Adversary Universe Podcast

CrowdStrike

68 episodes

  • Adversary Universe Podcast

    Interview with a Threat Hunter: Brody Nisbet, Sr. Director of CrowdStrike OverWatch

    12/2/2026 | 39 mins.
    Threat hunting is hard to define, but Brody Nisbet, Sr. Director of CrowdStrike OverWatch, breaks down the basics in an episode that starts with the CrowdStrike OverWatch mission and dives into his stories from the front lines of threat hunting.

    This team detects adversaries in customer environments before they can achieve their nefarious goals. “Our mission is to outcompete your adversary,” Brody says. His team notifies customers of adversary activity and provides them with the actionable intelligence required to protect themselves. A staggering amount of data goes into the CrowdStrike OverWatch team's process: 5.7 trillion events per day (65 million events per second). The team triages this data and “sorts the wheat from the chaff” to figure out what’s most important for each business.

    As you might imagine, this work leads to some fascinating findings and stories. Tune in to hear Adam, Cristian, and Brody chat about encounters with FAMOUS CHOLLIMA and OPERATOR PANDA — and a cold case centered around malware dubbed Fluffy Cannoli.
  • Adversary Universe Podcast

    LABYRINTH CHOLLIMA Evolves into Three Adversaries

    29/1/2026 | 32 mins.
    LABYRINTH CHOLLIMA, which is among the most prolific DPRK-nexus adversaries that CrowdStrike tracks, has evolved into three separate threat actors: GOLDEN CHOLLIMA, PRESSURE CHOLLIMA, and LABYRINTH CHOLLIMA.

    Each adversary has specialized goals and tradecraft. While LABYRINTH CHOLLIMA continues to prioritize espionage and targets specific industries, GOLDEN CHOLLIMA and PRESSURE CHOLLIMA focus on cryptocurrency entities and stand out for the scale and scope of their operations. In this episode, Adam and Cristian explain when it became clear that one adversary had evolved into three and discuss how they differ — and, interestingly, what they still have in common. Despite operating independently, the three adversaries still share tools and infrastructure, a sign of coordination within the DPRK cyber ecosystem.

    To put this development into context, the hosts take us back to the early days of North Korea's cyber activity and trace the progression of the many nation-state threat actors operating on its behalf. Tune in to learn about a significant update for a prolific nation-state adversary.

    Learn more about:
    • The LABYRINTH CHOLLIMA evolution in our new blog post
    • Fal.Con Gov 2026
    • CrowdTour 2026
  • Adversary Universe Podcast

    Taking Down Cybercriminals with Shawn Henry, Former FBI Leader

    15/1/2026 | 48 mins.
    How do you take down a cybercriminal? Last month, we explored that question through the lens of Operation Endgame. Today, we ask Shawn Henry, former Executive Assistant Director of the FBI and current Executive Advisor to the Founder and CEO of CrowdStrike.

    In some ways, it’s similar to taking down criminals in the physical world. But the speed and scale of cybercrime operations exacerbate the challenge of stopping them. While infrastructure can be dismantled, the impact is now short-lived as adversaries pivot to other setups. While law enforcement considers how to replicate successful operations, cybercriminals are thinking about how they can adapt and stay ahead.

    For those pursuing adversaries, speed and scale are difficult to achieve. As Shawn explains, successful takedowns require collaboration among dozens of groups, including law enforcement agencies, international partners, intelligence analysts, reverse engineers, prosecutors, and private sector organizations that have visibility into adversary infrastructure.

    “A takedown isn’t a single door-kick moment. It’s a monthslong choreography of legal process and infrastructure mapping and partner synchronization,” he says. Are there ways to accelerate the process? He has a few ideas.

    Tune in as Shawn joins Adam and Cristian to share a behind-the-scenes take on stopping cybercrime. Learn the key challenges law enforcement faces, how a takedown comes together, why arrests alone aren’t enough to stop adversaries, and where there is still an opportunity to have real impact.
  • Adversary Universe Podcast

    2025 Wrapped: Updates on This Year’s Hottest Topics

    30/12/2025 | 36 mins.
    This was a busy year for the Adversary Universe podcast. We covered the emergence of new adversaries, the weaponization of AI, critical CrowdStrike research, and how cyberattacks look in different regions of the world.

    To recap 2025, we’re revisiting the topics that resonated most with our listeners to share year-end updates. Adam and Cristian cover the I-Soon data leaks, evolution of China as a nation-state threat, re-emergence of SCATTERED SPIDER, and the latest in ransomware-as-a-service. Tune in to learn the factors that may shape Chinese cyber operations in 2026 and why SCATTERED SPIDER activity looks different now compared to its summer of cybercrime. As a bonus, Adam shares some of the latest eCrime stats his team is seeing as we close out 2025 and explains why he believes we’ll see “an explosion of zero-days” in the months ahead.

    The adversary never slows down — and neither do we. We look forward to bringing you more information on the newest cyber threats in 2026.

    For more information:
    • I-Soon episode: See You I-Soon: A Peek at China’s Offensive Cyber Operations
    • Blog post: Unveiling WARP PANDA, a New Sophisticated China-Nexus Adversary
    • Blog post: CrowdStrike Services Observes SCATTERED SPIDER Escalate Attacks Across Industries
  • Adversary Universe Podcast

    Is This Endgame? How Takedowns Are Reshaping eCrime

    18/12/2025 | 35 mins.
    In November 2025, a major public-private sector collaboration took down three significant malware networks. Operation Endgame involved law enforcement agencies from six EU countries, Australia, Canada, the U.K., and the U.S., along with Europol and 30 private sector partners, including CrowdStrike. The dismantled infrastructure consisted of hundreds of thousands of infected computers containing several million stolen credentials.

    Operation Endgame was a critical disruption of adversary operations — but it wasn’t the first. Law enforcement has for years sought to take down adversary infrastructure and often partners with private sector organizations like CrowdStrike to inform their operations. By disrupting the tools and processes threat actors rely on, these takedowns raise the cost for adversaries and make it harder for them to operate.

    As Adam and Cristian discuss in this episode, takedowns require careful planning and constant innovation. Adversaries are always finding new techniques and tools, and law enforcement must do the same. While disruption may slow them down, threat actors are often quick to pivot and find new ways to achieve their goals.

    In this episode, we examine how law enforcement takedowns disrupt adversary operations, how adversaries respond, where the private sector provides support, and what this all means for organizations facing modern threats.

About Adversary Universe Podcast

Modern adversaries are relentless. Today’s threat actors target organizations around the world with sophisticated cyberattacks. Who are they? What are they after? And most importantly, how can you defend against them? Welcome to the Adversary Universe podcast, where CrowdStrike answers all of these questions — and more. Join our hosts, a pioneer in adversary intelligence and a specialist in cybersecurity technology, as they unmask the threat actors targeting your organization.

v8.5.0 | © 2007-2026 radio.de GmbH
Generated: 2/16/2026 - 9:45:10 AM