
AI in the underground: Curiosity, claims, and concerns

Amid discussions about how artificial intelligence can facilitate cybercrime, some threat actors remain skeptical

Counter Threat Unit™ (CTU) researchers have observed artificial intelligence (AI) emerging as a prominent topic in underground communities, with threat actors discussing its potential, claiming its use for malware and tool development, and expressing concerns. Many claims have not been validated, but the posts reveal perceptions about generative AI and examples of how it may be used in cybercriminal activity. In some respects, threat actors are facing the same challenge as everyone else: seeking to preserve economic viability during a technological transition while trying to identify how and when to embrace AI.

Access and knowledge sharing

Defenders and threat actors test and experiment with AI-enabled capabilities, but from very different positions. Defenders typically benefit from greater access to commercial tooling, dedicated engineering support, and the financial freedom to trial emerging technologies at scale. In contrast, resource-constrained threat actors are looking for practical ways to gain access.

CTU™ researchers have observed API keys for generative AI tools being sold via shared accounts, brokered access, and alternative platforms. In one thread, the “CyberThreat” persona offered brokered API keys for tools such as ChatGPT, Claude, and Grok (see Figure 1). In another post, “VOLTIC” advertised access to multiple AI models as a cost-effective solution for buyers who need AI capabilities (see Figure 2). Although both personas were new to the underground marketplaces, the posts quickly attracted interest and other personas endorsed the services.

CyberThreat persona advertising API keys

Figure 1: CyberThreat selling brokered API keys

VOLTIC persona describing an AI service for sale

Figure 2: VOLTIC advertising an unlimited AI tool

While API keys and associated generative AI chatbots are available for sale across underground forums, there appears to be a knowledge gap. Personas turn to each other for guidance ranging from basic setup and access through to practical tradecraft. New channels focused on AI and large language models (LLMs) and their use continually emerge on underground forums (see Figure 3). Threads include discussions about “jailbreaking” public AI models, including efforts to bypass censorship and other safeguards imposed by AI vendors. Personas frequently reference experimentation with prompt‑based techniques to circumvent content controls, including role‑play framing, multi‑stage prompting, contextual manipulation, and iterative refinement. CTU researchers have also observed self-described “experienced AI users” sharing examples and lessons learned, including prompt templates, workflows, examples of LLM experimentation, and purported best practices for operationalizing AI in malicious scripting and automation.

Sample listing of post titles on an AI / machine learning channel

Figure 3: Sample of posts on a channel dedicated to AI and machine learning (ML) questions

Since January 1, 2026, CTU researchers have noted an increase in offers to hire, or partner with, specialists who can operationalize AI on others’ behalf. Multiple personas known for recruiting various roles (e.g., blockchain developers, coders, social engineers) advertised for AI prompt engineers (see Figure 4). The offering of specialized services is common within underground communities, enabling threat actors to monetize their skills and giving cybercriminals access to expertise and capabilities they lack.

Underground post seeking an OpenAI prompt engineer

Figure 4: Recruitment post for an OpenAI prompt engineer

Social engineering and deception

Threat actors are exploring AI to enhance social engineering and deception techniques, although only a limited number currently incorporate generative AI into their toolkits. Forum posts suggest that generative AI models can be integrated into common fraud and intrusion workflows to help threat actors overcome language barriers, maintain consistency, distribute content at scale, and rapidly iterate lures across email, SMS, messaging platforms, and voice channels. Notably, CTU researchers have observed advertisements for realistic voice bots for vishing and call-based fraud (see Figure 5). Threat actor claims and positive reviews suggest that these bots can be trained or prompted to emulate tone, cadence, and conversational patterns.

Underground forum post describing an AI Telegram voice bot

Figure 5: Advertisement for an AI Telegram voice bot

Some personas have expanded beyond voice bots to AI models. On multiple forums, the “HackingRealm” persona advertised an AI OnlyFans Models service to create credible, scalable personas for romance fraud and other social engineering campaigns. In addition to drafting and refining conversational messages, advertised services claim to generate synthetic profile imagery that mimics authentic individuals. HackingRealm’s Telegram channel also links to a website for model creation (see Figure 6) that includes a page listing positive feedback from users.

