When Hackers Use GPT: The Dark Side of AI

There is a quiet unease that comes with watching powerful tools spread. We know those tools lift defenders and spur new ideas; we also know they can make attackers faster and more efficient.

This report uses Google’s GTIG data and other sources to map how artificial intelligence is shaping attacker workflows. The focus is evidence-driven: research, troubleshooting, and content generation are the primary uses identified, not novel capabilities.

Iranian and Chinese actors showed the highest activity; Russian use was limited, while North Korea targeted strategic aims like defense and cryptocurrency. The analysis finds that generative models speed scale and tempo—yet current safeguards often prevent dramatic escalation.

Key Takeaways

• Evidence-based report grounded in GTIG data, not speculation.
• Generative tools amplify speed and scale without new attack types.
• Certain actors test models more than others; activity varies by region.
• Detection and security require layered, data-driven defenses.
• Practical steps help U.S. organizations reduce risks while adopting tools.

Executive snapshot: What the past tells us about the dark side of AI

GTIG’s review found actors used generative tools to speed routine work rather than craft new exploits. The report shows productivity gains across recon, coding, and content creation—efficiency, not invention, drove observed changes.

Intelligence-led research highlighted higher usage by Iranian and Chinese groups. Russia’s activity remained limited, while North Korea focused on strategic targets such as military and cryptocurrency systems.

• Guardrails mattered: attempts to jailbreak models like Gemini produced safety fallbacks.
• Common assistance included coding help, translations, and technical explanations.
• Vulnerabilities work targeted public CVEs; zero-day development was not widespread.

“Tools amplified scale and tempo of operations, not their novelty.”

The analysis ties these findings to enterprise risk. Increased frequency and reach of threat attempts mean leaders must prioritize layered controls, monitoring, and resilient systems. For a deeper dive, see this related report.

Defining the problem: AI Misuse in Hacking

What counts as misuse? Models and machine learning tools now augment attacks across recon, code conversion, and social engineering. This lowers the skill needed and expands the pool of actors who can mount campaigns.

Scope matters: systems that integrate models can be indirectly abused via prompt manipulation, while locally run tools can be customized to bypass safeguards. Both paths widen capabilities and reduce time to impact.

Example: Semi‑autonomous workflows chain reconnaissance, payload development, and access planning. Tasks that once took days can complete in hours, compressing the attack lifecycle and raising operational tempo.

• Threats as multipliers: Generative tools polish phishing text, speed exploit development, and improve evasion—amplifying known threats rather than inventing wholly new ones.
• What organizations face: Faster iterations, more targeted content, and greater use of sensitive data that challenge standard detection and access controls.
• Attack categories: Social engineering, malware development, vulnerability discovery, and manipulation of model-driven systems.

Clear access management and tight data controls form the foundation for mapping these risks across the enterprise attack lifecycle.

How attackers really use AI today, not theory

Rather than creating new attack classes, actors favor models for debugging, translation, and content polishing.

Observed patterns show researchers and operators use hosted assistants for pragmatic work: clarifying APIs, converting code, and refining phishing text. These tasks reduce time-to-campaign and broaden participation.

Jailbreak attempts and safety guardrails

Public jailbreak prompts were common, but hosted models often returned filtered responses or safety fallbacks. That limited direct access to explicit exploit instructions.

Productivity gains for skilled and unskilled actors

Skilled operators integrate tools into workflows like familiar exploit frameworks. Less skilled users treat assistants as tutors—asking for code fixes or tone adjustments for phishing.

Example: requests to translate public malware samples or add simple encryption appeared repeatedly—incremental steps, not breakthroughs.

Practical takeaway: defenders should focus on controls that target research and content workflows most enhanced by these tools.

For further technical context, see this adversarial misuse research.

Government-backed threat actors: behaviors observed by Google’s GTIG

The GTIG report separates national behaviors: broad research and localization from Iran, post-access tradecraft from China, and targeted development from North Korea.

Iranian actors led visible use for research and content. They probed defense organizations, public CVEs, WinRM and IoT flaws, and generated multilingual phishing materials. APT42 stood out for tailored messaging and localization to match targets.

