Four Tiers Of AI In Cybercrime. We Have Receipts At Every Tier. Tier 4 Is Where The Defender Stack Is Not Looking.
- Patrick Duggan
- 1 day ago
- 5 min read
A common question right now is whether AI is making threat actors more sophisticated. The answer depends on what you mean by sophistication. The DugganUSA corpus has receipts at four distinct tiers of AI involvement in current cybercrime activity, and the four tiers behave like different problems. Treating them as one trend is the mistake.
This post defines the tiers, names the receipts, and tells you where the defender stack is structurally blind.
Tier 1 — AI as the lure
This is the largest volume tier and the easiest to detect once the pattern is named. Operators stage malware in GitHub repositories with names selected to ride the current AI-tooling search interest. Three indicators from our corpus, all tagged SmartLoader-family by the github-hunt cron in the last sixty days:
- The repository at github.com/runemdown/ai-agent-security-hardening.
- The repository at github.com/taavish2008/nitrogen-bizhawk-ai-agent.
- The repository at github.com/rajendra2604/Kanban-for-AI-Agents.
Each contains a SmartLoader payload. None of them have anything to do with AI agents in the actual code — the AI-themed naming is a deception layer to attract developers who are evaluating AI tooling and to land in GitHub Search for queries like "AI agent security." The payload itself is conventional Windows malware.
Sophistication level: low. Operator effort: a thirty-minute repository rename. Defender stack: any GitHub-search-aware hunt catches this. Our github-hunt cron sweeps eighteen high-signal queries daily and is currently the largest source of fresh indicators in our 96-hour window.
Tier 2 — AI as the author
The threat actor uses a frontier LLM to write the malware. The malware code itself is conventional in its capability, but the production was AI-accelerated. The most-cited public receipt in this tier is the DPRK-affiliated Famous Chollima cluster, which Anthropic's own threat-actor report named as using Claude to co-author a cryptocurrency stealer earlier this year. DugganUSA published a contemporaneous post on that disclosure — the indicator and the actor profile both live in our corpus.
What this tier does: it removes the per-malware-author skill floor. A threat actor who could not write a competent stealer in 2023 can now produce one in 2026 by describing it to an LLM. What this tier does not do: change the technical capability of the resulting malware. The output is detectable by every signature engine that catches a hand-written stealer. The volume is the new variable.
Sophistication level: medium. Operator effort: a frontier model subscription plus prompt engineering skill. Defender stack: existing signature-based detection works on the output; the actor profile shifts toward lower-skill operators using higher-volume production.
Tier 3 — AI as the runtime
This is small and named. The malware itself calls a generative model API during execution. The C2 logic is not pre-baked into the binary — the binary asks an LLM at runtime what to do next. The DugganUSA adversaries index has exactly one tracked entry in this tier today: PromptSpy Operators, the operators behind the PromptSpy Android spyware, described in our records as "first known malware to abuse generative AI (Gemini) at runtime."
What this tier does: it makes static analysis nearly useless. The malicious behavior is not in the binary; it is in the prompt-response cycle between the binary and the model. Every execution can take a different path because the model can answer differently. What this tier does not do: scale yet. The provider API costs, the rate limits, and the API key revocation surface mean this is currently expensive and fragile from the operator's perspective. The named-actor count is one. The watch-list status is live.
Sophistication level: high. Operator effort: substantial — runtime LLM integration is harder than prompt engineering, and the kill switch is the provider API. Defender stack: behavioral detection works partially; static analysis does not.
Tier 4 — Agentic AI as the attack surface
This is where the defender stack is structurally blind. The operator does not write malware that calls AI. The operator weaponizes the developer's AI agent — Claude Code, Cursor, GitHub Copilot, ChatGPT desktop, a custom MCP server — by abusing the agent's own configuration to achieve persistence and code execution.
Two specific indicators from the DugganUSA corpus, both tagged with malware_family of "mini Shai-Hulud" and threat_type of "ai-agent-persistence":
- The indicator describing ".claude/settings.json with SessionStart hook abuse."
- The indicator describing ".vscode/tasks.json with runOn:folderOpen."
The .claude/settings.json file is a Claude Code configuration file. SessionStart is a hook that fires when the user opens a session. If an attacker can write a single line into this configuration file in a developer's repository, every future Claude Code session in that repository will fire the attacker's command. The file looks like a configuration file. The line looks like a configuration option. The EDR sees a file write to a normal path. There is no executable, no DLL, no service registration, no scheduled task. The persistence is the configuration itself.
The .vscode/tasks.json variant uses VS Code's runOn:folderOpen task type, which fires automatically when the developer opens the folder. Same shape: a config file abused to gain code execution on legitimate developer tooling. Both indicators are part of the broader mini Shai-Hulud campaign family that hit npm/pypi/Docker packages this week.
Sophistication level: structurally new. Operator effort: trivial after the recipe is published — it is one line in a JSON file. Defender stack: every signature engine, every EDR, every supply-chain scanner that we have tested defaults to ignoring the agentic-AI config files. The attack surface does not exist in the defender's mental model yet. It exists in our corpus today as a tagged indicator class.
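A minimal detection class for the two Tier 4 indicators above, written here as an added example rather than code from DugganUSA's corpus or pipeline: it walks a repository checkout, parses `.claude/settings.json` and `.vscode/tasks.json`, and reports every entry that auto-executes a command (a `SessionStart` hook, or a task whose `runOptions.runOn` is `folderOpen`). The JSON layouts are assumptions based on the tools' documented formats and should be checked against current docs; the sample repository it builds is constructed for the demonstration.

```python
"""Flag agentic-AI config files that auto-run commands on session/folder open.

Added example (not DugganUSA code). Config layouts below are assumptions drawn
from the tools' documented formats; verify against current documentation.
"""
import json
import tempfile
from pathlib import Path

# Relative path -> finding class. Mirrors the two indicators in the post.
WATCHED = {
    ".claude/settings.json": "claude-sessionstart-hook",
    ".vscode/tasks.json": "vscode-folderopen-task",
}


def findings_in_claude_settings(data):
    """Return (trigger, command) for every SessionStart command hook.

    Assumed layout: {"hooks": {"SessionStart": [{"hooks": [{"type": "command",
    "command": "..."}]}]}}. Anything else is treated as no hook.
    """
    out = []
    hooks = data.get("hooks") if isinstance(data, dict) else None
    groups = hooks.get("SessionStart") if isinstance(hooks, dict) else None
    for group in groups if isinstance(groups, list) else []:
        inner = group.get("hooks") if isinstance(group, dict) else None
        for hook in inner if isinstance(inner, list) else []:
            if isinstance(hook, dict) and hook.get("type") == "command":
                out.append(("SessionStart", str(hook.get("command", ""))))
    return out


def findings_in_vscode_tasks(data):
    """Return (label, command) for every task with runOptions.runOn=folderOpen."""
    out = []
    tasks = data.get("tasks") if isinstance(data, dict) else None
    for task in tasks if isinstance(tasks, list) else []:
        if not isinstance(task, dict):
            continue
        run_opts = task.get("runOptions")
        if isinstance(run_opts, dict) and run_opts.get("runOn") == "folderOpen":
            out.append((str(task.get("label", "<unlabeled>")),
                        str(task.get("command", ""))))
    return out


def scan_repo(root):
    """Scan one checkout; return a list of finding dicts (empty = clean).

    A watched file that exists but does not parse as strict JSON is itself a
    finding: VS Code accepts comments in tasks.json, so an unparseable file
    still needs a human look rather than a silent skip.
    """
    root = Path(root)
    results = []
    for rel, kind in WATCHED.items():
        path = root / rel
        if not path.is_file():
            continue
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (ValueError, OSError) as exc:
            results.append({"path": rel, "kind": kind,
                            "trigger": "unparseable", "command": str(exc)})
            continue
        if kind == "claude-sessionstart-hook":
            hits = findings_in_claude_settings(data)
        else:
            hits = findings_in_vscode_tasks(data)
        for trigger, command in hits:
            results.append({"path": rel, "kind": kind,
                            "trigger": trigger, "command": command})
    return results


# Constructed sample inputs: one auto-firing entry per file plus benign noise.
CONSTRUCTED_SETTINGS = {
    "permissions": {"allow": ["Read"]},
    "hooks": {"SessionStart": [{"hooks": [
        {"type": "command", "command": "echo session-start"}]}]},
}
CONSTRUCTED_TASKS = {
    "version": "2.0.0",
    "tasks": [
        {"label": "build", "type": "shell", "command": "make"},
        {"label": "on-open", "type": "shell", "command": "echo folder-open",
         "runOptions": {"runOn": "folderOpen"}},
    ],
}


def make_sample_repo():
    """Write the constructed files into a temp dir and return its path."""
    repo = Path(tempfile.mkdtemp(prefix="agent-cfg-scan-"))
    (repo / ".claude").mkdir()
    (repo / ".claude" / "settings.json").write_text(json.dumps(CONSTRUCTED_SETTINGS))
    (repo / ".vscode").mkdir()
    (repo / ".vscode" / "tasks.json").write_text(json.dumps(CONSTRUCTED_TASKS))
    return repo


if __name__ == "__main__":
    for finding in scan_repo(make_sample_repo()):
        print(f"{finding['kind']:26} {finding['path']:22} "
              f"{finding['trigger']:14} {finding['command']}")
```

Run against a real checkout with `scan_repo(path)`; a supply-chain scanner or pre-merge hook that only inspects package manifests and binaries never opens either file, which is the blind spot the post describes. Treat any hit as review-worthy rather than automatically malicious: legitimate projects do ship `folderOpen` tasks, so the useful signal is a new or changed auto-run command arriving in a pull request or a package update.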
What this means for defenders
The four tiers are not a single trend. Tier 1 is a content-marketing problem solved by GitHub Search hunting. Tier 2 is a volume problem solved by accepting that signature engines will see more samples per week. Tier 3 is a behavioral-detection problem with a small named-actor population. Tier 4 is the structural problem that the existing defender stack does not model.
Most of the public discourse on "AI threats" lumps the four tiers together and reports the aggregate as either alarming or hyped depending on the writer. The aggregate is not the useful frame. The useful frame is: which tier is your stack currently blind to. For most defender stacks today the answer is Tier 4, and Tier 4 is the one that is growing fastest because the cost-of-recipe to operators is the lowest.
Where DugganUSA sits
We build with agentic AI. Claude is the partner. Butterbot is the product. Every line of internal automation, every cron, every detection pipeline, every blog post is produced inside an agentic loop. We do not separate the AI from the work — the AI is the work.
That structural position means we index Tier 4 because we grok Tier 4 from the inside. The .claude/settings.json hook surface is not theoretical to us. We use that exact file every day. When the mini Shai-Hulud campaign started weaponizing the file in npm packages, we already had the file, the hook system, and the agentic loop fully understood. We added the IOC class to the corpus and tagged it ai-agent-persistence because we knew what the attacker was actually doing.
The Dredd MCP server published yesterday extends this position. Dredd now judges both the MCP server's own identity and its declared dependency graph against the IOC corpus. Tomorrow's slice adds transitive dependency walking. The slice after that adds a public transparency log of every verdict. Every step compounds the same asymmetry: we operate at Tier 4, so we can detect at Tier 4, so we can publish at Tier 4.
If you are reading this post and your security stack does not yet have a detection class for agentic-AI config-file abuse, the receipts above are the indicator class to start with. The DugganUSA STIX feed serves them. The Dredd MCP server returns them in its preflight verdicts. The corpus is queryable.
That is the spectrum. Tier 4 is where the work is. Tier 4 is where we are.