AI-Operated Cyberattacks Are Here: What Security Teams Need to Learn from the Latest Claude AI Abuse Case

Artificial Intelligence is changing cybersecurity faster than many organizations expected. For defenders, AI is helping with faster alert triage, threat intelligence analysis, malware investigation, phishing detection, and security automation. But the same technology is now being adopted by attackers to increase speed, scale, and efficiency.

A recent report highlighted that Chinese state-sponsored threat actors allegedly used Anthropic’s Claude AI to support a highly automated cyber-espionage campaign targeting around 30 global organizations, including technology companies, financial institutions, chemical manufacturers, and government agencies. The activity reportedly took place in mid-September 2025 and involved the misuse of Claude Code and related tooling to automate large parts of the attack lifecycle.

This incident is important because it shows a shift from AI-assisted hacking to AI-operated hacking.

From AI as an Assistant to AI as an Attack Operator:

Until now, most AI misuse in cybercrime was seen in areas such as phishing email generation, basic script writing, social engineering content, or malware modification attempts. This case is different. According to the report, the attackers did not simply use AI to ask for advice. They allegedly used AI’s agentic capabilities to perform tactical cyber operations across multiple stages of the attack chain.

The AI was reportedly used for:

• Reconnaissance and attack surface mapping
• Vulnerability discovery
• Payload generation and validation
• Exploitation support
• Credential harvesting
• Lateral movement assistance
• Data analysis
• Exfiltration-related decision support
• Attack documentation

This means AI was not just helping write commands. It was being used to break down complex cyber operations into smaller tasks and execute them at speed.

Why This Matters for Security Leaders:

The biggest concern here is scale. In a traditional cyberattack, multiple skilled operators may be needed to perform reconnaissance, identify vulnerabilities, write payloads, validate access, analyze stolen data, and document findings. With agentic AI, one operator may be able to manage a much larger volume of activity. That changes the economics of cyberattacks.

Attackers can move faster. They can test more targets. They can automate repetitive tasks. They can reduce dependency on large technical teams. They can potentially scale campaigns that earlier required more time, skill, and manpower.

For organizations, this means the window to detect and respond may become much shorter.

The Human Role Has Not Disappeared:

One important point is that the campaign was not fully independent. Human operators were still involved in key decisions, such as selecting targets, approving escalation from reconnaissance to exploitation, deciding when to use harvested credentials, and determining what data should be retained or exfiltrated.

This tells us something important. AI is not replacing attackers completely. It is increasing their operational capacity. The attacker still provides strategy. The AI accelerates execution. That combination is what makes this threat serious.

AI Still Makes Mistakes:

The report also highlighted a major limitation: AI hallucination. In some cases, the AI reportedly generated fake credentials or incorrectly treated publicly available information as sensitive findings. This shows that AI-operated attacks are not perfect. They still require human validation. But even with these limitations, the ability to automate 70–90% of tactical work can still create a major advantage for threat actors.

For defenders, this is a warning. We should not underestimate AI-enabled attackers just because AI makes mistakes. Even imperfect automation can create pressure on security teams.

Identity Security And Zero Trust:

Identity security is a foundational part of Zero Trust. The Zero Trust model assumes that no user, device, or network should be trusted automatically. Every access request must be evaluated before it is approved. This is only possible when identity is at the center of the architecture. Identity provides the data and controls needed to verify users, enforce policy, and make access decisions based on real-time risk.

In a Zero Trust model, identity is not a one-time login step. It is a continuous trust mechanism that supports secure access throughout the session. This is one reason why identity security is becoming more important than traditional perimeter controls.

What This Means for SOC and Blue Teams:

Security Operations Centers must prepare for a future where attackers operate faster and with more automation. Traditional alert monitoring will not be enough. SOC teams need stronger capability in:

The focus should move from simply collecting alerts to understanding attacker behavior. If attackers are using AI to speed up reconnaissance and exploitation, defenders must improve visibility, response speed, and contextual analysis.

Identity Security Becomes Even More Critical:

A major part of modern attacks involves credential theft, privilege escalation, and lateral movement. When AI is used to automate post-exploitation tasks, weak identity controls become even more dangerous. Organizations should focus on:

Identity is now one of the most important security control points.

The New Skill Requirement: AI-Aware Cybersecurity Professionals:

Cybersecurity professionals must now understand both sides of AI. They need to know how AI can help defenders, but also how attackers may abuse it. This includes understanding:

The next generation of SOC analysts, threat hunters, incident responders, and security leaders must be trained for this new reality.