Home page of website for creating AI models

Figure 6: AI model creation website

Malware and tooling

Threat actors are advertising AI-enabled tools and malware on various underground communities. The following examples were posted on English-language cybercrime marketplaces. CTU researchers have not validated the claimed capabilities but selected these samples to demonstrate the breadth and depth of tools and malware marketed as “AI-led” or “AI-enabled.” Several of the tools are open source, and the threat actors encourage forum members to explore how legitimate AI tools can be used for malicious purposes.

Leak Bazaar

On March 25, 2026, the “Snow” persona announced SnowTeam’s launch of Leak Bazaar, a platform dedicated to the exchange of stolen corporate data (see Figure 7). Over more than four years, Snow has contributed over 400 posts and garnered more than 600 positive reactions, demonstrating consistent engagement and earning the trust of the community. The announcement mentions the platform’s machine learning-enabled analysis and reverse engineering capabilities, emphasizing its aim to help threat actors efficiently monetize large datasets while enabling buyers to purchase targeted segments rather than entire collections. Leak Bazaar purportedly leverages automation and machine learning (ML) to triage massive volumes of data, filter out “system junk,” and apply natural language processing (NLP) to extract and organize relevant content, further supporting the platform’s value proposition.

Underground post announcing Leak Bazaar launch

Figure 7: Announcement of Leak Bazaar launch

ApexAI

On April 12, “ApexDev” introduced the Apex AI tool intended for “carding, hacking, and malware creation” (see Figure 8). This malicious tool is unrelated to the legitimate ApexAI tool. ApexDev claimed that Apex AI utilizes advanced techniques, including log analysis for pattern recognition and adaptive network configuration to support the operation of malicious processes. Furthermore, the tool can purportedly generate a range of malware types, such as stealers and trojans, and it also includes code optimization, analysis, and debugging features.

Underground post describing Apex AI

Figure 8: Apex AI announcement by ApexDev

ApexDev is primarily associated with website and panel creation, as well as sniffers, and has received positive feedback. The persona has encouraged other forum users to engage with AI, running competitions and offering $50 for utilities that are created and shared. CTU researchers have identified ApexDev’s name in arbitration sections of forums following complaints about behavior. However, all complaints seem to have been resolved, and the persona continues operations.

Metatron

On April 5, the “Wikileaks” persona described an AI-powered penetration testing assistant known as Metatron that operates locally on a user’s system without reliance on cloud services, API keys, or subscriptions (see Figure 9). The tool can leverage a locally hosted AI model to analyze reconnaissance results, identify vulnerabilities, suggest potential exploits, and recommend fixes. Metatron is freely available via GitHub, and third-party reporting has highlighted its use of an agentic loop to support autonomous, iterative analysis. WikiLeaks posted the information to encourage forum members to explore how legitimate tools that leverage AI can be used for malicious activity.

Underground post describing Metatron

Figure 9: Metatron description posted by WikiLeaks

PolyEngine

In an April 10 post on the ReadTheManual (RTM) forum, the “ADMIN” persona described a polymorphic PE packer named PolyEngine. This post used almost identical wording to an April 9 X (formerly Twitter) post by “Panos Gkatziroulis” that also included a link to a GitHub repository (see Figure 10). PolyEngine was allegedly designed to evade endpoint detection and response (EDR) heuristics and antivirus detection through layered execution methods and obfuscation techniques. ADMIN also claimed to have used AI (“Claude Code”) to refine and implement specific functionality, to improve code quality, and to optimize evasion techniques.

Comparison of underground and X posts describing PolyEngine

Figure 10: Nearly identical wording in posts about PolyEngine on the RTM forum (top) and X (bottom)

As administrator, ADMIN is responsible for maintaining order and trust within the RTM community by enforcing rules, resolving disputes, and overseeing moderation, as well as managing the forum’s technical and structural aspects. This position of authority adds credibility to the persona’s posts.

Cobalt Strike

On April 9, the “NightRaider” persona advertised an updated version of Cobalt Strike, highlighting user‑interface improvements and the beta introduction of a REST API (see Figure 11). The API’s features include scripting and task‑tracking capabilities, as well as an MCP server integration with the Claude LLM. NightRaider has predominantly advertised alleged EDR killers but also offers malware such as Cobalt Strike and BruteRatel. The persona is active in the advice sections of multiple forums and describes themselves as “a man for everything” who focuses on virology and malware.

