{"id":7464,"date":"2025-03-20T15:18:00","date_gmt":"2025-03-20T20:18:00","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=11220"},"modified":"2025-03-20T15:18:00","modified_gmt":"2025-03-20T20:18:00","slug":"as-actors-adopt-genai-threat-intel-needs-to-modernize","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/03\/20\/as-actors-adopt-genai-threat-intel-needs-to-modernize\/","title":{"rendered":"As actors adopt GenAI, threat intel needs to modernize"},"content":{"rendered":"<h3>Authors: Krupa Srivatsan and Bart Lenaerts<\/h3>\n<p>How adversaries evade detections and the case for predictive intelligence<\/p>\n<h3>INTRO<\/h3>\n<p>Generative AI, particularly Large Language Models (LLMs), is transforming cybersecurity. Adversaries are attracted to GenAI because it lowers the barrier to creating deceptive content. Actors use it to enhance the efficacy of malicious techniques like social engineering and detection evasion.<\/p>\n<p>This blog provides examples of malicious GenAI usage like deepfakes, chatbot automation and obfuscation. More importantly, it also makes the case for new levels of telemetry and for predictive threat intelligence capable of disrupting actors before they execute their attacks.<\/p>\n<h3>Example 1: Deepfakes for Crypto Scams<\/h3>\n<p>At the end of 2024, the FBI warned<sup>1<\/sup> that criminals were using generative AI to commit fraud on a larger scale, making their schemes more believable. GenAI reduces the time and effort needed to deceive targets by creating new, trustworthy-looking content. These tools can correct human errors that might otherwise signal fraud, and while creating synthetic content isn\u2019t illegal, it can facilitate crimes like fraud and extortion. Criminals use AI-generated text, images, audio and videos to enhance social engineering, phishing and financial fraud schemes. 
<\/p>\n<p>In September 2024, Infoblox Threat Intel discovered deepfake videos, some with over 180,000 viewers, as cybercriminals jumped at the opportunity to use the U.S. presidential debate as fodder for a new cryptocurrency scam. Victims were lured by deepfake videos claiming to show Elon Musk presenting on the theme of cryptocurrency and telling viewers that they could win big by investing in cryptocurrency during the streamed event.<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" class=\"blog-image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/as-actors-adopt-genai-threat-intel-needs-to-modernize.png?w=640&#038;ssl=1\" alt=\"Picture 1: Example of a deepfake cryptocurrency scam video discovered by Infoblox (2)\"><\/p>\n<p class=\"image-caption\">Picture 1: Example of a deepfake cryptocurrency scam video discovered by Infoblox<sup>2<\/sup><\/p>\n<p>The videos contained QR codes linked to domains made to look like they belonged to the candidates or to cryptocurrency platforms, adding further deception. All of this demonstrates how criminals take advantage of high-profile current events, social media, and GenAI to make money. While YouTube took down account after account, some videos were available for over 12 hours, tricking an untold number of users. But by blocking access to suspicious domains, users can be protected from these clever scams.<\/p>\n<h3>Example 2: AI-Powered Chatboxes<\/h3>\n<p>Actors often pick their victims carefully by gathering insights on their interests. Their initial research is used to craft the smishing message and draw the victim into a conversation with them. Personal notes like \u201cHow can we bring you a happy mood today?\u201d or \u201cI read your last social post and wanted to become friends\u201d are some examples our intel team discovered (step 1 in picture 2). 
While some of these messages may be extended with AI-modified pictures, what matters is that actors invite their victims to the next step, which is a conversation on Telegram or another actor-controlled medium, far away from security controls (step 2 in picture 2).<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" class=\"blog-image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/as-actors-adopt-genai-threat-intel-needs-to-modernize-1.png?w=640&#038;ssl=1\" alt=\"Picture 2: Sample AI-driven conversation\"><\/p>\n<p class=\"image-caption\">Picture 2: Sample AI-driven conversation<\/p>\n<p>Once the victim is on the new medium, the actor uses several tactics to continue the conversation, such as invites to local golf tournaments, Instagram follows or AI-generated images. These AI bot-driven conversations go on for weeks and include additional steps, like asking for a thumbs-up on YouTube or even a social media repost. At this stage, the actor is assessing their victims and seeing how they respond. Sooner or later, the actor will show some goodwill and create a fake account. Each time the victim reacts positively to the actor\u2019s request, the amount of currency on the fake account will increase. Later, the actor may even request small amounts of investment money, promising an ROI of more than 25 percent. When the victim asks to collect their gains (step 3 in picture 2), the actor starts the real play by requesting access to the victim\u2019s crypto account. 
