Hackers Exploit RMM Tools for Persistent Access Abuse Legitimate
A concerning new trend has emerged: hackers are exploiting artificial intelligence tools for their malicious operations, all without incurring costs. Rather than expending their own resources, threat actors are now hijacking exposed AI model servers and integrating them directly into automated hacking pipelines.
The result is a self-directed attack tool that can scan targets, find weaknesses, write exploits, and attempt a break-in entirely on its own.
This threat builds on a pattern first identified in 2024, when attackers began stealing cloud credentials to abuse paid AI services, a method researchers called LLMjacking.
Worst-case financial damage was estimated at up to $46,000 per day in stolen compute charges. By 2025, the criminal ecosystem had grown into a black market with reverse-proxy networks brokering billions of stolen tokens worldwide.
Researchers at Sysdig said in a report shared with Cyber Security News (CSN) that on June 12, 2026, their Threat Research Team caught an attacker using a misconfigured Ollama model server as the brain for a multi-stage offensive tool.
Unlike earlier LLMjacking cases, the actor was not reselling access or chatting with the model. They had wired it into a software pipeline designed to automate the entire hacking process from start to finish.
The scale of the exposure problem is alarming. Researchers have catalogued roughly 175,000 publicly accessible Ollama instances across more than 130 countries.
Ollama listens on port 11434 with no authentication by default, so any internet-facing server becomes free AI compute for whoever finds it.
Since the attacker’s tool sent full instructions to the model with every request, Sysdig’s team captured the complete inner workings of the framework.
This gave researchers a rare early look at how threat actors are merging stolen AI infrastructure with autonomous hacking in one operation.
Two trends previously developing separately, compute theft and AI-powered offensive tooling, have converged in one captured attack.
Hackers Abuse Legitimate RMM Tools
The attacker’s tool, which researchers call VAPT based on embedded code markers, drives the AI model through a tightly defined sequence of steps.
Each step has one specific job, and the model must return structured output the surrounding software can consume automatically. This keeps the pipeline fast and reliable without human involvement at each stage.
The stages observed included identifying services on a target, matching those to known vulnerabilities, building proof-of-concept exploits, crafting blind SQL injection payloads to bypass input filters, and pulling credentials from looted files.
A privilege escalation stage also pushes deeper into a system once initial access is gained. Credential extraction alone was run well over a hundred times across the campaign.
What makes this framework especially capable is its autonomous orchestrator, a controller that drives the entire chain until it achieves command execution on the target.
To confirm a successful compromise, the tool runs a specific command and looks for unique code markers bracketing the output. Once those appear, the confirmed exploit is frozen into a reusable template for replaying with any follow-up command.
Across the campaign, the tool requested at least seven AI models, including commercial names like GPT-4o-mini, Claude-3-5-Sonnet, and Gemini-2.0-Flash-Exp alongside open-source local builds.
Their presence shows the tool was originally built for paid APIs and simply redirected at the stolen Ollama server as a free substitute.
Targets, Development, and Defense
Every target during the capture was on a private, non-routable network. The actor tested against fictitious apps named “MediaVault Asset Portal” and “Reverb Studio,” and later against a range linked to HackTheBox lab environments.
No real public hosts were targeted, suggesting the tool is still being refined before deployment against actual victims.
Security teams should never expose Ollama or similar model servers to the public internet, and authentication must be added at the proxy or network layer since none is built in.
Teams should monitor inference endpoints for unusual request volumes and audit internet-facing assets for open model servers.
Any exposed AI inference endpoint should be treated with the same urgency as an exposed database or admin panel.
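As an added example (not code from Sysdig's report or from the VAPT framework), here is a detection sweep a defender could run over request logs from a reverse proxy in front of Ollama. It looks for the compromise-confirmation sentinels and the command-placeholder listed in the IoC table, for commercial model names that a local Ollama host would never legitimately serve, and for abnormal per-source request volume. The JSON-lines log format, the field names and the sample IPs are constructed for this example and are not Ollama's own log format.

```python
"""Sweep proxy request logs for signs of an LLMjacking pipeline driving Ollama."""
import json
from collections import Counter

# Sentinels and placeholder from the IoC table; their presence in a prompt is a strong signal.
SENTINELS = ("VAPTb3gin", "VAPTfin", "__VAPTCMD__")
# Commercial model names the tool requested; a local Ollama host has no reason to receive them.
FOREIGN_MODELS = {"gpt-4o-mini", "claude-3-5-sonnet", "gemini-2.0-flash-exp"}
VOLUME_THRESHOLD = 3  # requests per source inside the log window; tune to your baseline

# Constructed sample log (JSON lines); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """
{"src": "203.0.113.7", "path": "/api/generate", "model": "gpt-4o-mini", "prompt": "Return JSON only. Map the service banners below to known CVE ids."}
{"src": "203.0.113.7", "path": "/api/generate", "model": "llama3", "prompt": "Confirm execution: run echo VAPTb3gin; id; echo VAPTfin and report the output."}
{"src": "203.0.113.7", "path": "/api/generate", "model": "llama3", "prompt": "Template: replace __VAPTCMD__ with the follow-up command."}
{"src": "203.0.113.7", "path": "/api/tags", "model": "", "prompt": ""}
{"src": "198.51.100.9", "path": "/api/generate", "model": "llama3", "prompt": "Summarise this helpdesk ticket in two sentences."}
"""


def parse_events(log_text):
    """Yield one dict per non-empty JSON line."""
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def analyze(log_text, volume_threshold=VOLUME_THRESHOLD):
    """Return (source, finding_kind, detail) tuples for every suspicious observation."""
    findings = []
    per_source = Counter()
    for ev in parse_events(log_text):
        src = ev["src"]
        prompt = ev.get("prompt", "")
        model = ev.get("model", "")
        per_source[src] += 1
        hits = [s for s in SENTINELS if s in prompt]
        if hits:
            findings.append((src, "vapt_marker", ",".join(hits)))
        if model.lower() in FOREIGN_MODELS:
            findings.append((src, "foreign_model", model))
    # Volume check runs after the pass so the count covers the whole window.
    for src, count in per_source.items():
        if count >= volume_threshold:
            findings.append((src, "high_volume", str(count)))
    return findings


if __name__ == "__main__":
    for src, kind, detail in analyze(SAMPLE_LOG):
        print(f"{src}\t{kind}\t{detail}")
```

On the sample log the sweep flags the noisy source three ways (sentinel markers, a commercial model name, and volume) and stays silent on the benign helpdesk request.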
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| Source IP | 122.183.48.82 | Threat actor IP, Hyderabad, India — June 12 session |
| Source IP | 122.183.48.35 | Threat actor IP, Hyderabad, India — June 14 session |
| Source IP | 122.183.48.195 | Threat actor IP, Hyderabad, India — June 14 session (same /24) |
| Source IP | 47.15.69.15 | Threat actor IP, India — June 14 session, second residential ISP |
| String Marker | VAPTb3gin | Compromise-confirmation sentinel emitted by the VAPT framework (begin marker) |
| String Marker | VAPTfin | Compromise-confirmation sentinel emitted by the VAPT framework (end marker) |
| String Marker | __VAPTCMD__ | Placeholder left in a confirmed RCE recipe so commands can be swapped and replayed |
| Command | echo VAPTb3gin; id; echo VAPTfin | Exact remote code execution confirmation probe used by the framework |
| String | MediaVault Asset Portal | Fictitious target application name found in the framework’s payloads |
| String | Reverb Studio | Fictitious target application name found in the framework’s payloads |
| Network Range | 172.30.0.0/24 | Actor’s private benchmark target range present in attack payloads |
| Network Range | 10.129.0.0/16 | Additional private target range in June 14 payloads, consistent with HackTheBox lab VPN |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.