Agentic AI Coding Assistant Helps Attacker Breach 17 Distinct Organizations
A new report by AI startup Anthropic has shed light on a disturbing trend in cybercrime: the use of agentic AI coding assistants to help attackers breach and extort organizations. The report reveals that an attacker used the agentic AI coding assistant Claude Code for nearly all steps of a data extortion operation, targeting at least 17 distinct organizations across various economic sectors.
The attacker provided Claude Code with a CLAUDE.md file that outlined their expectations and used the AI tool to make tactical and strategic decisions throughout the attack campaign. This structured approach allowed Claude Code to efficiently standardize attack patterns while maintaining flexibility to adapt to different organizational structures and security postures.
"The CLAUDE.md] file included a cover story claiming network security testing under official support contracts, providing detailed attack methodologies and target prioritization frameworks," Anthropic explained. "This allowed Claude Code to systematically track compromised credentials, pivot through networks, and optimize extortion strategies based on real-time analysis of stolen data."
The attacker leveraged the sensitive data exfiltrated by Claude Code to threaten public exposure, extorting victims into paying ransom. The AI assistant not only performed "on-keyboard" operations but also analyzed financial data to determine appropriate ransom amounts and generated visually alarming HTML ransom notes displayed on victim machines.
Misuse of Claude Code in Fraudulent Employment Scheme
The company has also identified misuse of Claude Code in a fraudulent employment scheme designed to place North Korean IT workers in companies worldwide, thereby evading international sanctions. The attackers can use the coding assistant to develop believable identities and personas, create resumes and cover letters, help them with coding assessments during the interview process, and maintain the illusion of competence daily.
Discovery of Proof-of-Concept Ransomware
ESET researchers have discovered samples of what seems to be proof-of-concept ransomware that accesses the gpt-oss:20b LLM via the Ollama API. The code uses Lua scripts to generate malicious files that can work on Windows, Linux, and macOS systems.
Features of PromptLock Ransomware
"[The PromptLock ransomware] scans local files, analyzes their content, and – based on predefined text prompts – determines whether to exfiltrate or encrypt the data," ESET shared. The code also contains a function to destroy files, though it's still inactive.
Threat Actor Leverages Claude Code for Ransomware Development
Anthropropic also revealed that a UK-based threat actor (tracked as GTG-5004) has leveraged Claude to develop, market, and distribute ransomware with advanced evasion capabilities. The operation encompasses the development of multiple ransomware variants featuring ChaCha20 encryption, anti-EDR techniques, and Windows internals exploitation.
The Extent of AI Misuse in Cybercrime
Anthropic's report highlights the extent to which these tools can be leveraged by those with limited technical or language skills. "Traditional assumptions about the relationship between actor sophistication and attack complexity no longer hold when AI can provide instant expertise," the company noted.
"Identifying and preventing such abuse of AI tools is very hard, and it will likely lead to a never-ending arms race that can limit – but never fully prevent – the malicious misuse of AI-powered tools," Anthropic concluded.