EXECUTIVE SUMMARY
The cyberthreat landscape has reached a critical inflection point in the adoption of artificial intelligence capabilities by adversaries. Analysis of recent developments reveals a convergence between the maturation of criminal AI tool marketplaces and the operational deployment of AI-enabled malware by both cybercriminal and state-sponsored threat actors.
Key Findings:
- Threat actors have fundamentally shifted from using AI to enhance productivity to deploying novel AI-enabled malware in active operations, including first-observed "just-in-time" dynamic code-generation capabilities. This operational deployment represents a qualitative shift in adversary capabilities rather than merely an incremental improvement.
- The underground AI tool marketplace has evolved into a structured commercial ecosystem with subscription-based models. Xanthorox, priced at $300 per month, exemplifies this maturation by operating as a jailbroken commercial LLM service that provides unrestricted access to AI capabilities for malicious purposes.
- These criminal AI services create exploitable infrastructure dependencies, as platforms like Xanthorox rely on unauthorized access to major cloud providers' LLM infrastructure, specifically Google Gemini Pro. This dependency creates opportunities for detection and disruption that would not exist with truly self-hosted criminal AI systems.
- State-sponsored APT groups from Russia (APT28), China, Iran (APT42, TEMP.Zagros), and North Korea (UNC1069, UNC4899) are systematically integrating AI capabilities across the full attack lifecycle, from reconnaissance through data exfiltration. This represents coordinated adoption rather than isolated experimentation.
- Threat actors have developed sophisticated social engineering techniques specifically designed to bypass AI safety mechanisms. These techniques include impersonating CTF participants seeking legitimate cybersecurity education and adopting academic researcher personas to frame malicious requests as scholarly inquiry.
Bottom Line: The convergence of accessible criminal AI tooling and state-actor adoption represents a force multiplier that lowers barriers to entry for less sophisticated actors while enhancing the capabilities of advanced persistent threats. Defensive strategies must evolve beyond traditional detection methodologies to include AI-specific threat hunting and provider-level interdiction capabilities.
DETAILED ANALYSIS
1. CRIMINAL AI MARKETPLACE EVOLUTION: THE XANTHOROX CASE STUDY
Platform Overview
Xanthorox represents the current state of criminal LLM-as-a-Service offerings, marketed as an "uncensored" AI platform for generating malicious code, penetration testing, and cyber operations. First announced in October 2024 via private Telegram channels, the service expanded to advertising on darknet forums in February 2025.
Technical Architecture
Contrary to marketing claims of independent infrastructure, technical analysis reveals Xanthorox operates as a jailbroken Google Gemini Pro instance running on Google's cloud infrastructure. Multiple technical indicators confirm this dependency: the system prompt explicitly includes jailbreak instructions designed to bypass safety guardrails, and the LLM self-reports a 72,000-token context window, consistent with Gemini Pro 1.0 specifications. Analysis of the service's fine-tuning approach reveals a dataset focused primarily on removing restrictions rather than enhancing technical capabilities. The platform's lack of internet access and RAG capabilities is attributable to provider-imposed limitations rather than architectural choices. Google has confirmed unauthorized use of its API, which violates its Gen AI Prohibited Use Policy.
The service operates on a tiered pricing structure designed to maximize market penetration across threat-actor sophistication levels. The basic web application subscription costs $300 per month, payable exclusively in cryptocurrency to maintain operational security. An advanced package priced at $2,500 annually includes custom fine-tuning capabilities and priority support for high-value customers. The service also offers Agentex, a local agent that automatically compiles AI-generated malicious code into ready-to-execute binaries.
Operational Capabilities
Xanthorox demonstrates several confirmed capabilities that make it attractive to threat actors. The platform produces well-commented, functional shellcode runners, obfuscators, and malware components with quality comparable to human-developed code. It generates code using indirect syscalls and memory allocation techniques specifically designed to evade endpoint detection and response systems at the API level. The Agentex feature provides end-to-end automation by transforming natural language attack instructions into ready-to-execute binaries without requiring manual compilation. Additionally, the service offers specialized code for processing output from commodity infostealers such as LummaStealer and RedLine.
However, significant limitations constrain the platform's capabilities. The service lacks internet connectivity, preventing it from conducting OSINT, accessing dark web forums, or retrieving real-time data needed for targeted attacks. The absence of RAG implementation prevents the platform from accessing an external knowledge base or current vulnerability information. The model's knowledge remains outdated, leaving it unaware of recent CVEs and emerging attack techniques critical for sophisticated operations. These operational constraints stem from running on Google's infrastructure rather than representing deliberate design choices.
Xanthorox's reliance on unauthorized access to commercial LLM infrastructure creates an inherent vulnerability that defenders can exploit. Google's detection and account termination capabilities provide a disruption mechanism unavailable against truly self-hosted criminal AI systems, though determined actors will likely migrate to alternative platforms.
2. AI-ENABLED MALWARE: OPERATIONAL DEPLOYMENT OBSERVATIONS
PROMPTFLUX: Dynamic Self-Modifying Malware
First observed in June 2025, PROMPTFLUX represents the first identification of malware employing LLM-driven self-modification at runtime. Although currently unattributed, lure analysis suggests a likely nexus with financial crime. The malware uses a VBScript-based dropper that queries the Gemini API for real-time evasion techniques via a "Thinking Robot" module. This module requests new obfuscation code designed to evade antivirus software, with the query structured as a machine-parsable prompt requesting specific VBScript evasion code. The malware contains a hardcoded API key, targets the gemini-1.5-flash-latest model, and includes a self-modification function that, although commented out in observed samples, demonstrates clear development intent. The architecture supports hourly code regeneration, enabling metamorphic evolution that would significantly complicate signature-based detection.
PROMPTSTEAL: State-Sponsored LLM-Augmented Operations
Also first observed in June 2025, PROMPTSTEAL marks the first observation of state-sponsored malware querying LLMs in live operations. Attributed to APT28 (FROZENLAKE, Russian GRU) and targeting Ukrainian entities, the malware masquerades as image generation software while functioning as a sophisticated data miner. The malware queries Qwen2.5-Coder-32B-Instruct via the Hugging Face API to dynamically generate system enumeration and document collection commands. Notably, the malware uses stolen API tokens to access LLM infrastructure and executes commands blindly, without hardcoded command strings, representing a fundamentally new approach to C2 architecture that eliminates traditional indicators of compromise.
3. STATE ACTOR AI INTEGRATION ACROSS ATTACK LIFECYCLE
China-Nexus Operations
Chinese threat actors have demonstrated the most comprehensive integration of AI across the full attack lifecycle. One China-linked actor successfully bypassed Gemini's safety responses by framing malicious requests as assistance for a capture-the-flag competition, exploiting the platform's legitimate use cases. This actor used AI to research unfamiliar attack surfaces, including AWS, Kubernetes, vSphere, and macOS environments, enabling rapid cross-platform expansion of capabilities. AI support was observed across every phase of operations, including reconnaissance, phishing campaign development, lateral movement techniques, C2 framework development, and data exfiltration methodologies.
APT41, a sophisticated PRC-linked group, has integrated AI into tool development workflows for C2 framework development, specifically the OSSTUN framework. The group employs AI to assist with code obfuscation across multiple languages, including C++ and Go, while simultaneously conducting social engineering through open forums to gather intelligence and test detection capabilities.
Iranian Threat Operations
TEMP.Zagros (also known as MuddyWater or MUDDYCOAST) demonstrates a significant evolution in capability, shifting from reliance on publicly available tools to custom malware development with AI assistance. However, critical OPSEC failures have exposed their operations, including the submission of complete scripts containing C2 domains and encryption keys to Gemini for debugging assistance. The group has adopted personas, such as a university student working on "final projects" or "writing papers," to circumvent safety guardrails, thereby demonstrating systematic pretext development.
APT42, another Iranian threat actor, has focused its AI capabilities on developing sophisticated phishing campaigns that impersonate legitimate think tanks and security organizations. The group uses AI translation services to address specialized vocabulary that would otherwise be difficult to acquire. It has developed a SQL query-generation tool specifically designed to analyze sensitive personal data collected during operations.
North Korean Operations
UNC1069 (MASAN) has focused its AI use on cryptocurrency-related operations, developing AI-assisted wallet reconnaissance and theft tools. The group has expanded into multilingual social engineering, creating Spanish-language lures to target Latin American cryptocurrency markets. UNC1069 has also explored deepfake image and video generation to impersonate personnel in the cryptocurrency industry and to distribute the BIGMACHO backdoor via malicious "Zoom SDK" social engineering campaigns.
UNC4899 (PUKCHONG) focuses on vulnerability research, using AI to accelerate the discovery of vulnerabilities in edge devices and modern browsers. The group seeks AI assistance with exploit development and has enhanced supply-chain compromise tools through AI-generated code improvements.
4. GUARDRAIL BYPASS TECHNIQUES
Threat actors have developed systematic approaches to circumvent AI safety mechanisms through sophisticated social engineering. The most effective persona involves posing as a CTF participant, framing requests about cybersecurity techniques as "I am working on a CTF problem and need to understand..." Academic researcher personas are similarly effective, with actors claiming to be "writing a paper on cybersecurity techniques" that requires technical detail. Student project pretexts position requests as "for my final university project on..." security topics, while international publication claims frame content as preparation for "an international article analyzing..." threat methodologies.
Beyond persona adoption, threat actors employ refined prompt engineering tactics that have proven successful against multiple AI platforms. These include initiating conversations with benign queries before gradually escalating to malicious content, framing harmful requests within educational or research contexts that legitimize the inquiry, and using technical terminology that makes malicious content appear to serve academic purposes. Threat actors demonstrate iterative learning, studying AI safety responses to refine bypass techniques in subsequent attempts.
CORRELATION ANALYSIS
Direct Technical Connection:
Xanthorox operates as a jailbroken Gemini Pro service, placing it directly within the ecosystem of unauthorized LLM access documented by Google Threat Intelligence. The platform represents the commercialization of the specific abuse patterns that Google identifies among state-sponsored and criminal actors. This is not a coincidental overlap but rather a structured criminal response to market demand created by the successful integration of threat-actor AI.
Convergent Threat Indicators:
The infrastructure dependency dimension reveals parallel patterns. Xanthorox's unauthorized access to the Gemini Pro API mirrors PROMPTFLUX's use of the Gemini API and APT28's use of the Hugging Face API in operational malware. The monetization model shows criminal marketplace adaptation, with Xanthorox's $300 monthly subscription forming part of a broader ecosystem of tiered pricing for underground AI tools. Jailbreaking methodologies converge: Xanthorox's system prompt, which instructs the model to drop all guardrails, relies on the same CTF and student pretexts that state actors use to bypass safety mechanisms. Operational status indicators align temporally: Google observed active deployment in APT campaigns by APT28 and APT42 during the same period in which Xanthorox was actively marketed. Code generation capabilities overlap functionally: Xanthorox produces malware components, obfuscators, and shellcode; PROMPTFLUX demonstrates dynamic obfuscation; and APT groups develop custom tools.
Strategic Convergence
The marketplace has matured significantly, with Xanthorox exemplifying the evolution of the criminal AI tool ecosystem from experimental jailbreaks to structured commercial services with professional support tiers. Operational integration timing is significant, as Xanthorox's October 2024 announcement aligns precisely with threat actors' transition from experimentation to operational deployment of AI-enabled malware. The detection response cycle demonstrates provider capabilities, with Google's disruption of Xanthorox showcasing provider-level interdiction mechanisms. Most importantly, the force-multiplier effect enables lower-tier criminals to access Xanthorox-like services, thereby achieving the sophistication that previously required advanced technical skills and significant development resources.
THREAT ASSESSMENT
Capability Evolution Timeline
The timeline of AI adoption by adversaries shows a clear progression through distinct phases. From 2023 through early 2024, threat actors conducted an experimental phase focused on jailbreaking existing models for proof-of-concept demonstrations. In mid-2024, there was concentrated tool development, including the creation of criminal-specific AI platforms, culminating in Xanthorox's announcement in October 2024. The period from late 2024 through 2025 marks the operational deployment, with the first observations of AI-enabled malware in active campaigns, including PROMPTFLUX and PROMPTSTEAL. The current state reflects marketplace maturation, with structured pricing models and the systematic integration of state actors across all operational phases.
Risk Impact Assessment
Financial services face critical risk from North Korean cryptocurrency targeting, enhanced by AI-generated social engineering, which is difficult for human analysts to distinguish from legitimate communications. Critical infrastructure remains vulnerable to state-actor reconnaissance and the development of exploitation tools that accelerate the discovery of attack paths. The technology and cloud sector faces an expanding cross-platform attack surface as threat actors use AI to rapidly develop capabilities for AWS, Kubernetes, and vSphere environments. The defense industrial base faces heightened risk from Iranian targeting with AI-crafted lures that demonstrate unprecedented contextual sophistication.
RECOMMENDATIONS
STRATEGIC (C-Suite/Board Level)
Organizations must fundamentally revise threat models to account for AI force-multiplier effects across all threat-actor tiers, not merely advanced persistent threats. This requires updating assumptions about adversary capabilities and resource requirements. Investment rebalancing should allocate resources toward AI-aware security controls that move beyond traditional signature-based detection toward behavioral and anomaly-based approaches. Supply chain assurance programs must evolve to evaluate third-party code for potential AI-generated malicious components, as traditional code review may prove insufficient. Incident response planning requires updating IR playbooks to incorporate AI-enabled malware characteristics, ensuring that responders understand the dynamic, self-modifying nature of these threats.
OPERATIONAL (SOC/Threat Hunting)
Security operations centers must implement comprehensive network traffic analysis to monitor API calls to LLM services from unexpected sources and to establish baselines for legitimate AI tool usage within the environment. Detection engineering should shift toward behavioral anomaly detection, with particular attention to runtime code-generation indicators that traditional tools may miss. Threat hunting teams should develop detection use cases specifically targeting social engineering pretexts associated with guardrail bypass attempts and monitor for patterns consistent with documented actor techniques. Cloud environment hardening must implement least-privilege principles for API token access and monitor for anomalous LLM API consumption patterns that may indicate compromise.
TACTICAL (Security Engineering)
EDR and XDR platforms require tuning to detect indirect syscalls and VBScript or PowerShell scripts that make external API calls, as these are primary indicators of AI-enabled malware operations. Email security programs must train users specifically on the characteristics of AI-generated phishing content and implement advanced content analysis to detect subtle indicators of machine-generated text. API security implementations should include rate limiting, anomaly detection for internal AI service usage, and regular key rotation to minimize the impact of credential theft. Vulnerability management programs must prioritize patching for edge devices and web browsers, as North Korean actors specifically target these attack surfaces through AI-accelerated exploit development.
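The two detection ideas above (script interpreters making external LLM API calls, and anomalous consumption of internal LLM API credentials) can be prototyped in a few dozen lines. The following is an added example written for this report; it is not code from Trend Micro, Google Threat Intelligence, or any of the malware described. It assumes a simplified proxy/EDR log format and a simplified API-gateway record format, both constructed here; the two LLM API hostnames are real public endpoints for the Gemini API and the Hugging Face inference API, but the host list, the process allow-list, and the per-credential baselines are placeholders you would replace with your own environment's values.

```python
import re
from collections import Counter
from datetime import datetime

# Known public LLM API hostnames. These two are real endpoints; the list is
# an assumption and should be extended with whatever your environment uses.
LLM_API_HOSTS = {
    "generativelanguage.googleapis.com": "Gemini API",
    "api-inference.huggingface.co": "Hugging Face Inference API",
}

# Script interpreters with no legitimate reason to call an LLM API directly
# (the PROMPTFLUX pattern in the report is a VBScript dropper doing exactly this).
SCRIPT_INTERPRETERS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}

# Hypothetical allow-list of processes baselined as legitimate AI-tool users.
APPROVED_CALLERS = {"chrome.exe", "msedge.exe", "python.exe", "code.exe"}

# Assumed proxy/EDR log format, constructed for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>\S+) status=(?P<status>\d{3})$"
)

# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = """\
2025-06-12T09:14:02Z host=WS-014 proc=wscript.exe dst=generativelanguage.googleapis.com status=200
2025-06-12T09:14:07Z host=WS-014 proc=chrome.exe dst=generativelanguage.googleapis.com status=200
2025-06-12T09:15:11Z host=SRV-03 proc=python.exe dst=api-inference.huggingface.co status=200
2025-06-12T09:15:30Z host=WS-022 proc=powershell.exe dst=api-inference.huggingface.co status=401
2025-06-12T09:16:00Z host=WS-014 proc=wscript.exe dst=www.example.com status=200
2025-06-12T09:17:45Z host=WS-031 proc=notepad.exe dst=generativelanguage.googleapis.com status=200
malformed line that should be skipped
"""


def parse_log(text):
    """Parse log text into event dicts, dropping lines that do not match the format."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_llm_api_callers(events):
    """Flag processes reaching LLM API hosts. Script interpreters are HIGH;
    any other process outside the allow-list is MEDIUM; approved callers are ignored."""
    findings = []
    for ev in events:
        service = LLM_API_HOSTS.get(ev["dst"].lower())
        if service is None:
            continue
        proc = ev["proc"].lower()
        if proc in SCRIPT_INTERPRETERS:
            severity = "HIGH"
        elif proc not in APPROVED_CALLERS:
            severity = "MEDIUM"
        else:
            continue
        findings.append({
            "severity": severity, "host": ev["host"], "proc": proc,
            "service": service, "ts": ev["ts"], "status": int(ev["status"]),
        })
    return findings


# Constructed API-gateway records: (timestamp, credential id) per request.
# A stolen token replayed by malware typically shows up as a volume jump.
GATEWAY_CALLS = (
    [("2025-06-12T10:00:00Z", "svc-summarizer")] * 12
    + [("2025-06-12T10:00:00Z", "svc-translate")] * 9
    + [("2025-06-12T10:00:00Z", "svc-reporting")] * 47
)
# Hourly baseline per credential, assumed to be learned from prior weeks.
HOURLY_BASELINE = {"svc-summarizer": 10, "svc-translate": 8, "svc-reporting": 11}


def token_rate_anomalies(calls, baseline, factor=3.0):
    """Return credentials whose hourly call volume exceeds factor x baseline,
    or that have no baseline at all (an unknown credential is itself a finding)."""
    hourly = Counter()
    for ts, token in calls:
        hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").strftime("%Y-%m-%dT%H")
        hourly[(token, hour)] += 1
    anomalies = {}
    for (token, hour), n in hourly.items():
        expected = baseline.get(token)
        if expected is None or n > factor * expected:
            anomalies[token] = {"hour": hour, "observed": n, "expected": expected}
    return anomalies


if __name__ == "__main__":
    for f in detect_llm_api_callers(parse_log(SAMPLE_LOGS)):
        print(f"[{f['severity']}] {f['ts']} {f['host']} {f['proc']} -> {f['service']} (HTTP {f['status']})")
    for token, info in token_rate_anomalies(GATEWAY_CALLS, HOURLY_BASELINE).items():
        print(f"[RATE] {token}: {info['observed']} calls in {info['hour']} (baseline {info['expected']}/h)")
```

On the sample data this raises two HIGH findings (wscript.exe and powershell.exe reaching LLM endpoints, the latter with a 401 that may indicate a revoked or stolen token), one MEDIUM finding for an unbaselined process, and one rate anomaly for the svc-reporting credential. In production the hostname match should be done on the proxy's TLS SNI or DNS name rather than on a resolved IP, and the baseline should be computed per credential per hour of the week rather than a single constant.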
OUTLOOK
The convergence documented in these intelligence sources represents a permanent shift in the cyber threat landscape. The genie cannot be put back in the bottle, as AI capabilities will continue to proliferate regardless of efforts to disrupt individual services such as Xanthorox.
Several key strategic takeaways emerge from this analysis. Detection must take priority over prevention, as provider-level disruption provides only temporary relief and cannot prevent determined actors from finding alternative platforms or developing independent capabilities. The democratization of capability is significant, with the $300 monthly price point enabling moderately resourced actors to access sophisticated tooling previously available only to well-funded APT groups. Defense adaptation is urgent: the six-month window between the Xanthorox announcement and the operational deployment of malware demonstrates rapid threat-actor adaptation cycles that defensive programs must match. Provider ecosystem responsibility remains paramount, with commercial AI providers playing a critical role in detection and disruption that extends beyond their immediate customer base.
The Preemptive Security Paradigm: Moving Left of Adversary AI
The adversary adoption of AI-enabled attack capabilities necessitates a fundamental strategic reorientation toward preemptive security models that operate on the same temporal plane as threat actors. Traditional reactive security architectures that wait for malware samples, analyze post-breach forensics, and respond to indicators of compromise cannot effectively counter threats that generate novel code at runtime or employ just-in-time obfuscation techniques. The defensive paradigm must shift from "detect and respond" to "predict and prevent."
Preemptive security approaches, exemplified by platforms like Augur Security, operate by identifying adversary infrastructure during the reconnaissance and resource development phases (MITRE ATT&CK T1583) rather than waiting for exploitation attempts. Augur leverages AI-powered behavioral modeling to analyze global internet telemetry, detecting patterns consistent with malicious infrastructure acquisition an average of 51 days before weaponization. This temporal advantage is critical when facing adversaries using AI to compress attack timelines; the defensive window before adversary AI capabilities translate into operational impact continues to shrink.
The technical foundation of preemptive security directly addresses the threat landscape documented in this report. When PROMPTFLUX employs hourly code regeneration for metamorphic evolution, traditional signature-based detection becomes futile. However, preemptive identification of the command-and-control infrastructure hosting the LLM API endpoints enables blocking before the malware's first execution. When APT28 uses stolen API tokens to query Hugging Face for dynamic command generation, preemptive platforms can identify the malicious infrastructure patterns associated with the hosting domains before PROMPTSTEAL reaches target networks. When North Korean actors use AI to develop tools for cryptocurrency theft, preemptive detection of their staging infrastructure provides defensive opportunities during the development phase rather than after deployment.
The operational viability of preemptive security has been demonstrated against the exact threats documented in this analysis. Platforms employing this methodology successfully identified infrastructure associated with major campaigns, including the Salesforce breach, APT29 SolarWinds compromise, DarkSide's Colonial Pipeline ransomware operation, Log4j exploitation activity three months before public disclosure, and Volt Typhoon's targeting of U.S. critical infrastructure. These are not theoretical predictions but validated operational outcomes, in which organizations employing preemptive security had already neutralized risks before public awareness existed.
The strategic imperative for preemptive security intensifies as adversary AI capabilities mature. The criminal marketplace documented in this report, with Xanthorox representing just one commercialized offering, will spawn competitors and alternatives as disruption efforts shut down individual platforms. The operational deployment timeline from the Xanthorox announcement to the PROMPTFLUX observation demonstrates that adversaries operate in rapid iterations. Defensive strategies that remain reactive will perpetually lag behind offense by the time required to observe, analyze, and respond to novel threats. Preemptive approaches collapse this timeline by operating during adversary preparation phases before the attack infrastructure becomes operational.
The convergence of AI adoption by adversaries and preemptive security represents a strategic inflection point in cybersecurity. Organizations that continue to operate purely reactive security models will face increasing disadvantage as AI force multipliers enable less sophisticated actors to execute advanced attacks. At the same time, nation-state adversaries compress attack timelines beyond human response capabilities. The question is not whether to adopt preemptive security but how quickly organizations can operationalize these capabilities before the gap between offensive AI adoption and defensive adaptation becomes insurmountable.
CONCLUSIONS
Xanthorox represents the criminal marketplace infrastructure enabling this shift, while Google’s observations reveal the very real operational consequences as threat actors weaponize these capabilities against live targets. Together, they signal not just an evolution but a decisive break from the past, a threat landscape accelerating faster than traditional defenses can adapt. This new phase demands an immediate and fundamental shift from reactive, signature-based detection to a truly preemptive approach that operates on adversary timescales. Without this shift-left towards proactive preemption, defenders will be perpetually behind an offense now empowered by AI-speed iteration.
SOURCES
The Devil Reviews Xanthorox: A Criminal-Focused Analysis of the Latest Malicious LLM Offering: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-devil-reviews-xanthorox-a-criminal-focused-analysis-of-the-latest-malicious-llm-offering
GTIG AI Threat Tracker: Advances in Threat Actor Usage of AI Tools: https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools