"AI has moved 'closer into the heart of the offensive workflow,'" ReliaQuest reports — and the change is measurable: cheaper attacks, faster scaling, easier customization and subtler tradecraft that slips past the telltale signs defenders have relied on for years.
Two roles for AI in intrusions, according to ReliaQuest
ReliaQuest’s monitoring of the cybercrime underground over the past two years found AI appearing in two distinct capacities. First, it is "embedded in the attack workflow": attackers have used AI to generate phishing pages, build web shells and credential harvesters, pad code to frustrate static analysis, and "improve the fluency of social-engineering content." Second, AI itself is the bait: demand for AI tools and trust in AI brands are being weaponized to get users to install malicious extensions, run commands, or follow fake setup steps that appear routine enough to pass initial scrutiny.
Six concrete ways AI is being applied in attacks
- Phishing at industrial scale: AI lowers the barrier to entry by enabling mass generation of phishing pages and lures so campaigns can be launched, adjusted and repeated at speed.
- Malicious tools produced faster: Key components such as web shells and credential harvesters are generated more quickly, and attackers can "vary or pad code to frustrate static analysis."
- Social engineering polish: AI erases the typos, awkward phrasing, poor grammar and clumsy design that once were telltale signs of phishing.
- Identity fabrication: ReliaQuest highlights North Korean worker fraud as an example made easier to scale and harder to spot, aided by rapid development of fake profiles and convincing deepfakes for meetings and interviews.
- Initial‑access acceleration: AI-generated obfuscation appears in ClickFix attacks and AI-assisted pages in device-code phishing campaigns, moving targets from "interaction to compromise."
- AI‑branded tools as the lure: Attackers disguise malicious installation commands or extensions as downloads for known-branded AI tools; the report cites examples such as downloads for Claude or other branded tools being mimicked to trick users.
AI treated as operational infrastructure
ReliaQuest stresses that threat actors do not see AI as a novelty but as a component of their infrastructure: "something to buy, tune and slot into existing workflows." Their operational calculus focuses on balancing efficiency with reliability and cost: AI makes certain tasks cheaper and faster, but attackers still weigh tradeoffs to maintain dependable access and outcomes.
Action plan for CISOs
The report is explicit that defenders do not need a wholesale, AI-only strategy, but they must adapt to faster, more automated attacks. ReliaQuest recommends that CISOs and security teams take concrete steps:
- Use behavioral detection across endpoint, identity, network and cloud — especially after access is granted.
- Automate containment to keep pace with machine-speed attacks.
- Retrain users on the full range of what AI can fake (for example, voice, video, profile photos and polished text) and require out-of-band verification for sensitive requests such as installs, approvals and payments.
- Invest in threat research to track the volume and timing patterns that AI‑scaled campaigns create.
- Use external threat intelligence to spot AI‑enabled tradecraft before it reaches the environment and route it to the right teams.
As the report puts it: "Security teams don’t need a new strategy built around AI as a category," but they do need "strong fundamentals, defense-in-depth, and AI and automation wherever operationally possible to match the new pace."
What this means for CISOs, end users, and adversaries
- CISOs: Must prioritize detection that watches behavior across endpoints, identity, network and cloud; automate containment workflows; and funnel external threat intelligence and focused threat research into operational teams to identify AI‑scaled campaign patterns.
- End users: Need retraining on how AI can fake voice, video, profile photos and text; organizations should enforce out-of‑band verification for installs, approvals and payments to blunt AI‑branded lures.
- Adversaries: From ShinyHunters to North Korean hackers, actors are already using AI to scale phishing, produce malicious tooling faster, fabricate identities and exploit trust in AI brands — consistently enabling "these operators to achieve more, faster, with less effort," the report says.
ReliaQuest’s findings pose a specific, practical challenge: AI is changing the tempo and tooling of intrusions without rewriting the playbook. That convergence (machine‑speed scaling of familiar techniques, fused with polished deception and AI‑branded bait) leaves defenders with a clear directive taken straight from the report: solid fundamentals, layered defenses and automation must be aligned to move at machine speed, too.
https://www.infosecurity-magazine.com/news/ai-attacks-cheaper-faster-covert/