At this moment, the pig butchering comes to an end and the actor steals all the crypto money in the account.<\/p>\n<table class=\"calloutbox\">\n<tbody>\n<tr>\n<td>\n<p>Observed characteristics of GenAI usage in chatboxes<\/p>\n<ul class=\"list-spacing\">\n<li>Displaying AI grammar, like an extra space after a dot, reflecting foreign-language conventions<\/li>\n<li>Using fraud-related vocabulary<\/li>\n<li>Forgetting details from past conversations<\/li>\n<li>Repeating messages mechanically due to poorly trained AI chatbots (also known as parroting)<\/li>\n<li>Illogical requests, like asking if you want to withdraw your funds at non-rational moments<\/li>\n<li>Using false press releases posted on malicious sites<\/li>\n<li>Opening conversations with commonly used phrases to lure the victim<\/li>\n<li>Using cryptocurrency<\/li>\n<\/ul>\n<p>The combination of these fingerprints allows threat intel researchers to observe emerging campaigns, trace back the malicious infrastructure and even predict where the actor will execute their next attack.\n<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Example 3: Code Obfuscation and Evasion<\/h3>\n<p>Threat actors are using GenAI not only for creating human-readable content. Several news outlets have explored how GenAI assists actors in obfuscating their malicious code. Earlier this year <a href=\"https:\/\/www.infosecurity-magazine.com\/news\/hackers-image-malware-genai-evade\/\" target=\"_blank\"><strong>Infosecurity Magazine<\/strong><\/a> published details of how threat researchers discovered social engineering campaigns spreading VIP Keylogger and 0bj3ctivityStealer malware, both of which involved malicious code being embedded in image files. With the goal of improving the efficiency of their campaigns, actors are repurposing and stitching together existing malware via GenAI to evade detection. 
This approach also helps them gain velocity in setting up threat campaigns and reduces the skills needed to construct infection chains. Industry threat research teams <a href=\"https:\/\/thehackernews.com\/2024\/12\/ai-could-generate-10000-malware.html\" target=\"_blank\"><strong>estimate<\/strong><\/a> evasion increments of 11% for email threats, while other security vendors estimate that GenAI flipped their own malware classifier model\u2019s verdicts 88% of the time. Clearly, actors are making progress in their lucrative initiatives.<\/p>\n<h3>Making the case for modernizing threat research<\/h3>\n<p>As AI-driven attacks pose plenty of detection evasion challenges, defenders need to look beyond traditional tools like sandboxing, URL scanning or indicators derived from incident forensics. One such opportunity is tracking pre-attack activities instead of waiting for the final malicious payload. <\/p>\n<p>Just like a standard software development lifecycle, threat actors go through multiple stages before launching attacks. First, they develop or generate new variants of the malicious code using GenAI. Next, they set up the infrastructure, like email delivery networks, attractive content or untraceable traffic distribution systems. Often this happens in combination with domain registrations or, worse, hijacking of domains. Finally, the attacks go into \u201cproduction\u201d, meaning the domains become weaponized, ready to deliver the malicious payload. <\/p>\n<p>This is the stage where traditional security tools attempt to detect and stop threats, because it involves easily accessible endpoints or networks directly in the customer\u2019s environment. 
