Report: AI is Supercharging Old-School Cybercriminal Tactics
AI isn’t just transforming how we work. It’s reshaping how cybercriminals attack, with threat actors exploiting AI to mass produce malicious code loaders, steal browser credentials and accelerate cloud attacks, according to a new report from Elastic.
The 2025 Global Threat Report, based on more than 1 billion data points derived from real production environments, finds that generic threats — typically loaders built using AI — jumped 15.5% in the past year, while malicious code execution on Windows nearly doubled to 32.5%.
AI-created malware and easy access to stolen browser credentials are fueling a new class of bad actors who are less reliant on stealth attacks and are leaning into continuous, steady probes for entry into corporate networks.
“Attackers are shifting from stealth to speed, launching waves of opportunistic attacks with minimal effort,” said Devon Kerr, head of Elastic Security Labs and director of Threat Research. “This evolution shows how urgent it is for defenders to harden identity protections and to adapt their detection strategies for this new era of speed attacks.”
Key Findings
Browsers are the new front line
One in eight malware samples targeted browser data, making credential theft the most common sub-technique for access.
Infostealers increasingly exploit Chromium-based browsers to bypass built-in protections.
Execution has overtaken evasion
On Windows, execution tactics nearly doubled to 32%, surpassing defense evasion for the first time in three years.
GhostPulse accounted for 12% of signature events, often delivering infostealers like Lumma (6.67%) and Redline (6.67%).
AI lowers the barrier to entry
Generic threats rose 15.5%, fueled by adversaries using LLMs to churn out simple but effective malicious loaders and tools.
Off-the-shelf malware families remain widely used, with RemCos (9.33%) and CobaltStrike (~2%)
Cloud identity is under siege
Over 60% of cloud security events involved Initial Access, Persistence, or Credential Access.
Authentication gaps in Microsoft Entra ID stood out: 54% of anomalous Azure signals originated from audit logs, climbing to nearly 90% when all Entra telemetry was included.