#BHUSA: Cloud Intrusions Skyrocket in 2025

by CybrGPT

Cloud intrusions surged in the first half of 2025 and are already 136% higher than in all of 2024, according to CrowdStrike’s 2025 Threat Hunting Report.

The researchers said the figures show that more threat actors are becoming versed in targeting cloud environments, including exploiting misconfigurations, achieving persistence and moving laterally.

The explosion in cloud intrusions was partly driven by a 40% increase in Chinese-nexus actors exploiting these environments.

“China’s cyber espionage capabilities reached a critical inflection point over the past year, marked by increasingly bold targeting, stealthier tactics and expanded operational capacity,” the researchers wrote.

Two Chinese state-linked actors – Genesis Panda and Murky Panda – were shown to be particularly adept at navigating cloud environments over the past year.

Genesis Panda likely serves as an initial broker to facilitate future intelligence collection. The group has been observed exploiting a wide range of web-facing vulnerabilities to access cloud environments.

It is also adept at using cloud services to expand access and achieve persistence, including targeting cloud service provider (CSP) accounts.

Murky Panda, which targets various entities in North America, exploits cloud environments through trusted relationships between partner organizations and their cloud tenants. This includes compromising suppliers and using their administrative access to the victim’s Entra ID tenant.

The group has demonstrated advanced capabilities, including access to low-prevalence malware such as CloudedHope, and the expertise to quickly weaponize zero-day vulnerabilities.

Enhanced Defense Evasion Techniques

The CrowdStrike report, published on August 4 during Black Hat USA 2025, found that interactive, hands-on-keyboard intrusions rose 27% year-over-year in H1 2025.

This demonstrates that threat actors are increasingly focused on using manual navigation to find innovative techniques to bypass legacy detection tools. This allows them to tailor their approaches to the specific environment and defenses of the target organization.

This supports persistence and lateral movement in target systems, with data exfiltration normally the ultimate goal.

“Unlike automated attacks, interactive intrusions involve human operators who interact with systems in real time, adapting their tactics as needed. They are typically more sophisticated and difficult to detect than automated attacks,” the researchers explained.

CrowdStrike OverWatch observed that five of the top 10 most commonly used MITRE ATT&CK techniques in the past 12 months were discovery techniques. Attackers spend time on these techniques to orient themselves within a network while avoiding detection by security measures wherever possible.

Defense evasion techniques, such as masquerading and disabling or modifying tools, were also in the top 10 most leveraged techniques. These approaches allow adversaries to blend their activity into expected network activity while enabling follow-on activities in other tactic areas, such as privilege escalation and credential access.
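The two behaviours named above, a burst of discovery commands and the disabling or modification of security tools, are both visible in ordinary process-execution telemetry. The following detector is an added example written for this page; it is not code from CrowdStrike or from the report. It runs over a constructed sample log, and the log format, the discovery command list, the burst threshold (three distinct discovery commands within five minutes) and the security-tool service names (`EdrSensorSvc`, `AvAgentSvc`) are all assumptions that an operator would replace with their own telemetry and sensor names.

```python
"""Flag discovery bursts and security-tool tampering in process telemetry.

Added example for illustration; not CrowdStrike's code. All sample data,
service names and thresholds below are constructed assumptions.
"""
from datetime import datetime, timedelta

# Constructed sample telemetry: "ISO timestamp|host|user|command line".
SAMPLE_LOG = """\
2025-06-02T09:14:01|ws-017|jdoe|whoami /all
2025-06-02T09:14:05|ws-017|jdoe|net group "Domain Admins" /domain
2025-06-02T09:14:09|ws-017|jdoe|nltest /dclist:corp
2025-06-02T09:14:12|ws-017|jdoe|ipconfig /all
2025-06-02T09:14:20|ws-017|jdoe|net view /domain
2025-06-02T09:22:41|ws-017|jdoe|sc stop EdrSensorSvc
2025-06-02T11:03:10|ws-042|asmith|ipconfig /all
2025-06-02T14:30:00|ws-042|asmith|notepad.exe report.txt
"""

# Common host/network discovery commands (assumed list; extend to taste).
DISCOVERY_PREFIXES = ("whoami", "net group", "net view", "nltest", "ipconfig", "systeminfo")
# Hypothetical service names of security tooling; substitute the real ones.
SECURITY_SERVICES = {"edrsensorsvc", "avagentsvc"}
BURST_MIN_DISTINCT = 3            # distinct discovery commands needed to alert
BURST_WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Turn the pipe-delimited sample lines into dicts with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmd = line.split("|", 3)
        records.append({"ts": datetime.fromisoformat(ts), "host": host,
                        "user": user, "cmd": cmd.strip()})
    return records


def discovery_prefix(cmd):
    """Return the matching discovery prefix for a command line, or None."""
    lowered = cmd.lower()
    for prefix in DISCOVERY_PREFIXES:
        if lowered.startswith(prefix):
            return prefix
    return None


def is_discovery(cmd):
    return discovery_prefix(cmd) is not None


def is_tool_tampering(cmd):
    """True when a service-control command targets a known security service."""
    tokens = cmd.lower().split()
    if len(tokens) >= 3 and tokens[0] in ("sc", "net") and tokens[1] in ("stop", "config", "delete"):
        return tokens[2] in SECURITY_SERVICES
    return False


def detect(text):
    """Return alerts for tool tampering and for per-user discovery bursts."""
    alerts = []
    windows = {}        # (host, user) -> recent discovery records
    burst_flagged = set()
    for rec in parse_log(text):
        actor = (rec["host"], rec["user"])
        if is_tool_tampering(rec["cmd"]):
            alerts.append({"kind": "tool_tampering", "host": rec["host"],
                           "user": rec["user"], "ts": rec["ts"], "evidence": [rec["cmd"]]})
        if is_discovery(rec["cmd"]) and actor not in burst_flagged:
            window = windows.setdefault(actor, [])
            window.append(rec)
            # Drop discovery records that fell outside the sliding window.
            while window and rec["ts"] - window[0]["ts"] > BURST_WINDOW:
                window.pop(0)
            distinct = {discovery_prefix(r["cmd"]) for r in window}
            if len(distinct) >= BURST_MIN_DISTINCT:
                burst_flagged.add(actor)
                alerts.append({"kind": "discovery_burst", "host": rec["host"],
                               "user": rec["user"], "ts": window[0]["ts"],
                               "evidence": [r["cmd"] for r in window]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["ts"], alert["host"], alert["user"], alert["kind"], alert["evidence"])
```

On the sample log this yields two alerts for `jdoe` on `ws-017`: a discovery burst (three distinct discovery commands within eight seconds) and, a few minutes later, a stop of the assumed EDR service. A single `ipconfig` from `asmith` does not cross the burst threshold, which is the point of counting distinct commands within a window rather than alerting on any one of them.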

Scattered Spider Ramps Up Threat Activity

CrowdStrike observed the Scattered Spider cybercriminal gang ramping up its activity in April 2025 following a period of relative inactivity between December 2024 and March 2025.

The actor has been linked to a spate of ransomware attacks targeting the retail, aviation and insurance sectors in the UK and US over recent months.

In June, UK authorities arrested four individuals on suspicion of involvement in attacks on three high-profile British retailers, which have been linked to Scattered Spider.


This activity coincided with a continued surge in vishing attacks in H1 2025, which have already surpassed the whole of 2024 in terms of volume.

Scattered Spider is a heavy user of voice phishing, including impersonating a legitimate employee in a call to an organization’s IT help desk and requesting a password and/or multifactor authentication (MFA) reset.

The researchers highlighted the sophisticated nature of this approach, with Scattered Spider observed accurately providing the impersonated individuals’ employee IDs in response to the help desks’ identity verification questions.

“In one call where the adversary could not provide the impersonated employee’s ID, the threat actor offered to provide the employee’s date of birth and Social Security number as alternative verification credentials,” the researchers said.
