Threat actors are now using AI to build and run malicious campaigns, even where that means the quality of their malware suffers, according to HP security researchers. That includes using AI to generate infection scripts and automate malware delivery, borrowing the “vibe-coding” approach that is spreading through corporate development environments. It also means assembling attacks from inexpensive, off-the-shelf components and reusing intermediate-stage scripts and installers to launch and scale campaigns quickly and cheaply.
The growing use of AI and “flat-pack malware” were among the key findings in HP Wolf Security’s Q4 2025 Threat Insights Report, released this week, which shows that cost and speed are trumping quality in malware development.
“Many attackers are prioritizing speed and lowering costs over quality because their campaigns are still reliably bypassing defenses,” Alex Holland, principal threat researcher with HP Security Lab, told MSSP Alert. In the last three months of 2025, “we found that 14% of threats stopped by HP Sure Click had slipped past email scanners, showing that attackers are still finding ways to bypass tools that rely on detection.”
Holland noted that “when simple tactics are ‘good enough’ to successfully compromise a network, attackers don’t have much incentive to improve the quality of their malware.”
HP Wolf’s threat intelligence researchers draw their conclusions from threats that slipped past detection tools on PCs but were stopped by Sure Click, HP’s hardware-enforced containment feature, which isolates risky files rather than relying on recognizing them as malicious.
Attackers Using AI
Bad actors have been leveraging AI in their nefarious operations since soon after OpenAI introduced ChatGPT, and their use has grown more sophisticated. In a report in November 2025, Google Cloud’s Google Threat Intelligence Group (GTIG) wrote that its analysts had “identified a shift that occurred within the last year: adversaries are no longer leveraging artificial intelligence (AI) just for productivity gains, they are deploying novel AI-enabled malware in active operations. This marks a new operational phase of AI abuse, involving tools that dynamically alter behavior mid-execution.”
HP Wolf Security has seen similar changes over the past three years, Holland said.
“Previously, attackers mostly used AI for simple attack tasks like writing phishing emails and generating fake websites,” he said. “But recently, attackers have been adopting AI for more complex tasks, such as writing scripts that download and install payloads, and even helping to find vulnerabilities in code.”
'Mirroring Development Practices'
AI isn’t yet a full replacement for such difficult tasks, but “the capabilities of AI tools are rapidly improving over time, so we expect attackers to rely on them more heavily across the whole attack lifecycle in the future,” he said.
In the report, HP Wolf Security researchers detailed PDF-based threats that used a “simple but effective technique”: the PDF sent victims to a compromised website that served a malicious download, then immediately redirected them to a legitimate site so that the trusted platform appeared to have initiated the download. There were indications that the loader used in the attacks was developed with the help of AI tools, illustrating the trend of bad actors relying on AI coding assistants.
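The redirect chain above depends on the PDF carrying an action that fires as soon as the document is opened; treating that as a URI action on /OpenAction is an assumption here, since the report excerpt does not name the mechanism. The triage script below is an added example, not code from the HP Wolf report: it pulls literal URIs out of an uncompressed PDF and flags any that are wired to /OpenAction, whether by indirect reference or inline dictionary. The two sample PDFs and their .invalid URLs are constructed in the block.

```python
import re
from typing import Dict, List

# Constructed sample, not a file from the HP Wolf report: a minimal PDF whose
# catalog carries an /OpenAction pointing at a URI action, so a viewer that
# honours it navigates to the URL as soon as the document is opened. The URL
# uses the reserved .invalid TLD and is a placeholder.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"4 0 obj << /S /URI /URI (http://compromised.example.invalid/download) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Same skeleton with no action at all, used as the negative case.
BENIGN_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

OBJ_RE = re.compile(rb"(?P<num>\d+)\s+\d+\s+obj(?P<body>.*?)endobj", re.S)
URI_RE = re.compile(rb"/URI\s*\((?P<uri>[^)]*)\)")
OPENACTION_REF_RE = re.compile(rb"/OpenAction\s+(?P<obj>\d+)\s+\d+\s+R")
OPENACTION_INLINE_RE = re.compile(rb"/OpenAction\s*<<(?P<body>.*?)>>", re.S)


def triage_pdf(data: bytes) -> Dict[str, object]:
    """Collect literal URIs in a PDF and flag any that fire on open.

    Works on uncompressed objects only: URIs inside object streams or
    FlateDecode'd content would need decompression first (a known gap,
    deliberately not handled here).
    """
    objects = {m.group("num"): m.group("body") for m in OBJ_RE.finditer(data)}
    all_uris: List[str] = [m.group("uri").decode("latin-1") for m in URI_RE.finditer(data)]

    on_open: List[str] = []
    # /OpenAction may be an indirect reference ("4 0 R") to an action object ...
    for m in OPENACTION_REF_RE.finditer(data):
        body = objects.get(m.group("obj"), b"")
        on_open += [u.group("uri").decode("latin-1") for u in URI_RE.finditer(body)]
    # ... or an inline dictionary ("<< /S /URI /URI (...) >>").
    for m in OPENACTION_INLINE_RE.finditer(data):
        on_open += [u.group("uri").decode("latin-1") for u in URI_RE.finditer(m.group("body"))]

    return {"uris": all_uris, "on_open": on_open, "suspicious": bool(on_open)}


if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        print(name, triage_pdf(blob))
```

A hit on `on_open` is a strong triage signal on its own; a document that navigates somewhere before the reader has done anything has little legitimate reason to exist in inbound mail. Real samples frequently compress their objects, so this check belongs after a decompression pass (or inside a tool such as a PDF parser library that does it for you) rather than in place of one.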
“Attackers seem to be increasingly mirroring legitimate development practices, such as AI-assisted scripting,” they wrote. “We’re seeing more activity that exhibits ‘vibe coding’ traits, such as template-like scripts and verbose comments, which are enabling attackers to develop quicker and reduce costs.”
Building-Block Approach to Malware
Several campaigns were assembled using a building-block approach. Most of the components were bought on hacking forums and needed only small changes to be usable, such as changing the URL where the payload was hosted or where the binaries were delivered.
“These building blocks are typically inexpensive and greatly reduce the effort required by attackers,” the researchers wrote. “Attackers used different initial infection file types, social engineering methods, and final payloads, but identical intermediate stages to install malware on endpoints. A recurring technique involved downloading images from archive.org and using them as containers for concealed code.”
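The report excerpt does not say how the code was hidden inside the archive.org images. One cheap and common variant is simply appending the script after the image’s own end marker: viewers stop at the marker and ignore the rest, and a loader carves the tail off by offset. The check below is an added example, not anything from the HP Wolf report; it walks a PNG’s chunks to IEND or a JPEG’s segments to EOI and returns whatever trails the container. The images and the placeholder payload are constructed in the block, and the check would not catch data hidden in metadata chunks or in pixel values, which need separate inspection.

```python
import struct
import zlib
from typing import Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Length + type + data + CRC, as the PNG spec lays chunks out."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png() -> bytes:
    """A valid 1x1 RGB PNG, a constructed stand-in for a hosted image."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, depth, RGB, ...
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte 0 + one red pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def make_jpeg() -> bytes:
    """Minimal JPEG framing (SOI, one APP0 segment, EOI); enough for the container check."""
    return b"\xff\xd8" + b"\xff\xe0\x00\x04\x00\x00" + b"\xff\xd9"


def container_end(data: bytes) -> Optional[int]:
    """Offset just past the image's own terminator (PNG IEND chunk or JPEG EOI),
    or None if the data is not a PNG/JPEG this walker understands."""
    if data.startswith(PNG_SIG):
        pos = len(PNG_SIG)
        while pos + 8 <= len(data):
            length = struct.unpack(">I", data[pos:pos + 4])[0]
            ctype = data[pos + 4:pos + 8]
            pos += 8 + length + 4  # header, payload, CRC
            if ctype == b"IEND":
                return pos
        return None
    if data.startswith(b"\xff\xd8"):
        pos = 2
        while pos + 2 <= len(data) and data[pos] == 0xFF:
            marker = data[pos + 1]
            if marker == 0xD9:  # EOI reached without scan data
                return pos + 2
            if marker == 0xDA:  # SOS: entropy-coded data follows; the next FFD9 is EOI
                eoi = data.find(b"\xff\xd9", pos)
                return eoi + 2 if eoi != -1 else None
            if pos + 4 > len(data):
                return None
            seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
            pos += 2 + seglen  # marker + length-prefixed segment (length counts itself)
        return None
    return None


def trailing_data(data: bytes) -> bytes:
    """Bytes appended after the image ends; empty for a clean file."""
    end = container_end(data)
    return b"" if end is None else data[end:]


# Constructed placeholder standing in for an appended script; a real payload
# would be whatever the loader expects to carve out after the image.
PLACEHOLDER = b"::hidden-stage::" + b"A" * 48
CONCEALED_PNG = make_png() + PLACEHOLDER
CONCEALED_JPEG = make_jpeg() + PLACEHOLDER

if __name__ == "__main__":
    for name, blob in (("clean png", make_png()), ("concealed png", CONCEALED_PNG),
                       ("clean jpeg", make_jpeg()), ("concealed jpeg", CONCEALED_JPEG)):
        print(name, len(trailing_data(blob)), "trailing bytes")
```

In a proxy or sandbox this is a cheap pre-filter: any image whose container ends well before the file does deserves a closer look, and a loader fetching such files from a public archive is itself a behavioural signal that a reuse of this intermediate stage across campaigns makes worth hunting for.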
MSSPs Need to Take Heed
There are lessons in the report’s findings that MSSPs should take to heart as they look to protect themselves as well as their clients, Holland said. While detection remains an important part of a security strategy, more is needed against AI-assisted threats, which threat actors can iterate and scale quickly enough to outpace detection tools.
“With attackers investing to make detection harder and growing their ability to scale the volume of attacks through AI, there’s a greater need for prevention tools like threat containment that don’t rely on detection to stop intrusions,” he said.
Looking beyond the Q4 activity, the push toward speed, cost, and efficiency over quality will likely continue in 2026, with attackers focusing more on accelerating and automating their campaigns to cut the associated time and cost. “At the same time, we expect attackers to invest in generating lures that are more tailored and targeted to maximize their click rates,” Holland said. “It will become even more important for MSSPs and organizations to reduce their attack surface as much as possible, for example, by isolating untrustworthy files and links.”