The wrong response to AI-enabled threats is to treat them as a separate category and chase a moving set of "AI tells." Those tells will change quickly, particularly the surface signs as attackers refine prompts, swap tools, and clean up the obvious residue. The real issue isn't whether AI is present. It's whether defenders can still catch and contain attacks that now move faster, scale more easily, and look more convincing than before.
That's why the defensive approach should stay disciplined. Get the fundamentals right, then accelerate them. Organizations need defense in depth; strong visibility across the environment; and detections built on behavior, identity, and context rather than surface appearance. They also need AI and automation where those tools materially improve speed: correlating weak signals, reducing triage time, enriching investigations, and triggering coordinated response before a fast-moving intrusion turns into a larger compromise. That's the model that will hold up as adversarial AI use matures.
Three Developments to Watch
Most adversarial AI use we track today sits near the front end of the attack chain: crafting lures, generating code, and building infrastructure. But the technology is moving toward autonomous, multi-step execution, and adversaries are already starting to experiment with agentic workflows that chain tasks together rather than using AI for one-off prompts.[2] Separately, in November 2025, the first AI-orchestrated cyber espionage campaign was reportedly disrupted: a Chinese state-sponsored operation in which the AI model executed 80–90% of tactical work autonomously, including reconnaissance, exploit adaptation, and lateral movement across roughly 30 targets.[3] Those claims were later met with some skepticism, but even so, the episode shows that threat actors are actively testing these capabilities. That makes it unwise to dismiss the possibility that, over time, more of their activity — especially from well-funded nation-state groups — could shift into agentic systems.
Anthropic's Claude Mythos 5 and Fable 5 add another dimension. Reports suggest models with “Mythos-class” capabilities can autonomously find, chain, and weaponize vulnerabilities across major software platforms.[4] In the wrong hands, that could shorten the gap between vulnerability discovery, exploit development, and operational use even further, allowing well-resourced actors to operationalize complex exploit chains faster than many security teams can validate, prioritize, and contain them manually.
That shift is also starting to shape policy. Within days of Anthropic introducing Fable 5 and Mythos 5, the US government ordered Anthropic to suspend access to those models for foreign nationals,[5] an indication that frontier cyber-capable LLMs are now being treated as strategically sensitive technology rather than ordinary software. This is a significant development, but it doesn’t reduce the broader risk. Local models, open-weight systems, and parallel development elsewhere will continue, and restrictions like these may simply push other states to build or back their own alternatives.
What This Means For You
When attackers can move autonomously across reconnaissance, exploit chaining, and lateral movement, the assumption that humans set the pace of an intrusion no longer holds. Defenders should be reviewing where their detection and response still depend on manual handoff, and where machine-speed correlation and automated containment can close the gap before agentic activity gets far.
DPRK-backed actors have been the most visible adopters of AI in this report, using deepfake identities, AI-polished resumes, and voice agents largely because the payoff is direct and immediate. Given the reports that China-linked threat actors have tried their hand at AI, other state-backed groups have strong incentive to follow, especially those with established tooling, operational maturity, and even cyber-espionage objectives.
The next shift among nation-state actors may be deeper investment, not just wider adoption. If frontier systems like Mythos show real value in reconnaissance, vulnerability research, exploit chaining, malware adaptation, or target analysis, well-resourced actors will have stronger reasons than financially motivated actors to push beyond public tools. That could mean more use of self-hosted models, privately tuned systems, or capability development through internal teams, contractors, or proxy ecosystems.
The point isn't that every nation-state actor will suddenly field bespoke offensive AI. Most won't need to. But the actors with the clearest mission payoff and the deepest resources are also the ones best positioned to test those capabilities seriously and operationalize them faster.
What This Means For You
Organizations in the path of nation-state intent — critical infrastructure, defense, technology, finance — should expect a wider range of actors using AI in live operations, and at least some of them moving beyond off-the-shelf tooling. Treat identity verification, vendor onboarding, and high-value intrusion paths as priority surfaces for the next round of capability investment.
Every AI tool an organization adopts without a clearly communicated, verifiable installation path remains a potential lure candidate, as the Claude-themed campaigns in this report showed. But the next layer of risk is inside the enterprise stack itself. As organizations embed copilots, assistants, and agents into email, calendars, code, and workflow automation, those systems become new targets for prompt injection, data leakage, and workflow manipulation. Recent reporting has already shown major AI productivity tooling brands being manipulated into leaking sensitive information through indirect prompt-injection techniques.[6][7] Over the next year, expect attackers to exploit both sides of the adoption curve: users eager to install AI tools, and organizations deploying AI systems that are deeply connected to sensitive data and business processes.
What This Means For You
Both sides of the enterprise AI curve need defensive ownership. On the user side, give people clear, verifiable installation paths and watchlist tooling for lookalike Claude-, Copilot-, and ChatGPT-themed lures. On the system side, treat internal AI tooling like any other piece of business-critical infrastructure: scope what it can read and act on, and build detections for prompt injection, data exfiltration via context windows, and unintended workflow manipulation.
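One way to implement the lookalike watchlist for Claude-, Copilot-, and ChatGPT-themed lures mentioned above, added here as an example and not taken from the report. The brand tokens, the official-domain allowlist, the homoglyph table and the sample domains are assumptions, and registrable-domain handling is simplified to the last two labels.

```python
import re

# Assumption: defender-maintained brand tokens and official registrable domains.
BRANDS = ("claude", "copilot", "chatgpt")
OFFICIAL = {"claude.ai", "anthropic.com", "chatgpt.com", "openai.com",
            "microsoft.com", "github.com"}
# Assumption: a small homoglyph table; digits commonly swapped for letters.
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable(host):
    """Last two labels only (assumption: no public-suffix list handling)."""
    return ".".join(host.split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain):
    """Return 'official', 'lookalike' or 'unrelated' for one observed domain."""
    host = domain.lower().rstrip(".")
    if registrable(host) in OFFICIAL:
        return "official"
    folded = host.translate(FOLD)
    tokens = [t for t in re.split(r"[.\-_]", folded) if t]
    for brand in BRANDS:
        if brand in folded:  # brand name embedded anywhere in the host
            return "lookalike"
        if any(abs(len(t) - len(brand)) <= 1 and edit_distance(t, brand) == 1
               for t in tokens):  # one-character typo of the brand
            return "lookalike"
    return "unrelated"


# Constructed sample of domains seen in proxy or DNS logs (not from the report).
SAMPLE = ["claude.ai", "copilot.microsoft.com", "c1aude-install.example",
          "claude.ai.setup-files.example", "cloude-ai.example", "intranet.example"]


def review_queue(domains):
    """Domains an analyst should review before users install from them."""
    return [d for d in domains if classify(d) == "lookalike"]
```

Ordinary words one edit away from a brand name will also be flagged, so the output is a review queue for an analyst rather than a blocklist.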