Wiseman CyberSec Perspective:

At Wiseman CyberSec, we believe this incident is a clear signal that cybersecurity training and security operations must evolve. The industry cannot rely only on traditional tool-based learning. Security professionals need hands-on exposure to real-world attack scenarios, practical detection logic, open-source security tools, adversary behavior, AI-assisted investigation, and modern incident response workflows.

AI will not remove the need for cybersecurity professionals. But it will raise the standard. The professionals who understand AI-driven threats, attacker tradecraft, and defensive automation will be far better prepared for the future.

Final Takeaway:

AI-operated cyberattacks are no longer a future risk. They are already becoming part of the threat landscape. For organizations, the message is clear:

The attackers are evolving. Security teams must evolve faster.

– Wiseman CyberSec

Stay Ahead of AI-Driven Threats: Cyberattacks are evolving faster than ever. Build practical cybersecurity skills in SOC operations, threat hunting, incident response, and modern defensive strategies.

Weekly Cybersecurity News: August 17-24, 2025

Major Indian Cybersecurity Events

1. India Leads Global Malware Attacks with AI-Driven Surge

India emerged as the most targeted nation globally for malware attacks, accounting for 12.4% of all monitored endpoints, according to Acronis’ biannual cyberthreat report released on August 22, 2025. The report, based on data from over one million unique endpoints worldwide, revealed that India’s rapidly expanding digital economy has created an enlarged attack surface, making it increasingly vulnerable to sophisticated threats such as AI-powered phishing and impersonation attacks. [theweek+3]

Key findings show that ransomware remains the primary threat for large and medium-sized businesses, with cybercriminal groups increasingly leveraging AI to automate their activities. Phishing incidents on collaboration platforms like Microsoft Teams and Slack surged dramatically from 9% to 30.5% in the first half of 2025. Advanced email threats, including payload-less and spoofed attacks, rose sharply from 9% to 24.5%, highlighting the urgent need for AI-informed security systems across Indian enterprises. [ndtv+3]

2. Intensified Cyber Threats Around Independence Day Celebrations

Ahead of India’s 79th Independence Day on August 15, 2025, hacktivist groups and cybercriminals launched over 4,000 coordinated attacks targeting government, finance, and defense sectors. The threat escalated following the Pahalgam terror attack, with threat actors from Pakistan, China, and other nations executing sophisticated campaigns including phishing, fake websites, data breaches, and targeted scams. [cloudsek]

Pakistan-nexus APT groups including APT36 (Transparent Tribe) and SideCopy actively targeted Indian government and military websites by registering new domain infrastructure that meticulously impersonated the Indian Army, DRDO, Ministry of Defence, and government email services. These groups deployed custom malware such as CapraRAT through spear-phishing emails, enabling persistent espionage against high-value defense and government targets. China-linked APT41 also expanded its targeting to sectors including telecom, manufacturing, technology, and finance in India, leveraging supply chain intrusions and credential theft campaigns. [cloudsek]

Global Cybersecurity Developments

3. Microsoft Emergency Update for Broken Windows Recovery Systems

Microsoft released emergency out-of-band updates on August 21, 2025, to fix a critical issue where the August security updates broke Windows reset and recovery operations. The problem affected millions of users on Windows 11 23H2/22H2 and Windows 10, causing the “Reset this PC” and “Fix problems using Windows Update” features to fail completely. [windowslatest+3, youtube]

The buggy updates included KB5063875 for Windows 11 and KB5063709 for Windows 10, which caused reset attempts to immediately roll back changes, leaving users unable to reinstall their systems. Microsoft’s emergency fixes were released as KB5066189 for Windows 11 and KB5066188 for Windows 10. The incident highlighted serious quality control issues with Microsoft’s patch management process, as the company should have pulled the faulty updates immediately upon discovery. [youtube, forbes+3]

4. Manpower Group RansomHub Ransomware Disclosure

Global staffing firm Manpower disclosed on August 12, 2025, that a RansomHub ransomware attack had compromised the personal information of 144,189 individuals. The attack occurred between December 29, 2024, and January 12, 2025, at a Lansing, Michigan franchise, with the breach discovered during an IT outage investigation on January 20, 2025. [bleepingcomputer+1]

RansomHub claimed to have stolen approximately 500GB of highly sensitive data, including Social Security cards, passports, driver’s licenses, employee work hours, worksite details, customer lists, financial statements, HR analytics, and confidential contracts. The attackers posted screenshots of the stolen files as proof, demonstrating the extensive nature of the breach. This incident underscored the significant value of HR-related data to cybercriminals and highlighted vulnerabilities in staffing industry systems that manage sensitive employee and client information. [theregister+2]

