CrowdStrike has found that China-nexus cyber actors increased targeted intrusion activity by 38 percent in 2025, including an 85 percent rise in attacks on logistics organizations, as Chinese hacking groups accelerated their exploitation of corporate technology systems and artificial intelligence (AI) tools.
The American cybersecurity firm made the findings in its 2026 Global Threat Report, and in a related June 9 press release, which CrowdStrike framed around the Chinese regime’s effort to “steal AI capabilities it can’t build.”
The report said China-nexus adversaries repeatedly targeted internet-facing “edge” devices, such as VPN appliances, firewalls, and gateways, to gain access to networks and maintain long-term footholds for intelligence collection.
CrowdStrike said 67 percent of the vulnerabilities exploited by China-nexus actors in 2025 provided immediate system access. Of the vulnerabilities those actors exploited, 40 percent targeted internet-facing edge devices, according to the report.
The company said China-nexus attacks also rose 30 percent against telecommunications organizations and 20 percent against financial services.
Logistics, Telecom, Finance Targeted
CrowdStrike said the targeting pattern aligned with the Chinese Communist Party’s strategic priorities, including telecommunications surveillance, economic espionage, and technology transfer.
The report said China-nexus actors continued to focus on sectors containing valuable intellectual property, trade secrets, communications data, and infrastructure access.
Logistics was the sharpest sector increase cited in the report. Adam Meyers, CrowdStrike’s head of counter adversary operations, said during a CrowdStrike presentation on June 9 that logistics was “probably the top target” the company saw among Chinese threat actors, with an 85 percent increase.
The report said telecommunications remained a specialized target for China-nexus actors. CrowdStrike said OPERATOR PANDA consistently targeted telecom providers between 2021 and July 2025, while Genesis Panda focused on telecom entities in East Asia, East Africa, and North America.
CrowdStrike said those patterns indicate China likely prioritizes communication interception capabilities.
Edge Devices Used for Access
The report said China-nexus groups—including Warp Panda, Operator Panda, Hollow Panda, Genesis Panda, Phantom Panda, Vault Panda, and Veiled Panda—exploited vulnerabilities in VPN appliances, firewalls, gateways, and other internet-facing systems.
Remote code execution vulnerabilities allow attackers to run commands on a targeted system from outside the network. CrowdStrike said many of the flaws exploited by China-nexus actors gave attackers direct access without requiring additional steps to gain control.
CrowdStrike said Operator Panda exploited one vulnerability six days after researchers published public proof-of-concept code. Phantom Panda exploited another vulnerability three days after a vendor disclosed it, while Vault Panda and Genesis Panda exploited React2Shell vulnerabilities two days after public disclosure, according to the report.
The company assessed with high confidence that China-nexus adversaries maintain dedicated resources for monitoring vulnerability disclosures and quickly turning newly published flaws into working intrusion tools.
CrowdStrike said that the pattern indicates the actors are trying to exploit the short window between public disclosure and patching by targeted organizations.
In one case cited by the report, Warp Panda targeted U.S.-based legal, technology, and manufacturing entities by exploiting VPN appliances. CrowdStrike said the actor maintained persistent access in one victim environment for 22 months, from October 2023 to mid-2025.
AI Enters the Tradecraft
The report said attacks by AI-enabled adversaries rose 89 percent year over year in 2025.
CrowdStrike said AI use has mostly accelerated existing cyber techniques rather than creating entirely new attack methods. The company said threat actors used AI to support social engineering, information operations, malware development, code generation, and post-exploitation activity.
In one China-specific example, CrowdStrike said Chinese intelligence services used AI to create credible consulting firms to target former U.S. government employees on job recruitment platforms.
The report said AI tools have helped threat actors plan reconnaissance, create convincing phishing messages and landing pages, scale spamming activity, and bypass safeguards to produce illicit content.
CrowdStrike also said adversaries have begun targeting AI systems themselves. In one 2025 incident, malicious packages uploaded to the Node Package Manager software registry were designed to use victims’ own local AI command-line tools, including Claude and Gemini, to generate commands to steal authentication materials and cryptocurrency assets.
CrowdStrike said its teams responded to more than 90 customers whose systems were running that malicious code.
Speed Narrows the Response Window
CrowdStrike said the average eCrime “breakout time”—the time between initial access and lateral movement toward higher-value systems—fell to 29 minutes in 2025, down from 48 minutes in 2024. The fastest breakout time was 27 seconds, according to the report.
Meyers said during the presentation that the speed leaves defenders with very little time to detect and respond before intruders move deeper into a network.
“There’s potentially a breach every 30 seconds that defenders need to identify, invest, and respond to,” he said.
The report said 82 percent of CrowdStrike detections in 2025 were malware-free, meaning adversaries often used legitimate credentials, authorized tools, identity systems, cloud services, or trusted software relationships rather than traditional malware.
That type of activity can be harder to detect because it may resemble normal user behavior.
US Agencies Warn About Similar Tactics
U.S. and allied cybersecurity agencies have also warned about Chinese state-sponsored cyber actors targeting critical infrastructure.
In an August 2025 advisory, the National Security Agency and partner agencies said Chinese state-sponsored actors were targeting telecommunications, government, transportation, lodging, and military infrastructure networks globally.
The advisory said the activity partly overlapped with cybersecurity industry reporting on Chinese state-sponsored threat actors known by names including Salt Typhoon.
Microsoft, in its 2025 Digital Defense Report, said China was continuing a broad espionage push across industries and that state-affiliated actors were using covert networks and vulnerable internet-facing devices to gain entry and avoid detection.
CrowdStrike recommended that organizations prioritize patching edge devices within 72 hours of critical vulnerability disclosure, increase monitoring for signs of edge-device compromise, and segment networks to limit lateral movement from compromised perimeter systems.
Friends Read Free
Copy
Facebook
Tweet
