AI in Cyber Offence

How AI changes the Cyber Kill Chain

Offensive cyber operations are deliberate actions conducted in cyberspace to infiltrate, disrupt, or destroy adversary systems in pursuit of strategic objectives. They are commonly framed through the Cyber Kill Chain, a framework originally developed by Lockheed Martin. The framework breaks down an attack into a structured sequence of phases, tracing an adversary’s progression from initial reconnaissance to the final actions taken to reach the objectives (e.g., data exfiltration or data destruction).

1 Reconnaissance

Harvesting email addresses, conference information, etc.

1

2 Weaponisation

Coupling exploit with backdoor into deliverable payload

Delivery

Delivering weaponised bundle to the victim via email, web, USB, etc.

3

4 Exploitation

Exploiting a vulnerability to execute code on victim’s system

Installation

Installing malware on the asset

5

6 Command & Control (C2)

Command channel for remote manipulation of victim

Actions on Objectives

With ‘Hands on Keyboard’ access, intruders accomplish their original goals

7

In recent years, offensive cyber operations have intensified in both volume and complexity. Global cyberattacks are not only increasing sharply but also diversifying in type: in 2022, 27% of global cyberattacks were extortion-based, 21% involved backdoors, and 17% ransomware. Artificial intelligence (AI) is playing a major role in this escalation and diversification, enabling new forms of attack such as deepfakes or swarm malware, while strengthening traditional vectors like phishing or vulnerability exploitation. According to the CFO Global Survey, a striking 85% of cybersecurity professionals attribute the rise in attacks to the weaponisation of generative AI. In Bengaluru, India, a state report confirmed this trend: by early 2025, 80% of phishing emails were AI-generated.

AI is transforming the Cyber Kill Chain itself, and it has the potential to supercharge every stage of offensive cyber campaigns. The speed and scale at which AI reshapes this chain has become a pressing national security concern.

This toolkit focuses specifically on AI as an attack enabler, exploring how it transforms the different stages of the Cyber Kill Chain.

Reconnaissance

The attacker gathers information about the target, such as employee details, emails, or system data, to plan their attack.

How AI changes reconnaissance:

AI automates and speeds up open-source intelligence gathering by processing large volumes of public data (social media, corporate sites, leaked records) and by extracting structured artefacts such as subdomains, likely IP ranges and employee profiles. It also lowers the skill barrier for targeted social engineering by producing concise victim profiles suitable for spear-phishing.

Extent of impact: High. Automated OSINT substantially reduces time and expertise required.

Case highlighted: ChatGPT as a reconnaissance assistant

In 2024, cybersecurity researcher Sheetal Tamara published a paper demonstrating how large language models such as ChatGPT can greatly accelerate the reconnaissance phase of an attack. Rather than spending hours writing scripts and manually collecting open-source intelligence, the researcher used a short series of conversational prompts, for example: “List all subdomains you can find for examplecompany.com,” “Summarise the company’s network topology based on publicly available information,” and “Identify what operating systems and services are most likely running on these servers.”

Within minutes, the model produced useful reconnaissance material, including:

a list of domains and subdomains associated with the target company
likely IP address ranges
notes on SSL/TLS configurations, potential open ports and common services
public employee information (from LinkedIn and press releases) that could be used for spear-phishing.

Where OSINT collection would normally require hours or days of manual work, the experiment reduced the task to a conversational workflow that demanded far less technical expertise. The study therefore underscores how generative models can lower the barrier to automated reconnaissance, with clear implications for defensive practice and threat modelling.

Further readings

Automated scanning tools - "Weaponizing AI in Cyberattacks A Comparative Study of AI powered Tools for Offensive Security" (Annis & Hamoudeh 2025)
The comparative study shows how automated tools (e.g., WebCopilot, Sublist3r, RustScan+Nmap) speed up network scanning and subdomain enumeration. Results highlight how AI could further automate offensive tasks such as simulating attack scenarios and dynamically adapting to defenses, paving the way for fully automated offensive security operations.
AI tools for reconnaissance - "The Threat of Offensive AI to Organizations" (Mirsky et al. 2023)
The survey highlights 32 offensive AI tools using deep learning, reinforcement learning, and NLP to automate entry-point detection, persona building, and target selection. These tools enhance OSINT, enable realistic deepfakes for phishing, and let even inexperienced attackers plan and launch more impactful campaigns.
Information gathering and automatic exploitation - "Weaponized AI for cyber attacks" (Yamin et al. 2021)
The research investigates recent cyberattacks that used AI-based techniques and identifies relevant mitigation strategies. It highlights various AI tools (e.g., GyoiThon, Deep Exploit) that can help collect data on the system, possible targets, and defense measures.