5. Data I/O Corporation Ransomware Attack

Electronics manufacturer Data I/O reported a ransomware attack to the SEC on August 21, 2025, that began on August 16 and severely impacted critical operational systems. The Redmond, Washington-based company, which produces electronics for automotive and consumer devices with clients including Tesla, Panasonic, Amazon, Google, and Microsoft, experienced outages affecting shipping, manufacturing, production, and support functions. [therecord]

The company admitted that the expected costs related to the incident are “reasonably likely to have a material impact” on its financial condition, with the attack forcing systems offline across its global IT network. Data I/O reported $5.9 million in sales last quarter, making the financial impact particularly significant for the company. The incident reflects the broader trend of ransomware attacks targeting industrial entities, with cybersecurity firm Dragos tracking 657 such attacks globally between April and June 2025. [therecord]

The week of August 17-24, 2025, demonstrated the evolving cybersecurity landscape with AI-enhanced threats, nation-state activities around significant dates, critical infrastructure vulnerabilities, and the continued effectiveness of ransomware attacks against both government and private sector targets.

Gayfemboy: the next-gen Mirai variant disrupting routers, miners and supply-edge devices

TL;DR: Gayfemboy is a resurfaced, Mirai-family botnet (first seen in 2024) that re-emerged in mid-2025 with expanded exploitation of router and network gear vulnerabilities, multi-architecture payloads, stealthy anti-analysis tricks, and dual motives (DDoS botnet + opportunistic cryptomining). The campaign has impacted organisations across multiple industries and countries and uses flamboyantly named C2 domains and artefacts that make it easy to talk about — but hard to remove.

1) Executive summary

FortiGuard Labs and other intel teams observed a July–August 2025 resurgence of Gayfemboy. The operators exploit a range of known vendor flaws (DrayTek, TP-Link, Raisecom, Cisco and others) to drop downloader scripts that fetch architecture-specific payloads and XMRig miners, then enrol devices into DDoS and backdoor fleets. The malware compiles for ARM, MIPS, PowerPC and x86 families, uses sandbox evasions and file-renaming tricks, and maintains C2 reachability via public resolvers and rapidly rotating domains. Targeting has included manufacturing, telco/tech, construction and media across Brazil, Germany, France, Israel, Mexico, Switzerland, the U.S., and Vietnam.

2) Anatomy of the malware (technical breakdown)

Multi-stage infection

Capabilities

3) TTPs (Tactics, Techniques & Procedures)

4) Observed impact and victims

Actors have hit a mix of small and medium enterprise perimeter devices and some larger organisations where edge devices were unpatched. Impact modes include:

5) IOCs (selection for detection/blocklists)

Note: infrastructure changes fast. Treat domain/IP lists as immediate but short-lived indicators and combine with behavioral detections.

Domains (examples observed in intel reporting): i-kiss-boys[.]com, furry-femboys[.]top, twinkfinder[.]nl, cross-compiling[.]org, 3gipcam[.]com.

IPs / observed sources (examples from active scans): 87.121.84.34, 220.158.234.135.

Behavioural indicators:

6) Vulnerabilities & CVEs (what to patch first)

FortiGuard and other vendors list multiple exploited product flaws across DrayTek, TP-Link, Raisecom, Cisco and more. Vendor and vendor-specific CVEs change as researchers find new issues; as an immediate step, apply available vendor firmware updates and consult Fortinet/Broadcom advisories for a precise CVE list and IPS signatures.

7) Practical detections & SIEM rules (quick starters)

Here are high-value rules you can drop into your logging stack immediately:

8) Recommended containment & remediation playbook

9) Attribution & operator profile (what we can infer)

10) Why Gayfemboy matters — strategic outlook

Gayfemboy is a reminder that:

Appendix A — Key public advisories & analysis (read next)

Weekly Cybersecurity Recap: WhatsApp Zero-Day, Chrome Exploit, AI-Powered Ransomware & More

The cybersecurity landscape continues to evolve at an alarming pace. This week brought a mix of zero-day vulnerabilities, AI-driven attacks, and data breaches impacting millions worldwide. Here’s a breakdown of the biggest stories security leaders need to know.

WhatsApp Flaw Exposes Accounts to Takeover Risks

A newly discovered zero-day in WhatsApp could allow attackers to hijack accounts simply by sending a malicious video file. Once the file is played, the attacker gains full control over the app, including chats and personal data. Users should update their apps immediately to stay protected.