Chinese actors emphasized post-access techniques: lateral movement, privilege escalation, data exfiltration, and detection evasion. Their workflows paired reconnaissance on U.S. military and IT providers with development focused on persistence and stealth.

North Korean operations pursued infrastructure research, payload development, scripting, and crypto-related information. Their work included drafting covert cover letters and targeted intelligence for strategic sectors.

Takeaway: intelligence shows actors use tools where they compress time and raise consistency—defenders must assume adversaries read the same public guidance and plan accordingly.

Iran-focused trends: phishing campaigns, defense recon, and multilingual content

Iran-linked groups focused activity on tailored reconnaissance and multilingual outreach that targeted defense specialists and organizations. More than ten distinct actors conducted research on known enterprise protocols and translated findings for regional audiences.

APT42 accounted for over 30% of observed usage and emphasized phishing content aimed at U.S. defense targets. Their workflows show deliberate creation of cyber-themed narratives and careful localization to match target expectations.

APT42’s phishing operations and localization workflows

APT42 assembled believable pretexts and refined tone to increase engagement. They translated messages and attachments across Farsi, Hebrew, and English to broaden reach.

Research into CVEs, WinRM, IoT, and defense organizations

Concrete research threads included WinRM nuances, IoT flaws, SSRF methods, and router tools such as RomBuster. These cases reveal a focus on leveraging known frameworks rather than inventing new exploits.

“Consistent content creation and localization can compress planning to launch timelines.”

• Iran-linked actors blended target research with tailored text and media to craft convincing outreach.
• Output quality—clear terminology and structure—raised the chance of victim engagement.
• Example workflows translated source materials to increase coherence across regions and campaigns.

From horizon to mature: the evolution of AI-enabled crime

A clear progression frames how tool-driven crime escalates across time and capability. We map three phases—horizon, emerging, and mature—to help leaders match defenses to evolving threats. This model focuses on operations, capabilities, and practical tradeoffs.

Horizon: autonomous agents and critical infrastructure risks

At the horizon stage, autonomous agents gain limited access to enterprise systems and industrial controls. These actors test agentic workflows against critical infrastructure; the concern is not widespread yet, but the potential blast radius is large.

Emerging: deepfakes, disinformation, and automated fraud

The emerging phase centers on media manipulation and social media campaigns. Interpol and Europol alerts document deepfake scams, BEC-style fraud, and automated deception that scale content distribution.

Mature: when systems surpass human scale and speed

In a mature state, agents coordinate continuous tasks and pursue profit autonomously. Example cases from crypto ecosystems show how toolsets can run without constant human input, blending malware delivery with tailored lures.

“Scale and speed will favor actors that automate decision loops.”

Analysis in this report recommends prioritizing current emerging risks while preparing systems for horizon-stage agents. Leaders should harden endpoints, monitor automated workflows, and align investments to phase-specific threats.

AI-enabled phishing and social engineering at scale

Phishing campaigns now blend precise reconnaissance with tailored text to mimic trusted internal workflows. Generative text creates realistic content that mirrors tone, project names, and approval chains. That increases engagement and lowers suspicion.

Generative text for personalized phishing campaigns

Tools speed the creation of phishing emails and multi-step campaigns. Attackers assemble localized drafts that reference meetings, payroll dates, or benefits enrollment to prompt action.

Documented cases include fraudulent HR messages that led to credential theft and campaign templates translated across languages. Social media research supplies context—timing, roles, and project terms—that boosts plausibility.

Voice cloning and deepfake video in BEC and extortion

Voice cloning and deepfake media convert a convincing email into an urgent, multi-channel demand. Executives’ voices or staged video calls pressure staff to approve transfers or disclose credentials.

Practical defense: require out-of-band verification for funds movement; do not trust voice alone.

• Techniques like tone mirroring and domain-similar senders make content harder to flag.
• Media-rich lures—fake calls or clips—raise plausibility at key corporate events.
• Assume sequencing: phishing that escalates to recorded calls or video demands.