Weaponisation

The attacker uses the information uncovered during reconnaissance to build or customise a malicious payload (e.g., malware or exploits) and exploit the target’s weaknesses.

How AI changes weaponisation:

AI streamlines the creation and tuning of malicious payloads by generating or modifying code and by testing variants against detection models. This can produce more discreet, adaptive and targeted payloads, including polymorphic variants that alter their appearance with each execution. Adversarial testing can be used to refine payloads prior to deployment.

Extent of impact: High. Automation accelerates and scales payload development.

Case highlighted: AI-generated malware dropper in the wild

In 2024, cybersecurity analysts identified a phishing campaign that initially appeared routine: a series of emails distributing a conventional malware payload. However, closer inspection of the dropper (i.e. the small programme responsible for installing and activating the primary malware) revealed an unusual feature.

The structure and syntax of the dropper indicated that it had been generated by a large language model rather than authored by a human programmer. Although it functioned as a simple wrapper, the AI-produced dropper was both polished and effective, demonstrating an ability to evade traditional detection methods. It successfully bypassed basic antivirus signatures and delivered the malware as intended.

This finding was notable as one of the first confirmed instances of AI-generated malicious code being deployed in the wild. While the underlying malware was not novel, the outsourcing of part of the weaponisation process to AI marked a significant development. It demonstrated how attackers could scale operations, reduce development costs, and adapt more quickly, while simultaneously complicating detection and response efforts.

Further readings

AI-enhanced polymorphic malware - "Polymorphic AI Malware: A Real-World POC and Detection Walkthrough" (Itkin 2025)
The article proposes a proof-of-concept of AI-powered polymorphic malware dynamically rewriting its code at runtime to evade detection, built as a keylogger that generates obfuscated payloads per execution.
Large language models for code generation - "Large Language Models for Code Generation: A Comprehensive Survey of Challenges, Techniques, Evaluation, and Applications" (Huynh & Lin 2025)
The survey shows how LLMs (e.g., CodeLlama, Copilot) can automatically generate executable code from natural language, lowering the barrier for malware creation, exploit development, and adaptation of payloads by attackers.
AI-generated novel obfuscation techniques - "ADVERSARIALuscator: An Adversarial-DRL Based Obfuscator and Metamorphic Malware SwarmGenerator" (Sewak et al. 2021)
The article presents ADVERSARIALuscator, an AI that can automatically rewrite malware code to create many versions and look different every time in order to avoid detection by security systems. In tests, about one-third of these variants were able to bypass advanced security systems.
AI-driven "vibe-coding" malware - "Hackers are using AI to dissect threat intelligence reports and 'vibe code' malware" (Kelly 2025)
In this news article, security researchers reported that hackers use generative AI to read and interpret threat intelligence reports, then automatically produce working malware. Dubbed "vibe-coding," this technique translates human-readable analyses into code, enabling adversaries to quickly weaponise public cybersecurity research into exploits.

Delivery

The attacker launches the attack by transmitting the malicious payload to the target, often via phishing emails, fake websites, or insecure networks.

How AI changes delivery:

AI tailors and times delivery mechanisms to maximise success. It automates the generation of convincing phishing content, real-time deepfakes, adaptive chat interactions and realistic fraudulent web pages, and it uses reconnaissance data to choose the optimal moment and channel for delivery. This reduces the need for human skill in executing campaigns.

Extent of impact: High. AI markedly increases the persuasiveness and automation of delivery.

Case highlighted: Deepfake CEO scam at Arup

In 2024, staff at the UK engineering firm Arup received what appeared to be a legitimate video call from their regional Chief Executive Officer. The executive urgently requested the transfer of funds in connection with a confidential transaction. The individual on screen replicated the CEO’s appearance, voice, and mannerisms with remarkable accuracy.

In reality, the caller was not the executive but a deepfake generated through AI, designed to imitate him in real time. Convinced of the authenticity of the interaction, staff authorised a sequence of transfers amounting to nearly 25 million US dollars.

This incident stands as one of the largest reported cases of AI-enabled social engineering during the delivery phase of a cyberattack. It illustrates that phishing need no longer depend on poorly crafted emails or dubious links. Instead, AI now enables the deployment of highly realistic audio and video impersonations that circumvent not only technical controls but also human judgement and trust.

