Hackers have found a new way to get AI tools to do their dirty work without paying for it. Instead of using their own resources, attackers are hijacking exposed AI model servers and plugging them into automated hacking pipelines.
The result is a self-directed attack tool that can scan targets, find weaknesses, write exploits, and attempt a break-in entirely on its own.
This threat builds on a pattern first identified in 2024, when attackers began stealing cloud credentials to abuse paid AI services, a method researchers called LLMjacking.
Worst-case financial damage was estimated at up to $46,000 per day in stolen compute charges. By 2025, the criminal ecosystem had grown into a black market with reverse-proxy networks brokering billions of stolen tokens worldwide.
Researchers at Sysdig said in a report shared with Cyber Security News (CSN) that on June 12, 2026, their Threat Research Team caught an attacker using a misconfigured Ollama model server as the brain for a multi-stage offensive tool.
Unlike earlier LLMjacking cases, the actor was not reselling access or chatting with the model. They had wired it into a software pipeline designed to automate the entire hacking process from start to finish.
The scale of the exposure problem is alarming. Researchers have catalogued roughly 175,000 publicly accessible Ollama instances across more than 130 countries.
Ollama listens on port 11434 with no authentication by default, so any internet-facing server becomes free AI compute for whoever finds it.
Since the attacker’s tool sent full instructions to the model with every request, Sysdig’s team captured the complete inner workings of the framework.
This gave researchers a rare early look at how threat actors are merging stolen AI infrastructure with autonomous hacking in one operation.
Two trends previously developing separately, compute theft and AI-powered offensive tooling, have converged in one captured attack.
The attacker’s tool, which researchers call VAPT based on embedded code markers, drives the AI model through a tightly defined sequence of steps.
Each step has one specific job, and the model must return structured output the surrounding software can consume automatically. This keeps the pipeline fast and reliable without human involvement at each stage.
The stages observed included identifying services on a target, matching those to known vulnerabilities, building proof-of-concept exploits, crafting blind SQL injection payloads to bypass input filters, and pulling credentials from looted files.
A privilege escalation stage also pushes deeper into a system once initial access is gained. Credential extraction alone was run well over a hundred times across the campaign.
What makes this framework especially capable is its autonomous orchestrator, a controller that drives the entire chain until it achieves command execution on the target.
To confirm a successful compromise, the tool runs a specific command and looks for unique code markers bracketing the output. Once those appear, the confirmed exploit is frozen into a reusable template for replaying with any follow-up command.
Across the campaign, the tool requested at least seven AI models, including commercial names like GPT-4o-mini, Claude-3-5-Sonnet, and Gemini-2.0-Flash-Exp alongside open-source local builds.
Their presence shows the tool was originally built for paid APIs and simply redirected at the stolen Ollama server as a free substitute.
Every target during the capture was on a private, non-routable network. The actor tested against fictitious apps named “MediaVault Asset Portal” and “Reverb Studio,” and later against a range linked to HackTheBox lab environments.
No real public hosts were targeted, suggesting the tool is still being refined before deployment against actual victims.
Security teams should never expose Ollama or similar model servers to the public internet, and authentication must be added at the proxy or network layer since none is built in.
Teams should monitor inference endpoints for unusual request volumes and audit internet-facing assets for open model servers.
Any exposed AI inference endpoint should be treated with the same urgency as an exposed database or admin panel.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| Source IP | 122.183.48.82 | Threat actor IP, Hyderabad, India — June 12 session |
| Source IP | 122.183.48.35 | Threat actor IP, Hyderabad, India — June 14 session |
| Source IP | 122.183.48.195 | Threat actor IP, Hyderabad, India — June 14 session (same /24) |
| Source IP | 47.15.69.15 | Threat actor IP, India — June 14 session, second residential ISP |
| String Marker | VAPTb3gin | Compromise-confirmation sentinel emitted by the VAPT framework (begin marker) |
| String Marker | VAPTfin | Compromise-confirmation sentinel emitted by the VAPT framework (end marker) |
| String Marker | __VAPTCMD__ | Placeholder left in a confirmed RCE recipe so commands can be swapped and replayed |
| Command | echo VAPTb3gin; id; echo VAPTfin | Exact remote code execution confirmation probe used by the framework |
| String | MediaVault Asset Portal | Fictitious target application name found in the framework’s payloads |
| String | Reverb Studio | Fictitious target application name found in the framework’s payloads |
| Network Range | 172.30.0.0/24 | Actor’s private benchmark target range present in attack payloads |
| Network Range | 10.129.0.0/16 | Additional private target range in June 14 payloads, consistent with HackTheBox lab VPN |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。