Recommendation: deploy layered detection, behavioral verification, and training that simulates multi-vector campaigns. We advise combining technical controls with clear approval policies to reduce successful creation and execution of these attacks.

Vulnerability discovery and malware development with generative models

Generative pipelines have shrunk the gap between discovery and weaponization, accelerating how quickly flaws become exploitable.

Machine learning-driven fuzzing and pattern-guided scanning compress timelines for finding vulnerabilities on public-facing systems and internal services.

Development pipelines can generate lateral movement scripts, adapt payloads to target systems, and refine techniques that bypass basic EDR heuristics.

Automated fuzzing, exploit generation, and lateral movement scripts

Operations now chain discovery to action. Tools and templates turn CVE feeds and GitHub code into proof-of-concept exploits with minimal edits.

Research workflows pair feeds with generated payloads that iterate quickly. That reduces skill barriers and compresses attacker tasks.

Polymorphic malware and adaptive ransomware operations

Example: operators build polymorphic malware that mutates structure to defeat signature scanners and static analysis.

• Ransomware orchestration prioritizes business-critical targets to maximize leverage.
• Evasion methods include in-memory execution, sandbox checks, and geofencing to avoid detection.
• Build chains automate exploit generation, payload packaging, and delivery sequencing.

Case: OPSWAT’s Martin Kallas demonstrated a guided malware chain produced under two hours that evaded most VirusTotal engines and slipped past behavioral sandboxes.

Practical takeaway: defenders should assume polymorphism is normal—move from single-engine scanning to multi-engine and behavior-based analytics, and prioritize patch management to reduce the attack surface.

Local, unrestricted models as a force multiplier for attackers

Locally hosted, unrestricted models let operators run tailored workflows outside platform oversight. Running model weights on private hardware removes many commercial guardrails. That freedom speeds testing and shortens the path from idea to execution.

Open-source LLMs and fine-tuning for offense

Open-source models and use generative techniques let adversaries sculpt bespoke capabilities. Tools for fine-tuning reduce friction: operators add domain data, expand prompt vocabularies, and iterate architectures to shape outputs for offensive tasks.

OPSWAT noted millions of publicly available models on repositories like Hugging Face. Local GPUs or cloud compute plus retrainable weights enable rapid payload customization without platform logs.

Safeguard bypass and local pipelines

Unrestricted runs let attackers refine evasion and attacks offline, then stage delivery through disposable infrastructure. That workflow widens intelligence gaps because defenders lose platform signals that indicate preparatory development.

• Faster cycles: payload variants, obfuscation, and encryption get generated and tested on-demand.
• Scaled capabilities: models chained with schedulers form semi-autonomous build and recon pipelines.
• Defender response: assume out-of-band iteration and apply endpoint and network controls to close blind spots.

Mapping AI misuse to the attack lifecycle

Tracing tool-assisted workflows across recon, weaponization and post-access tasks clarifies defensive priorities. This lifecycle view ties observed development to practical controls.

Reconnaissance

Actors performed focused research on organizations and information targets—US military ranges, defense firms, and hosting providers.

Examples include domain discovery and free-hosting identification to stage campaigns and phishing emails.

Weaponization

Tools sped code conversion and added encryption routines: webcam code in C++, adapting Chrome infostealer functions, and inserting AES libraries.

These techniques reduced manual development and lowered the bar for operators to prepare payloads.

Delivery and exploitation

Content and text generation supported targeted campaigns. Advanced phishing content targeted defense organizations while research focused on WinRM and IoT vulnerabilities.

Installation, C2, and actions on objectives

Installation explored signed VSTO plugins, AD certificate misuse, and persistence tied to enterprise systems. C2 tasks ranged from remote event log access to AD commands and JWT routing.

Actions on objectives included automating Gmail extraction to EML and staging large OneDrive uploads for data exfiltration.

“Lifecycle mapping sharpens where operations compress effort and where detection should focus.”

