1. Executive summary
For a decade, the cyber threat narrative has been one of escalating sophistication. Over the past twelve months, it has become one of escalating speed. Across reporting from Google [1], Microsoft [2], CrowdStrike [3], Mandiant [4], Anthropic [5] and OpenAI [6], a consistent picture has emerged: artificial intelligence is not fundamentally changing what adversaries can do. Instead, it is letting them execute existing tactics faster, at greater scale, and with fewer skilled people.
Those closest to the threat data agree that AI has not been the direct cause of breaches — most intrusions still begin with the same phishing, credential abuse and unpatched systems as before. What has changed is the economics of offense. AI lowers the cost of producing convincing content, accelerates coding and troubleshooting, and lets a single operator run more campaigns in parallel. The result is a measurable compression of the attack timeline that puts pressure on every downstream defensive process.
At the same time, a smaller but significant set of cases points to where the threat is heading: malware that queries large language models mid-execution, and AI agents that carry out multi-stage intrusions with only occasional human steering. These cases are uncommon, but they mark the trajectory.
What this report covers
- Recent attack data on breakout speed, AI-enabled operations and the rise of fraudulent IT-worker schemes.
- How AI is accelerating each phase of the attack lifecycle — reconnaissance, social engineering, malware development, execution and post-compromise — illustrated with documented, actor-attributed examples from 2025–2026.
- Where this is heading: the shift from AI as an adviser to AI as an operator, seen in runtime-LLM malware and the first reported AI-orchestrated espionage campaign.
- How a modern Threat Intelligence Platform turns this picture into action by closing the gap between knowing and acting.
2. From sophistication to speed
The clearest signal of how intrusion has changed is breakout time — the interval between an attacker gaining initial access and moving laterally to a second system. According to CrowdStrike, in 2025 the average attacker breakout time fell to 29 minutes, with the fastest recorded case measured at 27 seconds [3]. Over the same period, the volume of operations attributed to AI-enabled adversaries rose by 89% year-on-year, and the median time for an initial-access actor to hand a foothold to a follow-on group collapsed to 22 seconds.
None of this means AI is breaching networks on its own. It means the humans operating these campaigns are now equipped with tools that remove friction at every step. The defensive implication is structural rather than tactical: any process that assumes hours of dwell time before damage occurs — manual triage, business-hours escalation, batch alert review — is now operating on the wrong clock.

3. AI across the attack lifecycle
The most useful way to understand AI-enabled threat activity is not actor by actor, but phase by phase. The same handful of capabilities — generation, acceleration, automation — reappear at every stage of an intrusion. The examples below are drawn from documented 2025–2026 reporting in which a named actor was observed using a specific AI tool.
Phase 1 · Reconnaissance — industrialized target research
Reconnaissance is the most documented use of AI by threat actors, because it is the lowest-risk and highest-leverage. Google's Threat Intelligence Group reported several state-backed groups using Gemini to accelerate this phase [4]. A North Korean actor (tracked as UNC2970) synthesized open-source intelligence to profile high-value targets at cybersecurity and defense companies, mapping technical roles and salary information. An Iranian actor (APT42) used the same tool to research targets and build credible personas from their biographies. And a Chinese actor (APT31) prompted Gemini with an expert-researcher persona to automate vulnerability analysis against Western targets.
In each case the activity is not novel in kind — it is reconnaissance that a skilled analyst could have done manually. What AI changes is throughput: more targets profiled, in more languages, in less time.
Phase 2 · Social engineering — cheaper, faster, more convincing
This is where AI’s impact is most visible. The economics of producing a convincing lure have collapsed: fluent multilingual phishing, fabricated personas and synthetic media are now within reach of even unsophisticated actors. OpenAI reported a China-aligned cluster using ChatGPT to generate phishing content in English, Chinese and Japanese [6]. Microsoft documented the North Korean IT-worker operation it tracks as Jasper Sleet using generative AI to build culturally consistent identities and face-swapping tools to place operatives’ images into stolen identity documents [7].
The fraudulent IT-worker scheme is the most operationally mature example of AI-enabled social engineering. UN reporting found that the scheme generates between $250 million and $600 million per year in fraudulent salaries across some 40 countries [8]. AI did not create that revenue stream, but it is increasingly the means by which operators sustain and scale it — moving persona support from an experimental capability to an industrialized component of a mature operation.

