AI isn’t just transforming how we work. It’s reshaping how cybercriminals attack, with threat actors exploiting AI to mass produce malicious code loaders, steal browser credentials and accelerate cloud attacks, according to a new report from Elastic.
The 2025 Global Threat Report, based on more than 1 billion data points derived from real production environments, finds that generic threats — typically loaders built using AI — jumped 15.5% in the past year, while malicious code execution on Windows nearly doubled to 32.5%.
AI-created malware and easy access to stolen browser credentials are fuelling a new class of bad actors who are less reliant on stealth attacks and are leaning into continuous, steady probes for entry into corporate networks.
“Attackers are shifting from stealth to speed, launching waves of opportunistic attacks with minimal effort,” said Devon Kerr, head of Elastic Security Labs and director of Threat Research. “This evolution shows how urgent it is for defenders to harden identity protections and to adapt their detection strategies for this new era of speed attacks.”
Key findings
Browsers are the new front line
- One in eight malware samples targeted browser data, making credential theft the most common sub-technique for access.
- Infostealers increasingly exploit Chromium-based browsers to bypass built-in protections.
Execution has overtaken evasion
- On Windows, execution tactics nearly doubled to 32%, surpassing defence evasion for the first time in three years.
- GhostPulse accounted for 12% of signature events, often delivering infostealers like Lumma (6.67%) and Redline (6.67%).
AI lowers the barrier to entry
- Generic threats rose 15.5%, fuelled by adversaries using LLMs to churn out simple but effective malicious loaders and tools.
- Off-the-shelf malware families remain widely used, with RemCos (9.33%) and CobaltStrike (~2%)
Cloud identity is under siege
- Over 60% of cloud security events involved Initial Access, Persistence, or Credential Access.
- Authentication gaps in Microsoft Entra ID stood out: 54% of anomalous Azure signals originated from audit logs, climbing to nearly 90% when all Entra telemetry was included.
While Elastic Security takes a defence-in-depth approach with Elastic XDR unified threat detection, investigation, and response across the entire IT ecosystem to detect AI-created and other malware, here are additional recommendations for defenders:
- Adopt automation with human oversight: Use AI-assisted detection and behavioural analytics to accelerate response, while keeping human judgment at key decision points.
- Strengthen browser defences: Harden plugins, extensions, and third-party integrations, and expand visibility into credential theft attempts.
- Elevate identity validation: Invest in stronger identity verification, reinforce know-your-customer (KYC) practices, and treat identity assurance as a core security control.