AI has been part of offensive operations for a while, mostly before the attack itself: drafting lures, refactoring malware, and hardening obfuscation. What we are observing now is an expansion of that use deeper into the attack lifecycle. It is compressing the reconnaissance and initial-gathering phase, where target research and attack planning that once cost operators real manual effort are increasingly handed to a model, and it is moving into the intrusion itself, where operators react to the environment they actually land in rather than working from a fixed playbook. Once inside, they generate enumeration and credential-theft scripts on the spot, tuned to the hosts and tools in front of them, and a smaller class of malware now queries a remote model at runtime to produce its own offensive logic per host. The tradecraft underneath is unchanged from the pre-AI era, credential theft, lateral movement, persistence, and social engineering; what has shifted is how fast and how cheaply it runs, and how readily it adapts across the operation. This article previews the central findings of our full intelligence report on the weaponization of AI across the attack lifecycle.

Main Takeaways

• Defensive maturity now determines exposure. The defining shift is economic, not technical, and the gap between organizations with mature foundational controls and those without is highly likely (75-85%) to widen over the next 12 to 18 months.
• State actors and criminals have both industrialized AI. Clusters across the DPRK, Russia, Iran, and China have almost certainly (85-100%) operationalized public LLMs across six functions, and cybercriminals have almost certainly (85-100%) integrated AI across the fraud lifecycle, with EUR 322 million in deepfake-fraud losses in Q2 2025 alone.
• AI is moving into the intrusion itself. Operators generate scripts mid-intrusion to fit the host they land on, and the multiple malware families now calling an LLM at runtime are almost certainly (85-100%) going to grow over the next 12 months as proof-of-concept families mature.
• A “dark LLM” market raises the floor, not the ceiling. Commoditized dark-LLM and deepfake-as-a-service offerings are highly likely (75-85%) lifting baseline criminal capability without extending what skilled actors can already do.

The Economic Shift Is Outrunning Programs Built on Pre-AI Cost Assumptions

The underlying tradecraft has not changed: credential theft, lateral movement, persistence, and social engineering. What has changed is the cost and speed of producing it. Independent developers are scaffolding NFC-relay fraud malware outside established criminal ecosystems using uncensored local LLMs, and single operators are now running campaigns at a volume that once required a team.

The same compression is visible in fraud, where AI adds believability and scale rather than novelty. Deepfake-enabled impersonation sits behind losses on the order of the Arup case (EUR 23 million, equivalent to the widely reported HKD 200 million or roughly USD 25 million, in a single incident). The aggregate effect on attacker-generated content is highly likely (75-85%) to degrade linguistic origin as a detection and attribution signal.

The strategic point is that the threat is not waiting for new attack vectors; the rate of execution is what has changed. Organizations with mature foundational controls retain a workable posture, and because this shift is driven by cost rather than target selection, geography offers little protection. The question for a European defender is not whether these techniques are aimed at the region, but whether current controls hold against a higher volume of attempts, run faster and more cheaply than before.

AI Is Becoming an Active Component of the Intrusion

Most AI use by both criminal and state actors still sits before deployment, in refactoring, obfuscation, and lure drafting, with no AI dependency in the running malware. The development worth watching is the movement of AI into the intrusion itself. It shows up first on the operator’s side: in observed cases, attackers generated credential-theft and enumeration scripts mid-intrusion, tuned to the hosts and tools they found once inside, turning script authoring from a pre-campaign step into a live capability.

A smaller class of malware now takes the next step and queries a model at runtime to generate its own logic, with the clearest published example to date set out in the full report. This runtime-integrated class is still small, but it is almost certainly (85-100%) going to grow over the next 12 months as proof-of-concept families mature into operational use. The pattern carries three distinct consequences for defenders, changing where detection has to happen, where the operator is now exposed, and what counts as an indicator of compromise. We set out all three, and what to do about each, in the full report.

For a security leader, the question this forces is whether detection and response were built for this tempo. When operators adapt mid-intrusion and payloads rewrite their own commands on every run, controls tuned to fixed signatures and pre-AI dwell times are defending against behavior they were not designed to see.

Read the Full Report

This article covers only the headline findings. Our full intelligence report provides the underlying evidence and the operational detail that defenders, security leaders, and risk owners need to act on:

• The six operational AI functions observed across DPRK, Russian, Iranian, and Chinese state-aligned ecosystems, with named malware families, threat actor attribution, and country-by-country adoption profiles.
• The five fraud-lifecycle functions across cybercriminal operations, including the full Arup CFO case, deepfake-as-a-service pricing, AI-coached call-center architectures, and ransomware negotiation chatbots.
• The compression of the vulnerability disclosure-to-exploit window, the first publicly documented AI-assisted zero-day, and the PSOA market shift.
• The structure of the underground “dark LLM” market, with pricing, subscriber estimates, and the structural dependencies on commercial AI providers.
• Defender prioritization for 2026, including foundational controls and the three AI-specific mitigations detailed against the threat patterns they address.

Download the full intelligence report to get the complete operational picture, sourcing, and confidence-rated assessments