But because of GenAI, this detection moment is often not effective, as the actor is continuously altering their payloads to bypass signature-based or known-behavior-based detections.<\/p>\n<h3>Predictive Intelligence based on DNS Telemetry<\/h3>\n<p>At Infoblox, finding actors and their malicious infrastructure before they attack is at the core of our team\u2019s mission. Starting from a single domain registration combined with worldwide DNS telemetry and decades of threat expertise, Infoblox Threat Intel leverages cutting-edge data science to identify even the stealthiest actors. Some of these \u2013 like Vextrio Viper<sup>3<\/sup> \u2013 are not even executing the attack but enable thousands of affiliates to deliver otherwise seemingly unrelated malicious payloads or content.<\/p>\n<p>Infoblox threat analysts intercept actor activities at the early stages of the attack, as new malicious infrastructure is configured. By using data like new domain registrations, DNS record details and query resolutions, Infoblox leverages data that is not prone to GenAI alteration. Why? Because DNS data is transparent to multiple stakeholders (domain owner, registrar, domain server, client, destination) and needs to be 100% correct for the connection to work. Simply put, the DNS protocol is an essential component of the internet that is hard to fool.<\/p>\n<p>DNS has another advantage: domains and the DNS infrastructure need to be configured well in advance. At Infoblox we track the creation or transfer of domains on a continuous basis. This highly reliable data precedes any adversarial use of GenAI at the delivery stage when altering the content. For that reason, DNS can provide true predictive intelligence with high reliability.<\/p>\n<h3>Conclusion<\/h3>\n<p>The evolving landscape of AI and its impact on security is significant. 
With the right approaches and strategies, such as use of DNS-focused threat intelligence, companies can get ahead of these risks and ensure that they don\u2019t become patient zero.<\/p>\n<h3>Footnotes<\/h3>\n<ol>\n<li><a href=\"https:\/\/www.ic3.gov\/PSA\/2024\/PSA241203\" target=\"_blank\"><strong>Criminals Use Generative Artificial Intelligence to Facilitate Financial Fraud<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/blogs.infoblox.com\/threat-intelligence\/no-elon-musk-was-not-in-the-us-presidential-debate\/\" target=\"_blank\"><strong>No, Elon Musk was not in the U.S. presidential debate<\/strong><\/a><\/li>\n<li><a href=\"https:\/\/www.infoblox.com\/threat-intel\/threat-actors\/vextrio\/\" target=\"_blank\"><strong>Infoblox Threat Intel Actor Profile Vextrio Viper<\/strong><\/a><\/li>\n<\/ol>\n<style>\n.code-format { font-family: 'Courier New';\n}\n.image-caption { font-size: 12px;\n}\n.list-spacing li{margin-bottom:20px}\nol.list-spacing > li::marker { font-weight: 700;\n}\n<\/style>\n<p> <a href=\"https:\/\/blogs.infoblox.com\/threat-intelligence\/as-actors-adopt-genai-threat-intel-needs-to-modernize\/\">Infoblox Original<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Authors: Krupa Srivatsan and Bart Lenaerts How adversaries evade 
detections<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[3947,3950,3948,1945,3951,3949,42],"tags":[3952,3955,3953,1950,3956,3954,50],"class_list":["post-7464","post","type-post","status-publish","format-standard","hentry","category-ai-in-cybersecurity","category-ai-driven-threats","category-generative-ai-risks","category-infoblox-threat-intel","category-predictive-threat-intelligence","category-preemptive-cyber-defense","category-security","tag-ai-in-cybersecurity","tag-ai-driven-threats","tag-generative-ai-risks","tag-infoblox-threat-intel","tag-predictive-threat-intelligence","tag-preemptive-cyber-defense","tag-security"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Infoblox","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/infoblox\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ai-in-cybersecurity\/\" rel=\"category tag\">AI in Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ai-driven-threats\/\" rel=\"category tag\">AI-driven Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/generative-ai-risks\/\" rel=\"category tag\">Generative AI Risks<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/infoblox-threat-intel\/\" rel=\"category tag\">Infoblox Threat Intel<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/predictive-threat-intelligence\/\" rel=\"category tag\">Predictive Threat Intelligence<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/preemptive-cyber-defense\/\" rel=\"category tag\">Preemptive Cyber Defense<\/a> <a 
href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/security\/\" rel=\"category tag\">Security<\/a>","tag_info":"Security","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7464","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7464"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7464\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7464"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7464"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7464"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}