Adversary Universe Podcast

CrowdStrike

73 episodes · EN

Show overview

Adversary Universe Podcast has been publishing since 2023, and across the 3 years since has built a catalogue of 73 episodes, alongside 1 trailer or bonus episode. That works out to roughly 40 hours of audio in total. Releases follow a fortnightly cadence.

Episodes typically run twenty to thirty-five minutes — most land between 27 min and 40 min — though episode length varies meaningfully from one episode to the next. None of the episodes are flagged explicit by the publisher. It is catalogued as an EN-language Technology show.

The show is actively publishing — the most recent episode landed 1 week ago, with 8 episodes already out so far this year. Published by CrowdStrike.

Episodes: 73
Running: 2023–2026 · 3y
Median length: 34 min
Cadence: Fortnightly

From the publisher

Modern adversaries are relentless. Today’s threat actors target organizations around the world with sophisticated cyberattacks. Who are they? What are they after? And most importantly, how can you defend against them? Welcome to the Adversary Universe podcast, where CrowdStrike answers all of these questions — and more. Join our hosts, a pioneer in adversary intelligence and a specialist in cybersecurity technology, as they unmask the threat actors targeting your organization.

Latest Episodes


The Partnerships Taking on AI Security: Daniel Bernard, CrowdStrike Chief Business Officer

May 7, 2026 · 38 min

The "Vuln-pocalypse" Looms: Are We Cooked?

Apr 23, 2026 · 29 min

Ep 70: Hunting Supply Chain Attacks with Jared Myers, Director, CrowdStrike OverWatch

Supply chain attacks targeting AI have recently been making headlines — and keeping the CrowdStrike OverWatch team busy. Jared Myers, director of CrowdStrike OverWatch, joins Adam in this episode to discuss his team’s approach to detecting and responding to these attacks. When a supply chain attack uses a zero-day vulnerability to breach a target, it’s often the CVE that grabs attention. But the zero-day isn’t what CrowdStrike OverWatch is after, Jared says. It’s the follow-on tradecraft once the adversary is inside. He takes listeners behind the scenes of the team’s response to recent supply chain attacks, including the MOVEit attack of 2023 and the Axios supply chain incident of March 2026, to share the technical details of how the team learns and acts on information as attacks are unfolding. Identity is an essential component in supply chain attacks, Jared explains. Once an adversary is in, they’re looking for a user account to help them move laterally. He shares advice with listeners and key takeaways from the team’s identity threat hunting. CrowdStrike OverWatch is a 24/7/365 operation, with experts working around the clock across time zones with visibility into trillions of events per day. By the time an attack makes headlines, CrowdStrike OverWatch may have known about it for months. “We don’t ever stop looking; we don’t ever stop hunting,” says Jared.

Notes:
• Blog: STARDUST CHOLLIMA Likely Compromises Axios npm Package [https://www.crowdstrike.com/en-us/blog/stardust-chollima-likely-compromises-axios-npm-package/]
• Blog: From Scanner to Stealer: Inside the trivy-action Supply Chain Compromise [https://www.crowdstrike.com/en-us/blog/from-scanner-to-stealer-inside-the-trivy-action-supply-chain-compromise/]

Apr 9, 2026 · 26 min

Ep 69: Breaking Down the New National Cybersecurity Strategy

The Trump administration has released a national cybersecurity strategy that commits to strengthening defenses through six core pillars: employing more offensive cyber operations, streamlining regulations, modernizing and protecting federal networks, securing critical infrastructure, leading in new technologies, and developing talent. In this episode, Rob Sheldon, Sr. Director of Public Policy and Strategy at CrowdStrike, joins Adam and Cristian for a deep dive into three of the pillars that are top of mind for them: offensive cyber operations, updating federal systems, and protecting critical infrastructure. They discuss why these are difficult problems to solve and key considerations for how to approach them, including relevant threat activity and the involvement of the private sector. Though they could have talked about this for hours, this is a busy team!

