
TLCTC Analysis: CrowdStrike 2025 Threat Report

Strategic Velocity Shift: Why 81% of intrusions are now malware-free, and how the "Cloud Control Plane" has become the primary battleground.

TLCTC Framework
Report Context

This analysis applies the TLCTC v2.0 framework to the findings of the CrowdStrike 2025 Global Threat Report.

Strategic Velocity Shift

81% Malware-Free Intrusions

Adversaries have shifted away from #7 Malware as the initial vector. Speed is gained by using #4 Identity Theft (Valid Creds) and #1 Abuse of Functions (Living off the Land).

Cloud Control Plane

The "Cloud" is not a separate threat; it is an environment where #1 Abuse of Functions is the primary weapon.

Cluster Velocity Heatmap

  • #4 Identity Theft: CRITICAL VELOCITY
  • #1 Abuse of Functions: HIGH VELOCITY
  • #10 Supply Chain: BRIDGE VECTOR
  • #7 Malware: COMMODITIZED

Adversary Spotlight & TLCTC Mapping

SCATTERED SPIDER

eCrime
Primary Attack Path: #9 → #4 → #1
  • #9: Vishing Help Desk / MFA Reset
  • #4: Valid Account Pivot
  • #1: Entra ID & Okta Abuse
"Help desk impersonation enables rapid identity takeover without malware."

GENESIS PANDA

China-Nexus
Primary Attack Path: #2 → #4 → #1
  • #2: Exploit Public Apps (Jenkins)
  • #4: Steal Metadata Creds
  • #1: Cloud Control Plane Abuse
"Targets the Cloud Control Plane via public-facing server flaws."

MURKY PANDA

China-Nexus
Primary Attack Path: #10 → #4 → #1
  • #10: Compromise Vendor/Partner
  • #4: Pivot via Trusted Tenant
  • #1: Backdoor Service Principals
"Abuses the trust boundary between suppliers and victims."

FAMOUS CHOLLIMA

DPRK-Nexus
Primary Attack Path: #9 → #4 → #1
  • #9: Deepfakes / Hiring Deception
  • #4: Employee Credential Theft
  • #1: Insider Threat Actions
"Uses GenAI to infiltrate organizations as rogue IT workers."

Visualized Attack Paths

Figure, Scenario A (Scattered Spider): #9 Social Engineering (Vishing Help Desk) → #4 Identity Theft (Valid Session) → #1 Abuse of Functions (Lateral Movement) → #1 Abuse of Functions (Exfiltration / Data Loss)

Figure, Scenario B (Cobalt Strike): #9 Social Engineering (Phishing) → #7 Malware (Beacon) → C2 loop (PowerPick, Reflective DLL) → #1 Abuse of Functions → #7 More Malware

Strategic Defense Matrix (10x5 Focus)

| Target Cluster | Generic Vulnerability | Primary Defense Strategy (NIST) | CrowdStrike 2025 Context |
|---|---|---|---|
| #4 Identity Theft | Secrets used for trust | PROTECT: FIDO2 / phishing-resistant MFA | Prevent attackers from "logging in" via stolen sessions/passwords. |
| #1 Abuse of Functions | Logic/scope of legitimate software | DETECT: Behavioral baselines / script logging | Distinguish "Admin doing work" from "Admin exfiltrating data" (Cloud Control Plane). |
| #10 Supply Chain | Trust in 3rd-party components | IDENTIFY: Trust boundary mapping | Treat vendor service principals as external threats. Limit scope. |
| #9 Social Engineering | Human trust / psychology | PROTECT: Process hardening (Help Desk) | Stop "vishing" attacks where attackers call the Help Desk to reset MFA. |
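To make the #1 and #10 rows concrete, here is an added illustration (not from the CrowdStrike report or the TLCTC white paper) of a behavioral baseline over constructed cloud control-plane audit events: it flags a high-risk operation that a principal has never performed before, including a vendor tenant's service principal adding a credential (the #10 → #4 → #1 path above), and a data-read burst beyond a principal's baseline peak. Principal names, tenant names and operation names are hypothetical.

```python
from collections import defaultdict

# Constructed audit events (hypothetical, not taken from the report).
# Record layout: (principal, operation, tenant the principal belongs to, day).
HOME_TENANT = "victim-tenant"
HIGH_RISK_OPS = {"AddServicePrincipalCredential", "AddRoleAssignment", "ListStorageAccountKeys"}
DATA_READ_OPS = {"GetBlob"}

BASELINE = [  # quiet period used to learn what each principal normally does
    ("admin-alice", "ListVMs", HOME_TENANT, 1),
    ("admin-alice", "GetBlob", HOME_TENANT, 1),
    ("admin-alice", "GetBlob", HOME_TENANT, 2),
    ("sp-backup-vendor", "GetBlob", "vendor-tenant", 1),
    ("sp-backup-vendor", "GetBlob", "vendor-tenant", 2),
]
LIVE = [  # later activity to be checked against the baseline
    ("admin-alice", "ListVMs", HOME_TENANT, 3),
    ("admin-alice", "GetBlob", HOME_TENANT, 3),
    ("admin-alice", "GetBlob", HOME_TENANT, 3),
    ("admin-alice", "GetBlob", HOME_TENANT, 3),
    ("admin-alice", "GetBlob", HOME_TENANT, 3),  # 4 reads in a day vs baseline peak of 1
    ("sp-backup-vendor", "AddServicePrincipalCredential", "vendor-tenant", 3),  # never done before
]

def build_baseline(events):
    """Per principal: the set of routine operations and the peak daily data-read count."""
    ops = defaultdict(set)
    reads = defaultdict(lambda: defaultdict(int))
    for principal, op, _tenant, day in events:
        ops[principal].add(op)
        if op in DATA_READ_OPS:
            reads[principal][day] += 1
    peak = {p: max(per_day.values()) for p, per_day in reads.items()}
    return dict(ops), peak

def detect(events, baseline, read_factor=3):
    """Return (principal, operation, reason) for events that break the baseline."""
    ops, peak = baseline
    reads = defaultdict(lambda: defaultdict(int))
    alerts = []
    for principal, op, tenant, day in events:
        if op in HIGH_RISK_OPS and op not in ops.get(principal, set()):
            who = "external-tenant principal" if tenant != HOME_TENANT else "principal"
            alerts.append((principal, op, f"{who} performed high-risk op outside its baseline"))
        if op in DATA_READ_OPS:
            reads[principal][day] += 1
            # Fire exactly once, on the read that crosses read_factor x the learned peak.
            if reads[principal][day] == read_factor * peak.get(principal, 0) + 1:
                alerts.append((principal, op, f"day {day}: data reads exceed {read_factor}x baseline peak"))
    return alerts
```

A principal with no data reads in the baseline fires on its first read, which is the intended behaviour for a service principal that was scoped for something else.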

Conclusion

The shift to malware-free intrusions signifies a maturity in adversary tradecraft. By mapping these trends to TLCTC Clusters #4 (Identity), #1 (Abuse), and #10 (Supply Chain), organizations can move beyond "chasing IOAs" and focus on architectural chokepoints.

References

  1. Kreinz, B. Top Level Cyber Threat Clusters (TLCTC), White Paper V2.0
  2. CrowdStrike 2025 Global Threat Report