[CrowdStrike]: 2025 Threat Hunting Report - 发现报告

2025 Threat Hunting Report


Table of Contents

Introduction (p. 3)
Naming Conventions (p. 6)
Front-Line Snapshot
Hunting Cross-Domain Adversaries (p. 20)
Case Study: Disrupting BLOCKADE SPIDER (p. 22)
Case Study: Hunting OPERATOR PANDA (p. 25)
Identity Hunting (p. 26)
Adversary Spotlight: SCATTERED SPIDER (p. 27)
Cloud Hunting (p. 30)
Case Study: Hunting GENESIS PANDA Across the Cloud Control Plane (p. 32)
Case Study: MURKY PANDA’s Abuse of Trusted Relationships (p. 34)
Endpoint Hunting (p. 35)
Case Study: Hunting GLACIAL PANDA Living off the Land (p. 36)
Vulnerability Hunting (p. 38)
Case Study: Hunting GRACEFUL SPIDER’s Zero-Day (p. 39)
Conclusion
Recommendations (p. 44)
CrowdStrike Falcon Platform (p. 46)
About CrowdStrike (p. 53)

Introduction

A new era of cyber threats has emerged with the rise of the “enterprising adversary,” as highlighted in the CrowdStrike 2025 Global Threat Report. This new breed of threat actor distinguishes itself through sophisticated and scalable tactics designed to execute attacks with calculated, business-like efficiency. These adversaries operate with strategic precision to maximize impact and quickly achieve their goals.

Innovation is a critical cornerstone to outmaneuver and disrupt the enterprising adversary. Novel technologies and threat hunting are required to anticipate the adversary's next moves, understand their evolving methodologies, and adapt defenses to stay ahead.

Today's enterprising adversary is adept at bypassing traditional cybersecurity defenses. They understand the limitations of conventional safeguards and seek to exploit security weaknesses and vulnerabilities that established systems and processes often overlook. This includes exploiting human factors through sophisticated social engineering techniques — now often enhanced by AI — and moving to unmanaged devices, which are often significant blind spots in an organization's security posture. By targeting devices outside the direct purview of IT departments, they can establish footholds, exfiltrate data, or launch further attacks without immediate detection.
The CrowdStrike Counter Adversary Operations team brings together industry-leading threat intelligence and best-in-class managed threat hunting with the AI-powered CrowdStrike Falcon® platform to detect, disrupt, and stop enterprising adversaries. Counter Adversary Operations comprises two closely integrated teams. The CrowdStrike Intelligence team provides actionable reporting that identifies new adversaries, monitors their activities, and captures emerging cyber threat developments in real time. The CrowdStrike OverWatch team uses this intelligence to conduct proactive threat hunting across customer telemetry to detect and address malicious activity. Together, these teams protect thousands of customers from the most sophisticated adversaries by providing the intelligence and threat hunting skills and resources that most organizations lack.

Enterprising adversaries are using generative AI (GenAI) to enhance their operations, underscoring the critical need for innovative defensive strategies. The integration of GenAI into insider threat operations by Democratic People’s Republic of Korea (DPRK)-nexus adversary FAMOUS CHOLLIMA rapidly made them the most GenAI-proficient adversary. FAMOUS CHOLLIMA IT workers use GenAI to create attractive résumés for companies, reportedly use real-time deepfake technology to mask their true identities in video interviews, and leverage AI code tools to assist in their job duties, all of which pose a substantial challenge to traditional security defenses.

Adversaries continually seek to stay undetected by moving to unmanaged networks and expanding their reach. Cross-domain threat hunting is critical, as adversaries increasingly operate across multiple domains — such as identity, endpoint, and cloud — in their efforts to evade detection. These cross-domain threats often generate fewer detections in a single domain or product, making the activity difficult to recognize as malicious.
To stay ahead of sophisticated cross-domain adversaries such as BLOCKADE SPIDER and OPERATOR PANDA, CrowdStrike OverWatch hunters are expanding their hunting grounds with innovative next-gen security information and event management (SIEM) technology to capture adversaries’ every move.

Though adversaries that prioritize rapid execution have the most visible and immediate impact, those that emphasize stealth, prolonged presence, and the meticulous execution of a “long game” approach present an equally potent threat. These operations often include sustained access, covert data harvesting, and — in some cases — preparing a victim’s environment for future, more impactful operations. China-nexus adversaries such as GLACIAL PANDA have increasingly excelled at this approach. GLACIAL PANDA primarily targets the global telecommunications sector through patient and methodical infiltration, established persistence, and deep, quiet reconnaissance of target networks, systems, and data. The challenge in detecting these stealthy adversaries is amplified by their minimal digital footprint, allowing them to easily blend into legiti