Check out the full cybersecurity strategy text for more details: https://www.whitehouse.gov/wp-content/uploads/2026/03/President-Trumps-Cyber-Strategy-for-America.pdf
Interested in government cybersecurity? Register here for Fal.Con Gov 2026, taking place March 18 in Washington, D.C.: https://www.crowdstrike.com/en-us/events/fal-con/gov/register/

Mar 10, 2026 · 47 min

Ep 68: Speed, Stealth, and AI: The CrowdStrike 2026 Global Threat Report

It’s that time of year: The CrowdStrike 2026 Global Threat Report is live, and Adam and Cristian are here to break down the key findings. This year’s report spotlights adversaries’ heightened speed, their evolving use of AI, an increase in activity from China and North Korea, and the growth of supply chain attacks, zero-day exploitation, and cloud targeting. For new listeners, the annual Global Threat Report delivers an analysis of the modern threat landscape based on CrowdStrike's frontline observations and real-world threat intelligence from the previous year. 2026 was the year of the evasive adversary. As defenses get stronger, adversaries are focused on refining their techniques to target security blind spots and bypass detection. AI is helping them accelerate and find creative ways around defenses for hands-on-keyboard operations. In 2025, AI-enabled adversaries increased attacks by 89% year-over-year. The trend is poised to continue: “I don’t think AI is going to create the malware — I think AI is going to be the malware,” Adam said. But AI isn’t the only factor shaping the modern threat landscape.

Below are a few key stats from the report:
• The average eCrime breakout time fell to 29 minutes — a 65% increase in speed from 2024. The fastest breakout we observed occurred in just 27 seconds.
• 82% of detections were malware-free, continuing a steady trend in recent years.
• North Korea-nexus incidents jumped 130%, and FAMOUS CHOLLIMA's activity doubled compared to 2024.
• We observed a 42% increase in vulnerabilities exploited prior to public disclosure and a 37% rise in cloud-conscious intrusions.

Tune in to learn about these findings and more from the CrowdStrike 2026 Global Threat Report.

Feb 24, 2026 · 33 min

Ep 67: Interview with a Threat Hunter: Brody Nisbet, Sr. Director of CrowdStrike OverWatch

Threat hunting is hard to define, but Brody Nisbet, Sr. Director of CrowdStrike OverWatch, breaks down the basics in an episode that starts with the CrowdStrike OverWatch mission and dives into his stories from the front lines of threat hunting. This team detects adversaries in customer environments before they can achieve their nefarious goals. “Our mission is to outcompete your adversary,” Brody says. His team notifies customers of adversary activity and provides them with the actionable intelligence required to protect themselves. A staggering amount of data goes into the CrowdStrike OverWatch team's process: 5.7 trillion events per day (65 million events per second). The team triages this data and “sorts the wheat from the chaff” to figure out what’s most important for each business. As you might imagine, this work leads to some fascinating findings and stories. Tune in to hear Adam, Cristian, and Brody chat about encounters with FAMOUS CHOLLIMA and OPERATOR PANDA — and a cold case centered around malware dubbed Fluffy Cannoli.

Feb 12, 2026 · 39 min

Ep 66: LABYRINTH CHOLLIMA Evolves into Three Adversaries

LABYRINTH CHOLLIMA, which is among the most prolific DPRK-nexus adversaries that CrowdStrike tracks, has evolved into three separate threat actors: GOLDEN CHOLLIMA, PRESSURE CHOLLIMA, and LABYRINTH CHOLLIMA. Each adversary has specialized goals and tradecraft. While LABYRINTH CHOLLIMA continues to prioritize espionage and targets specific industries, GOLDEN CHOLLIMA and PRESSURE CHOLLIMA focus on cryptocurrency entities and stand out for the scale and scope of their operations. In this episode, Adam and Cristian explain when it became clear that one adversary had evolved into three and discuss how they differ — and, interestingly, what they still have in common. Despite operating independently, the three adversaries still share tools and infrastructure, a sign of coordination within the DPRK cyber ecosystem. To put this development into context, the hosts take us back to the early days of North Korea's cyber activity and trace the progression of the many nation-state threat actors operating on its behalf. Tune in to learn about a significant update for a prolific nation-state adversary.

