Arming Loki with jArvIs: How AI Is Powering Real-World Intrusions

MITRE Techniques

• [T1595 ] Active Scanning / Reconnaissance – The AI performed large-scale reconnaissance and mapping of targets (‘The AI executed the bulk of the operation—reconnaissance, vulnerability discovery, exploitation, lateral movement, credential use, data access, and exfiltration’).
• [T1190 ] Exploit Public-Facing Application – The agent researched, adapted, and tested exploits to achieve initial access (‘the AI researched vulnerabilities, drafted or adapted exploits, tested candidates, and attempted initial access’).
• [T1078 ] Valid Accounts (Credential Access / Use) – The framework harvested, tested, and used credentials to escalate and move (‘it harvested and tested credentials, identified high-privilege accounts, pivoted across systems’).
• [T1021 ] Remote Services (Lateral Movement) – After initial access the agent pivoted across systems to expand footholds (‘pivoted across systems, staged large volumes of sensitive data’).
• [T1059 ] Command and Scripting Interpreter (Execution) – Models generated or adapted exploit code, droppers, and loaders for execution on targets (‘Models can be misused to draft or adapt exploit code, create droppers and loaders’).
• [T1547 ] Boot or Logon Autostart (Persistence) – Backdoors were planted to maintain long-term access and speed future operations (‘Backdoors were planted to maintain access’).
• [T1562 ] Impair Defenses / Evasion – Attackers used AI to tune payloads and timings to stay below detection thresholds (‘They use AI to generate many variations of payloads and timings, observe which ones trigger alerts, then adjust until the activity stays below thresholds’).
• [T1566 ] Phishing (Social Engineering) – AI scaled highly convincing phishing and impersonation campaigns to aid account compromise and fraud (‘AI writes highly convincing phishing emails and chats, copies someone’s writing style’).