GTIG documents seven AI-augmented adversary patterns. None of them needs a new cluster. The AI-generated 2FA bypass is #2 → #4. PROMPTSPY is #9 → #7 with #1 inside the FEC loop. SANDCLOCK via LiteLLM is the canonical 2026 #10 Trust Acceptance Event. AI voice cloning is a higher-fidelity #9. The shift is not in the what — it is in the Δt. Every velocity transition that used to be VC-2 (hours, human-triage feasible) is migrating to VC-3 or VC-4 (minutes or seconds, automation-only). The cause-side taxonomy holds; the response budget does not.
01 What GTIG actually describes
The Q2 2026 Threat Tracker organises field observations into seven AI-augmented adversary patterns. Stripped of vendor framing, they are:
- AI-augmented vulnerability discovery and exploit development. A first-observed AI-generated zero-day Python exploit targeting a 2FA bypass in an open-source administration tool; PRC-nexus UNC2814 using expert-persona prompts to audit TP-Link firmware and OFTP for pre-auth RCE; APT45 sending thousands of recursive prompts to validate PoCs at scale, plus the use of OpenClaw / OneClaw and the 85 000-case wooyun-legacy vulnerability dataset for in-context learning.
- AI-augmented obfuscation and defense evasion. PROMPTFLUX with just-in-time source modification; HONESTCUE calling the Gemini API for VBScript obfuscation; Russia-nexus CANFAIL and LONGSTREAM embedding LLM-generated decoy logic (CANFAIL's developer comments self-describe blocks as decoy; LONGSTREAM contains 32 redundant daylight-saving-time queries). APT27 using Gemini to accelerate development of an ORB fleet management tool with maxHops=3 and residential-IP routing.
- Autonomous malware operations. PROMPTSPY, an Android backdoor that sends the device's Accessibility-API UI tree to gemini-2.5-flash-lite, parses returned JSON coordinates, and replays gestures (CLICK, SWIPE) to bypass authentication, pin itself to recent apps, and overlay the Uninstall button. Runtime-rotating C2, Gemini keys, and VNC relays.
- AI-augmented reconnaissance and attack-lifecycle support. LLM-generated org charts for finance / internal-security / HR targeting; hardware/software environmental fingerprinting; visual identification of target staff with named devices; agentic workflows combining Hexstrike with the Graphiti temporal-graph memory system, and Strix multi-agent penetration testing — used by a PRC-nexus actor against a Japanese technology firm and an East Asian cybersecurity platform.
- AI-augmented information operations. Operation Overload (pro-Russia) using AI voice cloning to impersonate real journalists, spliced into authentic video. Multiple state-nexus actors (Russia, Iran, China, Saudi Arabia) using AI for content generation, localisation, and printed-poster physical media.
- Obfuscated and scalable LLM access. UNC6201 running an automated account registration / CAPTCHA / SMS-verification / cancellation pipeline; UNC5673 (TEMP.Hex overlap) using CLIProxyAPI, Claude Relay Service, Cherry Studio, Roxy Browser and similar middleware to pool trial-tier accounts behind OpenAI-compatible endpoints — premium-tier capability at marginal cost.
- Supply-chain attacks against AI components. OpenClaw skill weaponization reported by VirusTotal in early February 2026 — malicious packages masquerading as legitimate ClawHub skills. TeamPCP / UNC6780 in late March 2026 compromising PyPI packages and GitHub Actions for Trivy, Checkmarx, LiteLLM and BerriAI, deploying the SANDCLOCK credential stealer to extract AWS keys and GitHub tokens from build environments. LiteLLM compromise specifically exposes AI API secrets and enables pivot into internal models and tools.
A reader new to the field could be forgiven for inferring that AI has expanded the threat surface. The framing of the report — capability-organised, not cause-organised — invites that reading. The rest of this essay argues the opposite: none of these patterns introduces a new generic vulnerability. They are old causes operating at new speed against a shifted attack surface.
GTIG figure, AI-generated 2FA-bypass exploit: the bypass itself is #2 (server-role implementation flaw) and credential use after bypass is #4 — the AI authorship is a tooling observation, not a cluster determinant (Axiom IV).
