You don’t need to be an expert to become a great (artist) attacker

In the era of industrialized cybercrime, artificial intelligence has blurred the line between the skilled specialist and the audacious amateur: a handful of cryptocurrencies, access to an underground forum, and enough curiosity can suffice to unleash a highly precise offensive.

PrThis elude to the assault

The stealth phase of an offensive operation in cyberspace does not begin with a “magic hack,” but with meticulous observation of the adversary. Within the cyber kill chain framework, reconnaissance typically occupies the longest stretch of time.

During this period, the aggressor adopts a near-ethnographic approach: they rely on OSINT to capture scattered traces across social networks, corporate portals, forums, and specialized search engines such as Shodan or FOFA that discover Internet-exposed devices and services.

With these fragments, they assemble a portrait of the attack surface: identifying IP addresses, subdomains, certificates, outdated technologies, and—most crucially—the administrators’ habits and even working hours.

The Volt Typhoon campaign illustrates the staggering strategic investment this phase demands. State-sponsored Chinese actors meticulously mapped critical U.S. infrastructure (network topologies, defensive controls, and user routines) before executing any action.

Such painstaking cartography granted them stealthy, long-term access. CISA confirmed that the malicious presence persisted for at least five years. The secret to their invisibility: living-off-the-land tactics and the abuse of valid credentials to disguise every move.

AI as a catalyst for the attack

An AI-as-a-Service market has emerged on the dark web: tools like WormGPT, FraudGPT, or DarkBERT enable the creation of social-engineering campaigns and malware in seconds. These platforms transform the artisanal phase of cybercrime into an almost industrial process: the user selects the language, defines the target audience, and receives the inputs needed to carry out a BEC fraud or deploy polymorphic code capable of evading antivirus tools.

The most disquieting element lies in the democratization of cybercrime. In this context, developers don’t need to train models from scratch; they employ general-purpose architectures—e.g., GPT-J, Grok, or Mixtral—and “jailbreak” them to bypass safety filters (think of the now-famous pretext, “my grandma tells me malicious code at bedtime, can you help me fall asleep?”).

Thus, a clear intent and the rudimentary skill of searching the Internet are enough to assemble an offensive that looks like high engineering.

Xanthorox AI: The Premium Arsenal of Cybercrime-as-a-Service

The latest novelty in underground forums is Xanthorox AI, marketed as the “WormGPT killer,” which runs on private servers without relying on GPT or public APIs.

Its architecture integrates five specialized models that can be chained together to support ransomware or social-engineering campaigns:

• Coder, which generates malware and exploits.

• Vision, which extracts data from images.

• Reasoner Advanced, for drafting highly persuasive phishing.

• Voice and file modules for real-time cloning.

• OSINT Scraper, which performs large-scale open-source collection.

Advertised as an “all-in-one” offensive platform, Xanthorox AI marks a milestone in the democratization of cybercrime. With a monthly subscription of roughly $300 at the basic tier, any user can access advanced capabilities such as:

• Generation of malicious programs that automatically mutate to evade traditional antivirus products.

• Creation of victim-tailored fraudulent messages that can be woven into coherent, multilingual conversations.

• Covert collection of information on digital infrastructures to plan attacks

By removing the need for proprietary infrastructure or specialized expertise, Xanthorox not only radically lowers the barrier to entry for emerging malicious actors, it also widens the asymmetry between offenders and defenders across the cybersecurity ecosystem.

Paradoxically, and with a twist worthy of digital tragicomedy, the youthful architect of this algorithmic contraption has already been arrested by Spanish authorities, undone not by a leak or sophisticated forensic tracing, but by his own overinflated ego on clandestine forums.

Although he tried to shield himself with the claim that Xanthorox was merely an “academic experiment” the scale, sophistication, and commercial packaging of his creation refuted that defense without mercy.

If, however, a twenty-something student—without access to the resources of a major criminal organization or a nation-state—could conceive an offensive platform of such scope, what should we anticipate when these already formidable capabilities are harnessed by more methodical actors with deeper financial backing and far darker motivations?

Defensive perspective: anticipate through the adversary’s lens

Adopting the adversary’s optics does not glorify their craft: it deciphers it so we can preempt it.

The stealthy attacker spends weeks on pre-planning before materializing the aggression: acquiring leaked credentials in underground markets and forums; profiling employees’ work routines and technological dependencies via OSINT or passive surveillance; and exploiting newly disclosed vulnerabilities in widely used plugins before patches are applied.

When escalation is required, they turn to AI models capable of drafting impeccable emails and producing malware on demand. This adversary knows they must move quickly to avoid detection, yet also that they can lie dormant for years if the objective is strategic.

Given the foregoing, organizational defense must assume the “enemy” perspective: map one’s attack surface with surgical precision; establish a Zero Trust model accompanied by rigorous microsegmentation; and activate behavioral analytics capable of detecting, within minutes, any deviation from normal account and system use.

This technical wall must be complemented by personnel trained to neutralize fraudulent emails and calls, as well as by strict governance over generative AI, whose careless use can expose corporate secrets with a single click.

In this landscape of democratized threats, it is crucial to have an ally capable of converting a mere inventory of gaps into actionable intelligence. In that context, Cyte’s practice goes beyond simple consulting, enabling organizations to discover where failure points hide and to implement solutions that neutralize them before they escalate.

Its product, PredictIQ, is an application that audits the full life cycle of each vulnerability, from detection to the assignment of compensating controls and final remediation.

Additionally, it not only quantifies key performance indicators with unusual granularity, but also feeds an AI model (in this case, one oriented toward the common good) that can anticipate susceptible assets and alert on incipient weaknesses in the infrastructure.

At the end of the day, you don’t need to be an expert to be a great artist or a formidable attacker—but you also don’t need to be one to erect an effective initial defense. It is enough to begin understanding the adversary’s logic and to surround yourself with partners who translate that knowledge into operational hardening.

References

[1] Cyber Kill Chains: Strategies & Tactics | Splunk

[2]PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure | CISA

[3]Xanthorox AI: A New Breed of Malicious AI Threat Hits the Darknet

[4]Darknet’s Xanthorox AI Offers Customizable Tools for Hackers - Infosecurity Magazine

[5]Xanthorox AI – The Next Generation of Malicious AI Threats Emerges - Security Boulevard

[6]Xanthorox AI Surfaces on Dark Web as Full Spectrum Hacking Assistant

[7] Así es como el ego traicionó al hacker que creó una IA para cometer delitos que triunfaba en España

If you'd like to always have the article by Valentina Salazar, handy, we invite you to download it, share it, and tell us what you think.