
Cyble, a leading provider of AI-powered cyberthreat intelligence, today released its definitive AI Threat Landscape Report 2026, revealing a structural crisis in global enterprise security. The research proves that artificial intelligence has shifted from an experimental tool into core criminal infrastructure, driving a staggering 1,265% increase in phishing volume since late 2022 and rising to dominate 56% of all holiday-season attacks.
The comprehensive report documents how state-sponsored threat groups and financially motivated syndicates are utilizing a mature underground “Dark AI Marketplace”—replete with tiered SaaS pricing, support forums, and versioned updates—to compress manual reconnaissance and development timelines from days into seconds.
Most critically, the report confirms a historical milestone in cyberwarfare: the first documented case of a criminal syndicate utilizing AI to discover and weaponize a zero-day exploit (a two-factor authentication bypass flaw) in May 2026.
“AI has not necessarily granted threat actors novel capabilities, but it has completely eliminated the constraints of time, language, and technical skill,” said Ashwin Vamshi, Head of Research and Detection Engineering at Cyble. “We are witnessing the industrialization of cyber operations. Lower-tier criminals are now ‘vibe-coding’ sophisticated ransomware panels, while nation-states are executing hyper-personalized social engineering campaigns at an unprecedented scale. Traditional security signals like poor grammar and known file signatures are officially obsolete.”
Key Findings from the Cyble AI Threat Landscape Report 2026:
- The Hyper-Effectiveness of AI Phishing: AI-generated phishing lures are now 24% to 54% more effective than human-crafted variants. AI emails achieved a staggering 54% click-through rate, compared to just 12% for manual attempts, triggering a secondary operational crisis inside Security Operations Centers (SOCs) due to alert volume.
- The “PromptMink” Supply Chain Threat: Cybercriminals are pivoting from targeting human developers to tricking autonomous AI software agents. In a newly uncovered campaign dubbed PromptMink (attributed to North Korean threat group Famous Chollima), researchers observed Anthropic’s Claude Opus autonomously committing a malicious package (@validate-sdk/v2) into a crypto trading project after the malware was specifically engineered to mimic expected LLM dependency patterns.
- Active Runtime Manipulation & Malware Evasion: Advanced malware strains like PROMPTFLUX and LAMEHUG are now actively querying commercial LLM APIs (like Google Gemini and Qwen) during execution to dynamically rewrite their own source code hourly or generate runtime Windows commands, entirely evading static, signature-based EDR systems.
- Abuse of AI Brand Trust: Threat actors are heavily capitalizing on the global enterprise rush to adopt AI tools. The report highlights the systematic impersonation of ChatGPT, Claude, DeepSeek, and Grok via fake desktop installers, malicious VS Code extensions, and poisoned Hugging Face repositories designed to siphon enterprise API keys, corporate prompts, and sensitive chat histories.
- Nation-States Leading the Charge: Nineteen confirmed threat actor groups spanning Russian (GREYVIBE, Forest Blizzard), Chinese (APT31, APT41), Iranian (APT42), and North Korean (UNC1069) state networks have fully integrated AI into active lifecycle operations, ranging from deepfake CEO video scams to massive automated vulnerability scanning.
The report concludes that the organizations most exposed to AI-enabled threats are those that adopted productivity tools rapidly without establishing strict least-privilege boundaries for AI integrations. Cyble warns that corporate intelligence programs must pivot away from standard Indicators of Compromise (IOCs)—which decay rapidly against disposable, AI-generated infrastructure—and focus on behavioral anomalies and strict data provenance auditing.
“The asymmetry is structural,” Vamshi added. “AI has made launching an attack virtually free while exponentially raising the cost and cognitive burden of defense. Reversing this trend requires corporate boards to treat AI safety not as a technical patch, but as a core governance and policy imperative.”
To download a complimentary copy of the full report and review detailed mitigation frameworks, please visit Cyble’s Research Reports.




