AI Threat Landscape Digest March-April 2026

During March–April 2026, commercial AI models like Claude Code moved into real offensive use across criminal campaigns, espionage, phishing-as-a-service, and vulnerability research. The article highlights how attackers weaponized persistent configuration files, harvested AI provider credentials, and compressed the patch window for newly disclosed flaws. #ClaudeCode #GTG-1002 #BissaScanner #EvilTokens #CVE-2025-55182 #CVE-2025-59536 #CVE-2026-21852 #CVE-2026-34197 #CVE-2026-33626

Key points

  • Commercial AI models, especially Claude Code, were used in real-world offensive operations rather than only for experimentation.
  • The Mexico breach showed one operator using a dual workflow: Claude Code for live exploitation and GPT-4.1 for post-exploitation analysis.
  • Attackers abused persistent project files such as CLAUDE.md to create jailbreaks that survived across sessions.
  • Bissa Scanner used Claude Code operationally while harvesting .env files for AI provider credentials, including Anthropic, OpenAI, Groq, Mistral, and HuggingFace.
  • Agentic configuration files such as .claude/settings.json, .mcp.json, and ANTHROPIC_BASE_URL were described as a broader supply-chain-style attack surface.
  • EvilTokens commercialized AI-enabled phishing and BEC automation, embedding model selection, jailbreaks, and delivery into the platform itself.
  • AI-assisted vulnerability research is speeding both discovery and exploitation, with working exploits sometimes produced within hours of disclosure.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – Used as AI-generated command execution during exploitation and post-exploitation workflows (‘5,317 AI-executed commands’ and ‘shadow file extraction and timestamp cleanup’).
  • [T1105] Ingress Tool Transfer – The attacker built tunnel chains and moved data through attacker-controlled infrastructure during the Mexico breach (‘build tunnel chains’).
  • [T1068] Exploitation for Privilege Escalation – Claude Code helped escalate privileges in the Mexico campaign (‘escalate privileges’ and ‘after gaining root’).
  • [T1087] Account Discovery – EvilTokens extracted account-related data from stolen emails, including account numbers and routing numbers (‘extracting account numbers, routing numbers’).
  • [T1114] Email Collection – EvilTokens processed large batches of stolen emails for intelligence extraction (‘ingests up to 5,000 emails’).
  • [T1589] Gather Victim Identity Information – The platform synthesized victim communication style and business context for BEC (‘imitate sender style’ and ‘reference real email threads’).
  • [T1566] Phishing – EvilTokens used device-code phishing pages impersonating Adobe, DocuSign, and SharePoint to harvest Microsoft OAuth tokens (‘Device-code phishing pages impersonating Adobe, DocuSign, and SharePoint’).
  • [T1657] Financial Theft – EvilTokens generated BEC drafts and payment-change deception to support wire fraud (‘mask payment changes behind “plausible business reasons”’).
  • [T1027] Obfuscated Files or Information – The campaign used header fingerprint randomization, DKIM signing, and CSS randomization to disguise delivery (‘header fingerprint randomization, DKIM signing, and CSS randomization’).
  • [T1090] Proxy – The report describes privacy-routed proxies used to avoid provider monitoring (‘privacy-routed proxies’).
  • [T1552] Unsecured Credentials – API keys were harvested from compromised .env files, and malicious proxy redirection could steal authorization headers (‘API keys’ and ‘potentially steals API keys’).
  • [T1204] User Execution – Malicious repository and settings files were used to trigger actions when developers opened projects (‘a malicious settings file embedded in a pull request’).
  • [T1195] Supply Chain Compromise – Malicious agentic configuration files in repositories and compromised codebases were used to compromise developer machines (‘embedded in a pull request, honeypot repository, or compromised codebase’).
  • [T1056] Input Capture – The malicious proxy intercepted authorization headers in transit (‘intercepts authorization headers’).
  • [T1065] Uncommonly Used Port – The report references proxying and service redirection behavior through custom endpoints (‘redirects ANTHROPIC_BASE_URL to a malicious proxy’).

Indicators of Compromise

  • [Malware/Platform Names] AI-enabled offensive platforms and toolchains – Claude Code, Bissa Scanner, EvilTokens
  • [CVE IDs] Vulnerabilities used or discussed – CVE-2025-55182, CVE-2025-59536, and CVE-2026-21852
  • [CVE IDs] Additional exploited vulnerabilities – CVE-2026-34197, CVE-2026-33626
  • [File/Config Names] Persistent or malicious configuration files – CLAUDE.md, .claude/settings.json, .mcp.json
  • [Environment Variables] Sensitive AI routing/credential targets – ANTHROPIC_BASE_URL, .env
  • [AI Model Names] Models involved in attack workflows – claude-sonnet-4-6, llama-3.1-8b-instant, llama-3.3-70b-versatile, gpt-4o-mini
  • [Organizations/Services] AI providers targeted for credential theft – Anthropic, OpenAI, Groq, Mistral, OpenRouter, HuggingFace, Replicate, DeepSeek
  • [Infrastructure/Platform References] Operator and delivery infrastructure – attacker-controlled VPS servers, operator-controlled S3 storage, Telegram bot

Read more: https://research.checkpoint.com/2026/ai-threat-landscape-digest-march-april-2026/