PRESENTED BY

Cyber AI Chronicle

By Simon Ganiere · 1^st March 2026

Welcome back!

Edition 100! When I wrote the first AI Threat Edition, the dominant concern in the industry was whether LLMs would make phishing emails slightly better. It was a reasonable question. It was also the wrong one.

This week confirmed what the past year has been building toward: a single threat actor, assessed as low-to-medium skilled, breached 600 FortiGate firewalls across 55 countries in five weeks using commercially available LLMs stitched together with an MCP orchestration layer. No nation-state resource base required. No team. Just DeepSeek for planning, Claude for execution, and enough patience to let the machine do the work.

Simultaneously, CrowdStrike's 2026 Global Threat Report landed with a number that deserves to sit on its own: 89% year-over-year increase in AI-enabled attacks. Prompt injection was confirmed against 90+ organisations exploiting GenAI systems in production. Attacker breakout time hit 29 minutes on average — 65% faster than 2024 — with a recorded case of 4 minutes.

The AI threat landscape did not shift this week. It arrived.

Trend: ↑ Moderate increase

Significance: The quality bar for AI-generated social engineering has effectively merged with the output of skilled human operators. Volume and targeting are now the only remaining differentiators.

Trend: ↑↑ Significant increase

Significance: AI is removing the operational scale constraint that previously required a team. One person can now generate APT-equivalent impact. That changes the threat model.

Trend: ↑↑↑ Major increase — highest activity this week

Significance: The AI developer toolchain is now a primary attack surface. Every MCP server, every skills marketplace, every coding assistant integration is an unverified trust relationship running with developer-level permissions.

Trend: ↑ Moderate increase

Significance: Nation-states are now participants in the ransomware affiliate economy. The line between financially motivated crime and state espionage has effectively dissolved.

Trend: ↑↑ Significant increase

Significance: Enterprise AI deployments are not being secured to the standard their privilege level demands. An AI agent with access to email, files, and code is a privileged identity. Most organisations are not treating it that way.

Trend: → Steady-state

Significance: Model extraction is systematic and cross-platform. The distilled models are stripped of alignment guardrails. Current regulatory frameworks have no mechanism to address it.

SPONSORED BY

Dictate PRDs, acceptance tests, and bug reproductions inside Cursor or Warp and get paste-ready text. Wispr Flow auto-tags file names and preserves variable names so your technical writing stays precise. Try Wispr Flow for engineers.

See a demo

235% — Week-over-week increase in AI threat agent article volume — the largest single-week surge tracked in this edition's history. This is not a detection artefact. The incidents are real.

600 — FortiGate firewalls compromised by a single operator in five weeks using LLM orchestration. Not a team. Not a nation-state programme. One person, commercial APIs, five weeks.

28% — The proportion of ransomware victims who paid in 2025 — the lowest ever recorded — even as attack volume reached record highs. Attackers are adapting their economics, not retreating.

The most consequential finding this week does not involve a nation-state or a sophisticated criminal organisation. It involves a single Russian-speaking threat actor with low-to-medium technical skills who built a custom MCP orchestration layer called ARXON that bridged DeepSeek and Claude across the full kill chain. DeepSeek handled per-target tactical reconnaissance and attack planning, building a persistent knowledge base across 600+ targets. Claude was configured — via a hardcoded settings.json — to autonomously execute Impacket, Metasploit, DCSync, and pass-the-hash attacks against live production networks. No per-action human approval. Fully autonomous execution.

The operation ran from January 11 to February 18, 2026. 600+ FortiGate devices. 55 countries. Post-compromise activity included Active Directory compromise and Veeam backup targeting — consistent with ransomware staging. The actor progressed from the open-source HexStrike offensive AI framework to bespoke custom tooling in approximately eight weeks.

This is the first publicly documented continental-scale AI-powered cybercrime pipeline operated by a single individual. AWS, which attributed the operation, described it as commercially viable AI-augmented cybercrime — not nation-state activity. That framing matters. Nation-state operations have historically been separated from commodity crime by the resource investment required. That separation is gone.