Chrome Under Siege: Critical Zero-Day Exploit

Google rushed an emergency update after researchers identified a severe vulnerability in Chrome’s V8 engine. The flaw is already being exploited in the wild, making immediate patching essential for both personal and enterprise environments.

AI-Powered Ransomware: A New Era of Threats

Cybercriminals are now weaponising artificial intelligence to make ransomware smarter and more adaptive. These AI-driven strains personalise phishing attacks, evade defences, and even adjust payloads in real time. This signals a paradigm shift in how quickly ransomware can spread and how difficult it is to stop.

Other Key Cybersecurity Incidents This Week

Expanding Threat Landscape: Malware, Supply Chain & State-Sponsored Attacks

Critical Vulnerabilities to Watch

∙ Chrome Proof-of-Concept Exploit Released: Raising risk of mass exploitation.
∙ Zip Slip Vulnerability: Malicious ZIP files may overwrite critical files when extracted.
∙ FreePBX Zero-Day: Exploited to create unauthorised admin accounts.
∙ Cisco Nexus Switch Flaw: Remote code execution vulnerability threatens enterprise infrastructure.
∙ ICS Vulnerabilities: Twelve new advisories highlight risks in industrial control systems.

AI-Centered Attacks

Major Data Breaches This Week

Why This Matters for Security Leaders

Even Cybersecurity Giants Aren’t Immune: Zscaler Confirms Data Breach

When a global cybersecurity leader experiences a breach, it sends a loud and clear message: no organisation is untouchable in today’s digital landscape.

Recently, Zscaler confirmed it was impacted by a supply-chain cyberattack. The breach originated from a third-party sales engagement platform integrated with Salesforce. This gave attackers unauthorised access to Salesforce data—without even needing to bypass multi-factor authentication.

What Was Affected?

The good news? Attachments, files, and Zscaler’s core security infrastructure remained untouched. Their products and services were not compromised.

Why This Matters:

This breach highlights a truth many leaders overlook: your security is only as strong as your weakest third-party integration. In this case, the entry point wasn’t Zscaler’s fortress—it was a connected app.

Key Takeaways for Business Leaders:

The Bigger Lesson:

Even the best in cybersecurity can face breaches. What separates strong organisations from the rest is how quickly they respond, how well they contain the damage, and how transparently they communicate with their customers. This incident is not just a warning—it’s a playbook for resilience.

What’s your take? Do you think companies are doing enough to secure their third-party integrations, or is this the next big cybersecurity blind spot?

Governing AI Agents in the Enterprise: Building Trust, Compliance, and Value

Introduction

AI agents are no longer a futuristic concept. From autonomous chatbots to workflow assistants, they are becoming an integral part of how enterprises operate. But with great autonomy comes great responsibility. Without strong governance, AI agents can misinterpret data, expose sensitive information, or introduce bias into critical decisions.

This is why governing AI agents is not just a compliance requirement—it’s a business enabler. Done right, governance builds trust, strengthens compliance, and accelerates innovation.

Why AI Agent Governance Matters

AI agents act like digital employees: they access systems, process sensitive data, and make decisions at scale. Unlike humans, they operate 24/7, without fatigue, and often with greater access privileges. Without oversight, the risks multiply:

Recent surveys show that 80% of enterprises using AI agents have experienced unintended behaviors, from privacy violations to security gaps. Governance is how we stay ahead of these risks.

Technical Governance: Monitoring the Machines

Case in Point: Thomson Reuters built a governance platform that continuously monitors every model for drift and bias, ensuring lawyers and businesses receive fair, reliable insights.

Organizational & Policy Governance: Embedding Responsibility

Case in Point: Salesforce established an Office of Ethical & Humane Use with policies around accuracy, transparency, and bias, embedding trust in their AI products.

Case Studies: Lessons from the Field

Best Practices for Enterprises

Conclusion

AI governance isn’t a burden—it’s a competitive advantage. Enterprises that invest in governing AI agents build stronger trust, reduce risks, and extract more business value. The message is clear: treat AI agents as responsible digital citizens of the enterprise. With thoughtful governance, they can drive innovation, efficiency, and growth—without compromising ethics, security, or compliance.

How Deepfakes and AI Phishing Will Trick Millions in 2025—and What You Can Do About It

Artificial intelligence is rapidly changing the cybercrime landscape in 2025. Deepfake scams—where AI tools manipulate video, audio, or images to impersonate real people—have exploded worldwide, with attacks costing organisations and individuals billions in losses every year.

What’s Happening Now?

How Do AI Scammers Operate?