Phase 3 · Malware development — a co-pilot for adversaries
AI is widely used to write, debug and obfuscate code. GTIG observed a Chinese actor (APT41) using Gemini for C++ and Golang development — including support for a command-and-control framework the actor called OSSTUN — and for code obfuscation [9]. Separately, an Iranian actor (MuddyWater) posed as a student to coax Gemini into helping develop custom malware. This is further evidence that well-resourced actors have moved from generic experimentation to documented support for intrusion-enabling tooling.
The effect is not that skilled developers become unnecessary, but that they work faster and hand less to junior operators. Notably, several vendors identified AI-assisted code by its tell-tale residue — conversational in-line comments and emoji status markers left in malware samples.

Phase 4 · Execution — malware that thinks at runtime
One of the clearest escalations in 2025 was malware engineered to consult a large language model during execution. GTIG reported that the Russian actor APT28 deployed PROMPTSTEAL (also tracked as LAMEHUG) against Ukraine — its first observation of malware querying an LLM in live operations [9]. Rather than hard-coding its commands, PROMPTSTEAL asks a model to generate them on the fly. Mandiant’s M-Trends 2026 confirmed the pattern, noting the QUIETVAULT credential stealer checked infected systems for local AI command-line tools to run prompts that hunt for further secrets [4].
This is distinct from other examples because it places AI-driven decision-making inside the victim environment, not just on adversary infrastructure. It also creates a new, detectable signal: malware reaching out to an LLM API mid-operation.

Phase 5 · Post-compromise — the rise of agentic operations
The furthest-reaching cases involve AI not as an adviser but as an operator. Anthropic reported disrupting what it described as the first AI-orchestrated cyber-espionage campaign [10], tracked as GTG-1002 and assessed with high confidence to be Chinese state-sponsored. According to Anthropic, the actor manipulated its Claude Code tool into attempting intrusions against roughly thirty global targets, with the AI performing the majority of the work and humans intervening at only a handful of decision points. Anthropic also documented a separate “vibe hacking” extortion operation in which an AI agent automated reconnaissance, intrusion and even the calculation of ransom demands.
It is worth noting that the most dramatic of these claims — the degree of autonomy in GTG-1002 — has been questioned by some independent researchers, and detailed indicators have not been widely published. The verifiable point stands regardless: adversaries are actively wiring AI agents into offensive tooling, and the same patterns enterprises use to automate work can be turned against them.

