AI is not fundamentally changing adversary capabilities but is compressing attack timelines, lowering operational costs, and scaling existing tactics. Breakout times have dropped to an average of 29 minutes, with AI-enabled operations increasing 89% year-on-year. The most significant emerging threats are runtime-LLM malware (PROMPTSTEAL/LAMEHUG, QUIETVAULT) that query language models during execution, and agentic AI operations (GTG-1002) where AI agents conduct multi-stage intrusions with minimal human steering. Defenders face a dual pressure: faster attacks and an expanding attack surface from AI supply-chain dependencies.
AI Attacked and Abused While Perimeter Authentication Collapses
The month's defining shift was the emergence of AI as a two-sided battlefield: organizations deployed AI tools faster than they secured them, while attackers weaponized the same technology against defenders. Critical flaws in LangGraph allowed SQL injection chained to remote code execution, M365 Copilot could be turned into a one-click data exfiltration weapon via SearchLeak, and Langflow was exploited to deploy cryptominers. Meanwhile, the ongoing Shai-Hulud campaign injected prompts to blind AI malware scanners, macOS.Gaslight turned prompt injection against human analysts, and Russia's APT28 began experimenting with LLM-integrated malware. At the same time, perimeter authentication collapsed at scale: FortiBleed exposed credentials for over 73,000 FortiGate firewalls, CVE-2026-50751 let attackers bypass Check Point VPN authentication entirely, and ShinyHunters exploited an Oracle PeopleSoft zero-day across over 100 organizations.
Supply chain attackers followed developers to their new AI tools, compromising the ecosystems where code is written and built. The Shai-Hulud/Miasma worm expanded from npm into PyPI and injected persistent backdoors into AI coding assistant configurations, while North Korea's Sapphire Sleet compromised over 140 Mastra npm packages to steal cryptocurrency wallets, and the ongoing GlassWorm campaign pivoted to WebAssembly malware in VS Code extensions using the Solana blockchain as command-and-control. Social engineering also industrialized: the ErrTraffic framework turned ClickFix deception into a Malware-as-a-Service operation with blockchain dead drops, and EvilTokens hid phishing flows inside browser-side encryption to defeat network scanners while hijacking Microsoft device-code authentication.
Organizations should treat AI deployments as untrusted perimeter assets—restrict their network access, audit third-party skills and extensions, and assume prompt-injection attacks will target both automated scanners and human analysts. Every internet-facing VPN, firewall, and edge appliance should be patched immediately, with credentials rotated and phishing-resistant MFA enforced, because perimeter authentication failures now cascade directly into internal network compromise.
Sekoia's Threat Detection & Research team details the two-decade evolution of APT28's tradecraft, highlighting a strategic shift from monolithic implants to disposable, single-purpose tools and compromised edge-router infrastructure. Recent operations demonstrate a return to custom cloud-resident backdoors and novel experimentation with LLM-driven infostealers.
Multiple Russia-aligned threat actors, including SHADOW-EARTH-066 and Earth Dahu, are actively exploiting a patched WinRAR path traversal vulnerability (CVE-2025-8088) to target Ukrainian organizations. The attackers use crafted RAR archives with NTFS Alternate Data Streams to silently drop malicious payloads, such as the evolved GIFTEDCROOK infostealer or HTA-based espionage tools, into the Windows Startup folder and ProgramData directories.
Active Directory Certificate Services (AD CS) is increasingly targeted by threat actors to achieve privilege escalation and persistence through misconfigured certificate templates and shadow credential abuse. By leveraging tools like Certipy and Whisker, attackers can bypass traditional credential defenses, necessitating behavioral detection strategies focused on LDAP enumeration, anomalous certificate issuance, and directory modifications.
Akamai researchers discovered that Microsoft's patch for an APT28 zero-day (CVE-2026-21510) was incomplete, resulting in a new zero-click authentication coercion vulnerability (CVE-2026-32202). While the patch successfully mitigated remote code execution by adding SmartScreen verification, it failed to prevent Windows Explorer from initiating an SMB connection to resolve UNC paths during icon extraction, allowing attackers to steal Net-NTLMv2 hashes without user interaction.
Sekoia TDR details their methodology for automating .NET malware analysis, focusing on an obfuscated Covenant Grunt implant used by APT28. The researchers demonstrate how to programmatically decrypt strings and decompile code using pythonnet and dnlib, culminating in the release of RePythonNET-MCP, a tool that enables AI-assisted reverse engineering and configuration extraction.
The UK NCSC has issued an advisory warning that the Russian state-sponsored threat group APT28 is compromising vulnerable internet routers to conduct DNS hijacking. By altering DNS configurations, the attackers perform adversary-in-the-middle attacks to covertly reroute user traffic and harvest credentials and access tokens from personal web and email services.
Russian state-sponsored threat actor APT28 is exploiting vulnerable SOHO routers to modify DHCP and DNS settings, redirecting user traffic to malicious infrastructure. This DNS hijacking facilitates Adversary-in-the-Middle (AitM) attacks designed to harvest credentials and OAuth tokens for web and email services.
The Russia-aligned APT group Pawn Storm has launched a sophisticated campaign deploying the PRISMEX malware suite against Ukrainian and NATO defense supply chains. The attack chain leverages two critical vulnerabilities, CVE-2026-21509 and CVE-2026-21513, to achieve zero-click execution, utilizing advanced steganography and COM hijacking to evade detection while communicating via legitimate cloud services.
Insikt Group identified five distinct threat clusters utilizing the ClickFix social engineering technique to trick users into manually executing malicious commands via native system tools. This living-off-the-land approach bypasses traditional browser security to deliver payloads like NetSupport RAT and macOS infostealers across both Windows and macOS environments.
The Sednit threat group (APT28) has deployed a modernized espionage toolkit targeting Ukrainian military personnel. The toolkit consists of custom implants SlimAgent and BeardShell, alongside a heavily modified version of the Covenant framework, utilizing legitimate cloud storage providers for resilient Command and Control (C&C).
Over the next two years, Russia is expected to escalate its hybrid warfare against NATO into a coordinated New Generation Warfare (NGW) campaign. This strategy integrates cyber operations, physical sabotage, influence campaigns, and airspace/maritime incursions to degrade European critical infrastructure and political unity while remaining below the threshold of conventional armed conflict.