AI to the Rescue as Attackers Exploit Software Bugs, Human Vulnerabilities, and Artificial Intelligence

Written by: Vishwa Pandagle, Cybersecurity Staff Editor

AI is here to stay, as much for the evolving defensive landscape as for offensive capabilities. The question is who will get faster, and whether defenders can prevent attacks sooner. “Just as phishing defined the email era, prompt injection is defining the AI era,” said Elia Zaitsev, CTO of CrowdStrike, adding that adversaries are already embedding hidden instructions to override safeguards, hijack agents, steal data, and manipulate models, turning the AI interaction layer into the new attack surface and prompts into the new malware.

In 2026, AI Detection and Response (AIDR) will become as essential as EDR, with organizations requiring real-time visibility into prompts, responses, agent actions, and tool calls to contain AI abuse before it spreads.

Zaitsev said that legacy SOCs can’t keep up with AI-enabled adversaries who are moving faster than humanly possible. In 2026, defenders will evolve from alert handlers to orchestrators of the agentic SOC.

They will be supported by intelligent agents operating at machine speed but under human command. The prerequisite for this shift is “providing both agents and analysts complete environmental context with the ability to immediately action any signal.” Identity security built for humans won’t survive this shift.

With that landscape defining the year ahead, here are the top cybersecurity developments of the week.

Shanya Packer-as-a-Service (VX Crypt) Fuels Akira, Qilin Ransomware 

A new and sophisticated Packer-as-a-Service has been identified, providing cybercriminals with advanced tools to conceal malicious payloads and evade security solutions. The Shanya service, also referred to as VX Crypt, offers several capabilities that make it a powerful addition to the growing market of cybercrime tools designed to facilitate complex attacks.

LockBit 5.0 Infrastructure Exposed by Researchers, Including IP Address and Domain

Security researchers exposed LockBit 5.0’s core infrastructure, including a key IP address and domain tied to its ransomware operations. The server, hosted on a network linked to illicit activity, revealed open ports, including RDP. Analysts found recycled victims on the new leak site, confirming operational inconsistencies within the group’s latest campaign.

Russia Disrupts Gang Using NFCGate Malware for Remote Bank-Card Theft

Russian police arrested members of a criminal group that stole over 200M rubles by using NFCGate-based malware to harvest bank card data and withdraw funds remotely. Attackers distributed fake mobile banking apps via WhatsApp and Telegram, tricking victims into tapping their cards and entering PINs during a staged “authorization.” 

Ukrainian Hackers Arrested in Warsaw for National Defense Threats

Three Ukrainian men were arrested in Warsaw after police found advanced hacking equipment in their vehicle. Authorities charged them with preparing for national defense crimes tied to potential cyberattacks on critical systems.

GrayBravo Expands CastleLoader Malware Operations

Threat actor 'GrayBravo' is expanding CastleLoader operations across four activity clusters that target logistics, hospitality, and victims reached through malvertising. The groups impersonate brands like Booking and DAT Freight, use ClickFix techniques, and deliver payloads through spoofed domains.

Google Gemini Enterprise and Vertex AI Search Flaw Allowed Gmail Data Access

A zero-click vulnerability in Google Gemini Enterprise and Vertex AI Search allowed attackers to steal Gmail, Docs and Calendar data through indirect prompt injection. The flaw, known as GeminiJack, exploited how the AI processed retrieved content and executed hidden instructions without triggering security tools.

DOJ Indicts Alleged NoName057(16) Member

The DOJ has indicted Ukrainian national Victoria Dubranova for allegedly supporting the pro-Russia hacktivist groups CARR and NoName057(16), which have been linked to attacks on U.S. critical infrastructure. Authorities say CARR operated with GRU backing while NoName057(16) functioned as a state-sanctioned project using its own DDoS tool.

Seoul Police Raid Coupang HQ After Massive 33.7M-Account Data Breach

Seoul police raided Coupang’s headquarters after the retailer confirmed a breach affecting 33.7M customer accounts. They seized devices and data to determine how an ex-employee allegedly obtained a private encryption key to forge customer tokens.

Telegram Crime Persists as Defenders Arrest and Intensify Crackdowns

SecureList reports that Telegram cybercrime channels continue to evolve and remain active, highlighting why coordinated enforcement efforts are increasingly critical. In the United States, prosecutors secured a RICO conspiracy guilty plea in the $263 million Social Engineering Enterprise case. 

California Man Admits Role in $263 Million Crypto Theft Scheme

A California man has pleaded guilty to RICO conspiracy charges for laundering money and securing luxury homes for the Social Engineering Enterprise, a cybercrime group accused of stealing over $263 million in cryptocurrency. A superseding indictment now charges three additional members, as recent arrests in Miami and Dubai expand the Justice Department’s investigation.

Ransomware Attack Analysis Leads FortiGuard to Hidden Windows Telemetry

FortiGuard IR, responding to a ransomware attack on a client organization, found that the threat actor had aggressively used anti-forensic techniques to wipe logs. The finding shows that an undocumented Windows ETW artefact can retain valuable process-creation evidence even after attackers attempt to remove every trace from the system.

EU Probes Google for AI Overview Content

Google faces an EU antitrust investigation over whether it used publisher content to power AI Overviews and AI Mode without fair terms or the ability to opt out. Regulators are examining whether Google gave itself privileged access to online material, disadvantaging rival AI developers and harming publishers whose traffic has sharply declined since AI summaries launched.

DroidLock: Malware Built for Extortion, Device Takeover, and Insider Risk in Spain

DroidLock is a new Android threat taking full control of devices. It spreads through phishing and uses deceptive overlays to steal credentials. Attackers can lock users out, record screens, wipe phones, and manipulate everything remotely. This campaign targets Android users in Spain.

React2Shell Now Used for Persistent Server Compromise

React2Shell exploitation is shifting toward persistent access campaigns using advanced malware like EtherRAT. Security researchers warn the vulnerability is now being used beyond cryptomining. Government agencies, enterprises, and critical-infrastructure operators face elevated exposure. Patching remains essential, but post-exploitation detection is critical.

What This Week Tells Us About Evolving Tradecraft

Vulnerability exploitation remains constant in cybersecurity, whether through software flaws or human manipulation. As defenses improve, attackers adapt by shifting between technical exploits and social engineering.

Mike McGuire, Senior Security Solutions Manager at Black Duck, said, “Attackers will continue to pivot quickly to weaknesses deep in the web application stack.” Defenders need to assume these vulnerabilities will be targeted and ensure that patching processes, software security, and timely remediation are in place.

Casey Ellis, Founder of Bugcrowd, addressed vulnerability exploitation: “From an attacker perspective, react2shell is the kind of vulnerability that affords massive opportunity for crime, but that also has a relatively narrow window for exploitation.” He attributed the narrow window to public awareness leading to timely patching, underscoring the need for awareness as we head into 2026.

Turning to industry-wide predictions, Adam Meyers, SVP of Counter Adversary Operations at CrowdStrike, noted the benefits of AI in vulnerability discovery: “As AI accelerates code generation and software development, it’s also becoming ideally suited to finding flaws in software.”

He further highlighted two primary ways to identify vulnerabilities: targeted analysis, which is resource-intensive and typically requires a human in the loop, and fuzzing, which uses automation to identify flaws.

GenAI is a game-changer for the latter, Meyers said, and defenders who succeed will be those using AI to detect, patch, and hunt for zero-days.