The operational implication is uncomfortable but clear: a motivated individual with access to commercial LLMs and a few weeks of development time can now achieve APT-scale impact against vulnerable network infrastructure. If your FortiGate patching cadence is measured in weeks rather than hours, and your detection relies on seeing human-speed attack patterns, you are not calibrated to this threat. Audit Claude and AI tool configurations across your developer and operations environments for autonomous execution settings. Publish detection rules for the confirmed ARXON infrastructure: 212.11.64[.]250 and 185.196.11[.]225.

Three distinct campaigns this week converge on a single attack surface: the tools developers use to build software.

The SANDWORM_MODE campaign delivered 19 malicious npm packages carrying a module called McpInject — documented in detail by The Hacker News — that deploys a rogue MCP server masquerading as a legitimate tool provider. When a developer installs an affected package and opens their AI coding assistant, the malicious server injects prompt instructions that silently exfiltrate SSH keys, AWS credentials, and API keys from nine LLM providers. The malware simultaneously runs a local DeepSeek Coder LLM via Ollama to autonomously rewrite its own code between executions — renaming variables, restructuring control flow, encoding strings — to defeat signature detection.

Separately, researchers disclosed RoguePilot, a confirmed indirect prompt injection vulnerability in GitHub Copilot where hidden HTML comments in GitHub Issues hijack the AI assistant's execution pipeline to exfiltrate GITHUB_TOKEN without user interaction. The attack requires only the ability to open an issue on a public repository. Microsoft patched the specific vector. The underlying architecture — AI agents that ingest and act on untrusted external context — is not patched and cannot be patched at the platform level.

Check Point then disclosed three CVEs in Claude Code (CVSS 8.7, 8.7, 5.3) exploiting project hooks, MCP server initialisation, and environment variable handling to execute arbitrary commands and exfiltrate Anthropic API keys. The attack vector is opening a malicious repository.

These are not independent stories. They share a threat model: AI coding assistants run with developer-level permissions, ingest untrusted data from multiple sources, and are configured to act autonomously. The attack surface is any data source the AI touches. Until AI agent frameworks implement cryptographically verified context provenance, every MCP server, every plugin, every repository an AI assistant opens is a potential injection point. Security teams need to implement a mandatory allowlist for MCP server registration and treat AI configuration files with the same protection level as PKI material.

Anthropic disclosed this week that three Chinese AI firms — DeepSeek, Moonshot AI, and MiniMax — collectively executed over 16 million Claude API queries through approximately 24,000 fraudulent accounts using hydra cluster proxy architectures to conduct industrial-scale model distillation. The queries were not random. They targeted specific capability domains: reasoning, agentic tool use, computer vision. Google disclosed a parallel campaign against Gemini, confirming this is systematic and cross-platform.

The distilled models are not just copies. They lose alignment guardrails as a byproduct. The techniques used to extract Claude's capabilities produce models that will answer questions Claude is trained to decline. DeepSeek specifically targeted censorship-safe alternatives for politically sensitive queries. The downstream risk is not a competitor gaining market share. It is the proliferation of capable but unaligned AI models available for military, intelligence, and surveillance applications.

Apply Rosling's fear instinct here: is this genuinely alarming? Yes, but not in the way most coverage frames it. The commercial competitiveness angle is noise. The substantive concern is the systematic production of high-capability, safety-stripped models at national scale, and the fact that current AI regulation — including DORA, GDPR, and proposed AI Act frameworks — has no mechanism to address it. The EU AI Act's risk classification assumes the models being deployed have safety controls. Model extraction systematically removes that assumption.

The practical implication for CISOs is narrower but real: if your organisation is evaluating AI vendors, verify whether the models you are being sold are distillations of commercial models with stripped guardrails. Ask the vendor directly. If they cannot answer, treat the risk accordingly. Implement API usage monitoring with anomaly detection — sudden consumption spikes or off-hours query patterns may indicate stolen key abuse feeding further extraction campaigns.