Learn more about:
• The LABYRINTH CHOLLIMA evolution in our new blog post
• Fal.Con Gov 2026
• CrowdTour 2026

Jan 29, 2026 · 32 min

Ep 65: Taking Down Cybercriminals with Shawn Henry, Former FBI Leader

How do you take down a cybercriminal? Last month, we explored that question through the lens of Operation Endgame. Today, we ask Shawn Henry, former Executive Assistant Director of the FBI and current Executive Advisor to the Founder and CEO of CrowdStrike. In some ways, it’s similar to taking down criminals in the physical world. But the speed and scale of cybercrime operations exacerbate the challenge of stopping them. While infrastructure can be dismantled, the impact is now short-lived as adversaries pivot to other setups. While law enforcement considers how to replicate successful operations, cybercriminals are thinking about how they can adapt and stay ahead. For those pursuing adversaries, speed and scale are difficult to achieve. As Shawn explains, successful takedowns require collaboration among dozens of groups; among them law enforcement agencies, international partners, intelligence analysts, reverse engineers, prosecutors, and private sector organizations that have visibility into adversary infrastructure. “A takedown isn’t a single door-kick moment. It’s a monthslong choreography of legal process and infrastructure mapping and partner synchronization,” he says. Are there ways to accelerate the process? He has a few ideas. Tune in as Shawn joins Adam and Cristian to share a behind-the-scenes take on stopping cybercrime. Learn the key challenges law enforcement faces, how a takedown comes together, why arrests alone aren’t enough to stop adversaries, and where there is still an opportunity to have real impact.

Jan 15, 2026 · 48 min

Ep 64: 2025 Wrapped: Updates on This Year’s Hottest Topics

This was a busy year for the Adversary Universe podcast. We covered the emergence of new adversaries, the weaponization of AI, critical CrowdStrike research, and how cyberattacks look in different regions of the world. To recap 2025, we’re revisiting the topics that resonated most with our listeners to share year-end updates. Adam and Cristian cover the I-Soon data leaks, evolution of China as a nation-state threat, re-emergence of SCATTERED SPIDER, and the latest in ransomware-as-a-service. Tune in to learn the factors that may shape Chinese cyber operations in 2026 and why SCATTERED SPIDER activity looks different now compared to its summer of cybercrime. As a bonus, Adam shares some of the latest eCrime stats his team is seeing as we close out 2025 and explains why he believes we’ll see “an explosion of zero-days” in the months ahead. The adversary never slows down — and neither do we. We look forward to bringing you more information on the newest cyber threats in 2026.

For more information:
• I-Soon episode: See You I-Soon: A Peek at China’s Offensive Cyber Operations
• Blog post: Unveiling WARP PANDA, a New Sophisticated China-Nexus Adversary
• Blog post: CrowdStrike Services Observes SCATTERED SPIDER Escalate Attacks Across Industries

Dec 30, 2025 · 36 min

Ep 63: Is This Endgame? How Takedowns Are Reshaping eCrime

In November 2025, a major public-private sector collaboration took down three significant malware networks. Operation Endgame involved law enforcement agencies from six EU countries, Australia, Canada, the U.K., and the U.S., along with Europol and 30 private sector partners, including CrowdStrike. The dismantled infrastructure consisted of hundreds of thousands of infected computers containing several million stolen credentials. Operation Endgame was a critical disruption of adversary operations — but it wasn’t the first. Law enforcement has for years sought to take down adversary infrastructure and often partners with private sector organizations like CrowdStrike to inform their operations. By disrupting the tools and processes threat actors rely on, these takedowns raise the cost for adversaries and make it harder for them to operate. As Adam and Cristian discuss in this episode, takedowns require careful planning and constant innovation. Adversaries are always finding new techniques and tools, and law enforcement must do the same. While disruption may slow them down, threat actors are often quick to pivot and find new ways to achieve their goals. In this episode, we examine how law enforcement takedowns disrupt adversary operations, how adversaries respond, where the private sector provides support, and what this all means for organizations facing modern threats.

