Malicious Campaigns Using AI-generated Malware in 2026

In this blog post I am collecting the campaigns that show evidence of being AI-generated, or that make use of AI tools to increase their impact. As always, I will continue to update the list as soon as new campaigns emerge.

---

- Post author: Paolo Passeri

- Post published: February 12, 2026

- Post category: Cyber Attacks Timelines / Security

- Last modified: February 26, 2026

[Chart: Motivations - AI Generated Campaigns (hackmageddon.com; interactive chart, no data rendered in this copy)]

[Chart: Targets - AI Generated Campaigns (hackmageddon.com; interactive chart, no data rendered in this copy)]

[Chart: AI Purpose - AI Generated Campaigns (hackmageddon.com; interactive chart, no data rendered in this copy)]

Check out the interactive charts and the statistics immediately after the infographic. And please support my work by sharing the content, and of course connect on LinkedIn, or follow @paulsparrows on X (formerly Twitter), psparrows.bsky.social on Bluesky, or @ppasseri@infosec.exchange on Mastodon for the latest updates.

| ID | Date Reported | Date Occurred | Date Discovered | Author | Target | Description | Attack | Target Class | Attack Class | Country | AI Used For |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 13/01/2026 | Since at least December 2025 | During December 2025 | Chinese-affiliated developers | Cloud-based Linux systems | Researchers at Check Point uncover "VoidLink," a cloud-native malware framework leveraging serverless computing and legitimate cloud services for command-and-control. | Malware | Information/Communication | Cyber Crime | Global | Malware coding |
| 2 | 21/01/2026 | Late 2025 through January 2026 (ongoing at discovery) | Late 2025 through January 2026 (ongoing at discovery) | Unknown threat actor (malware family: Android.Phantom) | Android mobile device users | Researchers at Doctor Web discover the Android.Phantom trojan, which employs TensorFlow.js machine learning to automate ad fraud. It spreads through modified popular apps and games on Xiaomi's GetApps, Telegram, and Discord, mimicking authentic user behavior. | Malware | Individual | Cyber Crime | Global | Running on-device TensorFlow.js models that mimic user behavior to automate ad fraud |
| 3 | 22/01/2026 | During January 2026 | During January 2026 | Konni | Blockchain and software engineers | Researchers at Check Point reveal that the Konni group is targeting blockchain engineers via LinkedIn, using AI-generated malware disguised as technical coding assessments. By tricking victims into downloading malicious repositories, the attackers deploy a remote access trojan (RAT) to steal sensitive information and credentials from developers in the cryptocurrency and fintech sectors. | Malware | Fintech | Cyber Crime | Global | PowerShell malware coding |
| 4 | 29/01/2026 | Late January 2026 | Late January 2026 |  | Iranian protesters, activists, and human rights organizations | Researchers at HarfangLab identify "RedKitten," an AI-accelerated campaign targeting Iranian protesters. Attackers use AI-generated personas and deepfake videos on social media to build trust before deploying modular Python malware via "secure" communication tools. | Malware | Other Service | Cyber Espionage | IR | Malicious VBA macro coding |
| 5 | 03/02/2026 | 28/11/2025 | 28/11/2025 | Unknown | Undisclosed organization | Researchers at Sysdig disclose the details of an AI-assisted cloud intrusion that escalated from initial access to full administrator privileges in just eight minutes, leveraging LLMs to analyze misconfigurations and automate exploitation. | Account Takeover | Unknown | Cyber Crime | Unspecified | Automate reconnaissance, generate malicious code, and make real-time decisions |
| 6 | 05/02/2026 | Unspecified | Unspecified | Unknown | Individuals, including victims of previous crypto scams | Researchers at Sygnia uncover a live network of 150 cloned scam websites purporting to belong to law firms. | Scam | Fintech | Cyber Crime | Global | Generating phishing lures |
| 7 | 09/02/2026 | 'Recently' | 'Recently' | UNC1069 (North Korean-linked) | Undisclosed FinTech entity | Researchers at Google Mandiant identify UNC1069, a North Korean-linked actor, using AI-generated personas and professional networking platforms to target cryptocurrency firms, leading to the delivery of customized malware. | Malware | Fintech | Cyber Crime | Unknown | Generating personas for social engineering |
| 8 | 10/02/2026 | Since at least 2019 (not necessarily using VoidLink) | During September 2025 | UAT-9921 (Chinese-speaking threat actor) | Technology and financial services sectors | Researchers at Cisco Talos observe a previously unknown threat actor, tracked as UAT-9921, leveraging the new AI-generated modular framework called VoidLink in its campaigns targeting the technology and financial services sectors. | Malware | Multiple Industries | Cyber Espionage | Global | Malware coding |
| 9 | 10/02/2026 | 'Recently' | 'Recently' | Unspecified threat group suspected to be linked to Russian intelligence services | Multiple organizations in Ukraine | Researchers at Google Threat Intelligence Group (GTIG) attribute attacks targeting Ukrainian organizations with a malware known as CANFAIL to a previously undocumented threat actor that used LLMs to overcome some technical limitations. | Malware | Multiple Industries | Cyber Espionage | UA | Conduct reconnaissance, create lures for social engineering, seek answers to basic technical questions for post-compromise activity and C2 infrastructure setup |
| 10 | 12/02/2026 | Unknown | Unknown | Threat actors from China (APT31, Temp.HEX), Iran (APT42), North Korea (UNC2970), and Russia | Multiple organizations | The Google Threat Intelligence Group (GTIG) reveals that state-backed threat actors are using Google's Gemini AI model to support all stages of an attack, from reconnaissance to post-compromise actions. | Account Takeover, Malware | Multiple Industries | Cyber Espionage | Global | Conduct reconnaissance and open-source intelligence, generate phishing lures, translate text, code, test vulnerabilities, and troubleshoot |
| 11 | 17/02/2026 | During 2025 | During 2025 | Unknown | Unnamed organization(s) | Researchers at Palo Alto Networks share findings about a low-skilled actor who used an LLM to script a professional extortion strategy, complete with deadlines and pressure tactics. | Unknown | Unknown | Cyber Crime | Unknown | Script a professional extortion strategy |
| 12 | 19/02/2026 | Unspecified | Unspecified | Unknown | Mobile users in Argentina | Researchers at ESET uncover PromptSpy, the first known Android malware to exploit Google's Gemini AI to maintain persistence. The malware can capture lockscreen data, block uninstallation attempts, collect device information, take screenshots, and record screen activity as video, marking a concerning evolution in AI-assisted mobile threats. | Malware | Finance & Insurance | Cyber Crime | AR | Maintain persistence |
| 13 | 19/02/2026 | Between October 2025 and December 2025 | During October 2025 | Arkanix | Users interested in cryptocurrencies and online banking | Researchers at Kaspersky discover Arkanix, a sophisticated infostealer targeting browser data, crypto wallets, and system information. The malware employs advanced obfuscation and anti-analysis techniques to evade detection. It exfiltrates stolen data via Telegram, highlighting a growing trend of utilizing legitimate platforms for malicious command-and-control communication and data theft. | Malware | Multiple Industries | Cyber Crime | Global | Malware coding |
| 14 | 20/02/2026 | Between 11/01/2026 and 18/02/2026 | Between 11/01/2026 and 18/02/2026 | Undisclosed Russian-speaking financially motivated threat actor | Multiple organizations across South Asia, Latin America, the Caribbean, West Africa, Northern Europe, Southeast Asia, and additional regions | Amazon warns that a Russian-speaking financially motivated threat actor used multiple generative AI services as part of a campaign that breached more than 600 FortiGate firewalls across 55 countries in five weeks. | Brute-force | Information/Communication | Cyber Crime | Global | Conduct reconnaissance |
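The Arkanix entry (row 13) calls out exfiltration over Telegram as part of a wider trend of legitimate platforms being used for command-and-control and data theft. The block below is an added example, not code from this post or from Kaspersky: a small detector that reads egress proxy log lines, flags uploads to the Telegram Bot API (whose URL path always carries the bot token as `bot<bot_id>:<secret>/<method>`), groups them by source host and bot id, and pivots on the bot id to find every host talking to the same bot. The log format, host names, bot id and token are constructed for the example, and the token-shape regular expression is a heuristic rather than a published specification.

```python
"""Flag proxy-log entries that look like data exfiltration through the Telegram Bot API.

Added illustration for the Arkanix entry (row 13) and the "legitimate platform as C2"
trend; not code from Kaspersky or hackmageddon.com. Log format, host names, bot id and
token are constructed for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List

# Bot API calls always carry the bot token in the URL path:
#   https://api.telegram.org/bot<bot_id>:<secret>/<method>
# The <secret> part is matched loosely (heuristic); the exact length is not assumed.
BOT_API_RE = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})/(?P<method>[A-Za-z]+)"
)

# Methods a stealer uses to push data into the operator's chat. Pull-side methods such
# as getUpdates are deliberately excluded so a bot merely polling for commands is not
# counted as an upload.
UPLOAD_METHODS = {"sendDocument", "sendMessage", "sendPhoto", "sendVideo", "sendAudio"}


@dataclass
class Finding:
    src_host: str
    bot_id: str          # numeric part only; the secret is never reported
    requests: int
    bytes_out: int
    methods: List[str]


def parse_proxy_line(line: str):
    """Parse the constructed format: '<epoch> <src_host> <verb> <url> <status> <bytes_out>'."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src_host, verb, url, status, bytes_out = parts
    return {"ts": int(ts), "src_host": src_host, "verb": verb, "url": url,
            "status": int(status), "bytes_out": int(bytes_out)}


def find_telegram_exfil(lines: Iterable[str], min_bytes: int = 0) -> List[Finding]:
    """Group outbound Bot API uploads by (source host, bot id), largest volume first.

    Ordinary Telegram clients (web.telegram.org, the desktop app) carry no bot token in
    the URL, so they never match; only api.telegram.org/bot<token>/<send*> paths count.
    """
    buckets = defaultdict(lambda: {"requests": 0, "bytes_out": 0, "methods": set()})
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None or rec["verb"] != "POST":
            continue
        m = BOT_API_RE.match(rec["url"])
        if not m or m.group("method") not in UPLOAD_METHODS:
            continue
        b = buckets[(rec["src_host"], m.group("bot_id"))]
        b["requests"] += 1
        b["bytes_out"] += rec["bytes_out"]
        b["methods"].add(m.group("method"))
    findings = [
        Finding(src, bot, v["requests"], v["bytes_out"], sorted(v["methods"]))
        for (src, bot), v in buckets.items()
        if v["bytes_out"] >= min_bytes
    ]
    findings.sort(key=lambda f: f.bytes_out, reverse=True)
    return findings


def hosts_sharing_bot(findings: List[Finding], bot_id: str) -> List[str]:
    """Pivot: every host that uploaded to the same bot is likely running the same sample."""
    return sorted({f.src_host for f in findings if f.bot_id == bot_id})


# Constructed sample: two infected workstations uploading to one bot, one benign
# Telegram web session, one bot polling getUpdates, and one unrelated upload.
SAMPLE_LOG = [
    "1771000001 ws-042 POST https://api.telegram.org/bot7123456789:AAFexampleSecretTokenPart_0123456789/sendDocument 200 48211",
    "1771000002 ws-042 GET https://example.com/update.json 200 512",
    "1771000003 ws-017 POST https://api.telegram.org/bot7123456789:AAFexampleSecretTokenPart_0123456789/sendMessage 200 640",
    "1771000004 ws-017 POST https://api.telegram.org/bot7123456789:AAFexampleSecretTokenPart_0123456789/sendDocument 200 91104",
    "1771000005 ws-099 GET https://web.telegram.org/a/ 200 10240",
    "1771000006 ws-099 POST https://api.telegram.org/bot7123456789:AAFexampleSecretTokenPart_0123456789/getUpdates 200 200",
    "1771000007 ws-120 POST https://files.example.net/upload 200 70000",
]

if __name__ == "__main__":
    hits = find_telegram_exfil(SAMPLE_LOG)
    for f in hits:
        print(f"{f.src_host}: bot {f.bot_id}, {f.requests} uploads, {f.bytes_out} bytes, {f.methods}")
    print("hosts sharing bot 7123456789:", hosts_sharing_bot(hits, "7123456789"))
```

Where Telegram has no business justification, simply blocking api.telegram.org at the egress proxy is the cheaper control; where it cannot be blocked, the bot id (never the secret half of the token) is the indicator worth sharing and pivoting on across the fleet.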

---

[Original source](https://www.hackmageddon.com/2026/02/12/malicious-campaigns-using-ai-generated-malware-in-2026/)