June 11th, 2025
Who:
Russian-speaking threat actors: Used disposable ChatGPT accounts to refine Windows malware (coined as ScopeCreep by OpenAI), develop command-and-control (C2) infrastructure, and evade detection.
Chinese nation-state groups (APT5 / Keyhole Panda and APT15 / Vixen Panda): Employed ChatGPT for OSINT, script tweaking, Linux admin support, infrastructure setup, Android/social app automation, brute‑force attacks, and FTP scripts.
Additional state-linked clusters: Included actors from North Korea, Iran, the Philippines, Cambodia—who used AI for fraudulent job scams, social media influence campaigns, and multilingual propaganda.
What:
OpenAI banned dozens of ChatGPT accounts tied to these actors across multiple countries.
Account usage patterns were sophisticated: temporary email sign-ups, single-purpose conversations to incrementally improve malicious code, then abandonment to maintain OPSEC.
The malware ScopeCreep was distributed via a fake gaming tool, escalated privileges, evaded Defender, stole credentials, and exfiltrated through Telegram alerts.
Impact:
While ScopeCreep saw limited use and early disruption—GitHub repositories were taken down to prevent wide spread use—the campaign showed attackers leveraging AI to scale and refine malware development .
Influence operations spanned platforms like Facebook, TikTok, Reddit, X, Telegram and were multi-lingual, though engagement remained low—still showcasing early-stage campaigns .
Tactics such as job‑scam schemes (e.g., North Korea, Cambodia) and automated comment generation underline how LLM's are amplifying cyber-crime and disinformation efforts.
Leveraging of AI tools such as ChatGPT aids attackers in launching increasingly sophisticated attacks, while continuously reducing the need for a sophisticated attack arsenal and/or skill-set.
Campaigns such as these are indicative of a threat landscape that is evolving alongside Artificial Intelligence.
Recommendations:
Adopt AI monitoring and anomaly detection: Organizations should deploy tools that flag suspicious usage patterns—such as one-time queries from disposable accounts or code-debugging prompts.
Harden code repositories and software delivery chains: Strengthen detection of trojanized tools, enforce code signing, and scan repositories for malware.
Enhance social media vetting and threat intel sharing: Platforms should coordinate with cyber threat intelligence communities to identify and remove coordinated campaigns swiftly.
Update cybersecurity defenses: Incorporate indicators from OPSEC patterns and LLM-assisted malware in IOC feeds; reinforce user-awareness training to guard against credential‐stealing and C2 threats.
Read the full article HERE