Dec 18, 2025 · 35 min

Ep 62: Defrosting Cybersecurity’s Cold Cases with CrowdStrike’s Tillmann Werner

Not all cybercrimes are resolved. Some threat groups disappear completely, and some malware is never seen again. But sometimes, a long-dormant case is cracked open and elusive answers are found. Tillmann Werner, VP of Intelligence Production at CrowdStrike, has been a member of the CrowdStrike Intelligence team since 2012 and has analyzed many of these cold cases. In this episode, he joins Adam to chat about unresolved cyberattacks, the adversaries behind them, and cases that remained inactive for years before new technology or data allowed experts to close them. While it’s frustrating to close a file without success, Tillmann says, the evolution of technology and proliferation of data often help solve old cases that have collected dust. Tune in to hear Adam and Tillmann look back at decades-old eCrime and nation-state campaigns, some of which now have answers — and others that remain a mystery.

Dec 4, 2025 · 34 min

Ep 61: Prompted to Fail: The Security Risks Lurking in DeepSeek-Generated Code

CrowdStrike research into AI coding assistants reveals a new, subtle vulnerability surface: When DeepSeek-R1 receives prompts the Chinese Communist Party (CCP) likely considers politically sensitive, the likelihood of it producing code with severe security flaws increases by up to 50%. Stefan Stein, manager of the CrowdStrike Counter Adversary Operations Data Science team, joined Adam and Cristian for a live recording at Fal.Con 2025 to discuss how this project got started, the methodology behind the team’s research, and the significance of their findings. The research began with a simple question: What are the security risks of using DeepSeek-R1 as a coding assistant? AI coding assistants are commonly used and often have access to sensitive information. Any systemic issue can have a major and far-reaching impact. It concluded with the discovery that the presence of certain trigger words — such as mentions of Falun Gong, Uyghurs, or Tibet — in DeepSeek-R1 prompts can have severe effects on the quality and security of the code it produces. Unlike most large language model (LLM) security research focused on jailbreaks or prompt injections, this work exposes subtle biases that can lead to real-world vulnerabilities in production systems. Tune in for a fascinating deep dive into how Stefan and his team explored the biases in DeepSeek-R1, the implications of this research, and what this means for organizations adopting AI.

Nov 20, 2025 · 37 min

Ep 60: Extortion Rises and Nation-State Activity Intensifies: The CrowdStrike 2025 European Threat Landscape Report

Europe is a prime target for global adversaries. There is a strong emphasis on eCrime across the region as well as a rise in hacktivism and espionage stemming from ongoing conflicts. The CrowdStrike 2025 European Threat Landscape Report breaks down these trends. In this episode, Adam and Cristian cover the highlights. They start with cybercrime, a major theme of the report. The five most targeted European nations were the U.K., Germany, Italy, France, and Spain, which also represent the region’s largest economies (excluding Russia). The most targeted sectors were manufacturing, professional services, technology, industrials and engineering, and retail. Adam explains how eCrime threat actors are looking for victims with a high need to stay operational. “With manufacturing, if they’re knocked offline because of ransomware, they can count the downtime in dollars and cents,” he shares as an example. On the nation-state front, Russia is top of mind. Since its invasion of Ukraine in 2022, many Russian threat actors who operated globally are more focused on Ukraine and areas related to the conflict. Adam and Cristian discuss reports of North Korean threat actors supporting the Russians with weapons and personnel, North Korea targeting Ukraine, and the tactics and techniques that stand out most. The European threat landscape is crowded and complex. Tune in to understand the key findings, and download the full report for more details.

