastructure have made more headlines in recent years, sparking concern about how these systems are protected. Adversaries are taking aim at older technologies that are both essential to everyday life and difficult to secure. Our guest for this episode is Greg Bell, chief strategy officer at Corelight. Before he co-founded the network security firm, Greg spent most of his career working in the National Laboratory system, part of the U.S. Department of Energy. He brings his perspective and expertise to this conversation about energy sector threats, the adversaries behind them, and the unique challenges that utility organizations face in detecting and defending against cyberattacks. There is a scary side to energy sector threats — but there is also an optimistic side. Adam, Cristian, and Greg discuss everything from the history of critical infrastructure threats to the attacks they’re seeing today, the complications of securing energy systems, and collaborative efforts to improve defense. Key to these efforts are partnerships like the one between CrowdStrike and Corelight, which work together to improve network threat detection and response. Come for the comprehensive look at energy sector threats and stay for Cristian’s energy sector puns in this episode of the Adversary Universe podcast.

“It would not be an understatement to say that China is the number one national security concern that I think we have here in the West.” China’s offensive cyber activity has undergone a massive shift: What used to be simple smash-and-grab operations in the mid-2000s have evolved into sophisticated business models. We got a lens into this environment through a leak stemming from Chinese company I-Soon, whose data provided a narrow but revealing glimpse into the Chinese cyber contractor marketplace. I-Soon is a mid-sized contractor that has been operating since 2010. It provides state-sponsored advanced persistent threat (APT) cyber operations and tools, surveillance products and training for public security agencies, intelligence services and the military. The leak, which came from an anonymous GitHub user, included its internal documents and employee chat logs. These shed light on its products, services and customers as well as how some China-nexus adversaries are connected and sharing tools and capabilities. Adam and Cristian take a deep dive into these findings and how Chinese offensive cyber operations reached this point. They also dig into which PANDA adversaries are connected to I-Soon, how the cyber contractor recruits talent and what we learned about its disgruntled staff. The key takeaway? Leaks like this won’t stop adversaries — and China’s cyber operations aren’t slowing down.

It has been another busy year for defenders and adversaries alike. As we wrap up 2024, Adam and Cristian reflect on the nation-state and eCrime threat activity that defined this year and what they expect as we head into 2025.Tune in to hear their observations on changing eCrime activity in Latin America, Chinese adversaries evolving their tactics and targeting telecommunications entities, the disruption of eCrime operations in the United States and more. And of course, you’ll hear the stories and context behind how these events unfolded and how we got to where we are today.Thank you to our listeners for all your support this year. We appreciate you sharing feedback and topics you’d like to hear on the show. As we plan for 2025, we anticipate another year of in-depth conversations, adversary insight and guest perspectives on the Adversary Universe podcast. Happy holidays!

Adversaries have realized their time-honored attack methods involving clunky malware and malicious attachments are no longer working, largely due to endpoint detection and response tools alerting security teams to their activity. To improve their success rate, many are turning to cross-domain attacks. Cross-domain attacks span multiple domains within an organization’s environment; namely, identity, endpoint and cloud. An adversary most often starts with a set of stolen credentials, which allows them to log in and operate under the guise of a legitimate employee. From there, they might target the cloud control plane to access more accounts or pivot to unmanaged devices. All the while, they move silently, achieving their goals without triggering alarms. “The adversaries have really figured out how to operate from the shadows more effectively,” Adam says. In this episode, he and Cristian discuss how cross-domain attacks unfold in a target environment; which adversaries are adopting this tradecraft; and how organizations can better detect, identify and mitigate these threats before it’s too late. Watch our Cyber Threat Summit (focused on the rise of cross-domain attacks) on-demand: https://www.crowdstrike.com/resources/crowdcasts/cyber-threat-summit/