Further readings

LLMs for social engineering and phishing at scale - "Exploring LLMs for Malware Detection: Review, Framework Design, and Countermeasure Approaches" (Al-Karaki & Khan 2024)
The article describes how LLMs can be used to automate phishing content, generate polymorphic malware and craft adversarial inputs.
AI-powered social engineering - "The Shadow of Fraud: The Emerging Danger of AI-powered Social Engineering and its Possible Cure" (Yu et al. 2024)
The survey shows how diffusion models and LLMs make phishing and impersonation more personalised and convincing. It categorises AI-enabled social engineering into "3E phases" (Enlarging, Enriching, Emerging), highlighting how attackers can scale campaigns, introduce novel vectors, and exploit new threats, making the delivery of malicious payloads more effective.
AI-generated voice fraud / phishing - "I scammed my bank" (Hoover 2025)
A journalist experiment that exposes AI-generated deepfake voice used to scam bank accounts.

Exploitation

The attacker triggers the payload to exploit a vulnerability and gain unauthorised access to the target system. After infiltrating the organisation, the attacker uses this access to move laterally between systems to find relevant information (e.g., sensitive data, additional vulnerabilities, email servers etc) and harm the organisation.

How AI changes exploitation:

AI assists attackers in identifying, understanding and exploiting system weaknesses by automating vulnerability discovery (for example, intelligent fuzzing and guided scanning), constructing attack trees and proposing exploitation paths. It can also generate adversarial inputs that bypass security tools or exploit defences.

Extent of impact: Medium. AI improves discovery speed and effectiveness, especially against complex systems.

Case highlighted: The Morris II AI worm

In 2024, researchers demonstrated a novel form of self-propagating worm that did not rely on exploiting conventional software vulnerabilities. Instead, it targeted generative AI systems themselves.

Named Morris II in reference to the notorious 1988 Morris Worm, this proof-of-concept attack employed adversarial prompts to manipulate AI models into reproducing and distributing malicious instructions. Once a system was “infected”, the worm could autonomously generate further prompts that induced the AI to replicate the attack and transmit it to other models.

Unlike traditional worms, which typically exploit unpatched code, Morris II spread by exploiting the openness and unpredictability of generative AI behaviour. The demonstration underscored that as organisations increasingly embed generative AI into operational workflows, they may expose novel attack surfaces where the vulnerability lies not in source code but in training data and model responses.

Further readings

Adversarial and offensive AI - "Exploiting AI for Attacks: On the Interplay between Adversarial AI and Offensive AI" (Shröer & Pajola 2025)
The study outlines how attackers can exploit vulnerabilities in AI systems through adversarial inputs, or weaponise AI itself to launch more effective exploits against traditional targets, highlighting the dual role of AI as both a tool and a target in cyberattacks.
Adversarial malware binaries - "Adversarial Malware Binaries: Evading Deep Learning for Malware Detection in Executables" (Kolosnjarski et al. 2018)
The study showcases gradient-based attacks that modify less than 1% of bytes in executables while preserving functionality, successfully evading deep-learning malware detectors trained on raw bytes.

Installation

The attacker installs malware or backdoors to maintain (hidden) persistent access and control inside the target system.

How AI changes installation:

AI can produce adaptive persistence techniques and suggest the most effective installation vectors by analysing prior stages’ data, but full automation of the nuanced, decision-heavy installation phase remains limited. Where applied, AI enables malware to modify behaviour to avoid detection and to select optimal timing and entry points.

Extent of impact: Medium. AI improves persistence and stealth, but full automation remains limited because installation demands contextual decisions.

Case highlighted: Ransomware that learns to hide

In 2024, researchers introduced a system known as EGAN, an AI model developed to explore how ransomware might employ learning strategies to evade detection. Unlike traditional static malware, which is either identified or overlooked, EGAN operated through iterative experimentation.

The system repeatedly modified the ransomware code, testing successive variants until it produced one that could bypass antivirus defences while retaining full functionality. In effect, the malware “learned” how to circumvent anomaly-based detection mechanisms that are normally effective at identifying suspicious behaviour.

Although created within a research environment, EGAN demonstrated how AI-driven persistence mechanisms could render ransomware significantly more difficult to detect and eradicate once deployed. Rather than depending on predefined evasion techniques, the malware adapted dynamically, raising the prospect of near-“unkillable” malicious software.

Further readings

Command and control

After gaining control of multiple systems, the attacker creates a control center to exploit them remotely. The attacker establishes remote communication with the compromised system, via different channels (e.g., web, DNS, or email) to control operations and evade detection. The attacker uses different techniques such as obfuscation to cover their tracks and avoid detection, or denial-of-service (DoS) attacks to distract security professionals from their true objectives.

How AI changes command and control (C2):

AI enables more covert C2 communications by generating traffic that mimics legitimate activity, designing evasive domain-generation algorithms and orchestrating decentralised, adaptive botnets. It can also tune C2 behaviour to evade anomaly detectors.

Extent of impact: Medium. AI increases C2 sophistication and resilience, but operational constraints limit widespread adoption.