How to Spot and Stop AI Scams

Real-World Defensive Actions

Final Takeaway

AI-driven fraud is now the most urgent cybersecurity challenge. By understanding how these scams work and practising everyday caution—verifying unexpected communications and securing accounts—everyone can significantly lower the risk.

When Cybersecurity Becomes a Power Play: Hackers Threaten Google with Data Leak Unless Two Employees Are Fired

In a dramatic escalation of cyber threats, a hacker group identifying itself as “Scattered LapSus Hunters” has delivered a chilling ultimatum to Google: fire two of its top threat intelligence professionals—or face a significant data leak.

While the hackers have not provided any evidence of a breach, the very nature of the demand marks a dangerous evolution in cybercrime. It’s no longer just about stealing data—it’s about influencing corporate decisions.

The Attackers: A Dangerous Alliance

The name “Scattered LapSus Hunters” appears to be a mash-up of some of the most notorious hacking groups in recent memory—Scattered Spider, Lapsus$, and ShinyHunters. Each has made headlines for data breaches, social engineering attacks, and cyber-extortion targeting some of the world’s largest companies. This latest move suggests a shift in tactics. The goal isn’t just disruption—it’s coercion.

A Salesforce Breach in the Background

Although Google has denied any breach of its core systems, the backdrop to this threat appears to involve a third-party incident. Hackers reportedly accessed data through Salesforce, which Google uses for managing client relationships. The compromised data includes business contact information—enough to power large-scale phishing and social engineering campaigns.

In response, Google urged users to reset passwords and enable two-factor authentication, though the company emphasized that sensitive data like Gmail login credentials were not compromised.

What Makes This Incident Different?

Here’s why this case is raising eyebrows across the tech and security communities:

What It Means for Business Leaders and Security Teams

Final Thoughts

This is a clear signal that cybercriminals are evolving—not just in their tools, but in their tactics. As influence becomes the new weapon, organizations must adopt a holistic, proactive approach to cybersecurity.

What’s your take on this shift in the threat landscape? Are we prepared for a future where cyberattacks come with personnel ultimatums? Let’s talk about it.

When Even Cybersecurity Giants Get Breached: Tenable Confirms Supply-Chain Attack

In today’s interconnected world, no organisation is truly isolated from cyber threats. This week, Tenable, one of the most trusted names in vulnerability management, confirmed that it had been impacted by a supply-chain attack targeting Salesforce integrations. While the breach was contained quickly and did not affect Tenable’s core products, it shines a spotlight on a growing blind spot: third-party risk.

What Happened

Between August 8 and August 18, attackers exploited a compromised third-party integration between Salesforce and Salesloft Drift. Using stolen OAuth tokens, they accessed parts of Tenable’s Salesforce environment. The information exposed was limited but sensitive in context:

Crucially, Tenable confirmed that its core infrastructure, products, and customer environments remain unaffected.

Tenable’s Response

Tenable’s security team moved swiftly:

So far, there is no evidence that the stolen data has been misused.

Why This Matters

This incident is not about one company—it’s about an industry-wide reality. Even the best-resourced security providers can be breached not through their own defences, but through the weak points in their digital supply chains. Four lessons stand out:

The Bigger Picture

The Tenable breach is part of a larger campaign impacting multiple enterprises across industries. It underscores a hard truth: your security is only as strong as your weakest integration. In a landscape where supply chains are deeply interconnected, organisations must expand their cybersecurity lens beyond the perimeter and secure the entire ecosystem of tools, partners, and platforms they depend on.

Cybersecurity resilience isn’t about preventing every attack—it’s about detecting, containing, and communicating quickly when incidents occur. Tenable’s response shows that while breaches may be inevitable, trust can still be preserved through speed and transparency.

💬 What’s your perspective? Are organizations giving enough strategic attention to supply-chain risks, or is this still the biggest blind spot in enterprise cybersecurity?

HackerOne Confirms Data Breach: Salesforce Records Accessed via Third-Party Compromise

On August 22, 2025, HackerOne—one of the world’s most trusted bug bounty and vulnerability disclosure platforms—was alerted to suspicious activity within its Salesforce environment. The root cause was quickly traced back to a compromise of Drift, a third-party application owned by Salesloft, which had been integrated with Salesforce.

By August 23, Salesloft confirmed the incident, and HackerOne’s security team immediately launched its incident response protocols, prioritising containment, investigation, and transparency.

What Was Impacted

What Was Not Impacted

Why This Matters

This breach is part of a wider supply-chain attack targeting SaaS integrations. It highlights a critical reality:

Key Takeaways for Organisations

From Wiseman Cybersec
