Malware Activity
Rising Threats of AI-Enabled Cyber Attacks and Malware
A newly observed botnet, GoBruteforcer, targets servers that store cryptocurrency and blockchain data. It scans the internet for poorly secured hosts, tries default passwords against exposed services such as FTP and MySQL, and, once it gets in, uploads malicious software to take control of the machine. Many of these vulnerable systems were set up by following weak, AI-generated instructions, which makes them easy targets. In parallel, dark-web actors increasingly treat AI as a quick shortcut for committing cybercrime with little technical skill, relying on AI tools to produce scams, phishing emails, and attack scripts. This lowers the barrier to entry for beginners and encourages low-skill criminals to take part, driving a rise in attacks that are automated and harder to detect. Staying vigilant, removing default credentials, and keeping security measures current is essential to protect against these growing risks. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- BleepingComputer: New GoBruteforcer Attack Wave Targets Crypto Blockchain Projects (article)
- BleepingComputer: In 2026 Hackers Want AI Threat Intel on Vibe Hacking And HackGPT (article)
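As an added defender-side example (not code from the article or from BleepingComputer), the credential-guessing behaviour described above can be surfaced in logs by counting failed logins per source address inside a sliding time window, across FTP and MySQL together; the sample log lines, the two regexes, and the DEFAULT_ACCOUNTS watch-list are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in MySQL error-log and vsftpd styles (not from the article).
SAMPLE_LOGS = """\
2026-01-10T03:14:01 mysqld: Access denied for user 'root'@'203.0.113.7' (using password: YES)
2026-01-10T03:14:02 mysqld: Access denied for user 'root'@'203.0.113.7' (using password: YES)
2026-01-10T03:14:03 mysqld: Access denied for user 'admin'@'203.0.113.7' (using password: YES)
2026-01-10T03:14:04 mysqld: Access denied for user 'root'@'203.0.113.7' (using password: NO)
2026-01-10T03:14:05 mysqld: Access denied for user 'root'@'203.0.113.7' (using password: YES)
2026-01-10T03:14:09 vsftpd: FAIL LOGIN: Client "203.0.113.7"
2026-01-10T03:20:00 mysqld: Access denied for user 'app'@'198.51.100.4' (using password: YES)
2026-01-10T03:50:00 mysqld: Access denied for user 'app'@'198.51.100.4' (using password: YES)
"""

MYSQL_RE = re.compile(r"^(?P<ts>\S+) mysqld: Access denied for user '(?P<user>[^']+)'@'(?P<ip>[^']+)'")
FTP_RE = re.compile(r'^(?P<ts>\S+) vsftpd: FAIL LOGIN: Client "(?P<ip>[^"]+)"')
DEFAULT_ACCOUNTS = {"root", "admin", "anonymous", "ftp"}  # assumed watch-list of stock account names

def parse_failures(text):
    """Yield (timestamp, service, source_ip, username_or_None) for each failed login line."""
    for line in text.splitlines():
        m = MYSQL_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), "mysql", m["ip"], m["user"]
            continue
        m = FTP_RE.match(line)
        if m:  # vsftpd's FAIL LOGIN line carries no username
            yield datetime.fromisoformat(m["ts"]), "ftp", m["ip"], None

def detect_bruteforce(text, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed logins inside a sliding window,
    counting FTP and MySQL together, and report which stock accounts they tried."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)      # ip -> usernames attempted
    alerts = {}
    for ts, _svc, ip, user in sorted(parse_failures(text), key=lambda r: r[0]):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # evict failures older than the window
            q.popleft()
        if user:
            users[ip].add(user)
        if len(q) >= threshold:
            peak = max(len(q), alerts.get(ip, {}).get("failures", 0))
            alerts[ip] = {"failures": peak, "default_accounts": users[ip] & DEFAULT_ACCOUNTS}
    return alerts
```

The slow, spaced-out failures from 198.51.100.4 stay below the default threshold, while the burst from 203.0.113.7 is flagged together with the stock account names it guessed.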
Threat Actor Activity
Jailbroken AI Becoming New Shortcut in Cybercrime for Hackers and Low-Skill Actors
Hackers increasingly treat artificial intelligence as a shortcut to committing cybercrime rather than debating its technological merits. This outlook is reshaping the cybercrime ecosystem, opening it to people without deep technical skill or experience. The concept of “vibe hacking” captures the shift: intuition guided by AI replaces the need to master tools or systems, and AI acts as a confidence booster that lets anyone take part simply by following its guidance.

Although mainstream models include safeguards against generating malicious content, bypassing those restrictions, known as AI jailbreaking, has become a commodity, and techniques for evading safety controls are openly traded and sold. A range of underground tools branded as AI copilots for crime, such as FraudGPT and PhishGPT, are marketed as providing step-by-step guidance for cybercriminal activity. Many of these are little more than language models wrapped around prompts, selling confidence and ease rather than technical capability. The crimes on offer, such as email hacking and credential access, have changed little; what has changed is the language, which now emphasizes automation and ease. The AI label is used as a seal of approval even when the actual involvement of AI is unclear.

This change in mentality has driven a broader move away from physical risk toward low-effort, AI-enabled shortcuts, much of which was outlined and predicted in a previous article written by CTIX analysts: ‘Dark’ AI: The Emergence of Generative AI Tools Tailored for Threat Actors. AI-branded hacking services target first-time fraudsters and low-skill actors with the promise that no experience is needed. This mirrors existing models such as phishing-as-a-service, scaling cybercrime by reducing fear and friction. AI is making cybercrime feel easy, encouraging reckless behavior and promoting confidence over comprehension.
The underground cybercrime landscape is increasingly comfortable acting on imperfect AI results, scaling abuse despite the absence of revolutionary new attack methods. CTIX analysts will continue monitoring emerging threat actor activities and behaviors.
Vulnerabilities
CISA Flags Actively Exploited Critical HPE OneView Vulnerability and Urges Immediate Patching
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a maximum-severity vulnerability in HPE OneView to its Known Exploited Vulnerabilities (KEV) catalog after identifying evidence of active exploitation. The flaw, tracked as CVE-2025-37164, affects all HPE OneView versions prior to 11.00 and allows unauthenticated attackers to achieve remote code execution (RCE) through low-complexity code-injection attacks, posing a serious risk to organizations that rely on the platform to centrally manage servers, storage, and networking infrastructure. HPE released patches and hotfixes in mid-December following responsible disclosure by a security researcher and has emphasized that upgrading to version 11.00 or later is the only effective remediation, as no workarounds or mitigations are available. Although the full scope of exploitation remains unclear, the risk has increased since a proof-of-concept exploit was publicly released in late December. Under Binding Operational Directive 22-01, U.S. Federal Civilian Executive Branch (FCEB) agencies must remediate the vulnerability no later than January 28, while CISA strongly urges private-sector organizations to patch immediately, warning that flaws of this nature are frequently leveraged by malicious actors and represent a significant threat to enterprise environments. CTIX analysts urge any impacted readers to follow the CISA guidance and patch immediately.
© Copyright 2026. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
