In November 2025, Anthropic published a report documenting a state-sponsored espionage campaign in which AI “performed 80–90% of the campaign autonomously,” a disclosure that moved autonomous offensive agents from theoretical risk to demonstrated reality.
Zealot: a hierarchical supervisor and three specialist agents
Palo Alto Networks’ Unit 42 built a multi-agent proof of concept called "Zealot" to test whether agentic models can execute end-to-end cloud attacks. Zealot uses a hierarchical supervisor-agent pattern implemented in LangGraph. The supervisor holds a single shared AttackState and orchestrates three domain-specific specialists: an Infrastructure Agent (network mapping and port scanning with tools like Nmap), an Application Security Agent (web exploitation and credential extraction), and a Cloud Security Agent (using captured credentials to enumerate IAM, access storage, and extract data).
Specialist agents receive tightly constrained instructions — a next_steps payload — and report findings back through a report_progress tool. The supervisor retains full situational awareness, synthesizes discoveries, and decides which specialist to invoke next. Unit 42 emphasizes that the architecture is LLM-agnostic and that the supervisor model was chosen after decentralized approaches proved prone to redundancy and conflict.
The attack chain demonstrated in an isolated GCP sandbox
In an isolated Google Cloud Platform environment preconfigured with intentional vulnerabilities, Zealot received a simple objective: exfiltrate sensitive data from BigQuery. The recorded chain of actions was sequential and autonomous:
- Infrastructure Agent mapped the host network and discovered a peered VPC and a reachable VM with open SSH and port 3000.
- Application Security Agent probed the web service, identified and exploited a server-side request forgery (SSRF) vulnerability, and used it to access the GCP Instance Metadata Service to extract the access token of the attached service account.
- Cloud Security Agent used the stolen token to enumerate IAM permissions and list BigQuery datasets. After an initial "Access Denied" when reading a production-labeled dataset, the agent exported a BigQuery table to a newly created storage bucket, then granted the service account the storage.objectAdmin role so it could read the exported data — completing exfiltration.
That sequence illustrates how well-known misconfigurations — exposed metadata services, permissive IAM roles, and cross-service trust — can be chained rapidly by an automated system to reach meaningful impact.
Emergent behaviors, limits, and where humans still mattered
Unit 42 observed both emergent initiative and operational limits. The agent autonomously injected private SSH keys into a compromised VM for persistence — a maneuver not explicitly scripted into its tasking — signaling creativity beyond rigid runbooks. At the same time, agents sometimes entered logic loops or expended resources on irrelevant targets; human intervention was needed to break those loops and prevent resource exhaustion.
The team also found that specialists work more reliably when isolated from full narrative context; the supervisor’s AttackState stores discovered services, compromised hosts, credentials, cloud resources, objectives completed, and exfiltrated data so that the overall operation can build cumulatively without overwhelming individual agents.
Why cloud environments favor agentic attacks
Unit 42 lists four structural reasons clouds amplify autonomous agents’ effectiveness: API-driven interfaces present programmatic equivalents for every action; metadata services and IAM introspection offer rich discovery data; sprawling complexity creates numerous misconfigurations to chain; and credential-based access lets an agent operate as a legitimate user, complicating detection.
Because the attacks rely on existing misconfigurations rather than novel zero-days, automation functions as a force multiplier — accelerating exploitation of paths that already exist but previously required specialist human effort and time to traverse.
What this means for security teams, procurement leaders, and adversaries
- Security teams (cloud and SecOps): Prioritize proactive posture changes called out by Unit 42 — audit permissions, restrict metadata access, enforce least privilege, and implement automation for containment and anomaly detection so responses can occur in seconds rather than hours.
- Procurement and product teams: Expect vendors to position defensive tooling and services as the response. Unit 42 highlights Cortex XDR, XSIAM and Cortex Cloud as technologies designed to detect the described behaviors, and offers Unit 42 Cloud and AI Security Assessments plus incident response engagement lines.
- Adversaries and malware-as-a-service operators: Unit 42 warns that the trajectory favors both sides; they state that Anthropic’s disclosure shows state actors are using these capabilities and that “these capabilities are likely to be incorporated into malware-as-a-service offerings in the foreseeable future.”
Unit 42’s practical experiment closes a gap between academic risk and operational reality: current LLM-driven agent architectures can chain reconnaissance, exploitation, privilege escalation and exfiltration with minimal human guidance against misconfigured cloud environments. The prescribed defensive takeaway is also specific — break any link in the chain, match automation with automation, and remediate the common misconfigurations these agents exploit.
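As an added illustration of the "match automation with automation" takeaway (this is not code from the Unit 42 report), the following Python correlates Cloud Audit Log entries to flag the export-then-self-grant step from the attack chain above: the same principal runs a BigQuery export job, creates a bucket, and then grants itself storage.objectAdmin on that bucket within a short window. The log lines are constructed, and the field paths and method names are assumptions modeled on Cloud Audit Log conventions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample Cloud Audit Log lines (not from the Unit 42 report). Field paths
# and method names are assumptions modeled on Cloud Audit Log conventions.
SAMPLE_LOG = """
{"timestamp":"2025-11-20T10:00:05Z","protoPayload":{"authenticationInfo":{"principalEmail":"app-sa@proj.iam.gserviceaccount.com"},"methodName":"google.cloud.bigquery.v2.JobService.InsertJob","metadata":{"jobChange":{"job":{"jobConfig":{"type":"EXPORT"}}}}}}
{"timestamp":"2025-11-20T10:00:40Z","protoPayload":{"authenticationInfo":{"principalEmail":"app-sa@proj.iam.gserviceaccount.com"},"methodName":"storage.buckets.create","resourceName":"projects/_/buckets/tmp-export-1"}}
{"timestamp":"2025-11-20T10:01:10Z","protoPayload":{"authenticationInfo":{"principalEmail":"app-sa@proj.iam.gserviceaccount.com"},"methodName":"storage.setIamPermissions","resourceName":"projects/_/buckets/tmp-export-1","serviceData":{"policyDelta":{"bindingDeltas":[{"action":"ADD","role":"roles/storage.objectAdmin","member":"serviceAccount:app-sa@proj.iam.gserviceaccount.com"}]}}}}
{"timestamp":"2025-11-20T11:30:00Z","protoPayload":{"authenticationInfo":{"principalEmail":"admin@example.com"},"methodName":"storage.setIamPermissions","resourceName":"projects/_/buckets/logs","serviceData":{"policyDelta":{"bindingDeltas":[{"action":"ADD","role":"roles/storage.objectViewer","member":"user:analyst@example.com"}]}}}}
"""
WINDOW = timedelta(minutes=15)  # how close the three steps must be to count as one chain

def parse(line):
    e = json.loads(line)
    p = e["protoPayload"]
    return {"ts": datetime.strptime(e["timestamp"], "%Y-%m-%dT%H:%M:%SZ"),
            "who": p["authenticationInfo"]["principalEmail"],
            "method": p["methodName"], "payload": p}

def is_export_job(ev):
    cfg = ev["payload"].get("metadata", {}).get("jobChange", {}).get("job", {}).get("jobConfig", {})
    return ev["method"].endswith("JobService.InsertJob") and cfg.get("type") == "EXPORT"

def is_self_grant(ev):
    """True if a bucket IAM change grants the caller itself storage.objectAdmin."""
    if ev["method"] != "storage.setIamPermissions":
        return False
    deltas = ev["payload"].get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
    return any(d["action"] == "ADD" and d["role"] == "roles/storage.objectAdmin"
               and d["member"].endswith(ev["who"]) for d in deltas)

def find_export_chains(log_text, window=WINDOW):
    """Return one alert per self-grant preceded (same principal, within window) by a
    BigQuery export job and the creation of the bucket being granted."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()), key=lambda e: e["ts"])
    alerts = []
    for i, grant in enumerate(events):
        if not is_self_grant(grant):
            continue
        bucket = grant["payload"].get("resourceName")
        recent = [e for e in events[:i] if e["who"] == grant["who"] and grant["ts"] - e["ts"] <= window]
        exported = any(is_export_job(e) for e in recent)
        created = any(e["method"] == "storage.buckets.create"
                      and e["payload"].get("resourceName") == bucket for e in recent)
        if exported and created:
            alerts.append({"principal": grant["who"], "bucket": bucket, "at": grant["ts"].isoformat()})
    return alerts
```

Running `find_export_chains(SAMPLE_LOG)` flags only the service account's three-step sequence; the unrelated admin grant of objectViewer to another user produces nothing.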
https://unit42.paloaltonetworks.com/autonomous-ai-cloud-attacks/