WatchGuard
The Top 5 AI Security Risks
AI is no longer just a future concern. It is deeply embedded in both offense and defense. With new exploits surfacing, massive open-source model use, and attackers growing more creative, the risks we warned about are now very real.
1. Deepfakes and Synthetic Identity Frauds
Deepfake attacks have moved from rare headlines to regular threats. In mid-2025, North Korea’s BlueNoroff (also known as TA444) used deepfake video calls of company executives on Zoom to trick employees into installing custom malware.
Voice cloning is cheaper still. Systems such as Microsoft's VALL-E, ElevenLabs, and open-source alternatives can clone a voice from a few seconds of sample audio. Attackers then impersonate trusted figures such as superintendents or department heads to pressure staff into wire transfers, credential sharing, or releasing sensitive data.
Defenders are responding with tools like Vastav AI that analyze media, face motion, and audio metadata to detect tampering. But detection lags the generators, and a live call gives no time to run it, so the attack usually succeeds before anyone can respond. The dependable control is procedural: any request involving money, credentials, or sensitive data that arrives by voice or video must be confirmed out of band, through a callback to a known number or a pre-agreed verification step, before it is acted on.
2. Prompt Injection, Jailbreaking, and Zero-Click Exploits
Prompt injection and jailbreaking remain the core weaknesses of LLM applications. In 2025, we are seeing more zero-click prompt injection, where an email or calendar invite the victim never opens is processed automatically by an AI assistant and carries instructions that the model follows.
One standout case was EchoLeak (CVE-2025-32711), a zero-click prompt injection vulnerability in Microsoft 365 Copilot. A crafted email carried hidden instructions that Copilot followed when it processed the mailbox. The flaw let untrusted email content direct Copilot to act on data from the user's privileged context (the researchers called it an LLM scope violation), and reference-style Markdown links and auto-fetched images, routed through a Teams proxy URL that the content security policy allowed, carried that data out without the user ever clicking.
Research also shows the problem is widespread in commercial products: a recent study found that 31 out of 36 mobile banking or financial chat applications could be exploited through prompt injection.
3. AI-Assisted Ransomware and Polymorphic Malware
In 2025, ransomware has evolved. Attack tooling is increasingly AI-assisted, generating and adapting payload code at run time rather than shipping it fixed in the binary. A proof of concept called Ransomware 3.0, built by academic researchers, demonstrated how an AI-orchestrated prototype can plan, mutate, and execute each attack stage (reconnaissance, payload, extortion) from prompts embedded in the binary, so that every run produces different code.
In August 2025, ESET identified PromptLock, which it described as the first known AI-powered ransomware. It queries a locally hosted open-weight model to generate scripts on the fly that enumerate files, exfiltrate data, and encrypt systems across Windows, macOS, and Linux. It was subsequently confirmed to be the Ransomware 3.0 research prototype rather than an in-the-wild campaign, but it shows the technique works on commodity hardware.
Because no two generated scripts are identical, signature matching and static heuristics have little to latch onto. Defenders have to catch these threats on behavior instead: a process that rewrites many files in a short window with high-entropy contents and new extensions looks the same whether the code was hand-written or generated a second earlier.
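As an added example of the behavioral approach described above (this is illustrative code written for this article, not a WatchGuard product rule or ESET's detection logic), the block below runs a mass-encryption detector over constructed file-write telemetry. It flags a process when, inside a sliding window, it rewrites at least `MIN_FILES` distinct files and most of those writes both carry near-random (encrypted-looking) bytes and rename the file. The thresholds, the process names, and the event records are all assumptions built for the demonstration.

```python
import math
import random
from collections import defaultdict

# Illustrative thresholds (assumptions, not vendor values).
ENTROPY_THRESHOLD = 7.5   # bits/byte; encrypted or compressed data sits near 8.0
MIN_FILES = 20            # distinct files rewritten inside one window
WINDOW_SECONDS = 10.0
RATIO = 0.8               # share of writes that must look encrypted AND renamed


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the written content."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def detect_mass_encryption(events):
    """events: file-write records {ts, pid, image, path, new_path, data}.

    Returns one alert per process whose writes look like bulk encryption.
    Entropy is computed once per event, then a per-process sliding window
    checks file count, encrypted-looking share, and rename share together,
    so a single large encrypted download or a few cache writes do not fire.
    """
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(dict(ev, entropy=shannon_entropy(ev["data"])))

    alerts = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW_SECONDS:
                start += 1
            window = evs[start:end + 1]
            if len({e["path"] for e in window}) < MIN_FILES:
                continue
            encrypted = sum(e["entropy"] >= ENTROPY_THRESHOLD for e in window)
            renamed = sum(bool(e["new_path"]) and e["new_path"] != e["path"]
                          for e in window)
            if encrypted >= RATIO * len(window) and renamed >= RATIO * len(window):
                alerts.append({
                    "pid": pid,
                    "image": evs[0]["image"],
                    "files": len(window),
                    "first_ts": window[0]["ts"],
                    "last_ts": window[-1]["ts"],
                })
                break  # one alert per process is enough to trigger containment
    return alerts


def constructed_telemetry():
    """Constructed sample events: two benign writers and one encryptor."""
    rng = random.Random(7)
    events = []
    # Benign: a word processor saving a few documents (low entropy, no rename).
    for i in range(5):
        events.append({"ts": 1.0 + i, "pid": 100, "image": "winword.exe",
                       "path": f"C:/docs/report{i}.docx", "new_path": None,
                       "data": b"Quarterly report text. " * 200})
    # Benign: a browser writing a few compressed cache entries
    # (high entropy, but far fewer than MIN_FILES and no rename).
    for i in range(3):
        events.append({"ts": 2.0 + i, "pid": 300, "image": "chrome.exe",
                       "path": f"C:/cache/f_{i:06x}", "new_path": None,
                       "data": rng.randbytes(4096)})
    # Malicious: a script interpreter (placeholder name) rewriting 40 files
    # in 4 seconds with ciphertext-like bytes and a new extension.
    for i in range(40):
        events.append({"ts": 5.0 + i * 0.1, "pid": 200, "image": "lua.exe",
                       "path": f"C:/docs/file{i}.xlsx",
                       "new_path": f"C:/docs/file{i}.xlsx.locked",
                       "data": rng.randbytes(4096)})
    return events


if __name__ == "__main__":
    for alert in detect_mass_encryption(constructed_telemetry()):
        print(alert)
```

In production the same logic sits on EDR file-event telemetry, and the useful response is to suspend the offending process at the first alert; the 20-file threshold is the trade-off between how much is lost before containment and how many backup or compression jobs you are willing to triage.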
4. Dark LLMs, Supply Chain, and Shadow AI
Attackers are increasingly using dark LLMs: commercial or open-weight models modified for malicious use. They are also abusing unvetted third-party tools, plugins, and APIs, so the AI supply chain is now a major threat vector in its own right.
In August 2025, Anthropic reported that a criminal operator had used Claude to automate reconnaissance, credential harvesting, and other intrusion steps across more than a dozen organizations, including healthcare, emergency services, and government, and then demanded ransoms for the stolen data rather than encrypting systems.
Models are also being backdoored, or rebranded and sold on underground forums. These dark LLMs typically have all safety guardrails stripped out, making them ready-made crime assistants. Shadow AI ‒ the use of unapproved AI systems by employees ‒ makes things worse, since IT teams have no visibility into what data is leaving or what tools are being trusted.
5. Data Exfiltration, Adversarial Poisoning, and Model Integrity
Beyond malicious input or malware, AI models themselves are under attack. Adversarial poisoning feeds corrupted data into training or fine-tuning pipelines so that models behave incorrectly once deployed.
Recent research on advertisement embedding attacks showed that attackers can poison model checkpoints so that outputs contain malicious promotions or hidden instructions.
As AI agents become part of workflows ‒ copilots in browsers, productivity suites, and chat platforms ‒ they are also coerced into executing unauthorized actions, such as installing malware or exposing data, through the content they are asked to read: web pages, documents, and messages become input channels an attacker controls.
Looking Ahead: The Agentic Adversary vs the Autonomous SOC
The next phase of AI in cybersecurity will not just be about faster phishing or polymorphic ransomware. It will be about agency.
Agentic AI adversaries will operate like digital mercenaries. Instead of single-purpose scripts, they will run continuous campaigns: probing identity systems for weak accounts, pivoting into cloud apps, and exfiltrating data while adapting to every defense they encounter. They will chain tools together automatically, launch thousands of micro attacks in parallel, and coordinate across supply chains to disrupt entire sectors at once.
On the other side, defenders are racing toward the autonomous SOC. Instead of humans drowning in alerts, AI-powered operations centers will ingest telemetry across endpoint, network, cloud, and identity. They will decide which signals matter, take containment actions in real time, and escalate only what requires human judgment. The promise is that a school district IT director or a midsize business with two admins can operate with the reach and scale of a Fortune 100 SOC.
Which side tips the balance first is the question of the decade. If attackers perfect agentic AI before defenders scale autonomous SOCs, we could see a wave of high-velocity compromises that overwhelm traditional response. But if defenders integrate automation deeply and intelligently, AI could finally flip the economics of cybersecurity ‒ making defense cheaper, faster, and more scalable than attack.