Elastic 2025 Global Threat Report Reveals AI is Supercharging Old-School Tactics with New Scale

SAN FRANCISCO--(BUSINESS WIRE)--AI isn’t just transforming how we work. It’s reshaping how cybercriminals attack, with threat actors exploiting AI to mass produce malicious code loaders, steal browser credentials and accelerate cloud attacks, according to a new report from Elastic (NYSE: ESTC), the Search AI Company.

The 2025 Global Threat Report, based on more than 1 billion data points derived from real production environments, finds that generic threats — typically loaders built using AI — jumped 15.5% in the past year, while malicious code execution on Windows nearly doubled to 32.5%.

AI-created malware and easy access to stolen browser credentials are fueling a new class of bad actors who are less reliant on stealth attacks and are leaning into continuous, steady probes for entry into corporate networks.

“Attackers are shifting from stealth to speed, launching waves of opportunistic attacks with minimal effort,” said Devon Kerr, head of Elastic Security Labs and director of Threat Research. “This evolution shows how urgent it is for defenders to harden identity protections and to adapt their detection strategies for this new era of speed attacks.”

Key Findings

Browsers are the new front line

• One in eight malware samples targeted browser data, making credential theft the most common sub-technique for access.
• Infostealers increasingly exploit Chromium-based browsers to bypass built-in protections.

Execution has overtaken evasion

• On Windows, execution tactics nearly doubled to 32%, surpassing defense evasion for the first time in three years.
• GhostPulse accounted for 12% of signature events, often delivering infostealers like Lumma (6.67%) and Redline (6.67%).

AI lowers the barrier to entry

• Generic threats rose 15.5%, fueled by adversaries using LLMs to churn out simple but effective malicious loaders and tools.
• Off-the-shelf malware families remain widely used, with RemCos (9.33%) and CobaltStrike (~2%)

Cloud identity is under siege

• Over 60% of cloud security events involved Initial Access, Persistence, or Credential Access.
• Authentication gaps in Microsoft Entra ID stood out: 54% of anomalous Azure signals originated from audit logs, climbing to nearly 90% when all Entra telemetry was included.

While Elastic Security takes a defense-in-depth approach with Elastic XDR unified threat detection, investigation, and response across the entire IT ecosystem to detect AI-created and other malware, here are additional recommendations for defenders:

1. Adopt automation with human oversight: Use AI-assisted detection and behavioral analytics to accelerate response, while keeping human judgment at key decision points.
2. Strengthen browser defenses: Harden plugins, extensions, and third-party integrations, and expand visibility into credential theft attempts.
3. Elevate identity validation: Invest in stronger identity verification, reinforce know-your-customer (KYC) practices, and treat identity assurance as a core security control.

Additional Resources

• Download the report for actionable recommendations to address these findings.
• Read the blog

About the Report

The 2025 Elastic Global Threat Report is a distillation of security insights from Elastic Security Labs, Elastic’s dedicated cybersecurity intelligence team. Elastic Security Labs used Elastic technologies to search, sort and refine hundreds of millions of events between June 2024 and July 2025. This includes Elastic telemetry, public and third-party data voluntarily submitted to surface threats to Elastic Security Labs. All information has been sanitized and anonymized where applicable.

About Elastic

Elastic (NYSE: ESTC), the Search AI Company, integrates its deep expertise in search technology with artificial intelligence to help everyone transform all of their data into answers, actions, and outcomes. Elastic's Search AI Platform — the foundation for its search, observability, and security solutions — is used by thousands of companies, including more than 50% of the Fortune 500. Learn more at elastic.co.

Elastic and associated marks are trademarks or registered trademarks of Elasticsearch BV and its subsidiaries. All other company and product names may be trademarks of their respective owners.