Agentic AI coding assistant helped attacker breach, extort 17 distinct organizations
Cybercriminals have started “vibe hacking” with AI’s help, AI startup Anthropic has shared in a report released on Wednesday.
An attacker used the agentic AI coding assistant Claude Code for nearly all steps of a data extortion operation that has targeted at least 17 organizations in a variety of economic sectors.
The attacker provided Claude Code with a CLAUDE.md file that outlined what they expected of the coding assistant and used the AI tool to make tactical and strategic decisions throughout the attack campaign.
“[The CLAUDE.md] file included a cover story claiming network security testing under official support contracts while providing detailed attack methodologies and target prioritization frameworks. This structured approach to victim targeting allowed Claude Code to efficiently standardize attack patterns while maintaining the flexibility to adapt to different organizational structures and security postures. By using this framework, Claude could systematically track compromised credentials, pivot through networks, and optimize extortion strategies based on real-time analysis of stolen data,” the company explained.
“Rather than encrypting systems using traditional ransomware, this actor leveraged the sensitive data Claude Code exfiltrated on their behalf, threatening its public exposure to extort victims into paying. Claude not only performed ‘on-keyboard’ operations but also analyzed exfiltrated financial data to determine appropriate ransom amounts and generated visually alarming HTML ransom notes that were displayed on victim machines by embedding them into the boot process.”
The attacker employed Claude Code on Kali Linux, which served as an attack platform, and used the coding assistant to:
- Perform automated reconnaissance (it searched for vulnerable systems)
- Assist the attacker as they performed network penetration operations (scanned networks, extracted credentials, provided guidance for privilege escalation and lateral movement, etc.)
- Develop malware used in the attacks and imbue it with anti-detection capabilities
- Extract and analyze data from the target organizations, identify sensitive info
- Create customized ransom notes based on the specific exfiltrated data and create multi-tiered extortion strategies for each victim
The company has also identified misuse of Claude Code in a fraudulent employment scheme designed to place North Korean IT workers in companies worldwide, thereby evading international sanctions.
These operators can use the coding assistant to develop believable identities/personas, create resumes and cover letters, help them with coding assessments during the interview process and – once they get a job – to “maintain the illusion of competence daily.”
AI-powered ransomware
In related news, ESET researchers discovered on VirusTotal samples of what seems to be proof-of-concept ransomware that accesses the gpt-oss:20b LLM via the Ollama API, and uses it to generate Lua scripts that will work on Windows, Linux, and macOS systems.
“[The PromptLock ransomware] scans local files, analyzes their content, and – based on predefined text prompts – determines whether to exfiltrate or encrypt the data,” ESET shared.
The code also contains the function to destroy files, though it’s still inactive.
ESET researchers say that they’ve found both Windows and Linux PromptLock variants on VirusTotal. They also pointed out that, at this stage, this malware doesn’t seem to be an active threat.
Still, a future in which generative AI is used for creating or aiding malware is already here.
“Our investigation revealed that a UK-based threat actor (tracked as GTG-5004) has leveraged Claude to develop, market, and distribute ransomware with advanced evasion capabilities,” Anthropic also shared in its report.
“The operation encompasses the development of multiple ransomware variants featuring ChaCha20 encryption, anti-EDR techniques, and Windows internals exploitation.”
AI is super-charging criminals
Security researchers have known for a while that LLMs and genAI solutions have empowered cyber crooks and APT groups.
Anthropic’s report, which also contains other examples of AI misuse, has made it obvious to what extent these tools can be leveraged by those who have very limited technical skills or lack the required language skills.
“Traditional assumptions about the relationship between actor sophistication and attack complexity no longer hold when AI can provide instant expertise,” the company noted.
It also makes it obvious that identifying and preventing such abuse of AI tools is very hard.
The effort is necessary, but it will likely lead to a never-ending arms race that can limit — but never fully prevent — the malicious misuse of AI-powered tools.
(And this is only in reference to publicly available tools. I have no doubt that well-resourced threat actors will eventually develop their own, if they haven’t already.)