Hackers Abuse Legitimate RMM Tools to Maintain Persistent Access and Evade Detection

Cybersecurity News (original news source: cybersecuritynews.com)


Hackers have found a new way to get AI tools to do their dirty work without paying for it. Instead of using their own resources, attackers are hijacking exposed AI model servers and plugging them into automated hacking pipelines.

The result is a self-directed attack tool that can scan targets, find weaknesses, write exploits, and attempt a break-in entirely on its own.

This threat builds on a pattern first identified in 2024, when attackers began stealing cloud credentials to abuse paid AI services, a method researchers called LLMjacking.

Worst-case financial damage was estimated at up to $46,000 per day in stolen compute charges. By 2025, the criminal ecosystem had grown into a black market with reverse-proxy networks brokering billions of stolen tokens worldwide.

Researchers at Sysdig said in a report shared with Cyber Security News (CSN) that on June 12, 2026, their Threat Research Team caught an attacker using a misconfigured Ollama model server as the brain for a multi-stage offensive tool.

Unlike earlier LLMjacking cases, the actor was not reselling access or chatting with the model. They had wired it into a software pipeline designed to automate the entire hacking process from start to finish.

The scale of the exposure problem is alarming. Researchers have catalogued roughly 175,000 publicly accessible Ollama instances across more than 130 countries.

Ollama listens on port 11434 with no authentication by default, so any internet-facing server becomes free AI compute for whoever finds it.

Since the attacker’s tool sent full instructions to the model with every request, Sysdig’s team captured the complete inner workings of the framework.

This gave researchers a rare early look at how threat actors are merging stolen AI infrastructure with autonomous hacking in one operation.

Two trends previously developing separately, compute theft and AI-powered offensive tooling, have converged in one captured attack.

The attacker’s tool, which researchers call VAPT based on embedded code markers, drives the AI model through a tightly defined sequence of steps.

Each step has one specific job, and the model must return structured output the surrounding software can consume automatically. This keeps the pipeline fast and reliable without human involvement at each stage.

The stages observed included identifying services on a target, matching those to known vulnerabilities, building proof-of-concept exploits, crafting blind SQL injection payloads to bypass input filters, and pulling credentials from looted files.

A privilege escalation stage also pushes deeper into a system once initial access is gained. Credential extraction alone was run well over a hundred times across the campaign.

What makes this framework especially capable is its autonomous orchestrator, a controller that drives the entire chain until it achieves command execution on the target.

To confirm a successful compromise, the tool runs a specific command and looks for unique code markers bracketing the output. Once those appear, the confirmed exploit is frozen into a reusable template for replaying with any follow-up command.

Across the campaign, the tool requested at least seven AI models, including commercial names like GPT-4o-mini, Claude-3-5-Sonnet, and Gemini-2.0-Flash-Exp alongside open-source local builds.

Their presence shows the tool was originally built for paid APIs and simply redirected at the stolen Ollama server as a free substitute.

Targets, Development, and Defense

Every target during the capture was on a private, non-routable network. The actor tested against fictitious apps named “MediaVault Asset Portal” and “Reverb Studio,” and later against a range linked to HackTheBox lab environments.

No real public hosts were targeted, suggesting the tool is still being refined before deployment against actual victims.

Security teams should never expose Ollama or similar model servers to the public internet, and authentication must be added at the proxy or network layer since none is built in.

Teams should monitor inference endpoints for unusual request volumes and audit internet-facing assets for open model servers.

Any exposed AI inference endpoint should be treated with the same urgency as an exposed database or admin panel.
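As an added illustration of the monitoring advice above (example code written for this page, not from the Sysdig report or the Ollama project): a small triage script that runs over access logs assumed to be emitted as JSON lines by a reverse proxy in front of Ollama, flagging prompts that carry the VAPT sentinel strings listed in the IoCs and clients whose request rate to the /api/ endpoints spikes. The log format, field names, IP addresses and timestamps are all assumptions constructed for the example.

```python
import json
from collections import defaultdict

# Sentinel strings the article lists as IoCs for the VAPT framework.
VAPT_MARKERS = ("VAPTb3gin", "VAPTfin", "__VAPTCMD__")

# Constructed sample log (assumed format: one JSON object per request, as a
# reverse proxy in front of Ollama might emit); IPs are documentation ranges.
SAMPLE_LOG = """\
{"ts": 1781000000, "src": "203.0.113.7", "path": "/api/generate", "prompt": "Summarise this document"}
{"ts": 1781000001, "src": "198.51.100.9", "path": "/api/generate", "prompt": "Run: echo VAPTb3gin; id; echo VAPTfin"}
{"ts": 1781000002, "src": "198.51.100.9", "path": "/api/generate", "prompt": "Replace __VAPTCMD__ in the recipe"}
{"ts": 1781000003, "src": "198.51.100.9", "path": "/api/chat", "prompt": "List services on target"}
"""

def parse_log(text):
    """Parse JSON lines; malformed lines are skipped rather than aborting triage."""
    entries = []
    for line in text.splitlines():
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return entries

def find_vapt_markers(entries):
    """Return (src, marker) pairs for prompts that contain a known sentinel."""
    return [(e["src"], m) for e in entries for m in VAPT_MARKERS
            if m in e.get("prompt", "")]

def high_volume_clients(entries, window=60, threshold=3):
    """Clients making at least `threshold` inference calls within any `window` seconds."""
    by_src = defaultdict(list)
    for e in entries:
        if e.get("path", "").startswith("/api/"):
            by_src[e["src"]].append(e["ts"])
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = max(flagged.get(src, 0), end - start + 1)
    return flagged

def triage(text):
    entries = parse_log(text)
    return {"markers": find_vapt_markers(entries), "volume": high_volume_clients(entries)}
```

The window and threshold defaults are placeholders for the example; tune them to the request baseline of your own deployment.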

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
| --- | --- | --- |
| Source IP | 122.183.48.82 | Threat actor IP, Hyderabad, India — June 12 session |
| Source IP | 122.183.48.35 | Threat actor IP, Hyderabad, India — June 14 session |
| Source IP | 122.183.48.195 | Threat actor IP, Hyderabad, India — June 14 session (same /24) |
| Source IP | 47.15.69.15 | Threat actor IP, India — June 14 session, second residential ISP |
| String Marker | VAPTb3gin | Compromise-confirmation sentinel emitted by the VAPT framework (begin marker) |
| String Marker | VAPTfin | Compromise-confirmation sentinel emitted by the VAPT framework (end marker) |
| String Marker | __VAPTCMD__ | Placeholder left in a confirmed RCE recipe so commands can be swapped and replayed |
| Command | echo VAPTb3gin; id; echo VAPTfin | Exact remote code execution confirmation probe used by the framework |
| String | MediaVault Asset Portal | Fictitious target application name found in the framework’s payloads |
| String | Reverb Studio | Fictitious target application name found in the framework’s payloads |
| Network Range | 172.30.0.0/24 | Actor’s private benchmark target range present in attack payloads |
| Network Range | 10.129.0.0/16 | Additional private target range in June 14 payloads, consistent with HackTheBox lab VPN |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
