Skyrocketing Cloud Intrusions in 2025: The Rising Threat Landscape Exposed

The world of cybersecurity is facing a sharp and alarming rise in cloud intrusions during the first half of 2025. According to CrowdStrike’s 2025 Threat Hunting Report, attacks on cloud environments have surged by a staggering 136% compared to all of 2024. This rapid increase highlights a worrying trend where cybercriminals and nation-state actors are mastering the art of exploiting cloud misconfigurations, gaining persistent access, and moving stealthily within victim networks.

The growth in cloud-targeted attacks is significantly driven by Chinese-linked threat groups, who have enhanced their cyber espionage capabilities with bolder tactics and expanded operational scale. Two groups in particular—Genesis Panda and Murky Panda—have demonstrated exceptional skill in breaching cloud defenses, exploiting web-facing vulnerabilities, and leveraging trusted partner relationships to infiltrate sensitive environments. Alongside this, the report also reveals an uptick in highly interactive “hands-on-keyboard” intrusions, where human operators adapt tactics in real time to evade detection and persist in their targets’ networks.

In parallel, the cybercriminal gang Scattered Spider has surged back into activity, targeting critical sectors with ransomware and sophisticated voice phishing (vishing) attacks. These multifaceted developments paint a vivid picture of an evolving threat ecosystem where cloud security and social engineering are becoming prime battlegrounds.

Rising Cloud Intrusions and Threat Actor Evolution

CrowdStrike’s findings expose a cybersecurity landscape in flux, with cloud attacks now dominating the threat environment. The 136% increase in cloud intrusions is a clear indicator that adversaries have become proficient in exploiting cloud-specific weaknesses—whether through misconfigured systems, compromised cloud service provider accounts, or trusted third-party relationships. Notably, the report highlights a 40% rise in Chinese-nexus actors exploiting cloud targets, showcasing how state-linked groups are sharpening their cyber espionage skills.

Genesis Panda acts as an initial access broker, hunting for vulnerabilities in web-facing assets and cloud services, while Murky Panda exploits trusted partner ecosystems to gain footholds, particularly in North America. Their use of advanced malware such as CloudedHope and their rapid weaponization of zero-day exploits demonstrate a leap in sophistication.

This surge also extends to the methods attackers use. Interactive intrusions have risen by 27%, emphasizing that more adversaries are employing manual, adaptive techniques instead of automated scripts. This hands-on approach enables threat actors to bypass legacy detection tools, carefully explore networks, evade defenses, and move laterally to maximize impact.

Scattered Spider’s return with ransomware campaigns targeting retail, aviation, and insurance sectors, combined with a sharp increase in vishing attacks, adds another dimension of risk. Their ability to convincingly impersonate employees during help desk calls, even using accurate employee IDs or alternative credentials, shows a troubling level of social engineering sophistication.

What Undercode Say:

The sharp rise in cloud intrusions underlines a critical pivot in the cybersecurity battlefield. Cloud environments, once considered a boon for flexibility and efficiency, have now become a major vulnerability vector. The sheer scale of the 136% increase in cloud attacks indicates that threat actors are not only growing in number but also in expertise specific to cloud platforms. Misconfigurations and inadequate cloud account management remain low-hanging fruit, but increasingly sophisticated groups are leveraging these weaknesses with tailored strategies.

Chinese state-linked actors like Genesis Panda and Murky Panda are leading this charge with a methodical, multi-stage approach. Genesis Panda’s role as an initial access broker suggests a complex ecosystem where different groups specialize in parts of the attack chain—access brokering, persistence, intelligence gathering—making defense increasingly complicated. Murky Panda’s use of third-party trust relationships illustrates the vulnerabilities of supply chains and cloud tenant ecosystems, pushing defenders to rethink identity and access management.

The shift towards interactive, hands-on intrusions signals a maturation of attacker tactics. Human operators analyzing environments in real time pose a bigger threat than automated malware scans. This evolution requires defenders to move beyond signature-based detection towards behavior analysis and zero-trust architectures. The prominence of discovery and defense evasion techniques further reinforces that attackers spend significant time inside networks, patiently navigating and hiding from security tools.

Scattered Spider’s resurgence also reveals how cybercriminals blend technical attacks with advanced social engineering. Their voice phishing tactics, including identity spoofing and real-time interaction, exploit human factors often overlooked in cybersecurity frameworks. This hybrid threat model—technical and social—demands integrated defense strategies encompassing user education, multi-factor authentication, and strict verification protocols.

Overall, CrowdStrike’s report highlights the necessity for organizations to prioritize cloud security and social engineering defenses in equal measure. Legacy perimeter defenses and automated alerts are no longer sufficient; dynamic, context-aware detection systems and rigorous cloud hygiene practices must become the norm.

🔍 Fact Checker Results

✅ Cloud intrusions surged by 136% in H1 2025 compared to all of 2024.
✅ Chinese-linked threat actors, including Genesis Panda and Murky Panda, are key drivers of this increase.
✅ Scattered Spider has been linked to increased ransomware and sophisticated voice phishing attacks.

📊 Prediction

Cloud environments will become the primary battleground in cybersecurity for the foreseeable future. Attackers will continue refining hands-on, adaptive intrusion techniques that bypass traditional detection systems. Supply chain and third-party trust vulnerabilities will grow in prominence, making identity and access management the frontline defense. Meanwhile, social engineering attacks, particularly voice phishing, will become more sophisticated and frequent, forcing organizations to invest heavily in human-centric security training and multi-layered authentication. Failure to evolve cloud security and user verification will likely result in more devastating breaches and widespread data exfiltration incidents by the end of 2025.


References:

Reported By: www.infosecurity-magazine.com