Shadow Networks: How AI Will Change the Balance of Power in Cyber Espionage
Artificial intelligence is rewriting the rules of digital espionage — and the evidence is already here.
Why it matters
The Elastic Global Threat Report 2025 reveals that AI is transforming not only cyber defence but also how adversaries attack.
The report, drawn from over one billion data points, shows that generic AI-generated malware rose 15.5 per cent, execution activity on Windows nearly doubled to 32.1 per cent, and more than one in eight malware samples now steal browser data.
The findings confirm what many in cyber intelligence suspected: the balance of power in digital espionage is shifting from stealth to speed, and from human-crafted intrusions to AI-driven automation.
1. The End of Patience
For decades, cyber-espionage was an art form.
Groups like Equation, Turla, and APT29 spent months crafting implants, developing zero-days, and moving laterally through networks at a glacial pace. Their hallmark was invisibility — persistence without noise.
Elastic’s 2025 data shows that world is gone. The report’s opening warning sets the tone:
“The era of slow, methodical intrusion has been replaced by a new model of high-velocity attacks that prioritise speed and efficiency.”
Attackers are now exploiting the same trusted tools enterprises use — cloud platforms, browsers, and developer accounts — blurring the line between normal behaviour and intrusion.
Where once defenders hunted shadows, they must now defend against storms.
2. The Elastic Report: Anatomy of a Paradigm Shift
Elastic Security Labs’ telemetry between June 2024 and July 2025 paints a picture of unprecedented acceleration.
Here’s what the data reveals.
AI as Force Multiplier
Elastic recorded a 15.5 per cent rise in “Generic” threats, a category largely composed of simple malware loaders generated or modified by large language models.
These loaders don’t require sophisticated expertise — just access to an AI tool that can generate code variants faster than traditional defences can adapt.
“Adversaries are weaponising AI to lower the barrier to entry for cybercrime,” Elastic notes. “Even less-skilled actors can now generate reliable, simple loaders.”
This trend represents the industrialisation of malware creation — an assembly line of code tailored by algorithms.
Windows: From Stealth to Execution
Perhaps the most telling statistic: on Windows, Execution tactics surged from around 16 per cent last year to 32.1 per cent, overtaking Defence Evasion for the first time in three years.
Attackers are no longer lingering undetected. They’re running payloads immediately on entry — evidence of a strategic shift from hiding to hitting.
Elastic’s analysts interpret this as a pivot to runtime memory exploitation, where speed trumps subtlety.
Defenders must now make decisions in minutes, not months.
The Industrialisation of Browser Theft
Browser credential theft has exploded into a full-blown economy.
Elastic’s analysis of 150,000 malware samples found that one in eight target browser data — cookies, tokens, and saved passwords.
These are not stolen for one-off use but sold wholesale through access-broker markets, fuelling secondary intrusions and identity theft.
The report calls this “the industrialisation of credential theft,” and it’s easy to see why: browser data provides direct access to cloud accounts, email, and corporate dashboards without ever triggering multi-factor authentication.
The Cloud Identity Crisis
Over 60 per cent of cloud security events in Elastic’s dataset involved Initial Access, Persistence, or Credential Access.
That’s not infrastructure exploitation — it’s identity abuse.
The cloud battleground is dominated by Microsoft Entra ID (Azure AD).
Elastic found that 54 per cent of anomalous Azure signals came from Entra audit logs — and when all Entra telemetry was included, that rose to nearly 90 per cent.
In other words, the front line of espionage has moved into authentication flows.
Execution Overtakes Evasion
The most significant behavioural inversion of the year:
“Attackers are shifting from stealth to speed,” says Devon Kerr, Elastic’s Head of Threat Research. “They’re launching waves of opportunistic attacks with minimal effort.”
That shift reverberates across the threat landscape — from espionage to organised crime.
3. The New Tradecraft: How AI Shapes Espionage
Elastic’s findings confirm a deeper transformation in attacker tradecraft.
Automated Reconnaissance
LLMs now scour open-source data to build detailed target maps — corporate hierarchies, leaked credentials, developer activity, even device fingerprints.
AI agents can simulate reconnaissance continuously, probing for weaknesses long after human operators sleep.
Infinite Mutation
The 15.5 per cent rise in “Generic” threats reflects thousands of small code changes generated automatically to evade detection.
Each variant is unique enough to slip through static signature systems, creating an evolutionary arms race.
Credential Harvesting at Scale
Infostealers like Lumma, Redline, and GhostPulse dominate Elastic’s Windows telemetry — together accounting for over 12 per cent of signature events.
They’re part of a pipeline where stolen credentials are bundled and sold to access brokers, breaking the link between the attacker and the intrusion.
Cloud Identity Exploitation
Elastic’s Azure telemetry shows Initial Access and Persistence together account for over 95 per cent of anomalous signals, with Valid Accounts and Account Manipulation as the dominant techniques.
Attackers increasingly use legitimate OAuth tokens and app consents — not exploits — to impersonate trusted users.
AI-Powered Decision Support
Models can recommend which path to take inside a network, identify high-value data, and automate lateral movement.
In this sense, AI isn’t just generating malware — it’s orchestrating operations.
4. Reading Between the Lines: What the Data Tells Us
Elastic’s report is not a collection of disconnected statistics. It’s a window into the emerging physics of cyber conflict.
Speed over stealth
Execution replacing evasion means defenders must detect faster, not deeper.
Context and correlation — the ability to join events across time and systems — now matter more than secrecy.
Identity as the new sovereignty
When 60 per cent of cloud incidents stem from credential abuse, identity systems become a national-level risk vector.
Control over authentication infrastructure — Entra ID, Okta, Google Workspace — now defines geopolitical influence.
The rise of the access-broker economy
The surge in browser-based credential theft shows espionage moving from craft to commerce.
Elastic’s GhostPulse and Lumma detections illustrate how state actors can purchase rather than steal access — outsourcing infiltration to the criminal marketplace.
Attribution collapse
AI-generated code and cross-sold credentials obscure provenance.
Elastic’s telemetry shows similar patterns across regions, hinting at toolkits rather than teams.
In this new ecosystem, the question isn’t who hacked us, but which AI system enabled it.
5. Lessons from Elastic’s Recommendations
Elastic ends its report with five pragmatic recommendations — a rare synthesis of technical and strategic insight.
Adopt automation with human oversight.
Machine-speed detection is vital, but judgment must remain human. Elastic calls this “human-in-the-loop defence”.
Strengthen browser defences.
Browser credentials are now the keys to the kingdom. Harden extensions, instrument telemetry, and treat browsers as high-risk endpoints.
Elevate identity validation.
Replace static MFA with continuous, risk-based authentication. Verify devices, sessions, and context — not just passwords.
Prioritise memory protection.
With execution surging, Elastic emphasises runtime memory monitoring for injection and obfuscation.
Secure the development and supply chain.
The GitHub case studies show how a single leak can persist indefinitely across forks and mirrors.
Each of these is less a checklist than a philosophical shift — from perimeter defence to continuous verification.
6. A Geopolitical Recalibration
Elastic’s data, while technical, has geopolitical weight.
Democratisation of Espionage
With AI-generated loaders available to anyone, cyber-espionage is no longer the preserve of intelligence agencies.
Small states, mercenary groups, and ideologically motivated actors can now field credible operations.
Compression of Time
Elastic’s finding that attack lifecycles are measured in minutes, not months, means incident response must move from forensics to foresight.
The first 30 minutes of an intrusion may now decide the outcome.
Erosion of Deterrence
When attribution becomes probabilistic, deterrence collapses.
You can’t retaliate against an algorithm.
The Defender’s Paradox
AI gives attackers scale, but defenders context.
Elastic’s closing argument is almost philosophical:
“The central conflict in cybersecurity has shifted from a battle of prevention to a race for context.”
Victory will go to those who can analyse data faster than adversaries can generate attacks.
7. The Next Frontier: AI versus AI
Elastic’s internal machine-learning systems — trained on millions of samples and achieving a 98 per cent true-positive rate with under 0.5 per cent false positives — demonstrate what defensive AI can do.
But even this precision arms race comes with uncertainty.
Attackers can already experiment with adversarial learning — poisoning models or generating payloads tuned to evade specific detectors.
We are entering an era of algorithmic espionage: models probing other models, defenders deploying AI to interpret AI-driven attacks.
The human role shifts from operator to strategist.
8. A New Balance of Power
The 2025 Elastic data quantifies what geopolitical analysts have long intuited:
Espionage is moving into the cloud layer.
AI has made scale and speed more important than secrecy.
Identity is now the ultimate prize.
In this “shadow network” era, power will belong to those who can see and act fastest.
Governments and corporations that master AI-driven detection and contextual analytics will hold the high ground — not by keeping secrets, but by understanding patterns.
9. What to Do Next
For CISOs and boards, the strategic takeaway is clear:
Treat identity as infrastructure.
Monitor Entra, Okta, and Google ID telemetry continuously.
Invest in behavioural analytics.
Use AI to find anomalies, not just threats.
Harden browsers.
Deploy managed enterprise browsers or sandboxed environments.
Automate containment.
Build playbooks that can quarantine and revoke credentials within minutes.
Collaborate at speed.
Share anonymised telemetry through ISACs (US - CISA) or CiSP (UK - NCSC), public-private partnerships that enable cross-industry exchange.
Resilience now depends on visibility and collaboration as much as firewalls or patching.
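What “context and correlation” and “automate containment” look like in practice can be shown with a small script. The following is an added illustration, not code from the Elastic report or from Elastic Security Labs. It joins identity sign-in events to the audit events that follow them, so that a Valid Accounts sign-in (unfamiliar country, impossible travel) followed within minutes by an Account Manipulation action (MFA re-registration, app consent, role change) is flagged, while the same audit action on its own is not. The events, field names, per-user baseline and playbook step names are all constructed for the example; they are not the Entra ID log schema or any vendor’s API.

```python
"""Join identity sign-in and audit events across time: flag an anomalous
sign-in only when an account-manipulation action follows it, then turn each
finding into containment steps. All events below are constructed samples with
simplified field names; they are not the Entra ID log schema."""
from datetime import datetime, timedelta

# Constructed sample sign-in events (simplified fields, not the real schema).
SIGNINS = [
    {"ts": "2025-07-01T08:02:00", "user": "alice@example.test", "ip": "203.0.113.7", "country": "NL", "result": "success"},
    {"ts": "2025-07-01T08:05:00", "user": "alice@example.test", "ip": "198.51.100.9", "country": "BR", "result": "success"},
    {"ts": "2025-07-01T09:00:00", "user": "bob@example.test", "ip": "203.0.113.8", "country": "NL", "result": "success"},
]
# Constructed sample audit events.
AUDITS = [
    {"ts": "2025-07-01T08:09:00", "user": "alice@example.test", "activity": "Register security info"},
    {"ts": "2025-07-01T08:11:00", "user": "alice@example.test", "activity": "Consent to application"},
    {"ts": "2025-07-01T12:30:00", "user": "bob@example.test", "activity": "Consent to application"},
]
# Per-user baseline of countries seen during a learning period (constructed).
BASELINE = {"alice@example.test": {"NL"}, "bob@example.test": {"NL"}}

# Audit activities that change how an account authenticates or what it can do.
MANIPULATION = {"Register security info", "Consent to application", "Add member to role", "Update user"}
FOLLOW_WINDOW = timedelta(minutes=30)   # manipulation must follow the sign-in within this
TRAVEL_WINDOW = timedelta(hours=1)      # earlier sign-in from another country inside this


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def signin_signals(signin, signins, baseline, travel_window=TRAVEL_WINDOW):
    """Anomaly signals for one successful sign-in; the later leg of an
    impossible-travel pair is the one that gets flagged."""
    signals = []
    user, t = signin["user"], parse_ts(signin["ts"])
    if signin["country"] not in baseline.get(user, set()):
        signals.append("unfamiliar_country")
    for other in signins:
        if other["user"] != user or other["result"] != "success":
            continue
        gap = t - parse_ts(other["ts"])
        if other["country"] != signin["country"] and timedelta(0) < gap <= travel_window:
            signals.append("impossible_travel")
            break
    return signals


def correlate(signins, audits, baseline, follow_window=FOLLOW_WINDOW):
    """Join anomalous sign-ins to account-manipulation audit events that follow
    them. A manipulation event with no anomalous sign-in context is not flagged."""
    findings = []
    ordered_audits = sorted(audits, key=lambda a: a["ts"])
    for s in signins:
        if s["result"] != "success":
            continue
        signals = signin_signals(s, signins, baseline)
        if not signals:
            continue
        t0 = parse_ts(s["ts"])
        follow_on = [a["activity"] for a in ordered_audits
                     if a["user"] == s["user"] and a["activity"] in MANIPULATION
                     and t0 <= parse_ts(a["ts"]) <= t0 + follow_window]
        if follow_on:
            findings.append({"user": s["user"], "signin_ip": s["ip"], "country": s["country"],
                             "signals": signals, "actions": follow_on})
    return findings


def containment_plan(findings):
    """Translate findings into playbook steps an automated responder could run.
    Step names are placeholders for whatever the identity provider's API exposes."""
    plan = []
    for f in findings:
        steps = ["revoke_sessions", "require_mfa_reregistration", f"block_ip:{f['signin_ip']}"]
        if "Consent to application" in f["actions"]:
            steps.append("review_and_revoke_app_consents")
        if "Add member to role" in f["actions"]:
            steps.append("review_role_assignments")
        plan.append({"user": f["user"], "steps": steps})
    return plan


if __name__ == "__main__":
    found = correlate(SIGNINS, AUDITS, BASELINE)
    for f in found:
        print(f)
    print(containment_plan(found))
```

Run as-is, only Alice is flagged: her 08:05 sign-in from a country outside her baseline, three minutes after a sign-in from another country, is followed by an MFA re-registration and an app consent, so the plan revokes her sessions, forces MFA re-enrolment, blocks the sign-in IP and queues the consent for review. Bob performs the identical “Consent to application” action at 12:30 but nothing anomalous precedes it, so no finding is raised. That asymmetry is the point of the report’s “race for context”: the audit event alone is noise, the join across time turns it into a decision.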
10. The Shadow Network Era
The Elastic Global Threat Report 2025 closes with a line that captures the moment:
“Victory belongs to the teams who can search and analyse data the fastest to understand the full story of an attack as it unfolds.”
That is the ethos of the new cyber order.
Espionage has become data analytics by other means.
The shadows have multiplied — but so have the sensors.
In this race for context, AI is both weapon and shield.
The question is no longer whether machines will change espionage, but who will teach them to tell truth from deceit.