2025年第三季度IT威胁演变。非移动统计

Table of contents Executive summary Case studies Vibe hacking: how cybercriminals are using AI coding agents to scale dataextortion operations Remote worker fraud: how North Korean IT workers are scaling fraudulentemployment with AI Chinese threat actor leveraging Claude across nearly allMITRE ATT&CK tactics AI-enhanced fraud: AI’s growing footprint in the fraud ecosystem Carding store powered by AI Romance scam bot powered by AI models Executivesummary We have developed sophisticated safety and security measures to preventthe misuse of our AI models. While these measures are generally effective,cybercriminals and other malicious actors continually attempt to find This represents the work of Threat Intelligence: a dedicated team atAnthropic finds deeply investigated sophisticated real world cases of While specific to Claude, the case studies presented below likely reflectconsistent patterns of behaviour across all frontier AI models. Collectively,they show how threat actors are adapting their operations to exploit •Agentic AI systems are being weaponized: AI models are themselvesbeing used to perform sophisticated cyberattacks – not just advising on •AI lowers the barriers to sophisticated cybercrime.Actors withfew technical skills have used AI to conduct complex operations, like •Cybercriminals are embedding AI throughout their operations.This includes victim profiling, automated service delivery, and in •AI is being used for all stages of fraud operations.Fraudulentactors use AI for tasks like analyzing stolen data, stealing credit card We’re discussing these incidents publicly in order to contribute to thework of the broader AI safety and security community, and help thosein industry, government, and the wider research community strengthen Vibe hacking:how cybercriminalsare using AI coding Summary Today we are sharing insights about a sophisticated cybercriminaloperation (tracked as GTG-2002) we recently disrupted that representsa new evolution in how cyber threat actors leverage AI—using coding A cybercriminal used Claude Code to conduct a scaled data extortionoperation across multiple international targets in a short timeframe. Thisthreat actor leveraged Claude’s code execution environment to automate ABOUT CLAUDE CODE Anthropic’s agentic codingtool that lives in your terminal,understands your codebase, and The operation demonstrates a concerning evolution in AI-assistedcybercrime, where AI serves as both a technical consultant and activeoperator, enabling attacks that would be more difficult and time- Key findings Our investigation revealed that the cybercriminal operated acrossmultiple sectors, creating a systematic attack campaign that focusedon comprehensive data theft and extortion. The operation leveraged The actor provided Claude Code with their preferred operational TTPs(Tactics, Techniques, and Procedures) in their CLAUDE.md file that is usedas a guide for Claude Code to respond to prompts in a manner preferred bythe user. However, this was simply a preferential guide and the operation This configuration file included a cover story claimingnetwork security testing under official support contractswhile providing detailed attack methodologies and targetprioritization frameworks. This structured approach Rather than encrypting systems using traditionalransomware, this actor leveraged the sensitive dataClaude Code exfiltrated on their behalf, threatening itspublic exposure to extort victims into paying. Claude [Actor bypassedsafety measures and disabledconfirmations] Attack lifecycle and AI integration [Mandated responsesin non-English language][Sought financialgain through illicitmeans] Phase 1: Reconnaissance and target The actor leveraged Claude Code for automatedreconnaissance. For example, Claude Code scannedthousands of VPN endpoints, identifying vulnerable Summary: Primary Requestand Intent: #Work Context [Actorclaims to be authorized securitytesterfor companies with support contracts] [RequestsRussian language communication andcontextretention] [Networksecurity testing under officialagreements] - Transitionto the next victim oncecomplete [Specificpenetration testing OS mentioned] ##Important Technical sophistication [Instructionsfor maintaining logs andachievingfull access] The actor employed Claude Code on Kali Linux as acomprehensive attack platform, embedding operational [Emphasison persistence and using allavailabletechniques] [Referencesto tool locations and wordlists] Phase 2: Initial access and credential Claude Code provided real-time assistance duringlive network penetration operations. For example, itsystematically scanned networks, identified critical Claude Code assisted with credential attacks acrossmultiple domains, accessing Active Directory systems and AI role: Direct operational support during live intrusions,providing guidance for privilege escalation and lateral Phase 3: Malware development and evasion Claude Code was