
A North Korean-linked hacker group leveraged generative artificial intelligence (AI) to infiltrate over 320 companies last year by posing as remote software developers.
Global cybersecurity firm CrowdStrike disclosed this information in its 2025 Threat Hunting Report on Monday.
The group, known as FAMOUS CHOLLIMA, primarily targeted large corporations in North America, Western Europe, and East Asia, executing extensive insider attack campaigns. The number of affected companies surged by 220% compared to the previous year.
Notably, the hackers automated their entire attack process using generative AI. They employed AI-generated fake resumes, conducted deepfake interviews, and used fabricated identities to complete tasks, thereby effectively infiltrating corporate networks.
Even after gaining access, they masked their limited English proficiency by utilizing AI agent code and translation tools.
CrowdStrike reported that FAMOUS CHOLLIMA disseminated seven types of malware, continually tweaking file download and execution methods to evade detection. Their operational speed far exceeds that of other state-sponsored groups.
The firm also highlighted that numerous global hackers are now launching swift and sophisticated cyberattacks using generative AI.
Analysts suggest that these hackers are specifically targeting the autonomous AI agents recently adopted by many companies. They exploit vulnerabilities in AI agent development tools to steal internal access rights and credentials, resulting in an increase in malware distribution cases.
The ability to rapidly develop malware using AI presents yet another significant challenge. In some cases, less than 24 hours elapsed between initial infiltration and ransomware deployment.
Meanwhile, cloud intrusions have risen by 136% compared to the previous year, with 40% of these incidents attributed to Chinese-linked groups. Notable attack groups, such as Genesis Panda and Murky Panda, have evaded detection by exploiting cloud configuration errors and trusted access rights.
Adam Meyers, Senior Vice President of CrowdStrike’s Attack Response Operations, stated that attackers are targeting AI agents by exploiting software-as-a-service (SaaS) platforms, cloud consoles, and advanced privilege accounts.