Stacy · Research & Analysis · Threat Intelligence Summary
Executive Summary
CrowdStrike names 2025 "The Year of the Evasive Adversary." The defining story is speed plus legitimacy: 29-minute average breakout, 82% of attacks with zero malware — adversaries using valid credentials and trusted tools inside the perimeter invisibly. For Cyberwise clients, the most immediately relevant threats are AI-enhanced social engineering, COZY BEAR's direct NGO targeting, MURKY PANDA's MSP supply chain pivot, and vishing as the dominant initial access vector.
The Six Major Themes
🤖 AI-Enhanced Attacks
- 89% increase in AI-enabled attacks YoY
- FAMOUS CHOLLIMA doubled activity using ChatGPT, Gemini, Copilot for fake employment operations
- PUNK SPIDER (198 intrusions, +134%) uses Gemini scripts for credential dumping
- FANCY BEAR deployed LAMEHUG — first LLM embedded in malware (Hugging Face / Qwen2.5-Coder)
- Attackers weaponized victims' own Claude/Gemini CLI tools via malicious npm packages
- 563% increase in fake CAPTCHA lures
- Malicious MCP server (postmark-mcp) published to steal emails
- Prompt injection used against AI-based email triage
💀 Ransomware — Cross-Domain
- SCATTERED SPIDER: vishing → SSO → VMware ESXi; NTDS dump in 3 hours via unmanaged VM
- PUNK SPIDER: remote SMB encryption; used unpatched webcam to execute Akira ransomware
- BLOCKADE SPIDER: read victims' cyber insurance policies via compromised SSO to calibrate ransom
- All three deploy ransomware only on unmanaged hosts to evade EDR
- Cross-domain gap (endpoint → cloud → SaaS → virtualization) is the attack path
🐼 China-Nexus
- 38% overall increase; cloud attacks by state-nexus actors up 266%
- CVE-2025-31324 weaponized in 3 days; CVE-2025-55182 in 2 days
- WARP PANDA maintained persistent access for 22 months
- MURKY PANDA targets MSPs via Entra ID partner connections → downstream nonprofit clients
- Edge devices in 40% of China-nexus exploitations
- Targeting aligned with China's 14th Five-Year Plan: telecom +30%, logistics +85%
🔗 Supply Chain
- PRESSURE CHOLLIMA stole $1.46B from Bybit via Safe{Wallet} supply chain — largest crypto theft in history
- FAMOUS CHOLLIMA: 30+ malicious npm packages; 8,000+ downloads
- ShaiHulud self-propagating stealer hit 690 npm packages; 2M+ downloads
- Salesloft intrusion: OAuth token theft affecting Drift integrations
- Notepad++ update weaponized for targeted RAT delivery
🎯 Zero-Day Exploitation
- 42% increase in zero-days exploited before public disclosure
- VICE SPIDER (targets academic, healthcare, local govt) used its first-ever zero-day: CVE-2025-32706 (Windows CLFS LPE)
- GRACEFUL SPIDER: consistent zero-day use against internet-facing enterprise apps
- FANCY BEAR exploiting Zimbra/Roundcube XSS (relevant for self-hosted email)
- CVE-2025-59287: Windows WSUS RCE exploited in the wild
☁️ Cloud & Identity
- COZY BEAR targeted U.S.-based NGOs: multi-day social engineering → OAuth device code phishing to real Microsoft login pages
- AiTM kits steal Microsoft 365 session tokens — bypasses MFA entirely
- Valid account abuse = 35% of cloud incidents
- BLOCKADE SPIDER + SCATTERED SPIDER both abused Entra Connect Sync and AD FS
- CRM instances emerging as primary exfiltration target
What's Genuinely New vs. Already Known
| Finding | New / Confirmation | Significance |
| --- | --- | --- |
| LLM embedded in malware (LAMEHUG) | New | First confirmed instance — signals where adversaries are investing |
| Victims' own AI CLI tools weaponized | New | AI tools as attack surface, not just attack aid |
| Malicious MCP server in package registry | New | Direct threat to orgs using MCP-based AI workflows |
| COZY BEAR targeting U.S. NGOs directly | Escalation | Mission-driven orgs explicitly in crosshairs of nation-state actor |
| AiTM phishing bypassing MFA | Escalation | MFA no longer sufficient as sole control |
| Ransomware deployed only on unmanaged hosts | Escalation | EDR is being deliberately avoided; visibility gaps are the exploit |
| 82% malware-free detections | Confirmation | Trend continues — AV is not a meaningful control |
| Vishing as primary initial access | Confirmation | Human-layer remains the weakest point |
2026 Outlook
- Ransomware remains top threat; BGH adversaries will continue SaaS-first, cross-domain approaches
- China-nexus edge device targeting will intensify — patch within 72 hours of critical CVE disclosure
- AI-enabled attacks will scale; agentic AI for autonomous operations is on the near horizon
- Cloud/identity targeting will increase across all adversary types — SaaS applications will be attacked more, not less
- Social engineering and vishing remain the primary initial access vectors — human decision-making is the last line of defense for most small orgs
- Supply chain attacks will increasingly target SaaS providers and OAuth integrations rather than software builds directly
Ian · Developer & Technical Lead · Defensive Playbook for Cyberwise Clients
Framing
These controls are prioritized for mission-driven orgs with limited IT staff and budget, heavy M365 reliance, and little to no dedicated security tooling. Every item maps directly to a 2025 observed attack pattern.
🚀 Quick Wins — Start Here
1. Disable legacy authentication in M365 — Free · 1 hour · Blocks a whole class of MFA bypass attacks
2. Implement help desk identity verification — Free · Process change · Callback + code word before any password reset or MFA change. SCATTERED SPIDER's primary entry point.
3. Audit and revoke unused OAuth app permissions — Free · 2–4 hours · Remove third-party SaaS integrations that aren't actively used. Salesloft/Drift-style breaches pivot through these.
4. Enable Unified Audit Log in M365 — Free · 30 min · Required for any post-incident investigation. 29-minute breakout means you need logs retroactively.
5. Vishing + fake CAPTCHA awareness training — Low cost · 1 session · 563% increase in fake CAPTCHAs; vishing is #1 initial access vector.
6. Conditional Access baseline policies — Requires Entra P1 (~$6/user/mo) · COZY BEAR spent 31 days trying to bypass these — they work when configured.
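Before quick win 1 is switched on, it is worth knowing which accounts and devices still depend on legacy authentication, so the block does not take down a scanner or a shared mailbox on day one. The following is an added example, not part of this playbook or of CrowdStrike's report: it triages an Entra ID sign-in log export (field names follow the Microsoft Graph `signIn` resource; the sample records are constructed) and lists every account that completed a legacy-auth sign-in, by protocol and source address.

```python
"""Triage an Entra ID sign-in log export for successful legacy-auth sign-ins.

Records are shaped like the Microsoft Graph `signIn` resource; only these
fields are used: userPrincipalName, appDisplayName, clientAppUsed, ipAddress,
createdDateTime and status.errorCode (0 means the sign-in succeeded).
"""
from collections import defaultdict

# Microsoft treats every clientAppUsed value other than these two as legacy
# authentication: no modern auth, so Conditional Access and MFA never apply.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample records (invented users, apps and addresses).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.invalid", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Browser", "ipAddress": "203.0.113.10",
     "createdDateTime": "2025-11-03T14:02:11Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "scanner@example.invalid", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Authenticated SMTP", "ipAddress": "198.51.100.7",
     "createdDateTime": "2025-11-03T14:05:40Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.invalid", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "IMAP4", "ipAddress": "192.0.2.55",
     "createdDateTime": "2025-11-03T14:09:02Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.invalid", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "IMAP4", "ipAddress": "192.0.2.56",
     "createdDateTime": "2025-11-03T14:09:30Z", "status": {"errorCode": 50126}},  # wrong password
    {"userPrincipalName": "carol@example.invalid", "appDisplayName": "Microsoft Teams",
     "clientAppUsed": "Mobile Apps and Desktop clients", "ipAddress": "203.0.113.11",
     "createdDateTime": "2025-11-03T14:10:00Z", "status": {"errorCode": 0}},
]

def is_legacy_auth(record):
    """A missing or 'Unknown' clientAppUsed is treated as legacy (conservative)."""
    return record.get("clientAppUsed", "Unknown") not in MODERN_CLIENTS

def legacy_auth_report(records):
    """Return {user: {protocol: [source IPs]}} for successful legacy-auth sign-ins.

    Failed attempts are dropped on purpose: a rejected attempt over IMAP is
    noise for this question, while a success means an account or device still
    depends on basic auth and has to be migrated before legacy auth is blocked
    tenant-wide (after the block it simply stops working, which is the point).
    """
    report = defaultdict(lambda: defaultdict(set))
    for r in records:
        if r.get("status", {}).get("errorCode") != 0 or not is_legacy_auth(r):
            continue
        report[r["userPrincipalName"]][r["clientAppUsed"]].add(r["ipAddress"])
    return {u: {p: sorted(ips) for p, ips in protos.items()} for u, protos in report.items()}

if __name__ == "__main__":
    for user, protos in legacy_auth_report(SAMPLE_SIGNINS).items():
        for proto, ips in protos.items():
            print(f"{user}: {proto} from {', '.join(ips)}")
```

Run it against a real export (for example the JSON download from the Entra sign-in logs blade) and every row is a migration task or a ticket to open before the Conditional Access block goes live.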
Identity & Access
- Upgrade to phishing-resistant MFA (FIDO2/passkeys) · High Priority · Free (M365/Google) · Medium Effort
  AiTM attacks bypass TOTP/SMS MFA by stealing the authenticated session. A FIDO2 credential is cryptographically bound to the device and to the legitimate site's origin, so a proxied login page cannot complete the authentication; this stops AiTM entirely.
- Enforce Conditional Access policies in Entra ID · High Priority · Entra P1 required · Medium Effort
  Require compliant devices, block legacy auth, restrict risky sign-ins. COZY BEAR's 31-day intrusion attempt was repeatedly blocked by existing CA policies.
- Audit non-human identity permissions (service accounts, API keys, OAuth tokens) · High Priority · Free · Medium Effort
  Valid account abuse = 35% of cloud incidents. Service accounts are routinely over-privileged and under-monitored. List all, apply least privilege.
- Restrict OAuth app consent to admin-approved apps only · Medium Priority · Free · Low Effort
  Block users from granting new OAuth permissions without IT review. Prevents ShinyHunters-style CRM access via user-consented tokens.
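The two OAuth items above (and quick win 3) come down to one question: which third-party apps hold durable, high-reach grants that nobody is actually using? The following is an added example, not code from this playbook or from Microsoft: it ranks a tenant's OAuth grants for review. Record shapes follow the Microsoft Graph `oAuth2PermissionGrant` and `servicePrincipal` resources; `lastSignIn` is an assumed field you would join in from service principal sign-in logs, and all sample data is constructed.

```python
"""Rank OAuth grants in an Entra ID tenant for review (highest risk first).

Grant shape follows Microsoft Graph `oAuth2PermissionGrant` (clientId,
consentType, principalId, scope); service principals carry displayName plus
an assumed `lastSignIn` date joined in from service principal sign-in logs.
"""
from datetime import date

# Delegated scopes that give a third-party app reach into mail, files or the
# directory. offline_access yields a refresh token: access that outlives a
# password reset unless the grant itself is revoked (the Salesloft/Drift pattern).
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.Read.All",
                    "Files.ReadWrite.All", "Sites.ReadWrite.All", "User.Read.All",
                    "Directory.ReadWrite.All", "offline_access"}
STALE_DAYS = 90
TODAY = date(2025, 11, 3)  # fixed reference date for the constructed sample

# Constructed sample data (ids, names and dates are invented).
SERVICE_PRINCIPALS = {
    "sp-1": {"displayName": "Donor CRM Connector", "lastSignIn": date(2025, 11, 1)},
    "sp-2": {"displayName": "Marketing Sync (trial)", "lastSignIn": date(2025, 3, 2)},
    "sp-3": {"displayName": "Board Calendar Helper", "lastSignIn": None},
}
GRANTS = [
    {"clientId": "sp-1", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Contacts.Read offline_access"},
    {"clientId": "sp-2", "consentType": "Principal", "principalId": "user-bob",
     "scope": "Mail.ReadWrite Files.ReadWrite.All offline_access"},
    {"clientId": "sp-3", "consentType": "Principal", "principalId": "user-alice",
     "scope": "Calendars.Read"},
]

def assess_grant(grant, sp, today):
    """Return (score, reasons) for one grant; a higher score means review sooner."""
    reasons, score = [], 0
    risky = sorted(set(grant["scope"].split()) & HIGH_RISK_SCOPES)
    if risky:
        score += 2 * len(risky)
        reasons.append("high-risk scopes: " + ", ".join(risky))
    if grant["consentType"] == "Principal":  # a user consented; no admin ever reviewed it
        score += 1
        reasons.append(f"user-consented by {grant['principalId']}")
    last = sp.get("lastSignIn")
    if last is None or (today - last).days > STALE_DAYS:  # forgotten grants are the risk
        score += 3
        reasons.append("never signed in" if last is None else f"no sign-in in {STALE_DAYS} days")
    return score, reasons

def review_queue(grants, sps, today=TODAY):
    """List of (displayName, score, reasons) for grants worth a look, highest score first."""
    rows = []
    for g in grants:
        sp = sps[g["clientId"]]
        score, reasons = assess_grant(g, sp, today)
        if score:
            rows.append((sp["displayName"], score, reasons))
    return sorted(rows, key=lambda r: -r[1])

if __name__ == "__main__":
    for name, score, reasons in review_queue(GRANTS, SERVICE_PRINCIPALS):
        print(f"{score:>2}  {name}: {'; '.join(reasons)}")
```

The weights are a starting point, not a standard: the point is that a stale, user-consented app with mail and file scopes lands at the top of the queue, ahead of an admin-approved connector that is in daily use.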
Microsoft 365 / Cloud Hardening
- Disable legacy authentication protocols · High Priority · Free · Low Effort
  Legacy auth bypasses MFA entirely. Should be blocked in all tenants — this is free and takes under an hour.
- Enable Unified Audit Log + increase retention · High Priority · Free (90-day) · Low Effort
  Required for any post-incident investigation. Default retention is 90 days (free); 1-year retention requires E3 or add-on.
- Review and restrict mail forwarding rules · High Priority · Free · Low Effort
  BLOCKADE SPIDER creates forwarding rules to prevent security alert delivery to admins. Audit existing rules and block auto-forwarding to external addresses.
- Audit SharePoint / OneDrive external sharing settings · Medium Priority · Free · Low Effort
  SharePoint was the first search target for both COZY BEAR and SCATTERED SPIDER after initial access. Lock down external sharing to known domains only.
- Enable Microsoft Defender for Office 365 · Medium Priority · Requires licensing · Medium Effort
  Adds anti-phishing, safe links, safe attachments — addresses fake CAPTCHA lures and AiTM phishing landing pages.
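The forwarding-rule item above is also the first thing the Unified Audit Log pays for: once the log is on, every new or changed inbox rule is recorded with its parameters. The following is an added example, not part of this playbook or of CrowdStrike's report: it reads a Unified Audit Log export (Exchange admin records in JSON lines form) and flags rules or mailbox settings that forward outside the tenant or delete the matching mail, the BLOCKADE SPIDER pattern. The tenant domain and every log line are constructed.

```python
"""Audit Unified Audit Log (M365) records for inbox rules or mailbox settings
that forward/redirect mail outside the tenant or silently delete it.

Records follow the Exchange admin audit shape: Operation, UserId, CreationTime,
ClientIP and a Parameters list of {Name, Value} pairs.
"""
import json
import re

# Accepted domains of the (constructed) tenant; anything else is external.
TENANT_DOMAINS = {"example.invalid"}
# Parameters that send a copy of mail somewhere else.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

# Constructed sample export as JSON lines (every value is invented).
SAMPLE_LOG = r'''
{"CreationTime":"2025-11-03T14:12:09","Operation":"New-InboxRule","UserId":"bob@example.invalid","ClientIP":"192.0.2.55","Parameters":[{"Name":"Name","Value":"Security alerts"},{"Name":"SubjectContainsWords","Value":"alert;suspicious;password"},{"Name":"ForwardTo","Value":"b.mailbox@webmail-provider.invalid"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2025-11-03T14:15:44","Operation":"New-InboxRule","UserId":"alice@example.invalid","ClientIP":"203.0.113.10","Parameters":[{"Name":"Name","Value":"Board list"},{"Name":"RedirectTo","Value":"board@example.invalid"}]}
{"CreationTime":"2025-11-03T14:20:01","Operation":"Set-Mailbox","UserId":"admin@example.invalid","ClientIP":"203.0.113.12","Parameters":[{"Name":"Identity","Value":"dana"},{"Name":"ForwardingSmtpAddress","Value":"smtp:dana.personal@webmail-provider.invalid"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}
{"CreationTime":"2025-11-03T14:21:30","Operation":"UserLoggedIn","UserId":"alice@example.invalid","ClientIP":"203.0.113.10","Parameters":[]}
'''

def _domain(address):
    """Domain part of 'x@y', 'smtp:x@y' or '"Name" [SMTP:x@y]' (all seen in exports)."""
    m = re.search(r"[\w.+-]+@([\w.-]+)", address)
    return m.group(1).lower() if m else ""

def assess_record(rec):
    """Findings for one audit record (empty list = nothing to review)."""
    if rec.get("Operation") not in RULE_OPERATIONS:
        return []
    params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
    findings = []
    for name in sorted(params.keys() & FORWARDING_PARAMS):
        for target in filter(None, (t.strip() for t in str(params[name]).split(";"))):
            if _domain(target) not in TENANT_DOMAINS:
                findings.append(f"external {name} -> {target}")
    # Rules that also delete the message keep the admin from ever seeing the alert.
    if str(params.get("DeleteMessage", "")).lower() == "true":
        findings.append("rule deletes matching mail")
    return findings

def audit_forwarding(jsonl):
    """Map (UserId, Operation, CreationTime) -> findings for records worth reviewing."""
    out = {}
    for line in jsonl.strip().splitlines():
        rec = json.loads(line)
        findings = assess_record(rec)
        if findings:
            out[(rec["UserId"], rec["Operation"], rec["CreationTime"])] = findings
    return out

if __name__ == "__main__":
    for key, findings in audit_forwarding(SAMPLE_LOG).items():
        print(key, "->", "; ".join(findings))
```

Pair this with a tenant-level block on automatic external forwarding so that the rule is refused at creation time, and the audit becomes a check that the block is still in place rather than the only control.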
Endpoint & Network
- Inventory all unmanaged devices on the network · High Priority · Free / low-cost tools · Medium Effort
  Ransomware is now deployed specifically from unmanaged hosts (webcams, decommissioned VMs, BYOD) to evade EDR. You can't protect what you can't see.
- Patch edge devices within 72 hours of critical CVE disclosure · High Priority · Free (process) · Medium Effort
  China-nexus adversaries weaponize edge device CVEs within 2–6 days of disclosure. VPNs and firewalls in particular. This requires a defined process, not just intent.
- Disable remote management tools when not in active use · Medium Priority · Free · Low Effort
  CHATTY SPIDER exfiltrated data within 4 minutes via Quick Assist. AnyDesk, TeamViewer, Quick Assist — disable or restrict these to IT-only use.
Awareness & Process
- Vishing-specific security awareness training · High Priority · Low cost · Low Effort
  Voice phishing is the #1 initial access vector. Staff must recognize what this sounds like — "Hi, this is [staff name], I'm locked out and need a password reset right now."
- Fake CAPTCHA recognition training · High Priority · Low cost · Low Effort
  563% increase in 2025. Fake CAPTCHA pages ask users to open Run dialog and paste a command. One clear rule: a CAPTCHA will never ask you to run anything.
- Establish verified identity procedures for all IT requests · High Priority · Free · Low Effort
  Callback + pre-established code word before any password reset or MFA change. This is the single most effective control against SCATTERED SPIDER-style help desk attacks.
- Tabletop exercise: "The help desk gets a call" · Medium Priority · Low cost · Medium Effort
  Simulates SCATTERED SPIDER / CHATTY SPIDER social engineering. Reveals process gaps in how your team handles identity verification under pressure.
- Review AI tool usage policy · Medium Priority · Free · Low Effort
  Staff using Claude, ChatGPT, Gemini are potential targets for prompt injection and MCP-based attacks. Set clear guardrails on what data can be processed through external AI tools.
Riley · Client Engagement · Impact Assessment & Service Opportunities
Immediate Talking Points for Client Calls
- "Russian intelligence (COZY BEAR) specifically targeted U.S.-based NGOs this year — not large enterprises." The method: multi-day conversations over Teams/Slack/email building a fake relationship, then sending a Microsoft login link. A completely real Microsoft login link. There was no suspicious URL to catch.
- "Even with MFA turned on, accounts can now be compromised." Adversary-in-the-middle phishing captures the authenticated session after MFA succeeds. TOTP and SMS codes don't protect against this. FIDO2/passkeys do.
- "The #1 way attackers are getting in is by calling the help desk." They impersonate a staff member and ask for a password reset. No malware, no link to click. One call, full access. We need a verification protocol in place before that conversation happens.
- "Your antivirus caught zero of these attacks." 82% of 2025 detections were malware-free. Signature-based AV is not a meaningful control against today's threats. We need to talk about what's actually working.
- "If your organization uses a shared IT provider, you may be exposed through them." MURKY PANDA (China) specifically targets MSPs via Microsoft trust relationships to pivot to downstream clients. Worth asking your IT provider what their security posture looks like.
- "Fake CAPTCHA attacks increased 563% last year." If your staff has clicked one thinking it was a routine "I'm not a robot" check, they may have executed malware. One training session prevents this.
- "The window to respond to a breach is now under 30 minutes." Average breakout time in 2025 was 29 minutes. Fastest was 27 seconds. Without a defined incident response process and visibility into your environment, that window is functionally zero.
Service Opportunity Assessment
| Threat Pattern | Most Affected Client Type | Service Opening |
| --- | --- | --- |
| AI-enhanced vishing & social engineering | All clients; especially those with small/shared IT staff | Social engineering tabletop + vishing awareness training |
| AiTM MFA bypass | Any client using M365 TOTP/SMS MFA as primary control | Conditional Access audit + FIDO2 migration roadmap |
| MSP supply chain risk (MURKY PANDA) | Clients using shared IT providers | MSP vendor security review as add-on service |
| COZY BEAR NGO targeting | Advocacy orgs, faith-based orgs with international presence | Cloud identity hardening; Entra ID configuration review |
| Unmanaged device / EDR gap | Clients with BYOD policies, volunteers, remote staff | Asset inventory + device management consultation |
| OAuth token theft / SaaS supply chain | Any client using CRM, donor mgmt, marketing automation | SaaS integration audit; OAuth permissions review |
| Help desk social engineering | Any client with IT staff who handle password resets | Process redesign: verified identity protocols |
| Fake CAPTCHA + AI phishing | All clients with limited security awareness culture | Annual security awareness training refresh |
Client Risk Tiers
🔴 Tier 1 — Highest Immediate Risk
- International advocacy or politically sensitive missions (COZY BEAR targeting profile)
- Using an MSP who serves multiple clients (MURKY PANDA supply chain vector)
- M365 with no Conditional Access policies configured
- Legacy authentication still enabled
- No formal help desk identity verification procedure
🟡 Tier 2 — Elevated Risk
- Significant donor databases or CRM systems
- Large volunteer / BYOD footprint
- Recently expanded SaaS integrations
- Academic institutions (VICE SPIDER explicitly targets academic sector)
- Healthcare-adjacent orgs
🟢 Tier 3 — Baseline
- Strong Conditional Access configured
- Phishing-resistant MFA deployed
- Regular security awareness training in place
- Still: update vishing/fake CAPTCHA training, audit OAuth permissions
Foundations Assessment Updates
Six controls that are under-addressed in most current assessments and directly map to 2025's top attack vectors:
| # | New Control | Section | Why It Matters Now |
| --- | --- | --- | --- |
| 1 | Help desk identity verification procedures | Processes | #1 initial access vector — most orgs have nothing in place |
| 2 | OAuth / non-human identity audit | SaaS Security | Salesloft/Drift-style breaches pivot through forgotten OAuth grants |
| 3 | Unmanaged device inventory | Endpoint | Ransomware now deploys specifically from unmanaged hosts to evade EDR |
| 4 | Legacy authentication status (disabled?) | Identity | Free, high-impact — many orgs still haven't done this |
| 5 | MFA type (SMS/TOTP vs. FIDO2) | Identity | AiTM bypasses TOTP/SMS; FIDO2 is the actual protection |
| 6 | MSP security posture | Third-Party Risk | MURKY PANDA pivots to downstream clients via MSP Entra ID connections |
| 7 | AI tool usage policy | Governance | Staff using AI tools = new attack surface; prompt injection + MCP risks |
Morgan · Communications & Content · Mission Critical Newsletter + Content Strategy
Newsletter Story Candidates
Story 1 — Lead Candidate
"The Phone Call That Took Down a Company in Under an Hour"
Hook for Our Audience
No malware. No suspicious link. An attacker called the help desk, impersonated a staff member, asked for a password reset — and had full access within minutes. This is the #1 way sophisticated attackers are getting into organizations like ours right now.
Core Takeaway
Vishing is the dominant initial access vector in 2025. The counter isn't technical — it's one process change: verify identity before acting on any IT request. Walk readers through what the call sounds like and what the procedure looks like.
Story 2
"Your MFA Isn't Enough Anymore — Here's What Actually Is"
Hook for Our Audience
Most nonprofit leaders think MFA is the gold standard of account protection. It was — until attackers figured out how to bypass it without ever touching your password. The good news: the fix is simpler than you think.
Core Takeaway
AiTM phishing steals the live session after MFA succeeds. FIDO2/passkeys are the real solution — not an upgrade, a replacement. Frame as: MFA is still necessary, just not sufficient. Here's the next step.
Story 3
"When Your Antivirus Does Nothing: The Rise of the Invisible Attack"
Hook for Our Audience
82% of cyberattacks in 2025 involved no malware whatsoever. Attackers signed in with valid credentials, used your own tools, and left through the front door. Your antivirus never blinked.
Core Takeaway
The "we have antivirus" posture is no longer defensible. What does protection look like when the attacker looks like a legitimate user? Leads naturally into identity-first security and visibility controls.
Story 4
"The AI Arms Race Has Hit Your Inbox"
Hook for Our Audience
AI-enabled cyberattacks increased 89% in 2025. Attackers are using the same tools your staff uses — to write more convincing phishing emails, generate fake personas, and run more attacks faster than ever before.
Core Takeaway
The threat isn't robots taking over — it's that phishing emails no longer feel off. The "this looks suspicious" instinct your staff relies on is being systematically undermined. Human resilience training needs to catch up.
LinkedIn Post
The CrowdStrike 2026 Global Threat Report dropped this week. 80 pages of threat intelligence. Here's what actually matters for mission-driven organizations:
Russian intelligence (COZY BEAR) specifically targeted U.S.-based NGOs this year. Not Fortune 500 companies — nonprofits and advocacy organizations.
The method: a weeks-long conversation over Slack and email, building trust, then sending a Microsoft login link. A real Microsoft login link. No suspicious URL to catch.
This is the threat landscape your organization is operating in right now.
At Cyberwise, we work specifically with mission-driven organizations because the stakes of getting this wrong aren't just financial — it's mission continuity, constituent trust, and the ability to do the work that matters.
Three things you can do this week:
→ Disable legacy authentication in Microsoft 365 (free, takes one hour)
→ Implement a callback verification before any IT help desk request
→ Talk to your team about what vishing actually sounds like
Or reach out — we'll walk through your posture together.
#cybersecurity #nonprofitsecurity #missiondriven
Webinar / Workshop Concept
They Called the Help Desk: Social Engineering Tabletop for Nonprofit Teams
Your staff is your most targeted asset — and right now, attackers are specifically calling mission-driven organizations and impersonating their own colleagues to get in. This 90-minute workshop runs two live scenarios based on real 2025 attack patterns, then builds a simple playbook your organization can implement before you leave.
Format
- 20 min — What vishing and social engineering look like in 2025 (real examples, no jargon)
- 45 min — Guided tabletop: Scenario 1 (the help desk call) + Scenario 2 (the fake CAPTCHA)
- 25 min — Debrief + action planning: what procedures does your org leave with?
Designed for 4–12 participants: executive director, IT point person, finance director, key operations staff. Virtual delivery. No technical prerequisites.
Content Warnings — Handle Carefully
| Finding | Risk If Handled Poorly | Framing That Works |
| --- | --- | --- |
| AiTM bypasses MFA | Clients who just invested in MFA rollout will feel it was wasted | "MFA is still necessary but not sufficient. FIDO2 is the next step forward — not a full redo." |
| COZY BEAR targeting NGOs | Sounds like every nonprofit is a priority target of Russian intelligence | "The techniques used against NGOs are now being adopted by lower-tier criminal actors. The tactics matter regardless of who's using them." |
| 82% malware-free attacks | "Antivirus is useless" causes panic and erodes confidence in existing tools | "Antivirus addresses a shrinking portion of the threat surface. Identity and behavior-based controls matter more now — here's what to add." |
| 27-second breakout time | Induces helplessness, not action | Use the 29-minute average, not the 27-second outlier. Frame around response readiness, not doom. |