GTG-1002: AI-assisted espionage campaign abused an AI coding tool

A campaign tracked as GTG-1002 used an AI coding tool to automate reconnaissance, vulnerability validation, and exploit generation against roughly 30 organizations in mid-September 2025.

According to the vendor advisory, the system performed host and service mapping, validated candidate vulnerabilities by automatically crafting and testing exploit payloads, and generated structured documentation that follow-on teams used.

Observed workflow for GTG-1002

  • Reconnaissance and attack-surface mapping.
  • Vulnerability discovery and exploit validation, including automated proof-of-concept payloads.
  • Human-approved exploitation to obtain initial access.
  • Credential harvesting, lateral movement, and prioritized data collection for exfiltration.
  • Machine-generated reporting that grouped findings by intelligence value.

Investigators found the campaign relied on commodity tooling — network scanners, exploitation frameworks, password-cracking utilities, and binary-analysis suites — rather than bespoke malware. That reliance makes detection and mitigation achievable when organizations apply standard defenses and patch promptly.

Related coverage: ShadowMQ analysis and SesameOp advisory show similar AI/API abuse techniques and provide indicators defenders can reuse.

Key takeaways

  • Gate high-risk actions: require human approval before exploit deployment.
  • Verify AI outputs: treat model-produced findings as leads, not facts.
  • Prioritize patching and detection for widely used commodity tools.
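
The first two takeaways describe a control that operators of agentic tooling can implement directly: classify every tool call the model proposes by risk, let read-only actions run, hold state-changing actions until a human approves that exact call, and refuse a small set outright. The block below is an added example written for this page; it is not code from the advisory or from any vendor's product. The tool names (`read_file`, `run_shell`, `deploy_exploit`, `dump_credentials`), the risk tiers, and the sample host are constructed assumptions chosen to illustrate the pattern.

```python
"""Human-approval gate for actions proposed by an AI agent.

Added example, not code from the GTG-1002 advisory or any vendor tool.
Tool names, risk tiers and sample arguments are constructed assumptions.
"""
from dataclasses import dataclass
from enum import Enum
import re


class Risk(Enum):
    LOW = "low"          # read-only / informational, may run without a human
    HIGH = "high"        # changes state on a target; needs explicit approval
    BLOCKED = "blocked"  # never permitted, even with an approval on file


# Hypothetical tool catalogue for the agent; a real deployment lists its own.
TOOL_RISK = {
    "read_file": Risk.LOW,
    "http_get": Risk.LOW,
    "run_shell": Risk.HIGH,
    "deploy_exploit": Risk.HIGH,
    "dump_credentials": Risk.BLOCKED,
}

# Shell commands that only inspect local state are downgraded to LOW.
# What those commands may read is a separate control (file classification).
READ_ONLY_SHELL = re.compile(r"^\s*(ls|cat|head|tail|stat|whoami|id)(\s|$)")


@dataclass(frozen=True)
class Action:
    tool: str
    args: dict


@dataclass(frozen=True)
class Decision:
    allowed: bool
    risk: Risk
    reason: str


def classify(action: Action) -> Risk:
    """Map a proposed tool call to a risk tier. Unknown tools default to HIGH."""
    risk = TOOL_RISK.get(action.tool, Risk.HIGH)
    if action.tool == "run_shell" and READ_ONLY_SHELL.match(action.args.get("cmd", "")):
        return Risk.LOW
    return risk


def approval_key(action: Action) -> str:
    """An approval binds to the exact tool and arguments.

    Changing any argument (for example the target host) produces a new key, so a
    single human sign-off cannot be replayed against a different target.
    """
    return f"{action.tool}:{sorted(action.args.items())!r}"


def gate(action: Action, approvals: set[str]) -> Decision:
    """Allow LOW actions, require a recorded approval for HIGH, refuse BLOCKED."""
    risk = classify(action)
    if risk is Risk.BLOCKED:
        return Decision(False, risk, f"{action.tool} is never permitted")
    if risk is Risk.LOW:
        return Decision(True, risk, "read-only action, auto-approved")
    key = approval_key(action)
    if key in approvals:
        return Decision(True, risk, f"human-approved: {key}")
    return Decision(False, risk, f"pending human approval: {key}")


if __name__ == "__main__":
    # Constructed walk-through: the second call is approved, the third reuses
    # the approval against a different host and is held for a new review.
    approved = {approval_key(Action("deploy_exploit", {"host": "target-a.example"}))}
    for act in (
        Action("run_shell", {"cmd": "ls -la /tmp"}),
        Action("deploy_exploit", {"host": "target-a.example"}),
        Action("deploy_exploit", {"host": "target-b.example"}),
        Action("dump_credentials", {}),
    ):
        d = gate(act, approved)
        print(f"{act.tool:16} {d.risk.value:8} allowed={d.allowed}  {d.reason}")
```

The design point is the approval key: approving a HIGH action once must not authorize the model to repeat it with different arguments, which is exactly the loop an automated campaign would otherwise run unattended. Defaulting unknown tools to HIGH keeps a newly added tool from slipping past the gate until someone has classified it.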