Full report: https://www.crowdstrike.com/en-us/resources/reports/2025-european-threat-landscape-report/

Nov 6, 2025 · 27 min

Ep 59: Thriving Marketplaces and Regional Threats: The CrowdStrike 2025 APJ eCrime Landscape Report

In the Asia Pacific and Japan (APJ) region, a burgeoning set of threat actors is emerging with a different language set, distinct tools, and an ecosystem where they interact with adversaries across the threat landscape. The CrowdStrike 2025 APJ eCrime Landscape Report explores the trends and issues facing organizations operating in this part of the world. For example, criminal groups in APJ are focused on opportunistic big game hunting and primarily target organizations in manufacturing, technology, industrials and engineering, financial services, and professional services. The sale of phishing kits is popular, with some going for up to $1 million. These threat actors prefer phishing, spam campaigns, and remote access toolkits to enable their operations. And they often find them on thriving Chinese-language marketplaces, which enable the sale of illicit services. While Eastern Europe is typically known as a hotbed of eCrime activity, the APJ region is one to watch. Tune in to hear Adam and Cristian discuss the key adversaries operating in the region, the threats that stand out to them, and how defenders can stay safe.

Read the report: 2025 APJ eCrime Landscape Report
Watch on YouTube: https://youtu.be/97javj3hmAA

Oct 23, 2025 · 19 min

Ep 58: A Brief History of Ransomware

Ransomware is not new, but the ransomware of today is very different from the ransomware of 1989. Today’s episode doubles as a history lesson, as Adam and Cristian look back at how a prolific global threat has evolved over the decades. Gone are the days of malware arriving on floppy disks and victims waiting weeks to restore their systems in exchange for $200 ransom payments. “The early days of viruses were weird,” Adam points out. But much has changed since then. Several factors — the advent of cryptocurrency, the rise of enterprise targeting, and the shift to ransomware as a service — have caused the threat to transform. Today’s adversaries run ransomware like a business and collect hundreds of millions of dollars in payments. The hosts reflect on the first ransomware to hit a business, the first to make news headlines, and the first major botnet operator to deploy ransomware, among other key events. Tune in for a discussion that spans years of ransomware evolution, highlights the key adversaries involved, and explains how businesses can defend themselves as the threat landscape continues to change.

Oct 16, 2025 · 38 min

Ep 57: Tech Sector Targeting, Innovation Race, Fal.Con Countdown

This week’s episode arrives as Adam and Cristian are gearing up for Fal.Con, CrowdStrike’s annual event taking place next week in Las Vegas. They’ll be recording a live episode on some fascinating LLM research presented at the show, so stay tuned for that in a couple of weeks. Amid their prep, they took the time to sit down for a conversation starting with a simple prompt: What are today’s security leaders and practitioners talking about? Their discussion sheds light on the industries hardest hit by nation-state and eCrime activity and explores why some sectors, like technology and telecommunications, are seeing a sharp spike in targeted intrusions while others are facing an increase in cybercrime. Tune in to learn about shifts in Chinese cyber activity, what happens when an adversary sees another adversary in a target environment, and whether modern tech innovations will drive changes in cyber espionage.

Sep 12, 2025 · 17 min

Ep 56: Live at Black Hat: What’s AI Really Capable Of?

This year at Black Hat, the topic of AI was everywhere — from hallway chats to the expo floor. Adam and Cristian took a break from the action for a rare in-person conversation about how adversaries are weaponizing AI, how defenders are using agentic AI, and what we should all be thinking about as AI evolves as an offensive and defensive tool. The AI threat is real, and advanced adversaries in particular are using it to their advantage. They’re improving the wording in social engineering attacks, creating deepfakes in fraudulent job interviews, and targeting victims on a more personal level. FAMOUS CHOLLIMA is an example of one adversary “using it for everything,” the hosts say. SCATTERED SPIDER is another adversary to watch. On the other side, defenders are adopting agentic AI to expedite their response. Adam and Cristian explore the importance of protecting AI workloads, the potential for insider threats with AI models, and the growing need for AI governance and security guardrails. If AI is monitoring security services, they ask, who guards the guardian? Tune in for an in-depth conversation on what AI is really capable of — and stick around for a sneak peek of an upcoming guest episode, where a guest joins to discuss young adversaries moving from online gaming to organized cybercrime.

