Chinese group carries out first large-scale AI cyber attack ‘without substantial human intervention’

Artificial intelligence (AI) is evolving toward ever higher levels of autonomy. Autonomy is the defining feature of agents: models that not only answer requests but can also plan and execute tasks on the user’s behalf. This capability has not escaped malicious actors, who use it to build sophisticated, large-scale, low-cost attack campaigns. Anthropic, an American AI research and development company founded by former members of OpenAI (its CEO is Dario Amodei), has detected what it considers to be “the first documented case of a large-scale cyberattack executed without substantial human intervention”, which it attributes to a “Chinese state-sponsored” group, according to a newly published report.

The attack, described as “unprecedented”, was reported in mid-September. “We detected suspicious activity that further investigation determined to be a highly sophisticated espionage campaign. The attackers exploited the agentic capabilities of artificial intelligence not only as a consultancy tool, but to carry out the cyber attacks themselves.”

The actor, which Anthropic identifies “with great reliability” as a Chinese state-sponsored group, operated by manipulating the company’s AI coding platform, Claude Code, “to try to infiltrate around thirty global targets and was successful in a small number of cases.” The targets, as in most large-scale attacks of this kind, were large technology companies, financial institutions, chemical manufacturers and government agencies.

Following discovery of the attack, Anthropic opened an investigation lasting more than 10 days to assess its scope, block the compromised AI accounts, and notify both the authorities and the directly affected entities.

The attackers took advantage of the AI’s capabilities to collect passwords and data and to process and analyze them according to the target. “They can now search the web, retrieve data, and perform many other actions that were previously the exclusive domain of human operators,” explains Anthropic. They then exploited the coding function so that the same AI could develop espionage and sabotage programs.

The model used was the company’s own AI, Claude, even though it ships with security measures to prevent malicious use. “It was extensively trained to avoid malicious behavior, but was deceived by breaking the attacks down into smaller, seemingly innocuous tasks, so as not to arouse the platform’s suspicions and trigger its blocking mechanisms. Claude was led to believe that (the initiator of the processes) was an employee of a legitimate cybersecurity company and that it was being used in defensive tests,” explain the authors of the Anthropic report.

The AI acted autonomously in more than 90% of cases, and human intervention was reduced to between 4% and 6% of critical decisions.

“This attack represents an escalation in hacking, which until now has required greater human intervention,” Anthropic concludes. The company points out, however, that just as AI was used to carry out this attack, it is also being used to develop more sophisticated and effective tools to prevent such attacks.

In the same vein, Billy Leonard, head of Google’s Threat Intelligence group, highlights attempts to use legitimate AI tools and how the safeguards built into them push attackers toward illicit models. “Although adversaries (hackers) are trying to use conventional AI platforms, security barriers have led many to turn to models available on the black market. These tools have no restrictions and can offer a significant advantage to the less advanced,” he explains in a statement.

Along the same lines, the security company Kaspersky has detected new and sophisticated cyber attack campaigns that distribute malicious language models, putting at risk users who turn to them without knowing their true nature.

The company has identified a program called BrowserVenom, which is distributed via a fake AI assistant called DeepSneak. This impersonates DeepSeek-R1 and is even promoted via Google ads. “The goal is to get users to install malicious software that redirects web traffic to servers controlled by the attackers, allowing them to steal credentials and sensitive information,” the company warns.

Cybercriminals use phishing (hoax) websites and manipulated versions of legitimate installers such as Ollama or LM Studio to disguise the attack, even bypassing Windows Defender protection.

“These types of threats show how locally executable language models, while useful, have also become a new risk vector if they are not downloaded from verified sources,” Kaspersky warns.
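The practical counterpart to Kaspersky’s advice is to check a downloaded installer against the checksum the vendor publishes before running it. The following is an added example, not code from Kaspersky, Ollama, LM Studio or any other project named in this article: it parses a manifest in the `sha256sum` output format, streams the installer through SHA-256, and fails closed when the file is absent from the manifest or its hash does not match. The file names, installer bytes and manifest in `demo()` are constructed for illustration; a real manifest is fetched from the vendor’s own site, not from the mirror that served the installer.

```python
import hashlib
import hmac
import os
import tempfile


def parse_sha256sums(text):
    """Parse a checksum manifest in `sha256sum` output format
    ('<64 hex chars>  <filename>', one entry per line) into {filename: digest}.
    Blank lines and '#' comments are skipped; anything else malformed raises."""
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed checksum line {lineno}: {raw!r}")
        digest, name = parts[0].lower(), parts[1].strip()
        try:
            int(digest, 16)
        except ValueError:
            raise ValueError(f"non-hex digest on line {lineno}") from None
        # sha256sum prefixes the name with '*' when the file was hashed in binary mode
        if name.startswith("*"):
            name = name[1:]
        expected[name] = digest
    return expected


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file in chunks so a large installer need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_installer(path, manifest_text):
    """Return (ok, reason). Fails closed: an installer whose name is absent from
    the manifest is rejected rather than waved through."""
    expected = parse_sha256sums(manifest_text)
    name = os.path.basename(path)
    if name not in expected:
        return False, f"no published checksum for {name}"
    actual = sha256_of_file(path)
    # Constant-time comparison; the digests are ASCII hex strings of equal length.
    if not hmac.compare_digest(actual, expected[name]):
        return False, f"sha256 mismatch for {name}"
    return True, f"sha256 matches for {name}"


def demo():
    """Constructed scenario (hypothetical names and bytes): a genuine installer,
    a tampered copy carrying the same file name, and an installer for which the
    vendor never published a checksum."""
    genuine = b"constructed genuine installer bytes\n"
    tampered = genuine + b"constructed injected payload\n"
    # In practice the manifest comes from the vendor's site over HTTPS, never
    # from the same place the installer was downloaded; here it is built inline.
    manifest = (
        "# constructed vendor manifest\n"
        f"{hashlib.sha256(genuine).hexdigest()}  local-llm-installer.exe\n"
    )
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, subdir, name, data in (
            ("genuine", "vendor", "local-llm-installer.exe", genuine),
            ("tampered", "mirror", "local-llm-installer.exe", tampered),
            ("unlisted", "vendor", "other-tool.exe", genuine),
        ):
            folder = os.path.join(tmp, subdir)
            os.makedirs(folder, exist_ok=True)
            path = os.path.join(folder, name)
            with open(path, "wb") as f:
                f.write(data)
            results[label] = verify_installer(path, manifest)
    return results


if __name__ == "__main__":
    for label, (ok, reason) in demo().items():
        print(f"{label:9s} {'OK  ' if ok else 'FAIL'} {reason}")
```

A matching checksum only proves the file is the one the vendor published; it says nothing about a manifest that was itself swapped on a phishing site, which is why the manifest must come from the vendor’s verified domain and, where offered, a signature over the manifest should be checked as well.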

The report from Leonard’s team at Google traces the main players behind the new campaigns to China, North Korea, Russia and Iran: “They are trying to use artificial intelligence for everything from executing malware, social engineering prompts and selling artificial intelligence tools, to improving every phase of their operations.”