Malicious Campaigns Using AI-generated Malware in 2026
In this blog post I am collecting the campaigns that show evidence of being AI-generated, or make use of AI tools to increase their impact. As always I will continue to update the list as soon as new campaigns emerge.
- Post author:Paolo Passeri
- Post published:February 12, 2026
- Post category:Cyber Attacks Timelines / Security
Last modified: February 26, 2026
[Interactive charts: Motivations, Targets, and AI Purpose of the AI-generated campaigns (no chart data survived extraction)]
Check out the interactive charts and the statistics, immediately after the infographic. And please support my work by sharing the content, and of course connect on LinkedIn, or follow @paulsparrows on X (formerly Twitter), psparrows.bsky.social on Bluesky, or @ppasseri@Infosec.exchange on Mastodon for the latest updates.
| ID | Date Reported | Date Occurred | Date Discovered | Author | Target | Description | Attack | Target Class | Attack Class | Country | Link | AI Used For... |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 13/01/2026 | Since at least December 2025 | During December 2025 | Chinese-affiliated developers | Cloud-based Linux systems | Researchers at Check Point uncover "VoidLink," a cloud-native malware framework leveraging serverless computing and legitimate cloud services for command-and-control. | Malware | Information/Communication | Cyber Crime | Global | | Malware coding |
| 2 | 21/01/2026 | Late 2025 through January 2026 (ongoing at discovery) | Late 2025 through January 2026 (ongoing at discovery) | Unknown threat actor (malware family: Android.Phantom) | Android mobile device users | Researchers at Doctor Web discover the Android.Phantom trojan, which employs TensorFlow.js machine learning to automate ad fraud. It spreads through modified popular apps and games on Xiaomi's GetApps, Telegram, and Discord, mimicking authentic user behavior. | Malware | Individual | Cyber Crime | Global | | Running models in browsers or on servers using Node.js |
| 3 | 22/01/2026 | During January 2026 | During January 2026 | Konni (linked to North Korean state-sponsored activity) | Blockchain and software engineers | Researchers at Check Point reveal that the Konni group is targeting blockchain engineers via LinkedIn, using AI-generated malware disguised as technical coding assessments. By tricking victims into downloading malicious repositories, the attackers deploy a remote access trojan (RAT) to steal sensitive information and credentials from developers in the cryptocurrency and fintech sectors. | Malware | Fintech | Cyber Crime | Global | | PowerShell malware coding |
| 4 | 29/01/2026 | Late January 2026 | Late January 2026 | RedKitten (suspected Iranian state-sponsored group) | Iranian protesters, activists, and human rights organizations | Researchers at HarfangLab identify "RedKitten," an AI-accelerated campaign targeting Iranian protesters. Attackers use AI-generated personas and deepfake videos on social media to build trust before deploying modular Python malware via "secure" communication tools. | Malware | Other Service | Cyber Espionage | IR | | Malicious VBA macro coding |
| 5 | 03/02/2026 | 28/11/2025 | 28/11/2025 | Unknown | Undisclosed organization | Researchers at Sysdig disclose the details of an AI-assisted cloud intrusion that escalated from initial access to full administrator privileges in just eight minutes, leveraging LLMs to analyze misconfigurations and automate exploitation. | Account Takeover | Unknown | Cyber Crime | Unspecified | | Automate reconnaissance, generate malicious code, and make real-time decisions |
| 6 | 05/02/2026 | Unspecified | Unspecified | Unknown | Individuals, including victims of previous crypto scams | Researchers at Sygnia uncover a live network of 150 cloned scam websites purporting to belong to law firms. | Scam | Fintech | Cyber Crime | Global | | Generating phishing lures |
| 7 | 09/02/2026 | 'Recently' | 'Recently' | UNC1069 (affiliated with North Korean state-sponsored clusters) | Undisclosed FinTech entity | Researchers at Google Mandiant identify UNC1069, a North Korean-linked actor, using AI-generated personas and professional networking platforms to target cryptocurrency firms, leading to the delivery of customized malware. | Malware | Fintech | Cyber Crime | Unknown | | Generating personas for social engineering |
| 8 | 10/02/2026 | Since at least 2019 (not necessarily using VoidLink) | During September 2025 | UAT-9921 (Chinese-speaking threat actor) | Technology and financial services sectors | Researchers at Cisco Talos observe a previously unknown threat actor, tracked as UAT-9921, leveraging the new AI-generated modular framework called VoidLink in its campaigns targeting the technology and financial services sectors. | Malware | Multiple Industries | Cyber Espionage | Global | | Malware coding |
| 9 | 10/02/2026 | 'Recently' | 'Recently' | Unspecified threat group suspected to be linked to Russian intelligence services | Multiple organizations in Ukraine | Researchers at Google Threat Intelligence Group (GTIG) attribute attacks targeting Ukrainian organizations with a malware known as CANFAIL to a previously undocumented threat actor that uses LLMs to overcome some technical limitations. | Malware | Multiple Industries | Cyber Espionage | UA | | Conduct reconnaissance, create lures for social engineering, seek answers to basic technical questions for post-compromise activity and C2 infrastructure setup |
| 10 | 12/02/2026 | Unknown | Unknown | Threat actors from China (APT31, Temp.HEX), Iran (APT42), North Korea (UNC2970), and Russia | Multiple organizations | The Google Threat Intelligence Group (GTIG) reveals that state-backed threat actors are using Google's Gemini AI model to support all stages of an attack, from reconnaissance to post-compromise actions. | Account Takeover / Malware | Multiple Industries | Cyber Espionage | Global | | Conduct reconnaissance and open-source intelligence, generate phishing lures, translate text, coding, vulnerability testing, and troubleshooting |
| 11 | 17/02/2026 | During 2025 | During 2025 | Unknown | Unnamed organization(s) | Researchers at Palo Alto Networks share findings about a low-skilled actor who used an LLM to script a professional extortion strategy, complete with deadlines and pressure tactics. | Unknown | Unknown | Cyber Crime | Unknown | | Script a professional extortion strategy |
[...]