Adversary Universe Podcast

Supply chain attacks targeting AI have recently been making headlines — and keeping the CrowdStrike OverWatch team busy. Jared Myers, director of CrowdStrike OverWatch, joins Adam in this episode to discuss his team’s approach to detecting and responding to these attacks.

When a supply chain attack uses a zero-day vulnerability to breach a target, it’s often the CVE that grabs attention. But the zero-day isn’t what CrowdStrike OverWatch is after, Jared says. It’s the follow-on tradecraft once the adversary is inside. He takes listeners behind the scenes of the team’s response to recent supply chain attacks, including the MOVEit attack of 2023 and the Axios supply chain incident of March 2026, to share the technical details of how the team learns and acts on information as attacks are unfolding.

Identity is an essential component in supply chain attacks, Jared explains. Once an adversary is in, they’re looking for a user account to help them move laterally. He shares advice with listeners and key takeaways from the team’s identity threat hunting.

CrowdStrike OverWatch is a 24/7/365 operation, with experts working around the clock across time zones with visibility into trillions of events per day. By the time an attack makes headlines, CrowdStrike OverWatch may have known about it for months.

“We don’t ever stop looking; we don’t ever stop hunting,” says Jared.

Notes:
• Blog: STARDUST CHOLLIMA Likely Compromises Axios npm Package [https://www.crowdstrike.com/en-us/blog/stardust-chollima-likely-compromises-axios-npm-package/]
• Blog: From Scanner to Stealer: Inside the trivy-action Supply Chain Compromise [https://www.crowdstrike.com/en-us/blog/from-scanner-to-stealer-inside-the-trivy-action-supply-chain-compromise/]

The Trump administration has released a national cybersecurity strategy that commits to strengthening defenses through six core pillars: employing more offensive cyber operations, streamlining regulations, modernizing and protecting federal networks, securing critical infrastructure, leading in new technologies, and developing talent.

In this episode, Rob Sheldon, Sr. Director of Public Policy and Strategy at CrowdStrike, joins Adam and Cristian for a deep dive into three of the pillars that are top of mind for them: offensive cyber operations, updating federal systems, and protecting critical infrastructure. They discuss why these are difficult problems to solve and key considerations for how to approach them, including relevant threat activity and the involvement of the private sector. 

Though they could have talked about this for hours, this is a busy team! Check out the full cybersecurity strategy text for more details. [https://www.whitehouse.gov/wp-content/uploads/2026/03/President-Trumps-Cyber-Strategy-for-America.pdf]

Interested in government cybersecurity? Register here for Fal.Con Gov 2026, taking place March 18 in Washington, D.C. [https://www.crowdstrike.com/en-us/events/fal-con/gov/register/]

It’s that time of year: The CrowdStrike 2026 Global Threat Report is live, and Adam and Cristian are here to break down the key findings. This year’s report spotlights adversaries’ heightened speed, their evolving use of AI, an increase in activity from China and North Korea, and the growth of supply chain attacks, zero-day exploitation, and cloud targeting.

For new listeners, the annual Global Threat Report delivers an analysis of the modern threat landscape based on CrowdStrike's frontline observations and real-world threat intelligence from the previous year.

2026 was the year of the evasive adversary. As defenses get stronger, adversaries are focused on refining their techniques to target security blind spots and bypass detection. AI is helping them accelerate and find creative ways around defenses for hands-on-keyboard operations. In 2025, AI-enabled adversaries increased attacks by 89% year-over-year.

The trend is poised to continue: “I don’t think AI is going to create the malware — I think AI is going to be the malware,” Adam said.

But AI isn’t the only factor shaping the modern threat landscape. Below are a few key stats from the report:

• The average eCrime breakout time fell to 29 minutes — a 65% increase in speed from 2024. The fastest breakout we observed occurred in just 27 seconds.
• 82% of detections were malware-free, continuing a steady trend in recent years.
• North Korea-nexus incidents jumped 130%, and FAMOUS CHOLLIMA's activity doubled compared to 2024.
• We observed a 42% increase in vulnerabilities exploited prior to public disclosure and a 37% rise in cloud-conscious intrusions.

Tune in to learn about these findings and more from the CrowdStrike 2026 Global Threat Report.

Threat hunting is hard to define, but Brody Nisbet, Sr. Director of CrowdStrike OverWatch, breaks down the basics in an episode that starts with the CrowdStrike OverWatch mission and dives into his stories from the front lines of threat hunting.

This team detects adversaries in customer environments before they can achieve their nefarious goals. “Our mission is to outcompete your adversary,” Brody says. His team notifies customers of adversary activity and provides them with the actionable intelligence required to protect themselves. A staggering amount of data goes into the CrowdStrike OverWatch team's process: 5.7 trillion events per day (65 million events per second). The team triages this data and “sorts the wheat from the chaff” to figure out what’s most important for each business.

As you might imagine, this work leads to some fascinating findings and stories. Tune in to hear Adam, Cristian, and Brody chat about encounters with FAMOUS CHOLLIMA and OPERATOR PANDA — and a cold case centered around malware dubbed Fluffy Cannoli.

LABYRINTH CHOLLIMA, which is among the most prolific DPRK-nexus adversaries that CrowdStrike tracks, has evolved into three separate threat actors: GOLDEN CHOLLIMA, PRESSURE CHOLLIMA, and LABYRINTH CHOLLIMA.

Each adversary has specialized goals and tradecraft. While LABYRINTH CHOLLIMA continues to prioritize espionage and targets specific industries, GOLDEN CHOLLIMA and PRESSURE CHOLLIMA focus on cryptocurrency entities and stand out for the scale and scope of their operations. In this episode, Adam and Cristian explain when it became clear that one adversary had evolved into three and discuss how they differ — and, interestingly, what they still have in common. Despite operating independently, the three adversaries still share tools and infrastructure, a sign of coordination within the DPRK cyber ecosystem.

To put this development into context, the hosts take us back to the early days of North Korea's cyber activity and trace the progression of the many nation-state threat actors operating on its behalf. Tune in to learn about a significant update for a prolific nation-state adversary.

Learn more about:
• The LABYRINTH CHOLLIMA evolution in our new blog post
• Fal.Con Gov 2026
• CrowdTour 2026