🤖 AI-Enabled Attacks 

The CrowdStrike 2026 Global Threat Report documents an 89% year-over-year increase in AI-enabled attacks, with GenAI systems confirmed as a primary attack surface and average breakout time compressing to 29 minutes — 65% faster than 2024. Kali Linux integrated Claude via MCP for natural language penetration testing command execution, further lowering the offensive capability floor.

🏴‍☠️ Nation-State AI Activity 

Google disrupted UNC2814, a China-linked APT, which used the Google Sheets API as a C2 channel targeting 53 government and telecom organisations across four continents. Salt Typhoon was confirmed to have accessed UK Prime Minister aides' phones for three years by infiltrating telecom infrastructure.

💀 AI in Ransomware / Cybercrime 

North Korea's Lazarus Group was confirmed as a Medusa RaaS affiliate, targeting US healthcare providers; ransomware proceeds fund state espionage operations. The FBI seized RAMP, the primary remaining forum where ransomware was openly promoted, operated by indicted Russian national Mikhail Matveev (Wazawaka).

🔗 AI System Vulnerabilities 

Autonomous AI agents were used as a new supply chain attack vector via the Bob-P2P campaign, establishing the first documented playbook for social engineering autonomous agents rather than humans. OpenClaw AI automation platformcarries CVE-2026-25253 (one-click RCE), a poisoned skills marketplace, and active dark web interest — shadow deployments operating outside security team visibility.

📜 AI Policy & Regulation 

Anthropic disclosed the industrial-scale model distillation attacks by DeepSeek, Moonshot AI, and MiniMax involving 16 million Claude queries via 24,000 fraudulent accounts. Current regulatory frameworks have no mechanism to address systematic capability extraction that strips safety alignment.

🏢 Enterprise AI Risk 

Agentic AI blast radius analysis from Security Week — drawing on IBM X-Force data — shows 300,000 stolen ChatGPT credentials on dark web markets represent potential lateral movement vectors into enterprise AI environments. AI won't break M365 — your security backlog will: AI can now enumerate and exploit misconfigured E5 deployments at scale across thousands of tenants simultaneously.

🔬 Research & Detection 

RoguePilot flaw research additionally documents GRP-Obliteration — a reinforcement learning technique that removes safety features from 15 LLMs using a single unlabelled prompt — and Promptware, a new malware class exploiting LLMs as execution vectors, both with confirmed research validation.

One hundred editions ago, the question was whether AI would make phishing emails better. This week confirmed a different question: at what skill level does a single individual become capable of APT-scale operations? The answer, as of February 2026, is low-to-medium. That is not a trend line to watch. It is a fact to act on.

The AI threat landscape has a structural problem that most security programmes are not yet designed to address. The entire defensive architecture — detection, response, recovery — was built around human-speed attacks. Twenty-nine minutes to breakout, four minutes in the fastest confirmed case, does not fit within a human-analyst-dependent detection model. The question for Monday morning is not whether your SOC can detect this. It is whether your preventive controls are good enough that detection becomes secondary.

There is a Rosling instinct to apply to this week's noise. Model distillation attacks and the diplomatic fallout from Chinese AI firms stealing Claude queries are real, but they are not your immediate operational priority. The ARXON campaign and the MCP injection supply chain attacks are. One requires you to audit your AI vendor relationships over the next quarter. The other requires you to audit your developer environments this week.

The uncomfortable position I have held for 100 editions is that security programmes are built for the threat landscape of three years ago. This week's data confirms we are at least three years behind the curve. The 89% year-over-year increase in AI-enabled attacks is not a warning of what is coming. It is a description of what already happened in 2025. The trajectory for 2026 starts from that baseline.

Reference: AI Influence Level from Daniel Miessler

Till next time!

Project Overwatch is a cutting-edge newsletter at the intersection of cybersecurity, AI, technology, and resilience, designed to navigate the complexities of our rapidly evolving digital landscape. It delivers insightful analysis and actionable intelligence, empowering you to stay ahead in a world where staying informed is not just an option, but a necessity.