Cyber Attackers use AI to automate exploits and sell deepfakes



A new analysis from ReliaQuest shows that attackers are increasingly commercializing and improving their use of artificial intelligence (AI) in operations, with up to 45% of initial access attempts attributed to automated vulnerability discovery and SQL injection scans.

AI-skewed threat landscape

Based on ReliaQuest research and threat detection data, the report details how AI-powered bots and frameworks can automate many of the early-stage attack processes. Not only do these tools accelerate the pace of exploitation, they also reduce technical barriers to entry for less skilled attackers, making advanced tactics more widely accessible.

Beyond automation, attackers are using AI as the “brain” behind malware campaigns. While earlier use of large language models (LLMs) and deepfake technology amplified existing strategies, ReliaQuest reports that these technologies are now used more broadly and in more refined ways in both criminal and nation-state operations.

Malware adapts to AI defense

The report observes that LLM-generated scripts often contain distinctive markers such as redundant code comments and generic variable names, but attackers adapt quickly. For example, the “Skynet” malware not only integrates sandbox evasion and Tor-encrypted communication, but also employs prompt injection loaded into memory to manipulate AI-based security tools.

ReliaQuest's analysis states, “It's not enough to rely solely on NGAV or other single-layer defenses. Companies need to embrace continuous innovation and advance by combining detailed strategies with sophisticated detection capabilities.”

Malware and ease of use

Attackers continue to extend existing malware variants with new AI-supported features. The report highlights the evolution of the “Rhadamanthys” infostealer into an AI-driven toolkit that includes AI-driven password recovery, optical character recognition for data extraction, and AI analysis for data tagging and campaign tracking.

These developments allow even inexperienced cybercriminals to run sophisticated campaigns. “Its integrated AI capabilities allow even new criminals to run large-scale theft campaigns. The latest iterations automatically tag and filter stolen data based on recognized values, providing a dashboard to track campaign statistics.”

Commercialization of deepfakes

“The group now positions itself as a professional 'Deepfake-as-a-Service' operator, combining smooth marketing with the shadow ambiguity of dangerous deepfake technology in the wrong hands,” the report states.

Services like Creo Deepfakes and VHQ Deepfake sell very realistic video content for applications ranging from spoofing scams to cryptocurrency marketing. Deepfake operators advertise advanced features such as geographic targeting and optimized traffic alignment, and the number of service providers is growing. The report states that “attacks are becoming smarter, more frequent and more difficult to detect.”

Malicious GPT and Jailbreak Trends

ReliaQuest's research has seen a growing trend towards jailbreaking mainstream LLMs such as OpenAI's GPT-4o, Anthropic's Claude, and X's Grok. Jailbreak-as-a-Service marketplaces offer pre-built malicious prompts for phishing campaigns, malware scripts, credit card verification and cryptocurrency laundering.

Many new malicious GPT products are simply repackaged public models sold at inflated prices. “The research revealed that many of these models used open APIs, added bypass instructions, and repackaged tools at a much larger price tag.”

The report adds, “The jailbroken version removes ethical perimeters, content restrictions, security filters and converts regulated tools into an unregulated cybercrime engine.” This lowers the technical threshold for less experienced offenders.

Automate vulnerability discovery at scale

ReliaQuest's latest data shows that 45% of initial access in customer cases in the past quarter was associated with vulnerability exploitation, highlighting the impact of AI-driven automation. Autonomous AI frameworks and bots can now handle tasks like asset scans, vulnerability checks, and exploitation with little human oversight.

The report finds that “AI-powered bots are changing the way weaknesses are identified, excelling at tasks such as scanning open ports, detecting misconfigurations, and identifying outdated software with unparalleled speed and accuracy.”

SQL Injection Automation

Automation also affects SQL injection (SQLi) attacks, making it easier for attackers to discover and exploit vulnerabilities in web applications. For example, the tool “BSQLBF” specializes in automating blind SQLi, allowing attackers to test payloads and confirm vulnerabilities without directly accessing the underlying data.

“Automation has transformed SQLI attacks and dramatically reduced the time, effort and expertise required. By streamlining discovery and exploitation, automated tools allow attackers to leverage large-scale vulnerabilities and amplify the risks posed by insecure applications and databases.”
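A defender-side illustration of the section above, added here and not taken from the ReliaQuest report: automated blind SQLi tooling must send many similar inference probes to one parameter, and that burst is visible in web access logs. The log lines, the indicator regex, and the threshold and window values are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    # One client walking a parameter character by character (blind inference).
    f'203.0.113.7 - - [12/May/2025:10:00:{s:02d} +0000] '
    f'"GET /item?id=5%20AND%20ASCII(SUBSTRING(version(),{s + 1},1))>{64 + s} HTTP/1.1" 200 512'
    for s in range(8)
] + [
    '198.51.100.4 - - [12/May/2025:10:00:03 +0000] "GET /item?id=5 HTTP/1.1" 200 2048',
    # Benign search that merely mentions SQL-ish words.
    '198.51.100.9 - - [12/May/2025:10:00:09 +0000] "GET /search?q=sleep+and+substring+tips HTTP/1.1" 200 900',
    # A single stray probe: recorded, but below the burst threshold.
    '192.0.2.50 - - [12/May/2025:10:00:11 +0000] "GET /item?id=5%20OR%201=1 HTTP/1.1" 200 2048',
]

LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+) [^"]*" \d{3} \d+')
# Assumed indicator set: boolean probes, time delays, per-character extraction.
PROBE_RE = re.compile(
    r"\b(?:and|or)\s+\d+\s*=\s*\d+"
    r"|\b(?:sleep|pg_sleep|benchmark)\s*\(|\bwaitfor\s+delay\b"
    r"|\b(?:ascii|ord)\s*\(\s*(?:substring|substr|mid)\s*\(",
    re.IGNORECASE,
)

def find_blind_sqli_scanners(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {(client_ip, path): probe_count} for bursts of SQLi-style probes."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, stamp, target = m.groups()
        url = urlsplit(target)
        # Decode before matching so %20 and + cannot hide the keywords.
        if PROBE_RE.search(unquote_plus(url.query)):
            hits[(ip, url.path)].append(datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for key, times in hits.items():
        times.sort()
        # Largest number of probes that fall inside any one window-long span.
        best = max(sum(t - start <= window for t in times[i:]) for i, start in enumerate(times))
        if best >= threshold:
            flagged[key] = best
    return flagged

if __name__ == "__main__":
    print(find_blind_sqli_scanners(SAMPLE_LOG))
```

Grouping by client and path keeps a single odd request from raising an alert while still surfacing the repetitive pattern that automation produces.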

Defenses and important recommendations

ReliaQuest advises organizations to adopt a multi-layered, proactive security stance. Key recommendations include prioritizing threat hunting, ensuring comprehensive system logging, training employees to find AI-generated attacks, deploying advanced detection tools, and reviewing the use of AI within sensitive production environments.

The report emphasizes, “As AI-powered threats evolve, defenders must stay ahead by focusing on detecting malicious techniques, restructuring security processes, and tackling AI-related risks.”


