The proliferation and evolution of AI-powered hacking tools – how generative AI has changed the cyber attack ecosystem and response strategies

WormGPT’s emergence in June 2023 marked a turning point as AI-powered hacking tools rapidly spread across paid SaaS, open-source releases, and locally run models, lowering the barrier to cybercrime and enabling new forms of attack automation. The article also shows AI moving beyond support roles into orchestration, credential theft, and self-modifying malware, with examples including Bissa Scanner, Promptflux, Promptspy, and APT activity involving APT45 and APT27.

Keypoints

  • AI-powered hacking tools emerged as a major cybercrime infrastructure after WormGPT appeared in June 2023.
  • These tools are distributed through both paid SaaS services and free open-source ecosystems, making them harder to contain.
  • The ecosystem now includes tools for phishing, malware development, reconnaissance, spam automation, and vulnerability exploitation.
  • AI is increasingly used in real attack operations, including orchestration, exploit validation, credential theft, and real-time triage of stolen data.
  • New malware families such as Promptflux, Honestcue, and Promptspy use AI to self-modify, evade detection, or autonomously manipulate devices.
  • State-linked actors, including China-linked groups and North Korea-linked APT45, are using AI to accelerate exploit analysis and infrastructure development.
  • The article argues that defenders need AI-driven active defense, stronger MFA, AI governance, and supply chain security rather than only blocking individual tools.

MITRE Techniques

  • [T1059.006] Command and Scripting Interpreter: Python – Used for an AI-assisted zero-day exploit and automation scripts; the article describes a “Python-based script” that bypassed 2FA and Bissa Scanner’s large-scale scanning workflow (‘the exploit was a Python-based script that bypassed the two-factor authentication (2FA)…’; ‘used a combination of Claude Code and OpenClaw as an attack orchestration tool’).
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – Honestcue requested VBScript obfuscation in real time to alter its behavior and evade detection (‘requesting VBScript obfuscation techniques in real-time through the Gemini API’).
  • [T1027] Obfuscated Files or Information – Promptflux rewrites its source code, Canfail – Longstream uses decoy code, and Honestcue requests obfuscation to hide malicious behavior (‘periodically rewrite its own source code’; ‘tens of thousands of lines of decoy code’; ‘requesting VBScript obfuscation techniques’).
  • [T1027.016] Junk Code Insertion – Canfail – Longstream used massive decoy code to mask malicious logic (‘tens of thousands of lines of decoy code generated by LLM to mask its malicious behavior’).
  • [T1027.001] Binary Padding – Promptflux and other self-morphing malware altered code content to defeat static signatures (‘rewrite its own source code, bypassing static signature-based detection’).
  • [T1055] Process Injection – Promptspy used a transparent overlay and UI manipulation to interfere with user actions during app removal (‘placing a transparent overlay over the “delete” button to intercept touch events’).
  • [T1113] Screen Capture – Promptspy analyzed the device UI structure to drive autonomous interaction (‘automatically analyzes the device’s UI structure through the Gemini API’).
  • [T1204] User Execution – Phishing automation and social-engineering support were a major use case for these tools, lowering the skill required to craft lures (‘phishing phrases’; ‘automating advertising, phishing, and fraud documents’).
  • [T1588.002] Obtain Capabilities: Tool – Threat actors acquired AI hacking tools through SaaS, Telegram, GitHub, and forums (‘sold as monthly, annual, and lifetime subscriptions’; ‘Released on GitHub for free’).
  • [T1105] Ingress Tool Transfer – Open-source distribution and local execution enabled deployment of AI tools and models on attacker systems (‘Released for free on GitHub’; ‘can be run locally’).
  • [T1595] Active Scanning – Bissa Scanner automated large-scale scanning and exploit validation (‘automate large-scale scanning that exploited a vulnerability in the Next.js framework’).
  • [T1590] Gather Victim Network Information – AI-assisted reconnaissance and vulnerability analysis were used repeatedly across the ecosystem (‘reconnaissance automation’; ‘AI was involved in the entire attack flow, from reconnaissance, vulnerability exploitation’).
  • [T1082] System Information Discovery – Promptspy and other tools queried device or system state to guide malicious actions (‘automatically analyzes the device’s UI structure’; ‘query the system’s daylight saving time (DST) status 32 times’).
  • [T1518.001] Software Discovery: Security Software Discovery – The malware and scanning workflows aimed to evade or understand defenses through analysis and mutation (‘bypass static signature-based detection’; ‘evades detection’).
  • [T1203] Exploitation for Client Execution – The article describes exploit use against a vulnerable Next.js framework and 2FA bypass in a web-based administration tool (‘exploited a vulnerability in the Next.js framework’; ‘bypassed the two-factor authentication (2FA)’).
  • [T1040] Network Sniffing – The report’s emphasis on credential screening and infrastructure operations indicates credential-focused collection and processing (‘credential screening’; ‘real-time breach results through a Telegram bot’).

Indicators of Compromise

  • [Malware / Tool Names] AI hacking tools and malware families discussed in the article – WormGPT, FraudGPT, Promptflux, Promptspy, Honestcue, Evil-GPT
  • [Framework / Product Names] AI services and models leveraged or targeted – Claude Code, Gemini API, OpenClaw, OpenAI, Anthropic, Google, AWS, Stripe, PayPal
  • [Vulnerability IDs] Exploited or referenced vulnerabilities – CVE-2025-55182, 2FA bypass in a web-based system administration tool
  • [File / Artifact Names] Named malware or ecosystem projects – Canfail – Longstream, wooyun-legacy, Bissa Scanner, KawaiiGPT
  • [Account / Data Artifacts] Stolen or leaked user and credential data – email and payment data for over 19,000 WormGPT users, credentials from AI platforms and cloud/payment/database files
  • [Numeric Scale / Context] Large-scale attack and theft context – 65,000 credential thefts, 85,000 real-world vulnerability cases, and 19,000 leaked users


Read more: https://asec.ahnlab.com/en/93875/