AI, once relegated to helping hackers with certain tasks, can now power every stage of a cyberattack

Yuichiro Chino/Getty Images

Researchers determined that AI was used in steps across entire cyber operations to identify security flaws, generate commands and carry out parts of intrusions, sometimes with little human oversight. Both U.S. and Chinese AI models have been involved.

Just two years ago, hackers were tapping into generative artificial intelligence to probe targets, translate technical material and troubleshoot malicious code. The technology sped up some key parts of a cyber operation, but other stages remained solely in human hands.

That line is now beginning to blur. In a range of cyberattacks observed over the past year, AI systems generated commands, tested vulnerabilities and helped hackers move through victim networks, sometimes carrying out thousands of commands with less human direction than researchers had previously seen, according to research released Monday night by cybersecurity firm Check Point.

It means AI has now been used in some form at every stage of a cyberattack, from identifying targets to exploiting vulnerabilities to stealing data, to help hackers achieve their goals.

The shift does not yet amount to fully autonomous hacking, a top company executive told Nextgov/FCW, but it shows that AI is moving from an occasional aid to an extra set of hands throughout the entirety of an intrusion process. The findings also highlight how rapidly the global cyber ecosystem has adopted AI, with the technology now embedded across every part of an offensive operation rather than confined to isolated tasks.

“We watched criminal groups breach government agencies at scale, using AI as the primary operator rather than a background assistant,” the Check Point report says. In most cases, the AI model’s role was revealed by the attacker’s own mistakes or monitoring by the AI provider, rather than tools or safeguards deployed by the victim organization.

For these AI-enabled pursuits, hackers have used open-source models and purpose-built malicious AI tools sold on the dark web, but major commercial providers remain their primary choice, company threat intelligence lead Sergey Shykevich said in an interview.

The research points to the Gentlemen ransomware group as one instance of how AI is being folded into routine criminal operations. Members compared mainstream commercial models based largely on which imposed the fewest restrictions and used AI to help build internal tools, including a management platform developed in three days.

The findings also highlight VoidLink — a sophisticated toolkit for remotely controlling infected computers — that researchers initially believed had taken a team several months to build. Check Point later found that a single developer produced roughly 88,000 lines of working code in under a week using a commercial AI coding tool. 

Hackers tend to first choose U.S. AI models like ChatGPT or Claude because their responses are generally considered higher-quality, but they have a tougher time exploiting those families of models because of stronger guardrails designed to prevent malicious use of the tools, Shykevich said. When those attempts fail, they then pivot to Chinese-made AI platforms that have lower guardrails. 

“They are trying to jailbreak those [Western] models, but when they are not successful, they just go to DeepSeek, Qwen and Trae,” he said, referring to a trio of AI models and platforms originating in China. Qwen is a suite of AI and large language models developed by Alibaba, while Trae is an AI-backed code editor and programming platform built by ByteDance. Ransomware gangs have been heavily leaning on those Chinese models to help generate code for their exploits, he noted.

Chinese AI models have recently grown more capable and widely used for coding tasks. Beijing has discussed restricting overseas access to some advanced models, underscoring their growing national security value and their appeal to cybercriminals seeking tools to help with their exploits.

When asked how these new dynamics involve targeting U.S. government and critical infrastructure organizations, Shykevich said there are certainly higher and faster levels of exploitation attempts, though he assessed that’s due to a combination of AI-enabled speed and geopolitical tensions. 

He said that, in an ideal world, security flaws should now be patched within several hours of discovery, though he immediately acknowledged that would be next to impossible. The Cybersecurity and Infrastructure Security Agency recently revamped its remediation timeline guidance, ranging from three days for the highest-risk flaws to 60 days for lower-priority issues. 

The move is part of CISA’s response “to the current threat landscape where AI software services can assist threat actors to find and exploit vulnerabilities,” the agency said last month.

The findings come as the latest tranche of frontier AI models is showing sharp gains in their ability to perform cybersecurity tasks. OpenAI last week released GPT-5.6, which it called its strongest cybersecurity model yet, reporting substantial gains over its predecessor on benchmarks testing exploit development and proof-of-concept generation.

The Trump administration, meanwhile, has given the National Security Agency, CISA and other federal officials until Aug. 1 to develop a classified process for benchmarking the advanced cyber capabilities of frontier AI models and determining which systems need additional government scrutiny.

“The most significant shift this report documents is not a new technique. It is pace,” the Check Point report says. “A vulnerability now becomes a working exploit within hours of disclosure. Phishing campaigns run at a quality and volume no human team could match. Intrusions span dozens of targets simultaneously, with AI handling the operational work between check-ins. Security teams working at human speed cannot match that cadence.”

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.