
GTIG AI Threat Tracker: Adversaries Leverage AI for Vulnerability Exploitation, Augmented Operations, and Initial Access

Google Threat Intelligence Group (GTIG) reports an escalation in adversaries leveraging generative AI for vulnerability discovery, autonomous malware orchestration, and defense evasion. Notable developments include the AI-assisted discovery of a zero-day 2FA bypass, the PROMPTSPY Android backdoor utilizing the Gemini API for autonomous UI navigation, and supply chain attacks by TeamPCP targeting AI dependencies like LiteLLM to extract cloud secrets.

Confidence: high | Analyzed: 2026-05-11 | Publisher: Google

Authors: Google Threat Intelligence Group

Actors and malware families: UNC2814, APT45, APT27, TeamPCP, UNC6201, UNC5673, TEMP.Hex, Operation Overload, PROMPTSPY, PROMPTFLUX, HONESTCUE, CANFAIL, LONGSTREAM, SANDCLOCK

Source: Mandiant

IOCs: 3

Detection / Hunter: Google

What Happened

Cybercriminals and state-sponsored actors are increasingly using artificial intelligence (AI) to improve their attacks: to find new software flaws, to generate junk and decoy code that hides malicious functionality from static analysis, and to build malware that can navigate a victim's phone with no human operator in the loop. This matters because AI lets attackers work faster and at larger scale, and it undermines signature-based detection. Organizations should secure their AI software supply chains, monitor for unusual automated account registrations against LLM services, and keep built-in mobile protections such as Google Play Protect enabled.

Key Takeaways

  • Threat actors are leveraging AI to discover and weaponize zero-day vulnerabilities, including a recent 2FA bypass in a system administration tool.
  • Malware families like CANFAIL and LONGSTREAM utilize LLM-generated decoy logic and junk code to obfuscate malicious functionality and evade static detection.
  • The PROMPTSPY Android backdoor uses the Gemini API for autonomous attack orchestration, navigating the device UI by serializing screen data to XML and parsing AI-generated JSON responses.
  • Adversaries are industrializing LLM access using custom middleware, proxy relays, and automated registration pipelines to bypass safety guardrails and billing constraints.
  • Supply chain attacks by actors like TeamPCP target AI environments and dependencies (e.g., LiteLLM, OpenClaw) to extract cloud secrets and deploy ransomware.

Affected Systems

  • Android devices (targeted by PROMPTSPY)
  • AI software dependencies and orchestration layers (LiteLLM, BerriAI, OpenClaw)
  • Open-source web-based system administration tools

Vulnerabilities (CVEs)

  • Zero-day 2FA bypass vulnerability in a popular open-source, web-based system administration tool

Attack Chain

Threat actors use AI models during resource development to discover vulnerabilities, generate decoy code, and build autonomous agents. Once PROMPTSPY is running on an Android device it resists removal by drawing invisible overlays over the uninstall controls. It then drives the device on its own: it serializes the current screen to XML, sends that to the Gemini API, parses the model's JSON reply, and injects the requested gestures (clicks, swipes) as if a user had performed them. In separate supply chain attacks, actors compromise AI dependencies via malicious PyPI packages to extract cloud secrets from the environments that install them and to deploy ransomware.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules, but notes that Google Play Protect automatically protects Android users against known versions of the PROMPTSPY malware.

Detection Engineering Assessment

  • EDR Visibility: Medium. Endpoint telemetry records the script execution and any process reaching for cloud secrets, but AI-driven UI automation such as PROMPTSPY's navigation looks like ordinary accessibility-service activity.
  • Network Visibility: Medium. Connections to LLM API endpoints and proxy relays are visible at the flow/DNS level, but the payloads are encrypted and the destinations overlap with legitimate developer traffic.
  • Detection Difficulty: Hard. Polymorphic, LLM-generated code and inert decoy logic defeat signature matching, and autonomous agents mimic legitimate user interactions.

Required Log Sources

  • Network flow logs
  • Process execution logs
  • Cloud audit logs (AWS CloudTrail, GitHub audit logs)
  • Android Accessibility API logs

Hunting Hypotheses

Hypothesis | Telemetry | ATT&CK Stage | FP Risk
Unusual or high-volume outbound connections to AI API endpoints (e.g., Gemini, OpenAI) from unexpected processes or mobile applications | Network flow logs, DNS query logs | Command and Control | High
Scripts containing large blocks of inert or repetitive logic (e.g., repeatedly querying daylight saving time), a sign of AI-generated decoy code | Process command-line arguments, PowerShell script block logging (Event ID 4104) | Defense Evasion | Medium
Unauthorized access to or exfiltration of cloud secrets (AWS keys, GitHub tokens) originating from CI/CD pipelines or AI development environments | Cloud audit logs, CI/CD pipeline execution logs | Credential Access | Low
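The first two hypotheses as runnable checks, added here as an example and not part of the GTIG report or any vendor's detection content. The LLM hostnames, the list of expected client processes, the PowerShell keyword list and the "repeated call whose result is discarded" heuristic are all assumptions to tune per environment; the flow records and script blocks are constructed sample telemetry, with the decoy sample modelled on the IsDaylightSavingTime command line listed under Additional IOCs.

```python
"""Two of the hunting hypotheses above as checks over constructed sample
telemetry. Added example; not GTIG's or any vendor's detection content."""
import re
from collections import Counter

# Hostnames of hosted LLM APIs. Assumption: extend for the providers in use.
LLM_API_HOSTS = {
    "generativelanguage.googleapis.com",  # Gemini API
    "api.openai.com",
    "api.anthropic.com",
}
# Processes that are allowed to talk to LLM APIs. Assumption: tune per estate.
EXPECTED_LLM_CLIENTS = {"chrome.exe", "code.exe"}
# PowerShell control-flow keywords that look like calls but are not decoys.
PS_KEYWORDS = {"if", "while", "foreach", "switch", "for"}

# Constructed flow records: (host, process, destination hostname).
SAMPLE_FLOWS = [
    ("ws-17", "chrome.exe", "generativelanguage.googleapis.com"),
    ("ws-17", "chrome.exe", "api.openai.com"),
    ("ws-42", "svchost.exe", "generativelanguage.googleapis.com"),
    ("ws-42", "svchost.exe", "generativelanguage.googleapis.com"),
] + [("build-3", "python.exe", "api.anthropic.com")] * 31


def hunt_llm_api_callers(flows, expected=EXPECTED_LLM_CLIENTS, max_expected=25):
    """Hypothesis 1: (host, process) pairs reaching LLM APIs that are either
    not an expected client or exceed a per-process connection budget."""
    counts = Counter((h, p) for h, p, dest in flows if dest in LLM_API_HOSTS)
    return sorted(
        (h, p, n) for (h, p), n in counts.items()
        if p.lower() not in expected or n > max_expected
    )


# A method call at the start of a PowerShell statement, e.g.
# [System.TimeZoneInfo]::Local.IsDaylightSavingTime($x) or $obj.Method(...)
CALL_RE = re.compile(r"((?:\[[\w.]+\]::|\$)?[\w.]+)\s*\(")


def decoy_score(script_text, min_repeats=5):
    """Hypothesis 2: find one method call that is repeated with its result
    discarded (not assigned, not piped). Returns (call, repeats,
    share_of_statements) or None when nothing crosses min_repeats."""
    stmts = [s.strip() for s in re.split(r"[\r\n;]+", script_text) if s.strip()]
    discarded = Counter()
    for s in stmts:
        if re.match(r"^\$\w+\s*=", s) or "|" in s:
            continue  # assigned or piped: the value may actually be used
        m = CALL_RE.match(s)
        if m and m.group(1) not in PS_KEYWORDS:
            discarded[m.group(1)] += 1
    if not discarded:
        return None
    call, n = discarded.most_common(1)[0]
    return (call, n, round(n / len(stmts), 2)) if n >= min_repeats else None


# Constructed script block in the style of the decoy logic described above.
SAMPLE_DECOY_SCRIPT = """
[System.TimeZoneInfo]::Local.IsDaylightSavingTime($memoryconfigresource)
$memoryconfigresource = Get-Date
[System.TimeZoneInfo]::Local.IsDaylightSavingTime($memoryconfigresource)
[System.TimeZoneInfo]::Local.IsDaylightSavingTime($memoryconfigresource)
$payload = [Convert]::FromBase64String($blob)
[System.TimeZoneInfo]::Local.IsDaylightSavingTime($memoryconfigresource)
[System.TimeZoneInfo]::Local.IsDaylightSavingTime($memoryconfigresource)
[System.TimeZoneInfo]::Local.IsDaylightSavingTime($memoryconfigresource)
Invoke-Expression $payload
"""

# Constructed benign admin script: every value is assigned, tested or piped.
SAMPLE_ADMIN_SCRIPT = """
$svc = Get-Service -Name Spooler
if ($svc.Status -ne 'Running') { Start-Service -Name Spooler }
Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 1MB } | Remove-Item
"""

if __name__ == "__main__":
    print(hunt_llm_api_callers(SAMPLE_FLOWS))
    print(decoy_score(SAMPLE_DECOY_SCRIPT))
    print(decoy_score(SAMPLE_ADMIN_SCRIPT))
```

The decoy heuristic deliberately ignores what the repeated call does; it keys on the shape (same call, result thrown away, many times), which is what survives when an LLM is asked for fresh filler on each build.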

Control Gaps

  • Lack of visibility into AI model interactions and prompt contents
  • Difficulty distinguishing AI-generated decoy code from benign administrative scripts
  • Inadequate security scanning of third-party AI dependencies and agent skills

Key Behavioral Indicators

  • High-volume, repetitive API calls to LLM providers from single endpoints
  • Scripts with hallucinated or nonsensical comments and docstrings
  • Mobile apps requesting excessive Accessibility permissions combined with connections to generative AI APIs
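A triage check for the third indicator, added here as an example and not part of the GTIG report. It parses an app manifest for an accessibility-service binding and the overlay permission and combines that with the hostnames the app was seen contacting. The manifests, package names and hostnames are constructed; treating SYSTEM_ALERT_WINDOW as the route to invisible overlays, and the generative-AI hostname list, are assumptions.

```python
"""Triage an Android app manifest against observed network destinations for
the accessibility-plus-generative-AI indicator. Added example; not GTIG's
code. Manifests and hostnames are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
A11Y_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Assumption: the overlay permission is what lets an app draw views over
# other apps' controls (e.g. an invisible view over an uninstall button).
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
# Generative AI API hostnames. Assumption: extend for other providers.
GENAI_HOSTS = {"generativelanguage.googleapis.com", "api.openai.com"}

# Constructed manifest of a hypothetical app that binds an accessibility
# service and requests the overlay permission.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.app">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application>
        <service android:name=".AssistService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed manifest of a hypothetical app with no special capabilities.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application/>
</manifest>
"""


def manifest_capabilities(manifest_xml):
    """Extract the package name and the two capabilities the indicator hinges on."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    binds_a11y = any(
        s.get(ANDROID_NS + "permission") == A11Y_PERMISSION
        for s in root.iter("service")
    )
    return {
        "package": root.get("package"),
        "accessibility_service": binds_a11y,
        "overlay": OVERLAY_PERMISSION in perms,
    }


def triage(manifest_xml, observed_hosts):
    """Return (package, findings) combining manifest capabilities with the
    hostnames the app was observed contacting."""
    caps = manifest_capabilities(manifest_xml)
    genai = sorted(set(observed_hosts) & GENAI_HOSTS)
    findings = []
    if caps["accessibility_service"] and genai:
        findings.append("accessibility service + traffic to " + ", ".join(genai))
    if caps["accessibility_service"] and caps["overlay"]:
        findings.append("accessibility service + overlay permission")
    return caps["package"], findings


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, ["generativelanguage.googleapis.com", "cdn.example.net"]))
    print(triage(BENIGN_MANIFEST, ["generativelanguage.googleapis.com"]))
```

Accessibility services alone are common in legitimate apps, which is why the check only fires on the combination; the network side can come from mobile DNS logs or an MDM's per-app traffic report.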

False Positive Assessment

  • Medium

Recommendations

Immediate Mitigation

  • Ensure Google Play Protect is enabled on all enterprise Android devices to block known versions of PROMPTSPY.
  • Audit AI development environments and CI/CD pipelines for compromised dependencies (e.g., LiteLLM, BerriAI).
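One concrete form of that audit, added here as an example and not part of the GTIG report or of pip or any project: parse a pip-style lockfile, flag AI dependencies that are not exactly pinned or carry no `--hash`, and verify a downloaded artifact against its pinned hash. The lockfile, package versions and artifact bytes are constructed; the hash in the lockfile is computed from the constructed bytes and matches no real release.

```python
"""Lockfile pin/hash audit for AI dependencies plus artifact verification.
Added example; not GTIG's, pip's or any project's code."""
import hashlib
import re

# One requirement line, e.g. "litellm==1.2.3 --hash=sha256:<hex>". Only exact
# pins (==) count as pinned; ranges and bare names do not.
REQ_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*(==\s*(\S+))?(.*)$")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def parse_requirements(text):
    """Return {normalized_name: {"version": str|None, "hashes": set[str]}}.
    Backslash continuations are joined so hashes on following lines count."""
    reqs = {}
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_RE.match(line)
        if not m:
            continue
        name = m.group(1).lower().replace("_", "-")
        reqs[name] = {"version": m.group(3), "hashes": set(HASH_RE.findall(m.group(4)))}
    return reqs


def unpinned(reqs):
    """Dependencies that can silently resolve to a newly published (possibly
    malicious) release: no exact version, or no hash to verify the artifact."""
    return sorted(n for n, r in reqs.items() if r["version"] is None or not r["hashes"])


def verify_artifact(reqs, name, data):
    """True only if sha256(data) equals one of the hashes pinned for name."""
    pinned = reqs.get(name.lower().replace("_", "-"), {}).get("hashes", set())
    return hashlib.sha256(data).hexdigest() in pinned


# Constructed bytes standing in for a downloaded wheel. The hash below is
# derived from them and does not correspond to any real package release.
GOOD_WHEEL = b"PK\x03\x04 constructed litellm wheel contents"
GOOD_HASH = hashlib.sha256(GOOD_WHEEL).hexdigest()
SAMPLE_LOCKFILE = f"""
# constructed example lockfile for an AI orchestration service
litellm==1.0.0 \\
    --hash=sha256:{GOOD_HASH}
openai>=1.0        # version range: any future release is accepted
httpx==0.27.0      # exact version but no hash: a replaced artifact passes
"""


def audit(lockfile_text=SAMPLE_LOCKFILE):
    """Run the lockfile audit and an artifact check for the pinned package."""
    reqs = parse_requirements(lockfile_text)
    return {
        "unpinned": unpinned(reqs),
        "litellm_ok": verify_artifact(reqs, "litellm", GOOD_WHEEL),
        "litellm_tampered": verify_artifact(reqs, "litellm", GOOD_WHEEL + b"\x00"),
    }


if __name__ == "__main__":
    print(audit())
```

In a pipeline the same check is what `pip install --require-hashes` enforces; the script is useful where the install step is outside your control (agent frameworks that pull their own dependencies) or where you want the gap reported before any install runs.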

Infrastructure Hardening

  • Implement network segmentation to restrict access to AI API endpoints from unauthorized network segments.
  • Integrate automated security scanning (e.g., VirusTotal Code Insight) into AI skill marketplaces and internal code repositories.
  • Monitor and restrict the use of API gateways and aggregators (e.g., Claude-Relay-Service) on corporate networks.

User Protection

  • Enforce strict least-privilege access for mobile applications, particularly regarding Android Accessibility services.
  • Deploy advanced anti-phishing controls that account for highly targeted, AI-generated lures.

Security Awareness

  • Train developers on the risks of AI supply chain attacks and the importance of verifying third-party AI packages.
  • Educate users on the existence of high-fidelity AI-generated deepfakes and voice cloning used in information operations.

MITRE ATT&CK Mapping

  • T1592.001 - Gather Victim Host Information: Hardware
  • T1591.002 - Gather Victim Org Information: Business Relationships
  • T1591.004 - Gather Victim Org Information: Identify Roles
  • T1587.001 - Develop Capabilities: Malware
  • T1587.004 - Develop Capabilities: Exploits
  • T1588.002 - Obtain Capabilities: Tools
  • T1588.005 - Obtain Capabilities: Exploits
  • T1588.006 - Obtain Capabilities: Vulnerabilities
  • T1588.007 - Obtain Capabilities: Artificial Intelligence
  • T1566 - Phishing
  • T1027.014 - Obfuscated Files or Information: Polymorphic Code
  • T1027.016 - Obfuscated Files or Information: Junk Code Insertion
  • T1090.003 - Proxy: Multi-hop Proxy

Additional IOCs

  • Command Lines:
    • Purpose: Execute decoy logic to obfuscate malicious PowerShell scripts | Tools: PowerShell | Stage: Defense Evasion | [System.TimeZoneInfo]::Local.IsDaylightSavingTime($memoryconfigresource)
    • Purpose: Execute decoy network requests in JScript/JavaScript malware | Tools: JScript, ActiveXObject | Stage: Defense Evasion | new ActiveXObject("MSXML2.XMLHTTP")
  • Other:
    • gemini-2.5-flash-lite - Specific Gemini AI model targeted by the PROMPTSPY malware for generating device interaction commands.