Good morning, security frontrunners.

In today’s Cyber AI breakdown:

  • Attackers are registering the domains LLMs hallucinate

  • First documented case of AI-Generated Browser Ransomware

  • U.S. lifts export controls on Fable 5

  • Chinese LLMs broaden the gap between attackers & defenders

  • Apple reverses age-old patch policy to keep up with AI

  • Anthropic's AI finds bugs. IBM bets $5B it can fi them.

Latest Developments

The Breakdown: The attack chain is simple: Probe models for invented domains that appear repeatedly, register the most useful names, place phishing or malicious content behind them, and wait for a person (or, increasingly, an autonomous agent) to follow the recommendation.

The details:

  • Palo Alto's Unit 42 queried two LLMs 685,339 times across 913 global brands and got roughly 250,000 hallucinated domains, alongside 13,220+ already-confirmed malicious URLs for those brands.

  • Unlike typosquatting, which waits for a user to mistype, phantom squatting waits for a model to invent a plausible domain. This is harder to catch because it falls outside monitored variations and starts with no reputation history.

  • Unit 42 have observed attackers registering flagged phantom domains 18–51 days after discovery. In one case, Unit 42 it flagged a "high-risk" postal e-commerce domain 23 days before an attacker registered it for a credential-theft phishing kit called "Montana Empire."

  • That attacker built the full kit with an AI coding assistant - scraping legitimate storefronts, coding a PHP backend, and setting up Telegram command-and-control.

Why it matters: Because the malicious link arrives through a trusted AI assistant rather than a phishing email, it inherits credibility and bypasses defences that rely on a domain first earning a bad reputation. As agents begin acting on recommendations autonomously, the failure point shifts from a human clicking a bad link to a system acting on one, making URL allowlists and tight limits on what agents can reach essential.

The Breakdown: Check Point found the first documented case of a frontier AI model (DeepSeek) independently turning a theoretical browser-only ransomware idea into a working technique that encrypts local files with no payload, browser exploit, or root access.

The details:

  • A Python Flask app uploaded to VirusTotal in Jan 2026, called InfernoGrabber v9.0, was rated by the service as a "fully functional information stealer and ransomware toolkit."

  • Its core technique abuses the browser's File System Access API. It uses a fake Discord avatar AI upscaler to trick the user into granting folder access. The page then reads, exfiltrates, encrypts, and overwrites local files before showing a Bitcoin extortion note.

  • The attack works across Chromium browsers on Windows, macOS, Linux, ChromeOS, Android, and Microsoft Edge.

  • Check Point Research claimed "DeepSeek models can turn high‑level malicious ideas into concrete, complete attacks with less expertise than competing platforms”

Why it matters: This is “the first time, we have evidence that an AI model can independently reason across legitimate platform features and surface a working attack technique that humans had only theorised about – without the attacker ever knowing the underlying API existed”. It highlights that the lesser regulated LLMs do not have the guardrails in place to restrict the production of clearly malicious exploit code.

The Breakdown: A jailbreak found by Amazon triggered emergency U.S. export controls that forced Anthropic to pull their Fable 5 model worldwide. Two and a half weeks later, Commerce lifted this control earlier this week in light of a new safety filter being implemented.

The details:

  • Fable 5 returned July 1, after the original June 12 export control order had forced a total shutdown as Anthropic couldn't verify every user's nationality in real time.

  • The trigger was an Amazon-discovered jailbreak that made Fable 5 flag software flaws and, in one case, write abuse code (which Anthropic downplayed, claiming that the same prompts work on Opus 4.8, GPT-5.5, and China's Kimi K2.7)

  • Anthropic's fix is a new classifier that blocks the exact technique in more than 99% of tries, routing blocked requests to the weaker Opus 4.8 at the cost of more false alarms on normal coding.

  • These false positives are generally created by systems-level coding in C, C++, Rust, Win32 API, memory tasks, and files containing words like "security," "vulnerable," "unsafe," or "hook" reportedly trigger a block or fallback.

  • Mythos 5 returned a little earlier on June 26 but has stayed restricted to roughly 100 U.S. companies and federal agencies defending critical infrastructure.

  • Fable 5 is included in Max, Pro, and Team plans but capped at up to 50% of weekly usage limits, and shifts entirely to pay-as-you-go usage credits after July 7.

Why it matters: The episode exposes that the U.S. still has no binding process for frontier-model risk. It reached for improvised export controls despite a June 2 executive order that set up only a voluntary review path. Labs are confronting the dual-use reality that a model good enough to help defenders patch bugs is equally capable of helping attackers find them.

The Breakdown: Two Chinese models released in a month now rival top US models at finding vulnerabilities for a fraction of the cost, underscoring that cheap, widely available AI can already outrun most defences.

The details:

  • Zhipu AI's open-weight GLM 5.2 (released Jun 13) beat Anthropic's Opus and OpenAI's GPT-5.5 on some bug-finding benchmarks at just $0.17 per vulnerability found.

  • In Semgrep's testing, GLM 5.2 was the best of all standard models at a 39% F1 score (a combined true-positive/true-negative measure).

  • GLM 5.2's open weights let it run on local hardware, an advantage for OT and critical-infrastructure data sovereignty, but also a way for attackers to strip its safety alignment for offensive use.

  • 360 Security Technology's "Tulongfeng" (Dragon Saber), pitched as China's version of Mythos, claims to have already found more than 3,400 vulnerabilities.

Why it matters: The specific model is now the least important variable, commodity AI can already find the known-but-unpatched and easily-discoverable bugs that make up most of any organisation's security debt, so defensive posture (visibility, patch speed, integration) matters far more than which lab or country leads the benchmarks.

The Breakdown: Apple is moving from its habit of bundling security fixes with big OS releases to shipping standalone updates to shrink the window attackers now close faster with AI.

The details:

  • On Jun 29 Apple released security updates for iPhones, iPads, MacBooks, and Safari untethered to any major OS version, saying it needed to cut the time between fixes going public and reaching users as AI speeds malicious tooling.

  • None of the new fixes addressed actively exploited flaws. The goal was a faster general cadence, not a response to a specific attack.

  • Mandiant's average time-to-exploit fell from about 63 days in 2018 to negative over the last two years, meaning attackers are now weaponising a flaw before its patch is public - hence the need for more regular release cadences.

  • Apple’s iOS is "the only widely used computing platform in the world that doesn't have a real security framework on it….the ecosystem is closed off from third-party cybersecurity tools. Apple's model is basically: Trust us, we'll protect the device."

Why it matters: AI-accelerated vulnerability discovery has broken the old bundled-patch model, however, faster patching alone won't close the gap while iOS remains a closed "trust us" platform that enterprises can't defend with their own tooling.

The Breakdown: IBM and Red Hat are pouring $5 billion and 20,000 engineers into Project Lightwell, a subscription service that backports open-source fixes for enterprises; a direct response to Anthropic's Mythos finding bugs far faster than maintainers can patch them.

The details:

  • The $5B commitment is the largest known commitment specifically targeted for open-source supply-chain security.

  • Lightwell delivers signed, backported patches with SLAs for the exact software version an enterprise runs (no upgrade or recert), launching with 11 banking design partners including JPMorgan, Goldman Sachs, Visa, and Mastercard.

  • IBM have not disclosed whether they will be leveraging watsonx, their enterprise AI layer, in this commitment.

Why it matters: The scramble confirms AI-driven discovery has broken the human-speed patching model for open source, and money alone may not close a bottleneck rooted in overloaded volunteer maintainers.

That’s it for this week!

See you next Sunday 🙂

Zac S from The Cyber Breakdown

Recommended for you