Case highlighted: AI-coordinated botnets, swarms with a mind of their own

In 2023, researchers demonstrated a novel form of botnet powered by AI. Conventional botnets typically rely on a central command-and-control (C2) server through which a single hub issues instructions that compromised machines, or “bots”, then execute. This architecture, however, can often be disrupted once defenders identify and disable the central server.

The AI-enabled botnet adopted a different model. Each node in the network employed reinforcement learning to autonomously determine when to initiate attacks, which targets to pursue, and how to adapt tactics in response to defensive measures. Rather than awaiting centralised instructions, the bots collaborated in a decentralised manner, functioning as a form of self-organising hive.

This design rendered the botnet more resilient and more difficult to detect. Even if some nodes were neutralised, the remainder could adapt and continue operating. For defenders, the task was no longer limited to disrupting a single server but instead required countering a distributed, adaptive swarm of compromised machines.

Further readings

AI-based log tampering and trace hiding - "5 anti-forensics techniques to trick investigators (+ examples & detection tips)" (CyberJunkie 2023)
Reports in 2024-2025 described how AI could be used to erase or alter digital logs to hide attacks from investigators, though full real-world examples are still rare.
Bypassing GAN-based network intrusion detection systems - "NAttack! Adversarial Attacks to bypass a GAN based classifier trained to detect Network intrusion" (Piplai et al. 2020)
The study shows how adversarial attacks can successfully evade GAN-trained intrusion detection systems, allowing attackers to disguise C2 traffic as normal network activity.

Action on objectives

The attacker executes their ultimate goal, such as data exfiltration, data encryption or data destruction.

How AI changes action on objectives:

AI accelerates and refines the final tasks of an attack: automated data exfiltration, prioritisation of high-value assets, tailored extortion messaging and large-scale content generation for disinformation or disruption. Final strategic decisions often still require human judgement, but AI shortens the path to those decisions.

Extent of impact: Medium. AI expedites and scales objective-oriented activity but does not wholly replace human intent.

Case highlighted: PromptLocker, an AI-driven ransomware orchestration

In 2024, researchers at New York University introduced PromptLocker, a proof-of-concept ransomware system controlled by a large language model. Unlike conventional ransomware, which follows predefined behaviours, PromptLocker made decisions in real time and automated multiple stages of the attack lifecycle. In the demonstration the model autonomously:

selected the most valuable targets within a compromised system,
exfiltrated sensitive data prior to encryption, increasing leverage over victims,
encrypted volumes and files to deny access
generated tailored ransom notes, adjusting tone and demands to the victim’s profile (for example, financial capacity and sector).

Although the work was carried out in a controlled research environment, PromptLocker illustrated how generative AI can automate and scale tasks that previously required human planning, thereby accelerating attackers’ ability to achieve their objectives and adapt to changing circumstances.

Further readings

AI-generated misinformation at scale - "A Pro-Russia Disinformation Campaign Is Using Free AI Tools to Fuel a 'Content Explosion'" (Gilbert 2025)
The article explains how the Russia-linked Operation Overload campaign (2023-2025) uses AI tools to mass-produce fake images, videos and voice-cloned clips of public figures. This material spreads widely via bot networks on social media to push divisive narratives.
AI-crafted fake social profiles for amplification - "Characteristics and prevalence of fake social media profiles with AI-generated faces" (Yang et al. 2024)
The investigation found over 1400 Twitter accounts using AI-generated profile pictures, organised into networks to boost scams and politically charged messages, with thousands of such accounts active daily.
AI-created fake documents and news outlets (psyops) - "The Lies Russia Tells Itself The Country's Propagandists Target the West—but Mislead the Kremlin, Too" (Rid 2024)
The article explains how an ongoing Doppelgänger campaign has been creating convincing counterfeit versions of legitimate news websites and publishing AI-generated articles to promote pro-Russian narratives across the West.

Discussion Questions

Which step of the Cyber Kill Chain is likely to be most transformed by AI in the future, and why? And at present, at which stage does AI deliver the most promising results for attackers? At which stage does implementing AI seem less effective and promising?
Does AI tilt the advantage in cyberspace more toward attackers or defenders?
Will widespread access to AI level the playing field for amateurs, or mostly empower well-resourced adversaries?
How does AI’s ability to automate and accelerate the cyber kill chain change the nature of cyberattacks?
Could AI make attacks so fast and adaptive that traditional defense frameworks become obsolete?
Who bears responsibility when AI models are misused for cyberattacks: developers, deployers, or attackers?
How can policymakers regulate offensive AI without stifling innovation in defensive or civilian applications?
Will AI push cyber conflict toward more autonomous, “machine-on-machine” warfare?
Could AI fundamentally change the cyber kill chain model into something nonlinear and continuously adaptive?