Kathy Gibson reports – As artificial intelligence (AI) becomes more accessible and sophisticated, we are going to see it playing a bigger role in cyberattacks.

Tony Anscombe, chief security evangelist at ESET, describes how AI malware has made an appearance and will undoubtedly expand its scope in the coming months.

ESET today presented the findings of its H2 2025 Threat Report.

“Without question cybercriminals have been using AI for some time, particularly to craft mails, get content right, and employ tooling to build malware. Cybercrime is being assisted by AI,” he says.

“What we haven’t seen until now is AI itself being used in or during an attack, or actually launching an attack.”

ESET recently spotted PromptLock in a public malware database and soon realised it was possibly the first AI-powered malware.

Anscombe describes how suspicious text initially raised a red flag, and closer examination revealed that the malware could use an open-source LLM (large language model) to generate malicious scripts on the fly, which it could then execute.

Because PromptLock is cross-platform and able to generate scripts on demand, the danger it poses could be considerable.

“This kind of attack is very hard to detect,” Anscombe explains. “If the code is built dynamically by the LLM, it is changing all the time – not obfuscating, but actually changing.”

Having found the malware in a public source, ESET published the details of what it had found in the public domain as well. It turned out the code was a project by a group of university students who had made it public to see if anyone picked up on it.

“We don’t recommend that you do this,” Anscombe adds. “Cybercriminals could take it one step further, and you are doing their work for them.”

Nonetheless, the development of PromptLock has some long-term implications for the malware space.

“By leveraging AI, attackers can accelerate their operations,” Anscombe says. “This means the entry barrier is lowered and, if properly implemented, it would be harder to detect such cyber activities.”

He stresses that, while AI is real and has the potential to cause immense damage, there is still a tremendous amount of hype that is clouding the picture.

“The AI hype is real and we need to get away from the hype – AI is not doing everything.”


The cybersecurity picture in Africa

Africa is firmly on cyberattackers’ radar, with the number and severity of attacks having risen over the past year.

A growing menace is the increase in investment scams – or Nomani attacks.

Not only are these scams increasing in volume, they are becoming harder to spot. And, because they are often complemented by impressive websites, more people are falling victim to them.

Allan Juma, cybersecurity engineer for ESET East and Southern Africa, points out that several popular African personalities have fallen victim to these scams, which has misled their followers.

For instance, a deepfake video of the Kenyan president announcing a cryptocurrency was so believable it actually featured on the news, as news.

A similar video ahead of the recent Ugandan elections was live for several hours.

Juma points out that the same threat actors behind these videos and scams also took over the former Brazilian president’s account, demonstrating the international nature of today’s threats.

“There will be an increase in the use of AI in generating malware and scripts,” he warns. “And there will also be an increase in deepfakes, as well as believable AI-drafted emails that allow low-skilled attackers to carry out large-scale attacks.”

Anscombe reiterates: “If something seems too good to be true, or out of context, it probably is.”

Going forward, improved deepfake videos and AI’s ease of use mean we will probably see more Nomani scams. “And if BEC (business email compromise) moves to video it might become even more believable and more prevalent,” says Juma.

The websites behind the scams will probably become more professional going forward, and we can expect more AI-generated phishing sites, wider use of PUA (potentially unwanted application) tactics, and the ongoing exploitation of trending topics and personalities.


Ransomware on a roll

Meanwhile, ransomware remains strong and is even experiencing something of a growth spurt.

South African and African organisations have been victims of ransomware attacks, most notably the Ingonyama Trust and the Uganda Electricity Transmission Company.

Manufacturing remains the most targeted industry, at 6% of attacks, followed by construction (3%), retail (3%), healthcare (2%), financial services (2%), transportation (2%) and agriculture (2%).