Underground post advertising a Cobalt Strike update

Figure 11: NightRaider advertising a Cobalt Strike update

This post illustrates how threat actors are reframing established offensive tooling as “AI‑enabled” by adding mainstream LLM integrations and automation interfaces to existing workflows. The advertised REST API and MCP support may appeal to buyers looking to script tasking and add lightweight task tracking around post‑exploitation. The post also reflects a broader trend of using “agentic” and LLM‑integrated branding as a differentiator, even when it primarily enables convenience and automation rather than new tradecraft.

AI-assisted cyberattacks

Personas have discussed the use of public AI assistants for intrusion activity. Figure 12 shows a post by the Rehub forum administrator about a threat actor’s use of Claude to support a cyberattack against Mexican government networks and steal data, and the attacker’s attempted use of ChatGPT to gather additional information. The poster’s position as forum administrator lent credibility and visibility to the story and prompted other members to discuss and exchange instances of stolen Claude code, further fueling dialogue around the use of AI in cyberattacks.

Underground post describing the use of AI in a cyberattack

Figure 12: Post describing the use of AI in an attack on Mexican government networks

In another example, the “GhostVibe” persona claimed to be seeing an increase in AI-assisted malware within their own sample analysis, citing “better phishing generation,” improved coding, and “faster adaptation” against defensive controls (see Figure 13). The threat actor also framed AI as a way to improve payload and scripting quality and invited others to share similar observations. The post gained interest from fellow forum members.

Underground post describing observations of AI-assisted malware

Figure 13: GhostVibe discussing AI-assisted malware

Additionally, CTU researchers have observed claims that AI prompts and generated data may be captured as collateral in cyberattacks. As more organizations deploy AI across their environments, the potential exposure of this type of data is likely to increase, reinforcing the importance of secure implementation and continuous monitoring.

Skepticism and speculation

CTU researchers have observed uncertainty across underground forums and Telegram channels about how AI may reshape roles, pricing, and competitive advantage within the cybercrime economy. Personas express concern that AI will reduce work opportunities, particularly for manual services such as malware development and scripting (see Figure 14). Some also discredit the use of AI, encouraging others to rely on their own capabilities and human skillsets.

Underground forum posts discussing the implications of AI on various types of jobs

Figure 14: Sample posts discussing concerns around AI’s impact on jobs

On April 7, 2026, Anthropic announced a cybersecurity initiative named Project Glasswing that was prompted by capabilities observed in its unreleased frontier AI model, Claude Mythos Preview. Anthropic assessed that the model could autonomously identify and chain software vulnerabilities at a level comparable to highly skilled human researchers and therefore chose not to release it publicly. This claim sparked discussions involving established members of underground forums. Some threat actors remained skeptical (see Figure 15); however, many personas speculated on the use and potential of generative AI (see Figure 16). The posts align with the diverse attitudes toward AI that CTU researchers have observed across forums.

Underground post expressing skepticism about Mythos

Figure 15: Skepticism about Mythos

Underground thread debating the implications of AI

Figure 16: Reactions to AI in a thread discussing Mythos

Conclusion

AI is an ongoing and evolving topic of discussion across underground forums. Threat actors have expressed uncertainty and curiosity about its potential impact, and posts reflect skepticism and doubt as well as active experimentation.

The sample posts in this analysis not only demonstrate how threat actors imply AI-driven capabilities but also highlight a broader trend of leveraging these narratives for marketing. Personas often seek to legitimize their technical prowess and attract attention, which may inspire others to emulate or innovate upon their approaches. Many posts reference manipulation of legitimate AI tools and services for malicious purposes. Some threat actors may not participate in forum discussions, opting instead to quietly explore the technology’s practical limits and tradecraft implications.

As AI tooling and capabilities evolve, organizations should continue to prioritize strong cyber hygiene such as timely patching, multi-factor authentication (MFA), and passkey use to reduce exposure to established tradecraft and future AI-assisted acceleration. Defenders should also maintain visibility across their environment to identify and mitigate anomalous activity before attacks escalate.