✅ Report Title: AI-powered Threats Case Study #03: Deep Dark Web and Telegram
The S2W Threat Intelligence Center, TALON, has released an in-depth analysis based on confirmed cases identified across the deep and dark web (DDW) and Telegram. This report explores how emerging technologies such as large language models (LLMs) are being used by threat actors in cyber operations. It outlines real-world applications of LLMs in malware development, vulnerability exploitation, and phishing automation. The report also covers ongoing research and defensive strategies, as well as the growing trend of targeting LLM services themselves.
✅ Executive Summary:
1) Trends on the Deep Dark Web and Telegram
- High-performance automation technologies, including LLMs, are accelerating innovation across industries. However, cybercriminals are also leveraging these tools to enhance attack capabilities and lower technical barriers.
- Within DDW forums and Telegram channels, LLMs are being used for malware development, vulnerability analysis, and large-scale phishing campaigns.
- Some platforms have established dedicated sections for LLM discussions, prompt manipulation, and evasion techniques, indicating growing interest and experimentation among threat actors.
2) Key Threat Cases on the Deep Dark Web and Telegram
2.1 Social Engineering
- LLMs and voice synthesis technologies are being used to increase the precision and automation of social engineering tactics such as spear phishing and voice phishing.
- Threat actors can now generate personalized emails and synthetic voice messages at scale, without manually analyzing victims’ information.
- Notable examples include AI-driven spam generators and synthetic profile creation tools used to produce fake personas on social platforms for impersonation or botnet activities.
2.2 Compromise and Abuse of Commercial LLM Services
- Attempts to steal credentials for commercial LLM platforms are rising. Related discussions are frequently observed in Telegram groups.
- As LLM subscriptions grow in value, stolen premium accounts are increasingly traded or misused.
- Beyond account theft, attackers are targeting internal assets such as prompt histories, chat logs, and user databases, posing serious risks to LLM service providers.
2.3 Malware Development and Vulnerability Exploitation
- The use of LLMs in malware coding and vulnerability research is lowering the barrier for inexperienced actors to launch cyberattacks.
- While most LLMs are designed to reject malicious or unethical requests, threat actors are actively developing prompt manipulation techniques to bypass these restrictions.
Case: Xanthorox AI
- Xanthorox AI emerged on Telegram in July 2024 as a generative model promoted as a successor to WormGPT, tailored for cybercriminal purposes.
- The tool operates on the seller’s private server using a proprietary model, without any reliance on external APIs or internet connectivity.
- It is being promoted across Telegram, dark web forums, and X (formerly Twitter). Demo access has been made available through Telegram bots and Discord channels.
✅ Recommendations and Mitigation Measures:
- The evolution of LLM-based technologies is enabling cyberattacks to become more scalable and sophisticated, with applications in phishing, malware development, and voice fraud.
- Commercial LLM services are becoming prime targets. Theft of user prompts and leaked conversation histories can expose sensitive data that goes well beyond the risk of a single compromised account.
- As generative technologies continue to advance, cyber threats will likely become more complex. Continuous monitoring of these trends, along with proactive research into new attack techniques and response measures, is essential.
🧑‍💻 Author: S2W TALON
👉 Contact us: https://s2w.inc/en/contact
*The full report is available upon request or with a subscription to the S2W platform.