Evolution of AI Misuse by Threats Actors

Introduction

The Q1-Q2 2025 cyber threat landscape reveals a fundamental transformation that demands immediate attention. We're witnessing the industrialization of social engineering and the commoditization of influence operations—all powered by AI integration that's accelerating faster than most organizations can adapt.

The below analysis is based on the public reports published by OpenAI (here and here), Anthropic (here) and Google (here). I have limited the analysis to 2025 with an aim to cover quarter by quarter evolution. This is obviously not a complete picture of the threat landscape, however focusing the big AI models provider should give a pretty accurate view of how the threat landscape is moving. The analysis was obviously supported by some AI prompting in Gemini and Claude - see at the end for the prompt.

Threat Actor Evolution: Six-Month Transformation

What Changed?

North Korea's Employment Scheme Evolution In Q1, North Korean actors were experimenting with AI to generate basic resumes for fraudulent job applications. By Q2, they'd built a fully automated global recruitment infrastructure. They're now recruiting proxy operators in Africa and North America, researching VPN technologies to bypass corporate security, and using AI to answer real-time interview questions.

The Influence-as-a-Service Economy Perhaps more concerning is the emergence of "influence-as-a-service" providers using AI to orchestrate dozens of social media personas simultaneously. These operators serve multiple geopolitical clients, making tactical engagement decisions through AI systems that determine when personas should like, share, or comment on specific content.

We're seeing the professionalization of information warfare, where a single operator can simultaneously advance Chinese, Iranian, and European interests through AI-managed campaigns.

Critical Warning Indicators

The Indirect Approach While AI safety measures successfully block direct malicious requests, threat actors are succeeding through indirect approaches. They're using legitimate-seeming prompts to generate content that serves malicious purposes—essentially social engineering the AI systems themselves.

Process Integration Dependency Threat actors aren't just using AI as a tool; they're building AI dependencies into core operational processes. Chinese actors are now using AI to generate internal policy documents and performance reviews for their operations. This creates both capabilities and vulnerabilities that traditional cybersecurity approaches can't address.

SPONSORED BY

Learn how to make AI work for you

AI won’t take your job, but a person using AI might. That’s why 1,000,000+ professionals read The Rundown AI – the free newsletter that keeps you updated on the latest AI news and teaches you how to use it in just 5 minutes a day.

Sign up to start learning.

Real-World Implications

For HR and Recruitment Teams Every resume you receive could be AI-generated. North Korean schemes have automated this process with detailed prompts and instruction loops. Traditional background verification processes are becoming insufficient when facing AI-generated identities supported by AI-coached interview responses.

For Information Authenticity When influence operations can generate hundreds of AI-driven comments to simulate organic engagement, distinguishing authentic discourse from manufactured consensus becomes nearly impossible. We're entering an era where the default assumption should be that social media engagement is artificial until proven otherwise.

The Strategic Response Framework

Immediate Actions

1. Redefine verification processes - Move beyond document-based verification to behavior-based authentication

2. Implement AI-powered defensive systems - Traditional signature-based detection is becoming obsolete

3. Establish AI-enabled social engineering awareness - Train teams to recognize AI-generated content patterns

Medium-term Adaptations

• Deploy AI systems that can identify AI-generated content in real-time

• Develop response protocols for AI-vs-AI conflict scenarios

• Create cross-industry intelligence sharing mechanisms specifically for AI-enabled threats

The Uncomfortable Truth

The gap between leading threat actors' AI capabilities and traditional defense mechanisms is widening rapidly. Organizations clinging to legacy security approaches are essentially bringing conventional weapons to a cyber-AI battlefield.

Looking Forward

We're approaching a threshold where AI-powered threat actors will achieve strategic advantage over traditional defenses. Critically, this advantage isn't coming from superior malware or novel hacking techniques—it's an information warfare edge. AI is enabling threat actors to operate at unprecedented scale in social engineering, influence operations, and deceptive communications.

The real threat multiplier is AI's ability to generate convincing personas, craft targeted phishing content, and automate social manipulation at industrial scale. While traditional cybersecurity focuses on protecting systems, the new battleground is protecting human decision-making from AI-generated deception.

The window for reactive adaptation is closing. Organizations must immediately prioritize AI-powered detection and response capabilities, not as a future enhancement but as an operational necessity.

Key Metrics to Track:

• Time between AI technique emergence and defensive response

• Percentage of security incidents involving AI-generated social engineering components

• Effectiveness of AI-powered versus traditional detection methods for influence operations

• Volume of AI-generated content targeting your organization's stakeholders

The question isn't whether AI will transform cyber threats—it already has. The question is whether your organization will adapt fast enough to defend against AI-powered information warfare, not just traditional technical attacks.

Prompts

# Input: Extracted articles (see at the top), split by Quarter (so run twice)
# Model: Gemini 2.5 Flash

You are a cyber threat intelligence analyst. Analyze the following text, corresponding to August 2024 to now cyber threat reports.

Please extract:

1. Key threat actors and their activity
2. TTPs used — new or evolving behaviors
3. Evidence of AI-driven malicious activities
4. Changes in targets / collaboration
5. Emerging trends vs. previous quarters

Format output as structured bullet points. Clearly tag NEW behaviors and AI-driven activities.
Focus on signal extraction, not simple summarization.

# Input: Output of first prompt
# Model: Claude Sonnet 4

You are a cyber threat intelligence strategist. You will analyze trends across multiple quarters of cyber threat reports. I will provide you with extracted summaries for several quarters. Your goal: 
1. Identify how threat actor behavior evolved over time 
2. Detect emerging AI-driven malicious techniques — and when they first appeared 
3. Highlight any patterns of change in targeting, tactics, or group collaboration 
4. Assess whether AI usage is increasing, stagnating, or declining 
5. Forecast potential future trends based on these patterns Please provide:
* Structured bullet point comparison
* Timeline of “first seen” AI-driven behaviors
* Executive-level summary of the evolving threat landscape
Ready? the summary are attached