Aug 18, 2025 · 33 min

Ep 55: Cloud Intrusions Rise, eCrime Thrives, Governments Under Attack: CrowdStrike 2025 Threat Hunting Report

In the first half of 2025 alone, cloud intrusions were up 136% compared to all of 2024. China was a big driver — CrowdStrike saw a 40% year-over-year surge in intrusions from suspected cloud-conscious China-nexus threat actors. In the government sector, interactive intrusions increased 71%, and targeted intrusion activity jumped 185%. The CrowdStrike OverWatch threat hunting team has a firsthand look at how adversaries are changing their techniques. In the CrowdStrike 2025 Threat Hunting Report, published today, the team shares observations, trends, and shifts seen in its threat hunting and adversary engagements over the past 12 months. In this episode, Adam and Cristian dive deep into the report’s key findings and put them into context. They explore why the use of malware is going down (and why it won’t go away), unpack the rise in government intrusions, and explain the role of generative AI (GenAI) in today’s threat landscape. They examine the rise of prolific adversaries such as SCATTERED SPIDER and FAMOUS CHOLLIMA and discuss the techniques organizations can use to stop them.

Below are more key stats from this year’s report:
• 73% of all interactive intrusions were eCrime
• 81% of interactive intrusions were malware-free
• In the first half of 2025, voice phishing (vishing) attacks surpassed the total number seen in 2024
• FAMOUS CHOLLIMA insiders infiltrated 320+ companies in the last 12 months — a 220% year-over-year increase — by using GenAI throughout hiring and employment

Download the report to learn more.

Links:
📃 Threat Hunting Report: https://www.crowdstrike.com/resources/reports/threat-hunting-report/
🎧 Our site: https://www.crowdstrike.com/en-us/resources/adversary-universe-podcast/

Aug 4, 2025 · 36 min

Ep 54: The Return of SCATTERED SPIDER

They never really left — they just got quieter, faster, and bolder. In this episode of the Adversary Universe podcast, Adam and Cristian trace the resurgence of SCATTERED SPIDER, one of today’s most aggressive and sophisticated adversary groups. Once known for SIM swapping and gaming community exploits, SCATTERED SPIDER has evolved into a high-speed, high-impact ransomware crew targeting the retail, insurance, and aviation sectors. Adam shares CrowdStrike’s front-line insights into how the group operates, from conducting help desk social engineering and bypassing multifactor authentication (MFA) to hijacking hypervisors and exfiltrating data via software as a service (SaaS) integrations.

Tune in to learn:
• How SCATTERED SPIDER blends SIM swapping, voice phishing, and cloud-native tradecraft
• Why they’re one of the fastest threat actors we’ve seen, sometimes encrypting systems within 24 hours
• What defenders must do to spot them early and act fast
• And yes, why they still haven’t been arrested

Check the show notes for CrowdStrike’s latest guidance and technical blog on SCATTERED SPIDER.

Jul 17, 2025 · 33 min

Ep 53: Ask Us (Almost) Anything: Threat Intel, Adversaries, and More

You asked, and we answered. This episode of the Adversary Universe podcast takes a deep dive into questions from our listeners. What did you want to know? Well, a lot about adversaries, but also about career paths and the threat intel space.

Tune in to hear the answers to questions like:
• How did you break into the threat intelligence space?
• Who is the first adversary CrowdStrike tracked?
• Who is an adversary that keeps you up at night and why?
• What was a jaw-dropping moment you experienced in tracking adversaries?
• If you didn’t work in infosec, what would your dream job be?

Thanks to everyone who submitted questions. We’d love to continue hearing from you.

💼 Careers at CrowdStrike: https://www.crowdstrike.com/en-us/careers/

Jul 3, 2025 · 25 min

Copyright 2023. All rights reserved.