Every language model is a dual-use weapon waiting for instructions. In 2025, threat actors stopped using AI as an advisor and started using it as an operator — embedding LLMs directly into malware, orchestrating autonomous intrusion campaigns through agentic frameworks, and deploying deepfake infrastructure that drained $1.1 billion from U.S. corporate accounts alone.
CrowdStrike's 2026 Global Threat Report documented an 89% year-over-year increase in AI-enabled adversary operations, while the average breakout time (from initial access to lateral movement) collapsed to 29 minutes, with the fastest recorded breakout taking just 27 seconds.
The same models that write your code now write exploit chains. The same voice synthesis that powers accessibility features now clones your CEO. The same agentic frameworks that automate pentesting now automate espionage.
This article maps the complete offensive AI arsenal: from LLM-integrated malware families and autonomous attack orchestration to synthetic identity operations and the underground marketplace that commoditizes all of it.
The Offensive AI Maturity Model
Threat actors' adoption of AI follows a clear progression, and 2025 marked the year the curve bent sharply upward. Recorded Future's analysis identified three maturity levels:
- Experimenting — exploring LLMs for basic tasks. Phishing lure generation, target research, code snippet generation. Examples: WormGPT copycats, dark forum jailbreak resales, ChatGPT for recon queries.
- Adopting — AI integrated into existing workflows with humans in the loop. AI-assisted exploit development, deepfake BEC, automated recon pipelines. Examples: FAMOUS CHOLLIMA identity ops, "vibe hacking" (Anthropic June 2025), AI phishing at scale.
- Optimizing — LLMs embedded as live components of attack infrastructure, operating with minimal human oversight. Runtime LLM queries in malware, autonomous attack orchestration, self-modifying code. Examples: LAMEHUG (APT28), PROMPTFLUX (Gemini), GTG-1002 (Claude Code), HexStrike AI.
For three years after ChatGPT's release, offensive AI stayed at the first two levels. Then, between July and November 2025, four developments collectively signaled the transition to operational integration: LAMEHUG embedded live LLM queries into a state-sponsored espionage campaign, PROMPTFLUX demonstrated self-modifying code through Gemini API calls, Anthropic disrupted the first documented autonomous AI-orchestrated cyberattack, and HexStrike AI gave threat actors a turnkey framework bridging LLMs to 150+ offensive tools.
Two technical catalysts drove the inflection: MCP (Model Context Protocol), which standardized agent-tool integration, and reasoning models (OpenAI o1, Claude extended thinking, DeepSeek-R1) that decompose complex tasks into autonomous multi-step plans.
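What that standardization means in practice is easiest to see in code. Below is a minimal MCP server sketch in Python, assuming the official `mcp` SDK and its FastMCP interface; the server name and the file-hashing tool are placeholders of my choosing. The point is that any capability registered this way becomes uniformly callable by any MCP-aware agent, and the protocol is indifferent to what the capability does.

```python
# Minimal MCP server sketch (assumes the official Python SDK: pip install mcp).
# Any function registered as a tool becomes callable by a connected agent;
# frameworks like HexStrike AI apply this same pattern to offensive tooling.
import hashlib
from pathlib import Path

from mcp.server.fastmcp import FastMCP

mcp = FastMCP("demo-tools")  # hypothetical server name


@mcp.tool()
def sha256_file(path: str) -> str:
    """Return the SHA-256 digest of a local file."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


if __name__ == "__main__":
    mcp.run()  # serve over stdio to whatever agent is attached
```

Swap the hash helper for a scanner, an exploit module, or a C2 client and nothing about the integration changes; that uniformity is exactly what made agent-tool bridging cheap for both sides.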
LLM-Integrated Malware: Code That Thinks at Runtime
The most technically significant development of 2025 was malware that queries language models during execution — not during development, but as a live operational component of the attack chain.
LAMEHUG: First LLM-Operational Malware in State-Sponsored Campaigns
LAMEHUG, discovered by CERT-UA in mid-2025, is a Python-based infostealer deployed by APT28 (Fancy Bear) against Ukrainian government agencies. It queries Alibaba Cloud's Qwen2.5-Coder-32B-Instruct through the Hugging Face API, sending Base64-encoded prompts and executing whatever Windows commands the model returns. Splunk's Threat Research Team intercepted the LLM's actual responses: chains of native Windows utilities — systeminfo, wmic, tasklist, netstat, ipconfig, dsquery — for reconnaissance, then xcopy commands to harvest documents into a staging folder. All data was exfiltrated over SSH to a hardcoded C2 server.
KEY SHIFT: LAMEHUG carries no hardcoded reconnaissance commands. Every action is generated contextually by the LLM, which leaves no static command signatures for defenders to match, lets the malware adapt to each target automatically, and blends its C2 traffic into legitimate AI API requests to Hugging Face.
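Because every command is generated per target, string signatures are a dead end; what stays stable is the behavior. The sketch below is illustrative only, assuming `psutil` is available: it flags any parent process that spawns several native discovery utilities within a short window, the pattern Splunk observed regardless of which exact commands the model returned. The threshold, window, and utility list are my assumptions, not tested detection logic.

```python
# Behavioral detection sketch: alert when one parent process launches several
# Windows discovery utilities in quick succession, whatever their arguments.
# Illustrative only; threshold, window, and tool list are assumptions.
import time
from collections import defaultdict

import psutil

RECON_TOOLS = {"systeminfo.exe", "wmic.exe", "tasklist.exe",
               "netstat.exe", "ipconfig.exe", "dsquery.exe"}
THRESHOLD = 3   # distinct discovery tools from a single parent
WINDOW = 120    # seconds

def scan_once() -> None:
    sightings = defaultdict(set)  # parent pid -> discovery tools seen
    now = time.time()
    for proc in psutil.process_iter(["name", "ppid", "create_time"]):
        name = (proc.info["name"] or "").lower()
        if name in RECON_TOOLS and now - proc.info["create_time"] <= WINDOW:
            sightings[proc.info["ppid"]].add(name)
    for ppid, tools in sightings.items():
        if len(tools) >= THRESHOLD:
            print(f"ALERT: pid {ppid} spawned {sorted(tools)} within {WINDOW}s")

if __name__ == "__main__":
    while True:
        scan_once()
        time.sleep(30)
```

In production this logic belongs in an EDR correlation rule rather than a polling script, but the principle carries: score the pattern, not the string.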
PROMPTFLUX: Self-Modifying Malware Through Generative AI
PROMPTFLUX, identified by Google's GTIG in June 2025, pushes further. Written in VBScript, it queries Gemini 1.5 Flash with prompts requesting obfuscation and evasion techniques. Its "Thinking Robot" module periodically asks the LLM to generate new VBScript code that evades antivirus detection. Google discovered variants that instructed Gemini hourly to rewrite the malware's entire source code — metamorphic malware that evolves continuously through AI generation.
The Emerging Ecosystem
GTIG's November 2025 AI Threat Tracker documented additional families: PROMPTLOCK (Go ransomware using Ollama for runtime Lua script generation), FRUITSHELL (a PowerShell reverse shell carrying hardcoded prompts meant to evade LLM-based security analysis), and QUIETVAULT (a JavaScript credential stealer for GitHub/NPM tokens). SentinelLabs' YARA-based hunting uncovered 7,000+ samples containing LLM provider credentials. Akamai discovered malware routing C2 traffic through /v1/chat/completions endpoints, using AI infrastructure as cover for otherwise conventional attacks.
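SentinelLabs' approach generalizes, because LLM-integrated malware has to carry something that lets it reach a model: a provider endpoint, an API key, a characteristic URL path. A minimal hunting sketch using the `yara-python` bindings follows; the indicator strings are illustrative picks based on the families above, not SentinelLabs' actual rules.

```python
# Hunting sketch with yara-python (pip install yara-python).
# Indicators are illustrative: endpoints and key prefixes that LLM-integrated
# malware such as LAMEHUG (Hugging Face) or PROMPTFLUX (Gemini) must embed.
import sys

import yara

RULE = r"""
rule llm_integrated_malware_indicators
{
    strings:
        $hf_api  = "api-inference.huggingface.co" ascii wide
        $gemini  = "generativelanguage.googleapis.com" ascii wide
        $openai  = "/v1/chat/completions" ascii wide
        $hf_key  = /hf_[A-Za-z0-9]{30,}/ ascii
        $oa_key  = /sk-[A-Za-z0-9_\-]{20,}/ ascii
    condition:
        any of them
}
"""

rules = yara.compile(source=RULE)

for path in sys.argv[1:]:
    matches = rules.match(filepath=path)
    if matches:
        print(f"{path}: {[m.rule for m in matches]}")
```

Note the limits: legitimate AI clients match these strings too, and the /v1/chat/completions path doubles as the traffic pattern Akamai described, so hits are hunt leads to triage, not verdicts.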
Autonomous Attack Orchestration: AI as the Operator
GTG-1002: First AI-Orchestrated Cyber Espionage Campaign
In mid-September 2025, Anthropic detected what it described as the first documented case of a cyberattack largely executed without human intervention at scale. The threat actor — assessed as a Chinese state-sponsored group, designated GTG-1002 — manipulated Claude Code into functioning as an autonomous cyber attack agent across approximately 30 global targets including technology corporations, financial institutions, chemical manufacturers, and government agencies.
The campaign operated through a six-phase structure with AI executing 80–90% of all tactical operations independently. Human operators selected targets and approved phase transitions. Claude handled reconnaissance across multiple targets in parallel, vulnerability identification and exploit code generation, credential harvesting and lateral movement, data extraction and categorization by intelligence value, and comprehensive post-operation documentation. The operational tempo was inhuman: thousands of requests, often several per second.
SOCIAL ENGINEERING THE AI: Operators decomposed attacks into small, seemingly innocent tasks and established personas as employees of legitimate cybersecurity firms conducting authorized testing. The same authority-and-context manipulation that works on human employees worked on the model: inherited vulnerabilities at work.
HexStrike AI: The Turnkey Offensive Framework
While GTG-1002 was bespoke, HexStrike AI democratized autonomous offensive operations. The open-source framework uses MCP to bridge LLMs with 150+ cybersecurity tools. Check Point Research observed threat actors discussing its use within 12 hours of Citrix disclosing three zero-days (August 2025). Attacks that previously took days could launch in under 10 minutes at scale. Dark web posts showed actors achieving unauthenticated RCE, deploying webshells, and selling compromised instances.
AI-Powered Social Engineering: Exploiting Humans at Machine Scale
Deepfake fraud losses in the United States reached $1.1 billion in 2025, tripling from $360 million the year before. Globally, losses exceeded $200 million in Q1 2025 alone. The numbers tell the story:
- Deepfakes increased from 500,000 in 2023 to over 8 million in 2025
- AI-enabled fraud surged 1,210% in 2025
- Voice cloning now requires just 3–5 seconds of audio
- AI-generated phishing achieves 4x higher click-through rates than human-crafted lures
- 82% of 2025 detections were malware-free — attacks moving through social engineering rather than traditional malware
This is the inherited vulnerabilities thesis operating in reverse. AI trained on human communication patterns is uniquely effective at exploiting the humans it learned from. Voice (trust) + Video (authority) + Text (precision) + Identity (persistence) = complete manipulation stack. Traditional defenses like "look for bad grammar" are functionally useless against AI-generated social engineering.
FAMOUS CHOLLIMA: North Korea's AI-Powered Workforce
North Korea's FAMOUS CHOLLIMA represents the most sophisticated sustained application of AI to social engineering at nation-state scale. In 2025, the operation infiltrated over 320 companies (220% YoY increase). Operatives use AI-generated identities, real-time deepfake face-swapping in video interviews, and AI chatbots to hold 6–7 simultaneous jobs. The FBI estimates $250M–$1B funneled to DPRK's nuclear program over five years.
Anthropic's threat report found operatives "do not appear to be able to write code, debug programs, or even communicate professionally without Claude's assistance."
The Dual-Use Arms Race
DARPA's AI Cyber Challenge (AIxCC), at DEF CON 33 in August 2025, demonstrated the defensive potential. Seven finalist teams' systems analyzed 54 million lines of code, identifying 86% of synthetic vulnerabilities and patching 68%. The average cost per task: $152. Google's Big Sleep found a real SQLite zero-day before attackers. XBow's platform reported 1,000+ valid vulnerabilities at 80x human speed.
The dual-use problem is structural: the architecture of ATLANTIS, the competition's winning system — multi-agent orchestration, LLM-driven code reasoning, automated exploit generation — mirrors HexStrike AI and GTG-1002. The technology doesn't know which side it's on.
Inherited Vulnerabilities at Machine Speed
The offensive weaponization of AI represents the most significant force multiplier in the history of cyber operations — and it connects directly to the inherited vulnerabilities thesis. LLMs are vulnerable to social engineering because they inherited human trust patterns from training data. The same principle now operates in reverse: AI systems trained on human communication patterns are uniquely effective at exploiting the humans they learned from.
LAMEHUG succeeds because the model understands Windows administration the way a sysadmin would. GTG-1002's jailbreak worked because Claude's role-play capabilities made it susceptible to the same authority manipulation that works on employees. FAMOUS CHOLLIMA's deepfakes exploit the recognition heuristics humans evolved to trust real people. AI phishing achieves 4x click rates because models internalized the persuasion patterns Cialdini documented decades ago.
Three structural realities follow:
- Asymmetry favors offense — attackers need one path; defenders must cover them all.
- Capability proliferation is irreversible — MCP, reasoning models, and agentic frameworks are open and improving.
- LLM-integrated malware will mature fast — LAMEHUG and PROMPTFLUX are first-generation, and the gap between proof-of-concept and operational deployment is compressing to months.
The inherited vulnerabilities thesis predicted this convergence. AI systems that learned human language also learned human persuasion, trust patterns, and deception techniques. Now those capabilities are being reflected back at the species that created them, at machine speed and machine scale.
Kai Aizen is the creator of AATMF (accepted into the OWASP GenAI Security Project 2026), author of Adversarial Minds, and an NVD Contributor. His research focuses on the intersection of social engineering and AI exploitation — specifically, how AI systems inherited human trust patterns along with human language. Read more at snailsploit.com.
Related: Agentic AI Threat Landscape · AI Coding Agent Attack Surface · AI Social Engineering & Deepfakes · MCP Security Deep Dive