4. The second-order effects: Pressure on defenders
Not all of AI's impact runs through the attacker. As AI-assisted vulnerability discovery becomes routine among security researchers and vendors, the volume of newly disclosed vulnerabilities — and the patches that follow — is rising sharply. This is, in principle, a defensive gain: flaws are being found and fixed faster than ever. But it lands hardest on the organizations least able to absorb it. Those that already struggled to keep systems current now face a patch velocity they cannot match, leaving a widening gap between what is known to be vulnerable and what has actually been remediated. The result is a double burden on IT and security teams, who must simultaneously test and deploy an accelerating stream of updates while fending off the faster attacks described above.
A second pressure comes from AI adoption itself. As organizations embed AI into their operations, they pull in a wide range of new dependencies from across their supply chain — models, libraries, plugins and connectors that few teams fully vet. These components are emerging as an attack vector in their own right: a fresh and fast-growing surface for malware and compromise, expanding precisely as defenders are already stretched.
5. Closing the gap: From intelligence to action
One factor underlies every example in this report: time. AI has not rewritten the adversarial playbook so much as accelerated it, letting familiar tactics move at unfamiliar speed. The defensive challenge, therefore, is not simply to know more — it is to act on what is known before the window closes.
This is precisely the gap a modern Threat Intelligence Platform is built to close. Three capabilities matter most in an AI-accelerated environment:
- Speed of operationalization. Intelligence is only useful if it reaches detection and response tooling faster than the adversary can iterate. A TIP that shortens the path from new indicator to deployed detection turns a sub-30-minute breakout window from a liability into a manageable target.
- Relevance through prioritization. In an AI-accelerated environment, technique outpaces attribution. A TIP that prioritizes AI-enabled techniques over attribution lets teams focus on the behaviors that shorten time-to-impact for them, rather than on who is behind them.
- Visibility of the new signals. Runtime-LLM malware, agentic tooling and synthetic-media lures all generate detectable artifacts. A TIP that incorporates these emerging indicators ensures defenders are looking for the threats of 2026, not those of 2023.
The organizations that fare best in this environment will be those that handle intelligence as an operational input rather than a reading exercise — wiring it directly into the controls and workflows that need to keep pace with a faster adversary.
6. Conclusion
The evidence from the past year supports a measured conclusion. AI has not yet handed adversaries a fundamentally new class of attack, and the threat-intelligence community is broadly aligned that intrusion fundamentals still decide most outcomes. But AI has decisively changed the economics of offense — compressing timelines, lowering barriers and scaling what once required scarce expertise.
Crucially, this is not a story of defenders falling behind. The same tools are available to both sides: the rapid code generation, automated triage and large-scale data processing that speed up attackers are compressing blue-team timelines too — in detection engineering, alert handling and incident summarization. The net effect on the offense–defense balance remains unresolved, and this report does not claim otherwise. What it does suggest is that the defensive advantage lies not in acquiring new capabilities but in tuning existing ones to the tempo of today's threat.
For security leaders, the strategic question is therefore no longer whether a given actor uses AI. It is where AI changes how fast that actor can reach impact — and whether the organization’s detection, response and intelligence functions are built for that timeline. The arms race is real. What organizations can control is the gap between knowing and acting — and on the evidence of 2025–26, that gap, not any single adversary capability, is what determines outcomes.
7. References
- Google Threat Intelligence Group (2025) GTIG AI Threat Tracker: Advances in Threat Actor Usage of AI Tools. Available at: https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools (Accessed: 22 June 2026).
- Microsoft Threat Intelligence (2026) AI as tradecraft: How threat actors operationalize AI. Available at: https://www.microsoft.com/en-us/security/blog/2026/03/06/ai-as-tradecraft-how-threat-actors-operationalize-ai/ (Accessed: 22 June 2026).
- CrowdStrike (2026) 2026 Global Threat Report. Available at: https://www.crowdstrike.com/en-us/global-threat-report/ (Accessed: 22 June 2026).
- Mandiant (2026) M-Trends 2026: Data, Insights, and Strategies From the Frontlines. Available at: https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2026 (Accessed: 22 June 2026).
- Anthropic (2025) Threat Intelligence Report: August 2025. Available at: https://www.anthropic.com/news/detecting-countering-misuse-aug-2025 (Accessed: 22 June 2026).
- OpenAI (2025) Disrupting malicious uses of AI: October 2025. Available at: https://openai.com/global-affairs/disrupting-malicious-uses-of-ai-october-2025/ (Accessed: 22 June 2026).
- Microsoft Threat Intelligence (2025) Jasper Sleet: North Korean remote IT workers’ evolving tactics to infiltrate organizations. Available at: https://www.microsoft.com/en-us/security/blog/2025/06/30/jasper-sleet-north-korean-remote-it-workers-evolving-tactics-to-infiltrate-organizations/ (Accessed: 22 June 2026).
- United Nations Security Council (2024) Final report of the Panel of Experts submitted pursuant to resolution 2680 (2023)(S/2024/215). Available at: https://undocs.org/S/2024/215 (Accessed: 22 June 2026).
- Google Threat Intelligence Group (2026) GTIG AI Threat Tracker: Distillation, Experimentation, and (Continued) Integration of AI for Adversarial Use. Available at: https://cloud.google.com/blog/topics/threat-intelligence/distillation-experimentation-integration-ai-adversarial-use (Accessed: 22 June 2026).
- Anthropic (2025) Disrupting the first reported AI-orchestrated cyber espionage campaign. Available at: https://www.anthropic.com/news/disrupting-AI-espionage (Accessed: 22 June 2026).
- Palo Alto Networks Unit 42 (2025) 2025 Global Incident Response Report. Available at: https://www.paloaltonetworks.com/resources/research/unit-42-incident-response-report-2025 (Accessed: 22 June 2026).

