Adversary Universe Podcast

It’s that time of year: The CrowdStrike 2026 Global Threat Report is live, and Adam and Cristian are here to break down the key findings. This year’s report spotlights adversaries’ heightened speed, their evolving use of AI, an increase in activity from China and North Korea, and the growth of supply chain attacks, zero-day exploitation, and cloud targeting.

For new listeners, the annual Global Threat Report delivers an analysis of the modern threat landscape based on CrowdStrike's frontline observations and real-world threat intelligence from the previous year.

2026 was the year of the evasive adversary. As defenses get stronger, adversaries are focused on refining their techniques to target security blind spots and bypass detection. AI is helping them accelerate and find creative ways around defenses for hands-on-keyboard operations. In 2025, AI-enabled adversaries increased attacks by 89% year-over-year.

The trend is poised to continue: “I don’t think AI is going to create the malware — I think AI is going to be the malware,” Adam said.

But AI isn’t the only factor shaping the modern threat landscape. Below are a few key stats from the report:

• The average eCrime breakout time fell to 29 minutes — a 65% increase in speed from 2024. The fastest breakout we observed occurred in just 27 seconds.
• 82% of detections were malware-free, continuing a steady trend in recent years.
• North Korea-nexus incidents jumped 130%, and FAMOUS CHOLLIMA's activity doubled compared to 2024.
• We observed a 42% increase in vulnerabilities exploited prior to public disclosure and a 37% rise in cloud-conscious intrusions.

Tune in to learn about these findings and more from the CrowdStrike 2026 Global Threat Report.

Threat hunting is hard to define, but Brody Nisbet, Sr. Director of CrowdStrike OverWatch, breaks down the basics in an episode that starts with the CrowdStrike OverWatch mission and dives into his stories from the front lines of threat hunting.

This team detects adversaries in customer environments before they can achieve their nefarious goals. “Our mission is to outcompete your adversary,” Brody says. His team notifies customers of adversary activity and provides them with the actionable intelligence required to protect themselves. A staggering amount of data goes into the CrowdStrike OverWatch team's process: 5.7 trillion events per day (65 million events per second). The team triages this data and “sorts the wheat from the chaff” to figure out what’s most important for each business.

As you might imagine, this work leads to some fascinating findings and stories. Tune in to hear Adam, Cristian, and Brody chat about encounters with FAMOUS CHOLLIMA and OPERATOR PANDA — and a cold case centered around malware dubbed Fluffy Cannoli.

LABYRINTH CHOLLIMA, which is among the most prolific DPRK-nexus adversaries that CrowdStrike tracks, has evolved into three separate threat actors: GOLDEN CHOLLIMA, PRESSURE CHOLLIMA, and LABYRINTH CHOLLIMA.

Each adversary has specialized goals and tradecraft. While LABYRINTH CHOLLIMA continues to prioritize espionage and targets specific industries, GOLDEN CHOLLIMA and PRESSURE CHOLLIMA focus on cryptocurrency entities and stand out for the scale and scope of their operations. In this episode, Adam and Cristian explain when it became clear that one adversary had evolved into three and discuss how they differ — and, interestingly, what they still have in common. Despite operating independently, the three adversaries still share tools and infrastructure, a sign of coordination within the DPRK cyber ecosystem.

To put this development into context, the hosts take us back to the early days of North Korea's cyber activity and trace the progression of the many nation-state threat actors operating on its behalf. Tune in to learn about a significant update for a prolific nation-state adversary.

Learn more about:
• The LABYRINTH CHOLLIMA evolution in our new blog post
• Fal.Con Gov 2026
• CrowdTour 2026

How do you take down a cybercriminal? Last month, we explored that question through the lens of Operation Endgame. Today, we ask Shawn Henry, former Executive Assistant Director of the FBI and current Executive Advisor to the Founder and CEO of CrowdStrike.

In some ways, it’s similar to taking down criminals in the physical world. But the speed and scale of cybercrime operations exacerbate the challenge of stopping them. While infrastructure can be dismantled, the impact is now short-lived as adversaries pivot to other setups. While law enforcement considers how to replicate successful operations, cybercriminals are thinking about how they can adapt and stay ahead.

For those pursuing adversaries, speed and scale are difficult to achieve. As Shawn explains, successful takedowns require collaboration among dozens of groups; among them law enforcement agencies, international partners, intelligence analysts, reverse engineers, prosecutors, and private sector organizations that have visibility into adversary infrastructure.

“A takedown isn’t a single door-kick moment. It’s a monthslong choreography of legal process and infrastructure mapping and partner synchronization,” he says. Are there ways to accelerate the process? He has a few ideas.

Tune in as Shawn joins Adam and Cristian to share a behind-the-scenes take on stopping cybercrime. Learn the key challenges law enforcement faces, how a takedown comes together, why arrests alone aren’t enough to stop adversaries, and where there is still an opportunity to have real impact.

This was a busy year for the Adversary Universe podcast. We covered the emergence of new adversaries, the weaponization of AI, critical CrowdStrike research, and how cyberattacks look in different regions of the world.

To recap 2025, we’re revisiting the topics that resonated most with our listeners to share year-end updates. Adam and Cristian cover the I-Soon data leaks, evolution of China as a nation-state threat, re-emergence of SCATTERED SPIDER, and the latest in ransomware-as-a-service. Tune in to learn the factors that may shape Chinese cyber operations in 2026 and why SCATTERED SPIDER activity looks different now compared to its summer of cybercrime. As a bonus, Adam shares some of the latest eCrime stats his team is seeing as we close out 2025 and explains why he believes we’ll see “an explosion of zero-days” in the months ahead.

The adversary never slows down — and neither do we. We look forward to bringing you more information on the newest cyber threats in 2026.

For more information:
• I-Soon episode: See You I-Soon: A Peek at China’s Offensive Cyber Operations
• Blog post: Unveiling WARP PANDA, a New Sophisticated China-Nexus Adversary
• Blog post: CrowdStrike Services Observes SCATTERED SPIDER Escalate Attacks Across Industries