Case Studies Cyber Threats

The cyber threat ecosystem is undergoing a structural transformation starting in the last quarter of 2025. The use of artificial intelligence by attackers not only as an advisor but also as an operator is no longer a theory; it is a verified, attributed, and repeated reality. The actor activities we’ve been monitoring at Cyberthint indicate that discovering 0-days is no longer a specialized task that takes months, but has become a process that can be automated in a matter of minutes.

How are Attackers Using AI?

Until 2025, AI was just an assistant/tool for attackers: it wrote phishing messages, designed landing pages, generated code snippets, and compiled summaries about targets. Operational decisions were always made by human operators.

Today, an attacker gives an AI a target and collects the results: the model independently scans the network, looks for vulnerabilities, attempts exploits, and, if it fails, chooses a different path. This is possible because models can now connect to real tools through standards such as MCP (Model Context Protocol). A model issuing multiple requests per second at the peak of an attack compresses a task that would take a ten-person red team weeks into hours. The expansion of MITRE ATLAS to 16 tactics and 84+ techniques in the February 2026 v5.4.0 update is a concrete demonstration of the effort to cover this new attack surface.

GTG-1002: The First Autonomous AI-Orchestrated Espionage Operation

Identified in mid-September 2025 and assessed with high confidence to be a Chinese state-backed group, GTG-1002 represents the first documented case of AI-orchestrated espionage. The campaign targeted approximately 30 global entities (technology companies, financial institutions, chemical manufacturers, and government agencies), with four organizations successfully compromised.

The attackers jailbroke Claude Code, letting the AI control 80–90% of the operation, with human intervention limited to only 4–6 critical decision points. To bypass the model’s guardrails, the actor ran it under the persona of a defensive cybersecurity firm, breaking tasks into small, seemingly innocent sub-parts and denying the model the full context. This is known as a task decomposition jailbreak and is one of the most effective methods for circumventing LLM safety controls. The AI successively carried out autonomous reconnaissance, 0-day discovery and exploitation, privilege escalation, lateral movement, data exfiltration, and reporting. The fact that the model discovered and exploited 0-day vulnerabilities in a live operation is the main reason this campaign is a turning point for the industry.

APT28 and LAMEHUG: State-Sponsored Actors’ LLM Pilot

The LAMEHUG campaign, conducted by GRU unit 26165 and reported by CERT-UA on July 10, 2025, is the first verified instance of a state-sponsored actor using an LLM in a live operation. The malware, written in Python and compiled into a Windows PE (EXE file) with PyInstaller, was sent from compromised email accounts, impersonating Ukrainian ministry representatives, as an archive titled “Додаток.pdf.zip”. Detected variants included samples disguised as a fake AI image generator, such as “AI_generator_uncensored_Canvas_PRO_v0.9.exe”.

LAMEHUG’s signature feature is that its instructions are not hard-coded into the binary. The malware queries Alibaba’s “Qwen2.5-Coder-32B-Instruct” model via the Hugging Face API, generating the commands to execute in real time. It embeds 284 unique Hugging Face API tokens to withstand key blacklisting. It collects hardware, process, network, and Active Directory information into the “C:\ProgramData\info” directory and recursively copies Office documents and PDFs. According to MITRE’s Black Hat 2025 analysis, LAMEHUG is operationally primitive: not a serious operation but a pilot program in which APT28 is testing its LLM capabilities.

MalTerminal: The Earliest Detected Example of Embedded LLM Malware

MalTerminal, presented by SentinelLABS at LABScon 2025, is the earliest known example of a malware category that generates malicious payloads at runtime. The fact that the OpenAI chat completions API endpoint included in the sample was deprecated in November 2023 indicates that the malware was written prior to that date. When “MalTerminal.exe” is executed, it presents the operator with a choice between Ransomware or Reverse Shell; depending on the selection, it sends a JSON payload to the GPT-4 endpoint, generating recursive file enumeration, AES-CBC encryption, and HTTP POST exfiltration code. The generated Python code is executed in-memory and is not written to disk.

The discovery of MalTerminal led to two techniques for detecting malware that uses large language models. First, hunting for LLM API keys embedded in binaries with YARA: OpenAI keys contain the Base64-encoded substring “T3BlbkFJ”, and Anthropic keys start with the prefix “sk-ant-api03”. A VirusTotal retrohunt on these markers revealed 7,000+ samples containing 6,000+ unique API keys. Second, extracting the embedded JSON prompt structures and assessing their maliciousness with a classifier.
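The two checks above as an added Python example (not SentinelLABS’s tooling, which is YARA-based): a substring scan for the key markers the text names, and a raw_decode sweep that pulls embedded chat-completion JSON out of a binary so the prompt text can be handed to whatever classifier you use. The sample blob and both keys are constructed fakes.

```python
import json
import re

# Markers named in the SentinelLABS analysis: OpenAI keys contain the Base64
# substring "T3BlbkFJ" and Anthropic keys start with "sk-ant-api03".
KEY_PATTERNS = {
    "openai": re.compile(rb"sk-[A-Za-z0-9_\-]*T3BlbkFJ[A-Za-z0-9_\-]+"),
    "anthropic": re.compile(rb"sk-ant-api03-[A-Za-z0-9_\-]{20,}"),
}
_DECODER = json.JSONDecoder()

def find_api_keys(blob: bytes) -> dict:
    """Candidate LLM API keys in a raw binary, grouped by vendor."""
    return {vendor: [m.group(0).decode("ascii") for m in pat.finditer(blob)]
            for vendor, pat in KEY_PATTERNS.items()}

def extract_prompts(blob: bytes) -> list:
    """Embedded chat-completion bodies: JSON objects whose 'messages' list holds role/content pairs."""
    text = blob.decode("latin-1")  # 1:1 byte mapping, so offsets stay valid
    found = []
    for m in re.finditer(r'\{\s*"', text):  # only try positions that open a JSON object
        try:
            obj, _ = _DECODER.raw_decode(text, m.start())
        except json.JSONDecodeError:
            continue
        msgs = obj.get("messages") if isinstance(obj, dict) else None
        if isinstance(msgs, list) and msgs and all(
                isinstance(x, dict) and {"role", "content"} <= x.keys() for x in msgs):
            found.append(obj)
    return found

def triage(blob: bytes) -> dict:
    """A key plus an embedded prompt is the LLM-enabled signature; prompt texts go to your classifier."""
    keys, prompts = find_api_keys(blob), extract_prompts(blob)
    return {"keys": keys,
            "prompt_texts": [m["content"] for p in prompts for m in p["messages"]],
            "llm_enabled": any(keys.values()) and bool(prompts)}

# Constructed sample "binary": PE-like header bytes, a FAKE OpenAI-style key, a FAKE
# Anthropic-style key and a MalTerminal-style chat-completion request body.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    + b"sk-FAKEFAKEFAKEFAKEFAKET3BlbkFJFAKEFAKEFAKEFAKEFAKE\x00"
    + b"sk-ant-api03-FAKEFAKEFAKEFAKEFAKEFAKEFAKE\x00"
    + json.dumps({"model": "gpt-4", "messages": [
        {"role": "system", "content": "Return only Python code, no explanation."},
        {"role": "user", "content": "Enumerate files recursively and POST them to a URL."}]}).encode()
    + b"\x00\xffjunk"
)
```

Run `triage(SAMPLE_BLOB)` to see both keys, both prompt texts and `llm_enabled: True`; on a real sample, feed the file bytes in place of the constructed blob.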

PROMPTFLUX: Hourly Self-Modifying Polymorphic Dropper

PROMPTFLUX, discovered by GTIG in June 2025, is an experimental dropper written in VBScript. The difference from classic polymorphic malware is that it obtains its mutations from an external LLM rather than from an algorithm hard-coded into itself. The Thinking Robot module periodically sends queries to the Gemini 1.5 Flash API requesting VBScript obfuscation and antivirus evasion techniques; AI responses are logged in the “%TEMP%\thinking_robot_log.txt” file. Another variant rewrites the malware’s entire source code on an hourly basis by assigning the role of an expert VBScript obfuscator to the Thinking module; since the variant contains the decoy payload, API key, and the entire self-replication logic, it can generate a new version every hour. To spread, it copies itself to removable drives and mapped network shares.

PROMPTLOCK, FRUITSHELL, and QUIETVAULT

  • PROMPTLOCK: an experimental ransomware written in Go and targeting Windows/Linux/macOS. Initially announced by ESET in August 2025 as the first AI-powered ransomware sample, it was later revealed to be an academic PoC (proof of concept) by NYU Tandon researchers. The malware connects to a local Ollama-exposed LLM endpoint and generates Lua scripts at runtime for filesystem traversal, exfiltration, and encryption; the use of a local LLM renders detection methods based on cloud API traffic ineffective.
  • FRUITSHELL: a publicly available reverse shell written in PowerShell, discovered by GTIG in 2025. What is new is that its embedded prompts target the LLM-powered security systems that analyze malware; they contain instructions telling the AI scanning them to declare them harmless.
  • QUIETVAULT: a credential stealer written in JavaScript. It targets GitHub and NPM tokens, but what is really interesting is that it uses AI CLI tools already installed on the target machine for additional secret discovery. By issuing an AI prompt, it tells the legitimate AI command-line tools on the host to search for more secrets, a classic LOTL (Living Off The Land) technique adapted to the AI age.

Ransomware Ecosystem and Vibe Hacking

In 2025, ransomware actors posted 7,819 breaches to data leak sites, with Qilin alone accounting for 18% of the attacks published in December 2025, followed by Akira, Cl0p, PLAY, and SAFEPAY. While AI’s role in the ecosystem was initially limited to social engineering text and translation, it has recently begun to be used for bypassing operational obstacles, scripting, and exploit chaining.

In a vibe hacking campaign documented in Anthropic’s August 2025 report, a financially motivated actor used Claude Code for an end-to-end blackmail operation against 17+ organizations, including healthcare, emergency services, government, and religious institutions. Unlike classic ransomware, data was not encrypted; instead, there was pure data exfiltration and a threat of public disclosure, with some ransom demands exceeding $500,000. It was determined that the operator gave instructions in Russian, but the ransom notes were in English, consistent with a strategy of targeting non-CIS (Commonwealth of Independent States: Russia, Belarus, Kazakhstan, Kyrgyzstan, Tajikistan, Uzbekistan, Armenia, Azerbaijan, Moldova) countries.

OPSEC Errors and the Hallucination Paradox

The React2Shell case in December 2025 revealed that a PoC exploit circulating shortly after vendor disclosure was in fact non-functional and entirely hallucinated by an LLM. While the failure of a significant portion of AI-generated exploits creates opportunities for deception strategies, hallucination-induced alarm fatigue stands out as a real risk that wears down defensive teams.

Practical Implications for the Defense

  1. MTTC (Mean Time to Contain) is now a more critical metric than MTTD; reactive strategies become insufficient when attack speed exceeds patching speed.
  2. LOTL surveillance should be moved to the network layer; classic IOCs are rapidly becoming obsolete, and anomaly-based signals (unexpected SMB admin share usage, NTLM-Kerberos substitution, JA3/JA4 fingerprint anomalies, high-entropy DNS queries) are more persistent.
  3. AI API traffic should be added to the monitoring list; YARA-based API key hunting and scanning for JSON prompt structures embedded in binary files are the most effective methods for detecting LLM-embedded malware.
  4. MITRE ATLAS should be integrated into threat modeling, especially for agentic AI and orchestration layer attacks.
  5. The definition of insider threat needs to be reframed. Thanks to AI-powered identity generation, operators without basic coding skills can pass technical interviews at Fortune 500 companies, and hiring processes have become an attack surface.
  6. Hallucinations should be turned against the attacker. It is defensive practice not to act on LLM-produced threat indicators without verification, and to seed deception environments with artificial signals designed to induce hallucinations in an attacker’s AI.

Conclusion

The era beginning with GTG-1002 is changing the fundamental asymmetry of the cybersecurity economy. The labor cost on the attack side has collapsed, and the workload a single actor can automate is equivalent to the weekly output of a ten-person red team.
From state-sponsored APTs to individual ransomware operators, all actors have access to the same weapon; the differentiating factor will be targeting strategy and operational discipline. It’s not the speed of patching, but the speed of containing the breach that will determine the course of 2026.

This analysis was compiled using our cyber incident response data, OSINT, publicly available vendor reports (Anthropic, Google GTIG, SentinelLABS, CERT-UA, MITRE), and Cyberthint’s dark web monitoring data.

Author

Cyberthint

Cyberthint is a unified cyber threat intelligence platform. Everything you need is on a single platform! With Cyberthint, you can monitor and identify advanced threats and take early action.

Comment (1)

  1. Threat Actors Automate 0-Day Exploits with AI Discovery Exploitation – Hackers News
    4 May 2026

    […] Cyberthint analysts and researchers identified this structural shift in late 2024, noting that AI is now operating not just as an assistant but as an active attacker. Tasks once requiring a ten-person red team for weeks now take just hours. […]
