Attackers now need an average of just 29 minutes to move laterally through a network after gaining initial access, a 65 percent acceleration compared to the previous year.
The figures come from the Global Threat Report 2026, published by US security vendor CrowdStrike, and the trend shows no signs of improving. The fastest observed attack took a mere 27 seconds. In another case, data exfiltration began just four minutes after initial access.
The primary driver of this development is the growing use of artificial intelligence on the attackers’ side. Cybercriminals and state-sponsored groups leveraging AI have increased their attack operations by 89 percent year-over-year. AI is being used for reconnaissance, identity theft, and concealing malicious activity; in short, for anything that makes attacks faster and harder to detect.
AI tools become targets themselves
AI is not only a weapon in attackers’ hands. It has also become an attack surface in its own right. According to the report, attackers injected malicious prompts into legitimate AI tools across more than 90 organizations, essentially carrying out prompt injection attacks to steal credentials and cryptocurrency. Vulnerabilities in AI development platforms were also exploited to spread ransomware or deploy rogue AI servers masquerading as trusted services.
State-sponsored actors step up
The report, for which CrowdStrike says it tracks more than 280 named threat actors, also sheds light on state-sponsored activity. The Russia-linked group FANCY BEAR is credited with deploying LLM-capable malware called LAMEHUG, designed to automate intelligence gathering. North Korean group FAMOUS CHOLLIMA appears to be using AI-generated personas to scale insider operations. North Korea-linked attacks rose by more than 130 percent overall.
China-linked cyber activity increased by 38 percent in 2025, with the logistics sector hit particularly hard, seeing an 85 percent spike. Also making headlines is what is reportedly the largest cryptocurrency theft ever recorded: North Korean group PRESSURE CHOLLIMA allegedly made off with a staggering $1.46 billion.
A shrinking window to respond
For defenders, all of this means the response window is narrowing further. “Adversaries are moving from initial access to lateral movement within minutes,” said Adam Meyers, Head of Counter Adversary Operations at CrowdStrike. Lateral movement refers to the process of traversing from machine to machine across a network infrastructure, progressively working from less critical systems toward higher-value targets.
“AI is compressing the time between intent and execution.” Compounding the challenge, attacks are increasingly blending into normal network traffic by running through trusted identities, SaaS applications, and cloud infrastructure.
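The "breakout time" the report measures, the interval between initial access and the first lateral move, is something a defender can compute from their own authentication logs to see how much response window they actually have. The following is an added example, not code from the article or from CrowdStrike: it parses a constructed logon log (the event format, hostnames, accounts, IP ranges and timestamps are all made up), treats an account's first logon from outside the internal address ranges as initial access, treats its first subsequent logon from an internal address to a different host as lateral movement, and flags accounts whose breakout time is at or below the 29-minute average quoted above.

```python
"""Estimate per-account breakout time from constructed logon events.

Added example, not part of the article or the CrowdStrike report. The log
format, hosts, accounts, addresses and timestamps are constructed sample
data; INTERNAL_NETS is an assumption about which ranges count as "inside".
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    account: str
    src_ip: str
    dst_host: str


# Assumed internal address space; adjust to the environment being analysed.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> LogonEvent:
    # Constructed line format: "<ISO timestamp> logon account=<a> src=<ip> dst=<host>"
    ts_s, _, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return LogonEvent(datetime.fromisoformat(ts_s), fields["account"],
                      fields["src"], fields["dst"])


def breakout_times(events):
    """Return {account: timedelta} for every account that moved laterally.

    Initial access  = the account's first logon whose source IP is external.
    Lateral movement = the account's first later logon from an internal IP
                       to a host other than the one reached at initial access.
    Accounts that only ever log on from inside are not reported.
    """
    first_access = {}
    result = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.account not in first_access:
            if not is_internal(ev.src_ip):
                first_access[ev.account] = ev
            continue
        if ev.account in result:
            continue  # only the first lateral hop defines breakout time
        entry = first_access[ev.account]
        if is_internal(ev.src_ip) and ev.dst_host != entry.dst_host:
            result[ev.account] = ev.ts - entry.ts
    return result


def flag_fast_breakouts(events, threshold=timedelta(minutes=29)):
    """Accounts whose breakout time is at or below the threshold, sorted."""
    return sorted(a for a, dt in breakout_times(events).items() if dt <= threshold)


# Constructed sample log: one service account breaks out in about four
# minutes, one user takes hours, one user never arrives from outside.
SAMPLE_LOG = """\
2026-02-10T08:00:00 logon account=svc_backup src=203.0.113.7 dst=vpn-gw01
2026-02-10T08:04:10 logon account=svc_backup src=10.20.1.15 dst=fileserver02
2026-02-10T08:11:42 logon account=svc_backup src=10.20.1.15 dst=dc01
2026-02-10T09:00:00 logon account=j.doe src=198.51.100.9 dst=vpn-gw01
2026-02-10T11:30:00 logon account=j.doe src=10.20.3.40 dst=wiki01
2026-02-10T09:30:00 logon account=m.lee src=10.20.5.5 dst=wiki01
"""


def sample_events():
    return [parse_line(line) for line in SAMPLE_LOG.splitlines()]


if __name__ == "__main__":
    for account, dt in breakout_times(sample_events()).items():
        print(f"{account}: breakout after {dt}")
    print("fast breakouts:", flag_fast_breakouts(sample_events()))
```

Run against real data, the threshold is the operational question: if the typical breakout time in your logs is shorter than the time it takes your team to triage an alert, containment has to be automated (for example, isolating the host or disabling the account on the first cross-host logon) rather than left to a human in the loop.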
Cloud-related incidents rose 37 percent overall, and a striking 266 percent among state-sponsored actors. Additionally, 42 percent of all exploited vulnerabilities were abused as zero-days before their public disclosure. In short: the threat landscape remains under serious pressure.
(lb/CrowdStrike)