The impacts of cyber attacks are increasingly part of the headlines, but thus far AI’s role has largely been limited to productivity boosts for bad actors, and enhanced content for social engineering. New cyber security research from the Google Threat Intelligence Group (GTIG) this week suggests we’re seeing the first signs of direct LLM use in malware and active operations. The research states: “This marks a new operational phase of AI abuse, involving tools that dynamically alter behaviour mid-execution.”
This research builds on their Adversarial Misuse of Generative AI report from January 2025, which documented how state-sponsored actors from over 20 countries were already exploiting Gemini for various stages of cyber operations, from reconnaissance to payload development. The new research identifies three malware families, PROMPTFLUX, PROMPTSTEAL and PROMPTLOCK, that connect to LLM services during attacks, rewriting their own code to evade detection. One piece of malware queries Gemini’s API to mutate its VBScript faster than traditional defences can respond. A simple idea, but now operationally deployed.
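The behaviour described above has a simple telemetry signature from the defender's side: a script host (the kind of process that runs VBScript) talking repeatedly to a hosted LLM API. The following is an added example of detection logic over proxy telemetry, not code from GTIG, Google or the article; the log format, the sample log lines, the process lists, the provider hostnames and the burst threshold are all constructed assumptions that would need tuning to a real environment.

```python
"""Flag LLM API traffic from processes that have no business making it.

Added illustration; the log format, hostnames, process sets and threshold are
assumptions constructed for this example.
"""
import re
from collections import defaultdict

# Hostnames of hosted LLM APIs (assumption: extend to the providers you actually use).
LLM_API_HOSTS = {
    "generativelanguage.googleapis.com",  # Gemini API
    "api.openai.com",
    "api.anthropic.com",
}

# Script hosts and LOLBins that normally have no reason to query an LLM API.
SUSPICIOUS_PROCESSES = {
    "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "rundll32.exe",
}

# Processes through which users are expected to reach LLM services (assumption).
SANCTIONED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample proxy log: "<ts> <host> <process> <dest_host> <method> <path>".
SAMPLE_LOG = """\
2025-11-06T09:12:01Z WS-0142 chrome.exe generativelanguage.googleapis.com POST /v1beta/models
2025-11-06T09:12:44Z WS-0142 wscript.exe generativelanguage.googleapis.com POST /v1beta/models
2025-11-06T09:13:05Z WS-0142 wscript.exe generativelanguage.googleapis.com POST /v1beta/models
2025-11-06T09:13:31Z WS-0142 wscript.exe generativelanguage.googleapis.com POST /v1beta/models
2025-11-06T09:14:10Z SRV-DB01 python.exe api.openai.com POST /v1/chat/completions
2025-11-06T09:15:00Z WS-0099 outlook.exe mail.example.com GET /owa
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Parse one proxy log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, dest, method, path = m.groups()
    return {"ts": ts, "host": host, "process": proc.lower(),
            "dest": dest.lower(), "method": method, "path": path}


def detect(log_text, burst_threshold=3):
    """Return findings for LLM API calls that do not fit expected usage.

    Calls are aggregated per (host, process, destination) so that a burst of
    queries from one script host shows up as a single, counted finding.
    """
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dest"] not in LLM_API_HOSTS:
            continue
        counts[(rec["host"], rec["process"], rec["dest"])] += 1

    findings = []
    for (host, proc, dest), n in sorted(counts.items()):
        if proc in SUSPICIOUS_PROCESSES:
            severity = "high"
            reason = "script host or LOLBin calling an LLM API"
            if n >= burst_threshold:
                reason += f" ({n} calls in window)"
        elif proc not in SANCTIONED_PROCESSES:
            severity = "medium"
            reason = "LLM API call from a process outside the sanctioned set"
        else:
            continue  # browser traffic to an LLM service is expected
        findings.append({"host": host, "process": proc, "dest": dest,
                         "count": n, "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f["severity"].upper(), f["host"], f["process"], "->", f["dest"], f["reason"])
```

The medium-severity rule is the more useful one in practice: a server-side script calling an LLM API may be a legitimate integration, but if nobody can say which one, it is exactly the shadow AI the takeaways below ask you to inventory.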
Cyber attacks are a growing concern. According to a newly published European Threat Landscape Report from CrowdStrike, ransomware deployment has accelerated by 48% in the past year, with average attack times now just 24 hours from initial breach to encryption. The economic impacts can be significant; estimates suggest the Jaguar Land Rover attack in August has cost the UK economy £1.9 billion, making it the most financially damaging cyber incident in British history. The attack forced production shutdowns across JLR’s UK plants for over five weeks, reducing output by nearly 5,000 vehicles weekly and cascading through more than 5,000 organisations in the supply chain, with smaller suppliers forced to lay off nearly half their workforce in some cases. The incident required a £1.5 billion government loan guarantee to prevent wider economic collapse and prompted the Bank of England to acknowledge measurable impacts on UK GDP.
For the UK specifically, the convergence of state-sponsored and criminal activity presents unique challenges. Manufacturing, professional services and technology sectors face constant targeting. Iranian groups like APT42 use AI to craft phishing campaigns tailored to British defence organisations. North Korean actors deploy HTTPSpy malware against defence manufacturers whilst spoofing UK energy companies. Actors are exploiting vulnerabilities in AI software to gain initial access, harvest credentials, and deploy ransomware, treating AI development infrastructure including APIs, serialised models, and dependencies as primary targets. Google’s Secure AI Framework (SAIF) identifies eight primary risk categories. Prompt injection allows attackers to manipulate AI behaviour. Model theft threatens intellectual property. Data poisoning corrupts training sets. Sensitive data disclosure exposes everything from user conversations to system credentials. The underground economy has already adapted, with subscription-based jailbroken AI services available for as little as £50 monthly, offering uncensored capabilities for writing malware and crafting business email content.
So where do we go from here? If attackers use AI to dynamically mutate malware, the logical counter is AI that dynamically adapts defences. CrowdStrike’s own Charlotte AI promises a fleet of specialised AI agents trained on millions of real SOC decisions, with each agent handling specific tasks like malware analysis, threat triage, and correlation rule building, whilst their AgentWorks platform enables security teams to build custom agents using plain language without coding, creating an “agentic security workforce”. Darktrace’s Self-Learning AI creates a baseline of normal behaviour for each organisation’s digital environment, then uses its Antigena system to contain threats. Vectra AI maps attacker behaviour against the MITRE ATT&CK framework, using ML to detect command-and-control communications, lateral movement, and data exfiltration patterns. These products represent part of the defensive arms race: rather than racing to update signatures against polymorphic threats, they use AI to understand intent, predict next moves, and respond much more quickly.
But protection actually starts with understanding that attacks often gain initial access through traditional social engineering. Google’s November 2025 fraud advisory highlights how cybercriminals now exploit job seekers with fake recruitment sites, deploy AI-impersonation apps promising “exclusive access” to harvest credentials, and run fraud recovery schemes targeting previous victims with promises to reclaim lost funds. The advisory also documents other recent vectors that are all surging: negative-review extortion against businesses, malicious VPN apps containing banking trojans, and seasonal shopping scams using hijacked brand terms. These attacks succeed not through technical sophistication but by exploiting human psychology (urgency, fear, opportunity, and trust), reminding us that whilst AI accelerates both attack and defence capabilities, the human element remains the critical vulnerability requiring constant vigilance.
The emergence of LLM-in-the-loop malware represents both a technical evolution and a demonstration of the adaptability of cybercrime operations. As attack tools become autonomous, traditional security approaches based on recognising known patterns become obsolete. And yet the defensive response is equally powerful. The challenge isn’t technology but education, execution speed, and a renewed thoroughness that we will all have a responsibility to employ.
Takeaways: Whilst the technology arms race accelerates, basic human vulnerabilities remain the primary means of attack, making security awareness and robust identity controls more important than ever. These are the three key areas for organisations to make progress:
- Educate your workforce specifically on AI-enhanced social engineering – Security awareness training reduces successful phishing by 40-70%, and with AI making scams more convincing, regular training on fake recruitment schemes, deepfake calls, and AI-impersonation tactics is essential. Focus on the psychology attackers exploit: urgency, authority, and fear.
- Lock down your AI integration – Treat every AI API call like a financial transaction. Implement gateways that manage connections, log all prompts and responses, and rotate API tokens regularly. Think of it as putting a corporate credit card approval process around AI usage; no employee should be able to connect company systems to external AI without explicit permission.
- Build an integration-centric AI inventory (AI-BOM) – Document every AI agent, model, MCP server, and integration in your organisation, including shadow AI. Track dependencies, data flows, and decision-making capabilities. This is your AI-BOM (Bill of Materials), and just like software components, you need to know what you’re running, where it came from, and what it can access.
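The second and third takeaways fit together: the gateway's audit log is the evidence you reconcile the AI-BOM against, and anything calling a provider that the inventory cannot explain is shadow AI. The following is an added example illustrating both, not code from the article or any vendor. The provider names, callers, the 30-day token lifetime, the inventory schema and every sample value are constructed assumptions, and the real provider HTTP call is replaced by a `backend` callable so the example runs offline.

```python
"""Gateway policy for AI API calls, plus an AI-BOM reconciled against the gateway audit log.

Added example; providers, callers, token lifetime, inventory schema and all sample
values are constructed. The provider HTTP call is replaced by a `backend` callable.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

TOKEN_MAX_AGE = timedelta(days=30)   # gateway refuses tokens older than this (assumption)
KINDS = {"model", "agent", "mcp_server", "integration"}

@dataclass
class AIGateway:
    approvals: dict                             # caller -> set of providers it may use
    tokens: dict = field(default_factory=dict)  # provider -> (secret, issued_at); secret never logged
    audit: list = field(default_factory=list)   # one record per attempted call, allowed or not

    def rotate_token(self, provider, secret, now):
        self.tokens[provider] = (secret, now)

    def authorize(self, caller, provider, now):
        """The 'credit card approval': explicit per-caller permission plus a fresh token."""
        if provider not in self.approvals.get(caller, set()):
            return False, "caller has no approval for this provider"
        if provider not in self.tokens:
            return False, "no token issued for provider"
        if now - self.tokens[provider][1] > TOKEN_MAX_AGE:
            return False, "token overdue for rotation"
        return True, "ok"

    def send(self, caller, provider, prompt, backend, now):
        """Enforce policy, call the provider, and log the full prompt and response."""
        ok, reason = self.authorize(caller, provider, now)
        rec = {"ts": now.isoformat(), "caller": caller, "provider": provider,
               "decision": "allow" if ok else "deny", "reason": reason, "prompt": prompt,
               "prompt_sha256": hashlib.sha256(prompt.encode()).hexdigest(), "response": None}
        if ok:
            rec["response"] = backend(self.tokens[provider][0], prompt)
        self.audit.append(rec)
        return rec["response"]

@dataclass
class AIComponent:
    name: str
    kind: str                                          # one of KINDS
    owner: str
    depends_on: list = field(default_factory=list)     # names of other components
    data_classes: list = field(default_factory=list)   # data the component can read
    provider: str = ""                                 # gateway provider it calls, if any

def closure(bom, name):
    """Components reachable from `name` through depends_on, including itself."""
    idx = {c.name: c for c in bom}
    seen, stack = set(), [name]
    while stack:
        n = stack.pop()
        if n in idx and n not in seen:
            seen.add(n)
            stack.extend(idx[n].depends_on)
    return seen

def reachable_data(bom, name):
    """Data classes a component can reach through its dependency chain (its data flow)."""
    idx = {c.name: c for c in bom}
    return {d for n in closure(bom, name) for d in idx[n].data_classes}

def find_shadow_ai(bom, audit):
    """Gateway callers whose provider use the AI-BOM does not explain (denied calls included)."""
    idx = {c.name: c for c in bom}
    shadow = []
    for rec in audit:
        caller, provider = rec["caller"], rec["provider"]
        if caller not in idx:
            item = (caller, provider, "caller not in AI-BOM")
        elif provider not in {idx[n].provider for n in closure(bom, caller)}:
            item = (caller, provider, "provider not reachable via inventoried dependencies")
        else:
            continue
        if item not in shadow:
            shadow.append(item)
    return shadow

def fake_backend(secret, prompt):
    return f"summary of {len(prompt)} chars"   # stand-in for the real provider call

def demo():
    now = datetime(2025, 11, 6, tzinfo=timezone.utc)
    gw = AIGateway(approvals={"crm-summariser": {"gemini"}, "helpdesk-agent": {"gemini"}})
    gw.rotate_token("gemini", "constructed-secret-1", now - timedelta(days=45))      # stale token
    r1 = gw.send("crm-summariser", "gemini", "Summarise account", fake_backend, now)  # denied
    gw.rotate_token("gemini", "constructed-secret-2", now)
    r2 = gw.send("crm-summariser", "gemini", "Summarise account", fake_backend, now)  # allowed
    r3 = gw.send("finance-script", "gemini", "Draft invoice", fake_backend, now)      # no approval
    r4 = gw.send("helpdesk-agent", "gemini", "Summarise ticket", fake_backend, now)   # allowed
    bom = [AIComponent("hosted-llm", "model", "platform", provider="gemini"),
           AIComponent("crm-summariser", "integration", "sales", depends_on=["hosted-llm"],
                       data_classes=["customer_pii"]),
           AIComponent("ticket-mcp", "mcp_server", "helpdesk", data_classes=["ticket_history"]),
           AIComponent("helpdesk-agent", "agent", "helpdesk", depends_on=["ticket-mcp"])]
    return gw, [r1, r2, r3, r4], bom
```

In the demo the finance script is shadow AI in the plain sense (nobody approved it and it is not inventoried), while the helpdesk agent is the subtler case: the gateway lets it through, but the AI-BOM does not record that it reaches a hosted model at all, so the inventory, not the gateway, is what is wrong.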
