LLMjacking Has Evolved Into Automated Attack Infrastructure

This is the story that matters most for AI tool operators and developers.
Sysdig researchers found threat actors using a misconfigured Ollama model server as the reasoning engine for a multi-stage offensive security tool called the VAPT framework. This is not someone reselling stolen API access or running crypto miners. The attacker wired the hijacked AI compute directly into a software pipeline that scans targets, matches them to known vulnerabilities, writes proof-of-concept exploits, and attempts to break into victim environments — with the model making decisions at every step.
That is a qualitative shift in what LLMjacking means. Previously, the risk was financial: stolen credentials run up your cloud bill. Now the risk is operational: your compute becomes the attacker’s reasoning engine for targeting other organizations.
If you are running any self-hosted model server, misconfigured access controls are no longer just a cost problem. They are an infrastructure liability.
Prompt Injection Is a Structural Problem, Not a Configuration Bug
New academic research has put a precise name to something the AI security community has been circling for years: role confusion.
The core finding is that large language models perceive the source of text by how it sounds, not by its labeled role. A command injected into a web page or tool output can hijack an AI agent simply because it reads like user input, regardless of how it is technically labeled in the prompt structure.
The researchers demonstrated an attack called CoT Forgery, which injects fabricated reasoning into user prompts and tool outputs. The model mistakes the forged reasoning for its own internal thinking and acts on it. Against frontier models, this attack achieved a 60% success rate.
That number is significant. It means that in agentic workflows where AI tools browse the web, read documents, or process external data, more than half of well-crafted injection attempts succeed against the best available models. Any AI agent that touches untrusted external content is exposed to this class of attack by design, not by misconfiguration.
BlueHammer: A Zero-Day That Went From Disclosure to Ransomware Fast
CISA confirmed that BlueHammer, tracked as CVE-2026-33825, was exploited in active ransomware attacks. The vulnerability affects Microsoft Defender and was first disclosed as a zero-day by an anonymous researcher in April 2026.
The patch exists. The exploitation happened anyway.
This follows a pattern that repeats every quarter: a high-visibility security tool becomes the attack surface. Microsoft Defender is trusted precisely because it sits deep in the system. That trust is what makes a flaw in it so valuable to ransomware operators. The identity of the ransomware group behind the BlueHammer exploitation has not been confirmed at the time of writing.
Fake INTERPOL Emails Are Delivering Custom Ransomware
A phishing campaign documented by Bitdefender is targeting small businesses across Europe, Asia, the Middle East, and the United States with emails impersonating law enforcement officials.
The emails claim to contain evidence of suspicious company activity and pressure recipients into opening a password-protected archive hosted on Proton Drive. The archive delivers a custom ransomware payload that does not match any known ransomware family.
What makes this campaign operationally interesting is the absence of a fixed ransom demand. Victims are directed to contact attackers through a Tox chat channel, where ransom negotiations begin only after the victim makes contact. This allows the threat actors to size the ransom based on the organization’s perceived ability to pay.
The use of Proton Drive for hosting and Tox for negotiation reflects deliberate choices to avoid infrastructure that triggers standard detection. The social engineering angle — law enforcement authority, urgency, password-protected files — is designed to bypass both technical filters and human skepticism simultaneously.
Claude Cowork Sandbox Escape: When “Not a Security Issue” Is Still a Risk
Armadin researchers disclosed an attack chain affecting Claude Cowork on Windows that allows an attacker with local code execution to run arbitrary commands as root inside Claude Cowork’s sandbox, with no network egress restrictions.
The exploit plants a malicious file in Claude Desktop’s application directory, hijacking a trusted process to communicate with the underlying VM service. Two unvalidated parameters in the service interface allow the attacker to bypass network filtering and exfiltrate data to attacker-controlled infrastructure.
Anthropic’s response was that exploitation requires pre-existing local code execution on the host, and therefore does not constitute a security issue on their end. That framing is technically defensible but practically narrow. In enterprise environments where AI coding tools run alongside other software, local code execution is not a rare precondition. It is a realistic starting point for lateral movement.
Platform-Aware Phishing Is Replacing Spray-and-Pray
Cofense documented a meaningful shift in phishing campaign architecture. Threat actors are now fingerprinting victims through User-Agent data and delivering different payloads depending on the operating system.
Windows users receive Itarian RAT or ConnectWise via Ninite Loader. macOS and Android users receive credential harvesting pages. The same phishing URL serves different attacks to different devices.
This matters for AI tool security specifically because enterprise AI deployments increasingly span multiple platforms. A phishing link that looks harmless on one device may be actively malicious on another. Detection and response workflows built around Windows-centric assumptions miss this entirely.
Millenium RAT Hits 62,000 Devices — and Targets Other Criminals Too
Group-IB documented that Millenium RAT 4.x, a Telegram-based remote access trojan offered as malware-as-a-service, has infected over 62,000 devices. The malware captures screenshots, logs keystrokes, records audio, exfiltrates browser data, and runs arbitrary executables.
The operational detail worth noting: the threat actor cluster behind active campaigns, codenamed Y2K Operators, also backdoors other RATs, builders, and exploit kits before redistributing them. Attackers downloading tools from underground markets are getting infected by the same infrastructure they intended to use offensively.
Opera’s Paste Protect Addresses a Real and Growing Attack Vector
ClickFix attacks — which trick users into pasting malicious commands into terminals — accounted for over 53% of all malware loader activity in 2025 according to Huntress. ReliaQuest data through May 2026 shows the technique remained dominant and expanded to macOS.
Opera’s new Paste Protect feature detects when a website attempts to replace clipboard content or plant malicious commands, and warns users before execution. The feature addresses a social engineering vector that bypasses most traditional endpoint controls because it uses legitimate system functionality.
The broader point is that clipboard-based attacks succeed because they exploit trust in familiar actions. Pasting something you copied feels safe. That assumption is now a documented attack surface.
What This Week Actually Tells You
The through-line across every story this week is the same: attackers are not breaking through walls. They are walking through gaps that were already there.
A misconfigured model server. An unvalidated parameter. A trusted process that can be hijacked. A clipboard action that feels routine. A browser extension that looks legitimate. A phishing email that sounds official.
For anyone building with AI tools or deploying them in production, the practical takeaway is this: your AI infrastructure needs the same threat modeling as your application infrastructure. Exposed model servers, agentic workflows that process external content, and AI tools with broad system permissions are not just productivity assets. They are attack surfaces.
The attackers have already figured that out. The question is whether your security posture has caught up.
Comments (0) No comments yet
Want to join this discussion? Login or Register.
No comments yet. Be the first to share your thoughts!