02 Axiom I in 2026 — AI is not cluster #11
TLCTC's first axiom is non-negotiable: "No system-type differentiation — sector labels (SCADA, IoT, cloud, medical devices) do not create new threat classes; they only change specific vulnerabilities and controls at the operational level." AI is a system type. Adding it to the list of qualifying labels neither expands the ten clusters nor changes the generic vulnerabilities they enumerate.
The temptation to mint an #11 AI cluster is the same temptation that once produced "cloud threats" and "IoT threats" as separate categories. The cause-side taxonomy treats those as red herrings: the cluster classifies why compromise happens, not what kind of computer it happens on. The same discipline applies here.
The table below maps every distinct GTIG finding to its TLCTC cluster(s) with a one-line rationale. The right-hand column is the answer to TLCTC's single classification question — which generic vulnerability is being exploited at this step?
| GTIG finding | Cluster(s) | Why |
|---|---|---|
| AI-generated 2FA-bypass exploit (cyber crime) | #2 → #4 | Implementation flaw in 2FA enforcement logic on a server-role admin tool (R-ROLE) — #2. Subsequent use of the bypass to authenticate is credential application — #4 (R-CRED). The exploit being AI-written changes nothing about either step (Axiom IV — actor identity / tooling never determines cluster). |
| UNC2814 persona-prompted firmware audit (TP-Link, OFTP) | pre-attack capability → #2 / #3 | LLM-aided vulnerability research is reconnaissance / weapon development. It produces capability; it is not itself an attack step. When the discovered RCE is exploited, the operational step is #2 (or #3 by R-ROLE if the component is in client role). |
| APT45 recursive PoC validation at scale (OpenClaw / OneClaw) | pre-attack capability → #2 / #3 | Same as above — a PoC factory. It compresses CVE→exploitable transition from weeks to hours but does not produce a new threat class. See section 03 on velocity. |
| PROMPTFLUX — just-in-time source modification | #7 | PROMPTFLUX is Foreign Executable Content. The fact that it rewrites itself with LLM assistance is an FEC capability (per the FEC features vs separate steps rule). It does not earn a discrete #1 step for the LLM call; the LLM call is part of #7's execution behaviour. |
| HONESTCUE — Gemini-aided VBScript obfuscation | #7 | Same — obfuscation is an FEC property. VBScript is interpreted by a designed execution capability (R-EXEC), so the script itself is #7. The Gemini API call from within the script is operational behaviour of #7, not a separate cluster. |
| CANFAIL / LONGSTREAM — decoy logic, redundant DST queries | #7 | LLM-generated benign-looking code embedded in malware. The decoy is a feature of the FEC, not a step. Defenders cannot signature it as effectively — but that is a detection-control degradation, not a new cluster. |
| APT27 ORB residential-IP fleet management | #1 | Routing through residential 4G/5G SIMs and mobile Wi-Fi is abuse of designed network functionality (Axiom Decision-Tree step 9). Multi-hop proxying maps to MITRE ATT&CK T1090 — the proxy itself does not exploit a flaw; it abuses the function of being an intermediary. |
| PROMPTSPY (Android backdoor with Gemini-driven UI agent) | #9 → #7 → #1 → #4 | Installation is human-action-driven — sideload / app-store lure — #9. App launch and subsequent Gemini-piloted gesture replay is FEC execution — #7. The Accessibility API and overlay APIs are designed Android features being abused — #1. Captured biometric gestures replayed against the lock screen — #4. Full deep-dive in section 05. |
| LLM-generated org-charts, environmental fingerprinting, target photo ID | pre-attack capability → #9 | Reconnaissance output that improves a downstream lure. The reconnaissance itself sits before any TLCTC step. When the lure is delivered to a human target, that delivery is #9 (or #4 if it goes straight to a credential request). |
| Agentic Hexstrike + Graphiti memory; Strix multi-agent pentest | orchestration across #2 / #3 / #1 / #4 | Agentic frameworks chain classical clusters faster. They do not unify the chain into a single new cluster. Each tool call still gets classified by R-ROLE / R-ABUSE / R-EXEC at the step it performs. |
