Microsoft Threat Intelligence

@threatintel.microsoft.com

We are Microsoft's global network of security experts. Follow for security research and threat intelligence. https://aka.ms/threatintelblog

1,989 Followers · 57 Following · 296 Posts · Joined 13.11.2024

Latest posts by Microsoft Threat Intelligence @threatintel.microsoft.com

Microsoft has observed threat actors operationalizing AI as tradecraft to accelerate recon, social engineering, & tool development. Against this backdrop, securing agentic AI is a defensive imperative as attackers and defenders adapt to the same technologies: msft.it/63320QiC86

09.03.2026 20:58 👍 1 🔁 1 💬 1 📌 0

By treating agents as identity‑aware, auditable entities and extending Microsoft Defender, Entra, and Purview protections to agent behavior, organizations can better detect abuse, prevent data leakage, and defend against agent‑based attack chains as AI becomes embedded in everyday operations.

09.03.2026 20:51 👍 0 🔁 0 💬 2 📌 0

To confront these risks, Microsoft introduces Agent 365 and Microsoft 365 E7, bringing observability, identity governance, information protection, and threat detection to AI agents across the enterprise.

09.03.2026 20:50 👍 0 🔁 0 💬 2 📌 0
Secure agentic AI for your Frontier Transformation | Microsoft Security Blog Learn more about how Microsoft Agent 365 and Microsoft 365 E7 can help secure your Frontier Transformation.

Addressing agent sprawl, identity misuse, data exposure, and emerging AI‑specific threats is becoming a foundational security challenge for organizations adopting AI at scale. msft.it/63323Qi7UT

09.03.2026 20:50 👍 1 🔁 0 💬 3 📌 0

While many techniques mirror existing tradecraft, AI increases speed, scale, and persistence. These trends also surface new detection opportunities and reinforce the importance of securing AI systems. Get detection and mitigation guidance from this Microsoft Threat Intelligence blog post.

06.03.2026 17:27 👍 2 🔁 0 💬 0 📌 0

Observed activity includes large‑scale identity fabrication and long‑term access misuse by North Korean threat actors like Jasper Sleet & Coral Sleet, bypassing AI safety controls through jailbreaking techniques, and early experimentation with agentic AI and AI‑enabled malware.

06.03.2026 17:23 👍 1 🔁 0 💬 1 📌 0

Microsoft has observed threat actors embedding generative AI into workflows for reconnaissance, social engineering, malware and infrastructure development, and post‑compromise activity—while retaining human control over objectives and targeting.

06.03.2026 17:23 👍 1 🔁 0 💬 1 📌 0
AI as tradecraft: How threat actors operationalize AI | Microsoft Security Blog Threat actors are operationalizing AI to scale and sustain malicious activity, accelerating tradecraft and increasing risk for defenders, as illustrated by recent activity from North Korean groups such as Jasper Sleet and Coral Sleet (formerly Storm-1877).

Threat actors are operationalizing AI across the cyberattack lifecycle to accelerate tradecraft, reduce technical friction, and sustain malicious operations at scale. msft.it/63323QgQKx

06.03.2026 17:15 👍 7 🔁 5 💬 1 📌 1
Think before you Click(Fix): Analyzing the ClickFix social engineering technique | Microsoft Security Blog The ClickFix social engineering technique has been growing in popularity, with campaigns targeting thousands of enterprise and end-user devices daily. This technique exploits users’ tendency to resolv...

Microsoft Defender detects multiple threat components associated with this activity. For more information on defending against ClickFix activity: msft.it/6017QgTPB.

05.03.2026 23:04 👍 1 🔁 0 💬 0 📌 0

The script connects to Crypto Blockchain RPC endpoints, indicating the EtherHiding technique. It also performs QueueUserAPC()-based code injection into chrome.exe and msedge.exe processes to harvest Web Data and Login Data.

05.03.2026 23:04 👍 2 🔁 0 💬 1 📌 0
Screenshot of decoded ClickFix command

In the second attack path, when a user pastes a hex-encoded, XOR-compressed command into Windows Terminal, the command downloads a .bat file invoked through cmd.exe to write a VBScript. The batch script is executed via cmd.exe with the /launched argument, and then through MSBuild.exe.

05.03.2026 23:04 👍 0 🔁 0 💬 1 📌 0

The final-stage payload is a Lumma Stealer component that performs QueueUserAPC()-based code injection into chrome.exe and msedge.exe processes, targeting browser artifacts like Web Data and Login Data, harvesting stored credentials, and exfiltrating them.

05.03.2026 23:04 👍 0 🔁 0 💬 1 📌 0
Screenshot of decoded ClickFix command

The decoded PowerShell script downloads a legitimate but renamed 7-Zip binary that extracts and executes a multi-stage attack chain that includes additional payloads, scheduled tasks, Microsoft Defender exclusions, and exfiltration of stolen machine and network data.

05.03.2026 23:04 👍 0 🔁 0 💬 1 📌 0

The first attack path begins when a user pastes a hex-encoded, XOR-compressed command into a Windows Terminal session. This action spawns additional Windows Terminal/PowerShell instances, ultimately launching another powershell.exe process responsible for decoding the embedded hex commands.

05.03.2026 23:04 👍 0 🔁 0 💬 1 📌 0

The PowerShell commands are delivered through fake CAPTCHA pages, troubleshooting prompts, or verification-style lures designed to appear routine and benign. What makes this campaign notable are the post-compromise outcomes.

05.03.2026 23:04 👍 0 🔁 0 💬 1 📌 0

This approach bypasses detections specifically tuned to Run dialog abuse while exploiting the legitimacy and familiarity of Windows Terminal. Once the terminal is opened, targets are prompted to paste malicious PowerShell commands.

05.03.2026 23:04 👍 0 🔁 0 💬 1 📌 0

This campaign instructs targets to use the Windows + X → I shortcut to launch Windows Terminal (wt.exe) directly, guiding users into a privileged command execution environment that blends into legitimate administrative workflows and appears more trustworthy to users.

05.03.2026 23:04 👍 0 🔁 0 💬 1 📌 0
Screenshot of ClickFix lure using Windows Terminal

Microsoft Defender Experts identified a widespread ClickFix social engineering campaign in February 2026 leveraging Windows Terminal as the primary execution mechanism, rather than the traditional Win + R → paste → execute technique.

05.03.2026 22:59 👍 2 🔁 1 💬 1 📌 0
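As an added example (not code from the thread above or from Microsoft's tooling), here is a small Python checker that walks constructed process-creation events and flags the chain the thread describes: a PowerShell child of wt.exe carrying a long hex blob, a .bat file run through cmd.exe with /launched, and MSBuild.exe spawned from that cmd.exe. The event field names, PIDs and command lines are hypothetical.

```python
import re

# Hypothetical process-creation events, constructed for this example;
# field names mimic EDR telemetry and are not taken from the post.
EVENTS = [
    {"pid": 10, "ppid": 1,  "image": "explorer.exe",   "cmd": "explorer.exe"},
    {"pid": 11, "ppid": 10, "image": "wt.exe",         "cmd": "wt.exe"},
    {"pid": 12, "ppid": 11, "image": "powershell.exe", "cmd": "powershell.exe"},
    {"pid": 13, "ppid": 12, "image": "powershell.exe",  # decoder stage with a hex blob
     "cmd": "powershell.exe -w hidden -c $h='" + "4a6f686e" * 10 + "'; iex(decode $h)"},
    {"pid": 14, "ppid": 13, "image": "cmd.exe",
     "cmd": "cmd.exe /c C:\\Users\\Public\\stage.bat /launched"},
    {"pid": 15, "ppid": 14, "image": "MSBuild.exe", "cmd": "MSBuild.exe C:\\Users\\Public\\s.proj"},
    # Benign admin session in Windows Terminal: must not be flagged.
    {"pid": 20, "ppid": 10, "image": "wt.exe",         "cmd": "wt.exe"},
    {"pid": 21, "ppid": 20, "image": "powershell.exe", "cmd": "powershell.exe Get-Service"},
]

HEX_BLOB = re.compile(r"[0-9a-fA-F]{64,}")  # long hex run = encoded payload

def ancestors(events, pid):
    """Image names of pid's ancestors, nearest parent first."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid and by_pid[pid]["ppid"] in by_pid and len(chain) < 64:
        pid = by_pid[pid]["ppid"]
        chain.append(by_pid[pid]["image"].lower())
    return chain

def indicators(events, ev):
    """Indicators for one event, following the chain the thread describes."""
    hits, img, cmd = [], ev["image"].lower(), ev["cmd"].lower()
    lineage = ancestors(events, ev["pid"])
    if img == "powershell.exe" and "wt.exe" in lineage and HEX_BLOB.search(cmd):
        hits.append("hex-encoded PowerShell command under Windows Terminal")
    if img == "cmd.exe" and "/launched" in cmd and ".bat" in cmd:
        hits.append("batch script run via cmd.exe /launched")
    if img == "msbuild.exe" and lineage[:1] == ["cmd.exe"] and "powershell.exe" in lineage:
        hits.append("MSBuild.exe spawned from cmd.exe under PowerShell")
    return hits

def find_suspicious(events):
    """Map pid -> indicator list for every event that triggers at least one."""
    return {e["pid"]: h for e in events if (h := indicators(events, e))}

if __name__ == "__main__":
    for pid, hits in find_suspicious(EVENTS).items():
        print(pid, hits)
```

The benign wt.exe session (pids 20 and 21) produces no hits, so the parent-child relationship alone is not treated as malicious; only the encoded command and the cmd.exe /launched → MSBuild.exe steps raise indicators.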

Tycoon2FA provided adversary-in-the-middle (AiTM) capabilities that allowed threat actors to bypass multifactor authentication (MFA). Read our blog to get comprehensive analysis of Tycoon2FA, plus protection recommendations, detection, hunting guidance, and other resources.

04.03.2026 16:17 👍 2 🔁 0 💬 0 📌 0

In collaboration with Europol and industry partners, Microsoft’s Digital Crimes Unit (DCU) facilitated a disruption of Tycoon2FA’s infrastructure and operations. msft.it/63329Q5rR5

04.03.2026 16:17 👍 2 🔁 0 💬 1 📌 0
Inside Tycoon2FA: How a leading AiTM phishing kit operated at scale | Microsoft Security Blog Tycoon2FA has become a leading phishing-as-a-service (PhaaS) platform, enabling campaigns that reach over 500,000 organizations monthly, prompting Microsoft's Digital Crimes Unit (DCU) to work with Europol and industry partners to facilitate a disruption of Tycoon2FA's infrastructure and operations.

The phishing-as-a-service platform Tycoon2FA enabled campaigns responsible for millions of phishing messages reaching >500K orgs monthly. Developed and advertised by Storm-1747, Tycoon2FA allowed threat actors to conduct account compromise at scale. msft.it/63324Q5rJq

04.03.2026 16:15 👍 3 🔁 3 💬 2 📌 1

Indicators of compromise (cont.):
- worldview.db-wal/StandardName.exe (SHA-256: 4442ba4c60a6fc24a2b2dfd041a86f601e03b38deab0300a6116fea68042003f)
- world.vbs (SHA-256: 65f003998af7dd8103607c8e18ef418b131ba7d9962bd580759d90f4ac51da36)
- powercat[.]dog:443; remote IP 79.110.49[.]15

26.02.2026 17:27 👍 0 🔁 0 💬 0 📌 0

Indicators of compromise:
- decompiler.exe (SHA-256: 48cd5d1ef968bf024fc6a1a119083893b4191565dba59592c541eb77358a8cbb)
- jd-gui.jar (SHA-256: a33a96cbd92eef15116c0c1dcaa8feb6eee28a818046ac9576054183e920eeb5)

26.02.2026 17:27 👍 0 🔁 0 💬 1 📌 0

- Hunt for the related processes and components.
- Audit Microsoft Defender exclusions and scheduled tasks for random names; remove malicious tasks and startup scripts.
- Isolate affected endpoints, collect EDR telemetry, and reset credentials for users active on compromised hosts.

26.02.2026 17:27 👍 1 🔁 0 💬 1 📌 0

Microsoft Defender detects the malware and malicious behavior observed across the attack chain. To defend against this threat:
- Block/monitor outbound connections to listed domains/IP addresses and alert on downloads of java[.]zip or jd-gui.jar from non-corporate sources.

26.02.2026 17:27 👍 0 🔁 0 💬 1 📌 0

Finally, it deployed the final payload, a multi-purpose malware that acted as loader, runner, downloader, and RAT.

The RAT connected to the IP address 79.110.49[.]15 for command and control (C2), enabling threat actors to perform various actions like data theft and additional payload deployment.

26.02.2026 17:27 👍 0 🔁 0 💬 1 📌 0
Screenshot of startup script

It evaded detection by deleting the initial downloader and by adding Microsoft Defender exclusions for the RAT components. It also added persistence using a scheduled task and startup script named world.vbs.

26.02.2026 17:27 👍 0 🔁 0 💬 1 📌 0

A malicious downloader staged a portable Java runtime and executed a malicious Java archive (JAR) file named jd-gui.jar. This downloader used PowerShell and living-off-the-land binaries (LOLBins) like cmstp.exe for stealthy execution.

26.02.2026 17:25 👍 0 🔁 0 💬 1 📌 0

Microsoft Defender researchers uncovered a campaign that lured users into running trojanized gaming utilities (Xeno.exe or RobloxPlayerBeta.exe) distributed through browsers and chat platforms, leading to the deployment of a remote access trojan (RAT).

26.02.2026 17:19 👍 6 🔁 1 💬 2 📌 0

Learn more from Microsoft Security researchers Giorgio Severi and Noam Kochavi on this episode of Microsoft Threat Intelligence Podcast, hosted by Sherrod DeGrippo. Additionally, learn more about AI recommendation poisoning: msft.it/63326QwTNj

25.02.2026 17:26 👍 0 🔁 0 💬 0 📌 0