Cybercriminals Harness AI to Achieve Full Domain Access in Under 30 Minutes
In 2025, cybercriminals significantly escalated their use of artificial intelligence (AI) to conduct rapid and precise network intrusions. According to CrowdStrike’s 2026 Global Threat Report, there was an 89% year-over-year increase in attacks by AI-enabled adversaries. These attackers utilized automation and machine-generated scripts to reduce the time between initial access and full domain control to less than 30 minutes.
The defining characteristic of the 2025 threat landscape was the unprecedented speed of these intrusions. The average eCrime breakout time—the interval between initial access and lateral movement within a network—dropped to 29 minutes, marking a 65% acceleration compared to 2024. The fastest recorded breakout occurred in just 27 seconds. In one instance, data exfiltration commenced within four minutes of initial access, leaving organizations with minimal time to respond.
CrowdStrike analysts attributed this acceleration to the exploitation of AI technologies. Adversaries not only developed custom malware but also embedded malicious prompts into legitimate AI tools operating within victim environments. In August 2025, attackers inserted malicious JavaScript into Node Package Manager (npm) packages, compromising local AI tools such as Claude and Gemini to steal authentication credentials and cryptocurrency assets. CrowdStrike Services and OverWatch responded to over 90 affected customers during this campaign.
A notable case involved CHATTY SPIDER, an eCrime group that targeted a U.S.-based law firm through voice phishing. The attackers persuaded an employee to grant remote access via Microsoft Quick Assist. Within four minutes, CHATTY SPIDER attempted to exfiltrate stolen files using WinSCP. When the firewall blocked this attempt, the attackers pivoted to Google Drive. CrowdStrike OverWatch intervened, preventing any data from leaving the network.
Beyond individual operations, threat actors like FAMOUS CHOLLIMA constructed AI-assisted attack pipelines encompassing multiple phases. They utilized tools such as ChatGPT, Gemini, GitHub Copilot, and VSCodium to create fake personas, manage multiple accounts, and perform technical tasks under fraudulent identities. Their activity in 2025 doubled compared to 2024, illustrating how AI has lowered the effort required to execute large-scale deceptive operations.
How Threat Actors Exploit AI Across the Attack Lifecycle
PUNK SPIDER, the most active ransomware group in 2025 with 198 documented intrusions, employed Gemini-generated scripts to extract credentials from Veeam Backup & Replication databases. They likely used DeepSeek-generated scripts to terminate services and eliminate forensic evidence.
The Russian-affiliated actor FANCY BEAR deployed LAMEHUG malware, which queried the Hugging Face large language model Qwen2.5-Coder-32B-Instruct through hardcoded prompts to perform reconnaissance and collect documents before exfiltration. This approach replaced rigid code logic with AI-generated outputs, effectively evading static security tools. Notably, 82% of all detections in 2025 were malware-free, indicating that most attacks exploited authorized pathways rather than traditional malicious software.
Recommendations for Organizations
To counter these rapidly evolving threats, organizations should:
– Monitor AI Tool Usage: Keep a close watch on the deployment and operation of AI tools within their networks to detect any unauthorized or suspicious activities.
– Promptly Patch AI Platforms: Regularly update AI platforms to address vulnerabilities that could be exploited by attackers.
– Audit npm Dependencies: Conduct thorough audits of npm packages to identify and mitigate potential security risks.
– Maintain Cross-Domain Visibility: Ensure comprehensive visibility across identity, cloud, and Software as a Service (SaaS) environments to detect and respond to fast-moving intrusions before they escalate.
By implementing these measures, organizations can enhance their defenses against the increasingly sophisticated and rapid AI-driven cyber threats.
