Adversary Universe Podcast

Europe is a prime target for global adversaries. There is a strong emphasis on eCrime across the region as well as a rise in hacktivism and espionage stemming from ongoing conflicts.The CrowdStrike 2025 European Threat Landscape Report breaks down these trends. In this episode, Adam and Cristian cover the highlights.They start with cybercrime, a major theme of the report. The five most targeted European nations were the U.K., Germany, Italy, France, and Spain, which also represent the region’s largest economies (excluding Russia). The most targeted sectors were manufacturing, professional services, technology, industrials and engineering, and retail. Adam explains how eCrime threat actors are looking for victims with a high need to stay operational.“With manufacturing, if they’re knocked offline because of ransomware, they can count the downtime in dollars and cents,” he shares as an example.On the nation-state front, Russia is top of mind. Since its invasion of Ukraine in 2022, many Russian threat actors who operated globally are more focused on Ukraine and areas related to the conflict. Adam and Cristian discuss reports of North Korean threat actors supporting the Russians with weapons and personnel, North Korea targeting Ukraine, and the tactics and techniques that stand out most. The European threat landscape is crowded and complex. Tune in to understand the key findings, and download the full report for more details. https://www.crowdstrike.com/en-us/resources/reports/2025-european-threat-landscape-report/

Ransomware is not new, but the ransomware of today is very different from the ransomware of 1989. Today’s episode doubles as a history lesson, as Adam and Cristian look back at how a prolific global threat has evolved over the decades. Gone are the days of malware arriving on floppy disks and victims waiting weeks to restore their systems in exchange for $200 ransom payments. “The early days of viruses were weird,” Adam points out. But much has changed since then. Several factors — the advent of cryptocurrency, the rise of enterprise targeting, and the shift to ransomware as a service — have caused the threat to transform. Today’s adversaries run ransomware like a business and collect hundreds of millions of dollars in payments. The hosts reflect on the first ransomware to hit a business, the first to make news headlines, and the first major botnet operator to deploy ransomware, among other key events. Tune in for a discussion that spans years of ransomware evolution, highlights the key adversaries involved, and explains how businesses can defend themselves as the threat landscape continues to change.

This year at Black Hat, the topic of AI was everywhere — from hallway chats to the expo floor. Adam and Cristian took a break from the action for a rare in-person conversation about how adversaries are weaponizing AI, how defenders are using agentic AI, and what we should all be thinking about as AI evolves as an offensive and defensive tool.The AI threat is real, and advanced adversaries in particular are using it to their advantage. They’re improving the wording in social engineering attacks, creating deepfakes in fraudulent job interviews, and targeting victims on a more personal level. FAMOUS CHOLLIMA is an example of one adversary “using it for everything,” the hosts say. SCATTERED SPIDER is another adversary to watch.On the other side, defenders are adopting agentic AI to expedite their response. Adam and Cristian explore the importance of protecting AI workloads, the potential for insider threats with AI models, and the growing need for AI governance and security guardrails. If AI is monitoring security services, they ask, who guards the guardian? Tune in for an in-depth conversation on what AI is really capable of — and stick around for a sneak peek of an upcoming guest episode, where a guest joins to discuss young adversaries moving from online gaming to organized cybercrime.

They never really left — they just got quieter, faster, and bolder. In this episode of the Adversary Universe podcast, Adam and Cristian trace the resurgence of SCATTERED SPIDER, one of today’s most aggressive and sophisticated adversary groups. Once known for SIM swapping and gaming community exploits, SCATTERED SPIDER has evolved into a high-speed, high-impact ransomware crew targeting the retail, insurance, and aviation sectors. Adam shares CrowdStrike’s front-line insights into how the group operates, from conducting help desk social engineering and bypassing multifactor authentication (MFA) to hijacking hypervisors and exfiltrating data via software as a service (SaaS) integrations. Tune in to learn: How SCATTERED SPIDER blends SIM swapping, voice phishing, and cloud-native tradecraft Why they’re one of the fastest threat actors we’ve seen, sometimes encrypting systems within 24 hours What defenders must do to spot them early and act fast And yes, why they still haven’t been arrested Check the show notes for CrowdStrike’s latest guidance and technical blog on SCATTERED SPIDER.

Physical security and IT security have gone hand in hand for a long time. While cybersecurity teams are rightfully focused on protecting their virtual environments, they should also have an eye on whether an adversary is walking through the front door. “Anytime there’s a physical boundary, an adversary is going to look to cross over that — whether it be in person or using some technology to get over that boundary,” Adam says in this episode on physical security threats. Not too long ago, it was common for someone to walk into a business, slide behind the counter, and insert a USB device into a point-of-sale system to deploy malware or remote access tools. Now, this type of activity is less common, but it still occurs; China-nexus threat actor MUSTANG PANDA, for example, is dropping USB sticks to gain access to targets across the Asia Pacific region. This conversation is full of twists, turns, and interesting stories. Tune in to hear about adversaries physically breaking into target organizations, Adam’s adventures in pen testing, the physical security implications for internet of things (IoT) and operational technology (OT) environments, and what organizations should know about protecting their physical environments.

Today’s adversaries are increasingly operating in the cloud — and Sebastian Walla, Deputy Manager of Emerging Threats at CrowdStrike, is watching them. In this episode, he joins Adam and Cristian to dive into the latest cloud attack techniques and the adversaries behind them. So, who are they? SCATTERED SPIDER and LABYRINTH CHOLLIMA are two of the threat actors targeting and navigating cloud environments, but they have distinct methods of doing so. This conversation explores the different ways they slip into organizations undetected, some of the tools they rely on, and how they operate under the radar. It also touches on the future of cloud threat activity and AI’s influence on how these attacks are evolving. Of course, no Adversary Universe episode is complete without guidance. Adam, Cristian, and Sebastian share best practices for protecting enterprise cloud environments from these threats as adversaries continue to take aim.

Ransomware has become more difficult for organizations to defend against, but easier for adversaries to deploy. The rise of ransomware-as-a-service (RaaS) — a model in which ransomware operators write the malware and affiliates pay to launch it — has lowered the barrier to entry so threat actors of all skill levels can participate and profit. OCULAR SPIDER is one such operator. This adversary, newly named by CrowdStrike, is associated with the development of ransomware variants including Cyclops, Knight, and RansomHub. They targeted hundreds of named victims between February 2024 and March 2025, according to CrowdStrike intelligence, and they focus on industries such as professional services, technology, healthcare, and manufacturing in regions including the United States, Canada, Brazil, and some European countries. But OCULAR SPIDER is one of many operators in the ransomware space. Adam and Cristian take listeners back to the early days of ransomware and track its evolution, variants, and key players from the mid-2010s through the launch of RansomHub in 2024. They explain how RaaS works, why it appeals to adversaries and complicates attribution, and how defenders can prepare to face today’s ransomware threats. Come for an update on Adam’s adventures in bread-making; stay for a deep-dive into the RaaS evolution and the threat actors driving it.