AI Accelerates High-Velocity Cyber Attacks

Cyberattacks are shifting from “breaking in” to simply “logging in,” with AI now automating high-speed operations that overwhelm human defenders.

Cloudforce One describes MOE as a cold ratio of effort to operational outcome, and modern threat actors are optimizing every stage of their campaigns around it.

Instead of burning expensive zero-days, attackers prefer cheap, scalable techniques like session token theft, reputation-based infrastructure, and AI-generated tooling that can be reused across many victims.

AI lowers the technical barrier for would-be intruders, giving low-skill actors the ability to perform tasks that once required advanced expertise.

Cloudforce One, Cloudflare’s threat research team says the new metric that matters is the attacker’s Measure of Effectiveness (MOE) – how much damage they can cause for the least possible effort.

Cloudforce One notes one campaign where an AI-assisted operator identified high‑value data and then compromised hundreds of corporate SaaS tenants in a single supply-chain style attack.

This automation is supercharged by bots and leaked credentials. Cloudflare telemetry shows that 94% of login attempts on its network now come from bots, and 63% of logins involve credentials that have already been compromised elsewhere.

According to the report, large language models are being used for real-time network mapping, exploit development, and deepfake creation, turning complex intrusions into almost “push-button” operations.

That data highlights a world where AI and automation are continuously testing stolen passwords at scale, turning identity into the primary battlefield.

Weaponized SaaS and PaaS

The report warns that threat actors are increasingly “living off the XaaS,” abusing trusted cloud services to hide in plain sight.

Instead of standing up obvious malicious infrastructure, groups route command-and-control (C2) and phishing campaigns through platforms like Google Drive, Microsoft Teams, Amazon S3, and bulk email services such as Amazon SES and SendGrid.

Cloudforce One profiles several nation-state groups that have standardized this approach. Chinese-linked “FrumpyToad” uses Google Calendar as a logic-based C2 channel, encoding encrypted commands in event descriptions to create a cloud-to-cloud control loop that blends with normal calendar traffic.

Another Chinese group, “PunyToad,” relies on encrypted tunneling and cloud computing to build resilient architectures that mask origin IPs and prioritize long-term persistence inside victim environments.

Russian actor “NastyShrew” coordinates rotating C2 infrastructure using public paste sites such as Teletype.in and Rentry.co, which infected hosts poll to retrieve fresh endpoints.

North Korea–linked “PatheticSlug” has used Google Drive and Dropbox to host XenoRAT payloads and GitHub for covert C2, making their traffic nearly indistinguishable from developer workflows.

Iranian group “CrustyKrill” hosts phishing and C2 content on Azure Web Apps and document platforms like ONLYOFFICE, giving spoofed login pages the appearance of legitimate enterprise services.

Identity attacks are also evolving to maximize MOE. The report highlights infostealer families such as LummaC2, which harvest active session tokens from infected endpoints, allowing attackers to bypass multi-factor authentication and jump directly into post-authentication activity.

Cloudforce One participated in a global operation to disrupt LummaC2 infrastructure in 2025, but successor variants are already emerging that further compress the time from initial infection to ransomware deployment.

Telemetry showed a 31.4 Tbps baseline for recent campaigns, powered by massive botnets such as Aisuru that weaponize residential proxies and compromised devices worldwide.

At the same time, Cloudflare is measuring hyper‑volumetric DDoS attacks that set new records and shrink the window for human response.

These strikes are designed to exhaust infrastructure capacity while parallel identity and cloud-abuse operations quietly move toward data theft or disruption.

AI agents, new CVEs, and autonomous defense

Cloudforce One also turned AI against itself, tasking an AI coding agent to analyze its own security posture as part of “dogfooding” research.

That effort uncovered CVE‑2026‑22813, a critical markdown rendering flaw in the OpenCode AI agent that allowed unauthenticated remote code execution via unsanitized HTML injection in the web interface, earning a 9.4 CVSS score.

The case illustrates how AI agents and orchestration tools are becoming both targets and amplifiers of attacks, especially when connected to CI/CD or shell-access workflows.

To survive this new era of high-velocity, AI-enhanced operations, Cloudflare argues that human-centric, alert-driven security is no longer enough.

Instead, organizations must adopt autonomous defense models that fuse telemetry, real-time analytics, and automated response to drive an attacker’s MOE as close to zero as possible.

That means hardening SaaS integrations, closing relay and DMARC gaps, detecting token theft, and monitoring cloud tooling for “living off the land” behavior before it becomes the backbone of the next industrial-scale breach.

Related Articles

Back to top button