On Thursday, Google’s Threat Intelligence Group (GTIG) issued a stark warning through its Artificial Intelligence (AI) Threat Report (GTIG AI Threat Tracker: Advances in Threat Actor Usage of AI Tools). The report highlights the alarming trend of cyber attackers actively leveraging AI tools to enhance their malicious activities.
GTIG’s findings reveal that state-sponsored threat actors from China, North Korea, Russia, and Iran are aggressively incorporating AI across their entire operational spectrum. This includes everything from malware execution and social engineering to the sale of illicit AI tools. The report also notes the emergence of a new breed of malware that employs AI in a Just-in-Time manner, signaling a significant evolution in cyber threats.
Sophisticated malware variants such as PROMPTFLUX and PROMPTSTEAL are pushing the boundaries of cyber attacks. These programs dynamically generate malicious scripts by interfacing with large language models (LLMs) during execution. They also employ advanced obfuscation techniques to evade detection, making them particularly dangerous.
This approach marks a departure from traditional methods where malicious functions were pre-coded. Instead, these new AI-powered threats generate attack code on-demand, adapting in real-time to their targets.
GTIG warns that this shift towards real-time, adaptive attack patterns heralds the rise of autonomous and highly flexible malware. The report also highlights that threat actors are simultaneously working to circumvent AI safety mechanisms, further complicating defense efforts.
The dark web and underground cybercrime ecosystems are rapidly evolving to accommodate this new reality. GTIG’s analysis indicates a burgeoning market for malicious AI tools and associated data within these shadowy digital realms.
State-sponsored hacking groups are at the forefront of this AI-driven cybercrime revolution. GTIG reports that nations such as North Korea, Iran, and China are leveraging AI to enhance every phase of their cyber operations. This includes crafting more convincing phishing lures, developing sophisticated remote control (C2) servers, and refining data exfiltration techniques.
Billy Leonard, GTIG’s technical lead, offered a sobering assessment of the current landscape. He noted that this year has seen a surge in the trading of illegal AI tools that combine multiple malicious capabilities. These all-in-one platforms can generate convincing phishing emails, create deceptive web pages, identify system vulnerabilities, and even automate the creation of malware. Leonard emphasized that this technological leap is dramatically lowering the barriers to entry for cybercrime, enabling even those with limited technical expertise to harness the power of AI for nefarious purposes.