• Detection pressure points: content anomalies during delivery, certificate misuse at installation, and unusual log queries during C2.
• Practical defense: prioritize monitoring for tool-specific behaviors and harden mailbox and cloud storage controls.
• Further reading: see strategies for escalating cyber attacks at escalating cyber attacks.

Adversarial machine learning: prompt injection, evasion, and poisoning

Adversarial tricks now treat embedded assistants as attack vectors. Prompt injection can make a model reveal sensitive information or follow hidden commands tucked into files, links, or metadata. This turns automation and parsing logic into new sources of risk.

How prompt injection turns enterprise systems into an attack surface

Prompt injection hides instructions inside benign-looking content. Attackers craft payloads that the assistant executes when handling uploads or document parsing.

Controls include rigorous input/output validation, strict access boundaries, and kill switches for risky functions.

Classifier evasion and data poisoning against detection systems

Classifier evasion uses subtle changes so malicious files look benign to scanners. Data poisoning skews training corpora to bias outcomes or hide indicators.

GTIG’s analysis found few persistent prompt attacks in the dataset; public jailbreaks were attempted and mostly failed. Still, local models can lack these safeguards and need separate controls.

Practical techniques: adversarial testing, runtime telemetry for tool-model calls, versioning, red teaming, and fast rollbacks.

Treat models as production software: enforce governance, monitor model-tool interactions, and test for evasion and poisoning to reduce emerging threats.

AI Misuse in Hacking: top risks for U.S. organizations

Recent regulator alerts show deception tactics that pair realistic media with tailored phishing emails to breach payroll and vendor systems.

Financial services fraud, ransomware, and synthetic identities

U.S. organizations face concentrated risk where synthetic identities enable account opening and deepfake-enabled business email compromise (BEC) scales fraud.

Attackers combine breached data and public sources to craft precise campaigns that target payment flows, payroll, and vendor management.

Social media scraping refines timing and pretext, while models speed creation of convincing voice and video lures used in real-time impersonation.

Regulatory intelligence: Treasury and FinCEN reports note rising deepfake-enabled fraud and increased use of synthetic identities in financial scams.

• Phishing emails during benefits enrollment have led to credential theft at several large employers.
• Adaptive malware targets business-critical systems; unpatched vulnerabilities remain common landing zones.
• Operations tempo pressures incident response—rapid lateral movement shortens recovery windows.

Cases from recent alerts show voice and video deepfakes are operational tools, not edge scenarios. Leaders should align budgets to the highest risk areas and invest in identity-proofing, resilient backups, and transactional monitoring.

For guidance on model-aware defenses and technical controls, consult SentinelOne’s overview of model security risks.

Detection and defense: layered controls that collapse AI-driven attacks

Layered defenses collapse tool-accelerated attacks by forcing multiple checkpoints before harm reaches critical systems. This approach reduces single-point failures and raises the cost for actors who test evasion and rapid payload variants.

Multiscanning and sandboxing to catch polymorphic payloads

Defense-in-depth must combine signature engines, heuristics, and behavior analysis. OPSWAT’s Metascan Multiscanning shows how multiple engines increase catch rates against polymorphic malware and obfuscated payloads.

Sandboxes like MetaDefender reveal runtime actions that static checks miss. Teams should tune environment timing and emulate real hosts to expose delayed or environment-aware evasion.

Content disarm and reconstruction to neutralize file-borne threats

Deep CDR rebuilds files to preserve business content while removing active components. That solution limits delivery success and short-circuits many common exploit chains.

AI security testing and red teaming for LLM-integrated systems

Regular red teaming tests prompt injection, classifier evasion, and unsafe tool invocation. Tools and governance—allowlists, safe function calling, and output constraints—close abuse paths and harden workflows.

Practical checklist: instrument ingress points, enforce quarantine workflows, keep rapid update cycles, and test backups to limit ransomware impact.

Policy, regulation, and cross-sector collaboration in the United States

Policy coordination now shapes how organizations prepare for fast-moving threats across sectors. U.S. agencies recommend clear governance so defensive measures scale with operational tempo. Consensus is forming around frameworks that tie technical controls to process and oversight.

