LLMjacking evolved: Attackers are using stolen AI compute to build offensive agentic tools

MITRE Techniques

• [T1190 ] Exploit Public-Facing Application – The actor targeted an exposed Ollama server reachable on the internet with no authentication and used it as the engine for the offensive pipeline. [‘an Ollama server bound to a public interface with no authentication’]
• [T1046 ] Network Service Scanning – The framework begins by identifying and normalizing network service banners for CVE lookup and service fingerprinting. [‘Normalize a network service banner into a precise software identity for vulnerability lookup’]
• [T1595 ] Active Scanning – The tool runs reconnaissance and scanning stages, including web reconnaissance and sweeps for internal services and gadget sets. [‘ssrf_scan, object_injection_scan so the agent enumerates an internal port range or a gadget set in a single call’]
• [T1068 ] Exploitation for Privilege Escalation – The pipeline explicitly includes privilege escalation as a stage after gaining initial access or code execution. [‘Privilege escalation: Decide the next escalation command’]
• [T1059.004 ] Command and Scripting Interpreter: Unix Shell – The RCE verification uses a shell command to execute id and confirm code execution. [‘echo VAPTb3gin; id; echo VAPTfin’]
• [T1005 ] Data from Local System – The credential extractor is designed to parse looted files for credentials, secrets, and other reusable data. [‘Extract EVERY usable credential and secret present’]
• [T1110 ] Brute Force – The framework includes blind SQL injection payload crafting and filter evasion logic to gain access through login parameters. [‘crafting a BLIND TIME-BASED SQL-injection payload’]
• [T1195 ] Supply Chain Compromise – The report describes abuse of self-hosted AI infrastructure and model-serving software as part of the offensive chain, creating an AI-supply-chain exposure. [‘an AI-supply-chain exposure rather than merely a billing risk’]