Inside the Repository Tracking How Threat Actors Actually Use AI (Spoiler: It's Mostly Phishing)

Hook

In August 2025 came the first confirmed case of a low-skill threat actor using GenAI to write functional ransomware. Before that, nearly every ‘criminal LLM’ marketed on dark web forums was a scam, and the most sophisticated threat actors were using AI for… email phishing.

Context

The cybersecurity industry has spent the past two years in a state of controlled panic about AI-enabled threats. Vendors warn of autonomous AI hackers, sophisticated deepfake social engineering, and code-generating malware factories. Gartner predicts, Microsoft issues advisories, and CISOs allocate budget accordingly. But here’s the problem: most of this threat intelligence conflates what’s theoretically possible with what threat actors are actually doing in the wild.

The cybershujin/Threat-Actors-use-of-Artifical-Intelligence repository exists to close this intelligence gap. Unlike vendor reports that might highlight every potential AI threat vector to sell products, or academic papers exploring theoretical attacks, this repository documents only confirmed instances where real threat actors have provably used AI tools for malicious purposes. The bar for inclusion is high: evidence must come from either AI providers detecting abuse (like OpenAI’s threat reports), or defenders finding AI tools on compromised endpoints. The result is a sobering reality check that reveals criminal AI adoption lags far behind the hype cycle, with most activity concentrated in the least sophisticated attack vector—social engineering and phishing content generation.

Technical Insight

System architecture (auto-generated diagram; node labels recovered from the page): Security Operations and Threat Intelligence are the Sources that document Confirmed AI Usage Incidents in the Repository Knowledge Base; each incident maps to MITRE ATT&CK TTPs, which the repository extends with Custom LLM TTPs (T1566.LLM etc.); the mappings inform Detection Engineering Playbooks; a separate Dark LLMs section covers Criminal Forums and Threat Hunting & Detection.

The repository’s core architecture is a structured knowledge base that maps each confirmed AI usage incident to MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs). This mapping approach is crucial because it translates abstract threats into the tactical language security teams already use for threat modeling and detection engineering. However, the maintainer quickly hit a fundamental limitation: traditional ATT&CK TTPs weren’t designed for AI-facilitated attacks.

Consider how you’d classify a threat actor using ChatGPT to generate phishing emails. Under standard MITRE ATT&CK this is T1566 (Phishing), but that technique says nothing about how the lure was produced, and the production method changes the detection strategy: a campaign generated on demand has no reused template, so the near-duplicate matching that catches phishing-kit output never fires. ATT&CK v15 did add T1588.007 (Obtain Capabilities: Artificial Intelligence), but that only records that an adversary acquired AI capability, not which step of an intrusion it was used in. To address this gap, the repository proposes custom LLM-themed TTPs as extensions to the framework:

# Custom TTP: LLM-Generated Social Engineering Content
Tactic: Initial Access
Technique ID: T1566.LLM (proposed)
Description: Adversary uses Large Language Models to generate 
phishing content at scale with contextual personalization

Detection:
- Linguistic analysis for AI generation artifacts (repetitive 
  phrasing patterns, specific politeness markers)
- Volume analysis (unusual campaign velocity)
- Content diversity analysis (high lexical variation within 
  campaign suggesting dynamic generation)

Mitigation:
- User awareness training on AI-generated content markers
- Email gateway solutions with LLM-detection capabilities
- Reduced reliance on content-based email filtering alone

This TTP extension methodology reveals a critical insight about threat intelligence repositories: they’re not just passive documentation, they’re taxonomic frameworks that shape how security teams think about and respond to threats. By proposing new TTPs, the repository is essentially arguing that AI-facilitated attacks represent qualitatively different threat patterns requiring new detection and mitigation strategies. Two practical caveats if you adopt the proposed IDs. First, ATT&CK identifiers are numeric (T1566.001, not T1566.LLM), so the custom IDs will be rejected by ATT&CK Navigator layers and STIX tooling unless you record the standard technique and carry the LLM aspect as a comment or tag. Second, the ‘linguistic artifacts’ detection is the weakest of the three listed: AI-text classifiers misfire on plenty of human-written business email, so the velocity and content-diversity signals, combined with sender and URL indicators, are the ones worth engineering first.
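As an added example (not code from the repository or from this article), the following Python implements two of the three detections listed in the proposed TTP, content diversity and velocity, over a constructed set of messages grouped by their shared lure URL. The linguistic-artifact check is left out on purpose: AI-text classifiers misfire on short human-written business mail and should not be a sole signal. The thresholds, the 10-minute window, the one-lure-URL-per-message grouping, and the sample mail are all assumptions made for the example.

```python
"""Campaign-level heuristics for LLM-generated phishing (added example, not
repository code). Implements content diversity (one template with a name
swapped, or a different lure every time?) and velocity (lures per sliding
window). Linguistic 'AI artifact' detection is deliberately omitted."""
import re
from datetime import datetime, timedelta
from itertools import combinations
from statistics import mean

URL_RE = re.compile(r"https?://[^\s<>\"']+")
TOKEN_RE = re.compile(r"[a-z0-9']+")


def lure_urls(body):
    """URLs in a body, trailing punctuation stripped. The shared landing URL
    is the campaign key (assumption: one lure URL per message)."""
    return [u.rstrip(".,;:)") for u in URL_RE.findall(body)]


def token_set(body):
    """Lower-cased word tokens with URLs removed, so the shared link does not
    inflate similarity between otherwise different bodies."""
    return set(TOKEN_RE.findall(URL_RE.sub(" ", body).lower()))


def jaccard(a, b):
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def lexical_diversity(bodies):
    """Mean pairwise Jaccard distance between bodies. Near 0 means template
    reuse (phishing-kit output); near 1 means every message differs, which is
    what on-demand generation produces."""
    sets = [token_set(b) for b in bodies]
    if len(sets) < 2:
        return 0.0
    return mean(1.0 - jaccard(a, b) for a, b in combinations(sets, 2))


def peak_velocity(timestamps, window=timedelta(minutes=10)):
    """Largest number of messages seen in any sliding window of `window`."""
    ts = sorted(timestamps)
    best, j = 0, 0
    for i in range(len(ts)):
        while ts[i] - ts[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def score_campaign(messages, diversity_threshold=0.6, velocity_threshold=3):
    """Thresholds are illustrative assumptions; tune them on your own volume."""
    diversity = lexical_diversity([m["body"] for m in messages])
    velocity = peak_velocity([m["ts"] for m in messages])
    flags = []
    if diversity >= diversity_threshold:
        flags.append("high_content_diversity")
    if velocity >= velocity_threshold:
        flags.append("high_velocity")
    return {"messages": len(messages), "diversity": round(diversity, 3),
            "peak_velocity": velocity, "flags": flags}


def analyze_campaigns(messages):
    """Group messages by lure URL and score each group."""
    groups = {}
    for m in messages:
        for url in lure_urls(m["body"]):
            groups.setdefault(url, []).append(m)
    return {url: score_campaign(ms) for url, ms in groups.items()}


# Constructed sample mail: a kit-style campaign (one template, name swapped,
# one message per hour) and a campaign whose four lures are each phrased
# differently, share one link, and arrive within three minutes.
T0 = datetime(2025, 9, 1, 9, 0, 0)
KIT = "http://mail-quota-check.example/login"
GEN = "http://secure-docs-portal.example/verify"
SAMPLE_MESSAGES = [
    {"ts": T0 + timedelta(hours=h), "body": f"Hi {n}, your mailbox is almost "
     f"full. Please verify your account at {KIT} to avoid interruption."}
    for h, n in enumerate(["Alice", "Bob", "Carol", "Dave"])
] + [
    {"ts": T0 + timedelta(seconds=0), "body": "Hello Alice, our records show your "
     f"storage limit has been reached. Sign in today to keep receiving messages: {GEN}"},
    {"ts": T0 + timedelta(seconds=40), "body": "Bob, quick heads up: the finance share "
     f"you requested expires tonight. Confirm access here {GEN} before it is removed."},
    {"ts": T0 + timedelta(seconds=90), "body": "Dear Carol, IT has scheduled a password "
     f"rotation for your department. Complete the required step at {GEN} by Friday."},
    {"ts": T0 + timedelta(seconds=130), "body": "Dave, your recent invoice could not be "
     f"processed. Review the payment details at {GEN} and reply if anything looks wrong."},
]

if __name__ == "__main__":
    for url, result in analyze_campaigns(SAMPLE_MESSAGES).items():
        print(url, result)
```

On the constructed input the kit campaign scores a diversity near 0.13 with one message per window and raises no flag, while the generated campaign scores above 0.9 with four messages inside the window and raises both flags. In production the grouping key would more usefully be the sender infrastructure or a clustered URL pattern rather than an exact URL, and the velocity baseline should come from your own gateway's per-sender history.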

The repository also maintains a fascinating supplementary section on ‘Dark LLMs’—AI models marketed on criminal forums as jailbroken or uncensored alternatives to commercial models. Here’s where the repository’s evidence-based approach delivers real value. Rather than breathlessly reporting on every Telegram channel selling “CrimeGPT” or “WormGPT,” the maintainer documents which of these are legitimate (very few) versus scams (almost all). The analysis reveals that most “criminal LLMs” are either:

  1. Rebranded commercial APIs with jailbreak prompts
  2. Locally-run open-source models (Llama derivatives) with modified system prompts
  3. Complete scams with no functional model at all

The GTG-200 case from August 2025 represents the repository’s most significant documented evolution. This marked the first confirmed instance of a low-skill actor using GenAI to develop functional ransomware code—not just generating phishing emails, but writing actual malware. The repository structures this case study with technical specificity:

Case: GTG-200 Ransomware Development
Date: August 2025
Actor: Low-sophistication financially-motivated actor
AI Tool: [Redacted commercial LLM]
TTPs:
  - T1587.001: Develop Capabilities - Malware
  - T1486: Data Encrypted for Impact
Evidence Source: AI provider threat report + endpoint forensics
Technical Details:
  - Actor used iterative prompting over 47 sessions
  - Generated Python-based encryption routine
  - Implemented basic C2 communications
  - Code quality: Functional but not sophisticated
Significance: First documented case of GenAI enabling 
  code development by demonstrably low-skill actor

This level of documentation matters because it provides the evidentiary foundation for threat modeling. Security teams can now point to a confirmed case where AI lowered the barrier to ransomware development, rather than speculating about theoretical capabilities. The repository essentially functions as a legal brief for security investment decisions—hard evidence instead of vendor fear-mongering.

The most valuable analytical contribution is how the repository contextualizes correlation versus causation. Multiple vendor reports noted phishing volume increases of 1,265% following ChatGPT’s release. The repository documents this correlation but explicitly questions the causal attribution: Was this increase due to AI generation, or simply because ChatGPT’s launch coincided with other threat landscape changes? The maintainer notes that without evidence of AI tool usage on threat actor infrastructure, such statistics represent correlation that vendors may be incentivized to misattribute.

Gotcha

The repository’s greatest limitation is inherent to its evidence-based methodology: it is necessarily incomplete. Defenders can rarely confirm that a threat actor used AI unless the actor is careless enough to leave AI tools on a compromised system, or unless an AI provider detects and reports the abuse itself. This creates large visibility gaps. A sophisticated threat actor using Claude or GPT-4 to refine malware code, then carefully removing all traces before deployment, would appear in this dataset only if the provider caught the sessions. The repository documents what we can confirm, not what’s actually happening.

Another significant limitation is scope definition. The repository explicitly excludes attacks against AI systems (adversarial ML, model poisoning), misinformation campaigns using AI-generated content, and theoretical researcher demonstrations. While these scope boundaries maintain focus, they fragment the AI threat landscape across multiple resources. If you’re building a comprehensive AI security program, you’ll need this repository plus MITRE ATLAS (for attacks on ML systems) plus separate misinformation tracking plus academic literature on emerging threats. There’s no single source of truth, and this repository doesn’t attempt to be one. It’s also worth noting that as a markdown-based documentation project rather than code or tooling, you can’t integrate it into automated threat hunting workflows or SIEM platforms without manual translation of the documented TTPs into detection rules.
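As an added example (not the repository’s own tooling), here is the manual translation step described above done once in code: a parser for case records in the plain-text format this article uses for the GTG-200 entry, a validity check on ATT&CK technique IDs that rejects the proposed T1566.LLM instead of passing it into tooling silently, and an ATT&CK Navigator layer (techniqueID, score and comment per technique) that a hunting team can load. The record format, the second record (constructed, clearly labelled), and the assumption that records are blank-line-separated chunks are assumptions for the example, not the repository’s actual file layout.

```python
"""Translate plain-text case records (the format shown in this article) into
JSON and an ATT&CK Navigator layer. Added example, not repository code; the
repository's real file layout is assumed, not known."""
import json
import re

# ATT&CK technique IDs are numeric: T1566 or T1566.001. Proposed IDs such as
# T1566.LLM fail this check and are reported instead of emitted silently.
ATTACK_ID_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def parse_case(text):
    """One record: 'Key: value' lines, '  - item' lists under a bare 'Key:',
    and indented continuation lines that extend the previous string value."""
    record, list_key, last_key = {}, None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        stripped = raw.strip()
        if raw[0].isspace() and stripped.startswith("- ") and list_key:
            record[list_key].append(stripped[2:])
            continue
        if raw[0].isspace() and last_key and isinstance(record[last_key], str):
            record[last_key] += " " + stripped
            continue
        key, sep, value = stripped.partition(":")
        if not sep:
            raise ValueError(f"unparseable line: {raw!r}")
        key, value = key.strip(), value.strip()
        if value:
            record[key], list_key, last_key = value, None, key
        else:
            record[key], list_key, last_key = [], key, None
    return record


def parse_cases(text):
    """Records are separated by blank lines (assumed layout)."""
    chunks = re.split(r"\n\s*\n", text.strip())
    return [parse_case(c) for c in chunks if c.strip()]


def split_ttps(record):
    """Split 'ID: name' items into standard ATT&CK IDs and non-standard ones."""
    standard, nonstandard = [], []
    for item in record.get("TTPs", []):
        tid, _, name = item.partition(":")
        entry = {"id": tid.strip(), "name": name.strip()}
        (standard if ATTACK_ID_RE.match(entry["id"]) else nonstandard).append(entry)
    return standard, nonstandard


def navigator_layer(records, name="Confirmed AI-assisted incidents"):
    """Navigator layer with one entry per standard technique; score is the
    number of cases citing it, comment lists those cases. Returns the layer
    and the (case, id) pairs skipped because the ID is non-standard."""
    techniques, skipped = {}, []
    for rec in records:
        standard, nonstandard = split_ttps(rec)
        for t in standard:
            e = techniques.setdefault(t["id"], {"techniqueID": t["id"], "score": 0, "comment": ""})
            e["score"] += 1
            e["comment"] = f'{e["comment"]}; {rec["Case"]}' if e["comment"] else rec["Case"]
        skipped += [(rec["Case"], t["id"]) for t in nonstandard]
    layer = {
        "name": name,
        "domain": "enterprise-attack",
        "description": "Generated from case records; non-standard IDs are reported separately.",
        "techniques": sorted(techniques.values(), key=lambda e: e["techniqueID"]),
    }
    return layer, skipped


# The first record is the GTG-200 entry as rendered in this article; the
# second is a constructed record that carries the proposed T1566.LLM ID.
SAMPLE_CASES = """\
Case: GTG-200 Ransomware Development
Date: August 2025
Actor: Low-sophistication financially-motivated actor
AI Tool: [Redacted commercial LLM]
TTPs:
  - T1587.001: Develop Capabilities - Malware
  - T1486: Data Encrypted for Impact
Evidence Source: AI provider threat report + endpoint forensics
Technical Details:
  - Actor used iterative prompting over 47 sessions
  - Generated Python-based encryption routine
  - Implemented basic C2 communications
  - Code quality: Functional but not sophisticated
Significance: First documented case of GenAI enabling
  code development by demonstrably low-skill actor

Case: EXAMPLE-PHISH (constructed sample record, not from the repository)
Date: n/a
Actor: constructed
AI Tool: constructed
TTPs:
  - T1566: Phishing
  - T1566.LLM: LLM-Generated Social Engineering Content (proposed, non-standard ID)
Evidence Source: constructed
"""

if __name__ == "__main__":
    layer, skipped = navigator_layer(parse_cases(SAMPLE_CASES))
    print(json.dumps(layer, indent=2))
    print("skipped non-standard IDs:", skipped)
```

The skipped list is the important output: it is where the LLM aspect of an incident has to be carried (as a comment, a tag, or a detection-rule field of your own) because the Navigator layer cannot express it.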

Verdict

Use if: You’re a threat intelligence analyst tired of vendor hype and need evidence-based documentation of real-world AI usage by threat actors for risk assessment, board presentations, or threat modeling. The TTP mappings provide actionable frameworks for detection engineering teams to develop AI-specific hunting queries. It’s particularly valuable for security leaders who need to distinguish between genuine AI threats requiring immediate investment versus theoretical concerns that can wait. Skip if: You need executable security tools, automated threat detection code, or comprehensive coverage of AI security beyond threat actor usage. This is a research repository, not a security product. Also skip if you’re looking for cutting-edge zero-day AI threats—the evidence-based approach means there’s inherent lag between attacks happening and appearing here. For proactive AI security research covering theoretical attacks and emerging techniques, academic conferences and red team blogs will be more current, if less grounded in confirmed threat actor behavior.