AI risk management frameworks aligned to NIST guidance

The CFTC Technology Advisory Committee urged adoption of NIST-aligned risk management for financial markets. Regulators and industry groups expect documented testing, logging, and continuous monitoring as part of model governance.

Risk management should map models to business processes: define acceptable tool use, review protocols, and audit trails. That link reduces ambiguity about who owns residual risks and what remediation looks like.

Public-private information sharing and industry initiatives

Information sharing accelerates warning cycles and coordinated takedowns. FinCEN and Treasury alerts on deepfake-enabled fraud show how shared intelligence can spotlight new threats fast.

Public-private partnerships—backed by initiatives like the Counter Ransomware Initiative—help disseminate playbooks, IOCs, and secure channels for collaboration. Media literacy campaigns complement technical controls and lower user susceptibility to deceptive content.

Practical point: harmonized standards let defenders trade signals and solutions with less friction while keeping sensitive information protected.

Bottom line: actors adapt quickly; policy must be iterative. Pairing incentives for responsible innovation with clear penalties, shared playbooks, and tested operations makes defense more resilient and practical.

Operations playbook: preparing teams for AI-accelerated threats

Rapid change requires a practical playbook that keeps human judgment central. SOC leaders should blend automated enrichment with clear review gates so analysts decide final actions. Short routines and repeatable steps reduce error and speed response.

SOC workflows, continuous red teaming, and model governance

Daily operations must adopt AI-aware investigation tools while preserving human oversight. The FBI stresses that analysts validate outputs and never treat suggestions as final. Ponemon found only 37% of security pros feel prepared—this gap frames urgent work.

• Define cadence: daily tasks include AI-assisted triage, correlation, and analyst sign-off.
• Tools: link case management with multiscanning, sandboxing, CDR, and automated containment.
• Governance: enforce access controls, prompt policies, versioning, and audit trails for models.
• Detection & analysis: feed incident learnings into rules, signatures, and pipeline updates.
• Red teaming: run regular prompt-injection and classifier-evasion drills to harden defenses.

“Trust but verify” should guide operational doctrine: train analysts to escalate unclear results.

For teams seeking a readiness baseline, review guidance on how to be prepared for an AI-powered cyber attack and align hiring, training, and development to this operations playbook.

What’s changing next: from tool-assisted attackers to autonomous agents

Emerging agentic systems are shifting attacker workflows from hands-on orchestration to continuous, automated campaigns. These programs can link browsers, databases, and wallets to pursue clear goals across multiple systems. The trend uses artificial intelligence to close feedback loops and shorten decision cycles.

We anticipate a shift: attackers use semi‑autonomous agents that coordinate recon, payload iteration, and delivery without constant human direction. When operators pair human strategy with tool-driven persistence, actors gain new capabilities to chain tasks and adapt to defenses.

• Example: autonomous triage that refines target lists and spawns iterative payloads.
• Decentralized infrastructure rotation to avoid takedowns and prolong campaigns.
• Agents with tool access will press identity and transaction controls—raising market and payment system risks.

Defenders must upgrade operations: automated containment, policy-based rollbacks, and anomaly throttling at scale. Actors will blend human creativity with machine persistence, making intent harder to detect and windows for response shorter.

Practical closing: this report urges investment in monitoring model-tool interactions, shared intelligence on agent frameworks, and guardrails by default to future‑proof controls.

Conclusion

, This report’s analysis finds that misuse centers on speeding familiar playbooks: actors scale reconnaissance, content creation, and technical troubleshooting rather than inventing new exploit classes.

Threats and risks rise as barriers fall; organizations must assume more attempts and faster cycles across operations. Research-backed defenses favor layered solutions—multiscanning, sandboxing, and content reconstruction—that catch polymorphic variants more reliably than single-point tools.

Security programs should institutionalize red teaming and governance for model-integrated workflows. Train staff to verify polished content and unusual requests, harden identity and approval paths, and rehearse responses regularly.

Report takeaway: align investments to controls that reduce impact, share intelligence across sectors, and convert these insights into measurable actions this quarter.