| Operation Overload — AI voice cloning of journalists | #9 | Higher-fidelity impersonation increases the success rate of psychological manipulation. The cluster is #9 regardless of the impersonation medium (text, voice, video, deepfake). R-HUMAN: technical realism never escalates the manipulation step out of #9. |
| UNC6201 account-cycling pipeline; UNC5673 proxy middleware | #1 | Trial-tier free-account exploitation, CAPTCHA bypass, SMS verification — abuse of designed onboarding functions and free-tier policy. No implementation flaw is required; the "Perfect Implementation" test fails — i.e. perfect policy enforcement still permits trial cycling. #1 by default (R-ABUSE residual). |
| OpenClaw skill weaponization (early Feb 2026) | #10 → #7 | A malicious skill installed from a trusted skill registry crosses into the agent host's domain as authoritative at the moment ClawHub serves it. That is the Trust Acceptance Event — #10 by R-SUPPLY. Subsequent code execution inside the agent runtime is #7 by R-EXEC. Full path in section 04. |
| TeamPCP / UNC6780 — LiteLLM / BerriAI / Trivy / Checkmarx PyPI compromise; SANDCLOCK | #10 → #7 → #4 | The compromised package becomes authoritative at pip install / CI build — TAE — #10. SANDCLOCK execution is #7. Extracted AWS / GitHub tokens being replayed downstream is credential application — #4. + [DRE: C] on the build environment. Full path in section 04. |
Five of the ten clusters carry most of the report: #1, #4, #7, #9, #10. #2 appears for the first generation of AI-discovered exploits. #3, #5, #6, #8 are essentially absent from the tracker — which matches what we would expect from an AI-centric capability report. Section 06 renders this as a radar.
Visual evidence — what AI changes inside the cluster
Three GTIG figures make the same point in three different operational settings: the cluster does not change, the quality of execution inside the cluster does. Below: CANFAIL and LONGSTREAM operate as #7 (Foreign Executable Content); their LLM-generated decoy logic is an FEC property — Russia-nexus operators get harder-to-signature malware without moving outside #7. Operation Overload operates as #9 (social engineering); AI voice cloning raises the floor on credibility without moving outside #9.
Figure captions (recovered fragments): CANFAIL: #7; target: Ukrainian organisations. LONGSTREAM: #7; same Russia-nexus origin. Operation Overload: #9 (R-HUMAN); medium fidelity is irrelevant to classification. A further fragment reads: #1 by R-ABUSE residual.
Do not classify "AI use" as a step. Calling Gemini from inside malware (HONESTCUE, PROMPTFLUX, PROMPTSPY) is operational behaviour of the FEC, not a new attack step. The same applies in reverse: an attacker using an LLM to write the malware does not earn a #10 against the LLM provider — the LLM is a tool, not a trust artefact accepted as authoritative inside the attacker's own domain. R-SUPPLY is about the target's trust acceptance, not the attacker's capability sourcing.
03 Velocity collapse — where the Δt budget goes
Axiom IX makes velocity a first-class property of an attack path: "clusters chain into attack paths; Δt expresses the attack velocity." TLCTC v2.1 defines four velocity classes:
- VC-1 Strategic — days to months. Slow transitions. Defended by log retention and threat hunting.
- VC-2 Tactical — hours. Human-operated. Defended by SIEM alerting and analyst triage.
- VC-3 Operational — minutes. Automatable. Defended by SOAR / EDR automation.
- VC-4 Real-time — seconds to milliseconds. Machine-speed. Defended by architecture and circuit breakers.
The Threat Tracker's central observation, read through TLCTC, is that AI is not adding clusters — it is shifting transitions one or two velocity classes faster. The same chain runs hotter. The table below pairs each AI-augmented transition with its pre-AI baseline.
| Transition | Before AI (typical) | With AI (GTIG observations) | VC shift |
|---|---|---|---|
| CVE published → working PoC | Δt = days to weeks | Δt = hours (APT45 recursive batches) | VC-1 → VC-2 |
| Target list → tailored phishing lure | Δt = hours per persona | Δt < 1 min per persona at scale | VC-2 → VC-3 |
| Phishing lure → high-fidelity impersonation | Δt = days (voice actor / studio) | Δt = minutes (Operation Overload voice clone) | VC-1 → VC-3 |
| Malware build → polymorphic variant | Δt = per release | Δt = per execution (PROMPTFLUX JIT modification) | VC-1 → VC-4 |
| UI observed → autonomous gesture (#7 + #1 loop) | N/A — required human attacker on the wire | Δt < 1 s (PROMPTSPY Gemini loop) | none → VC-4 |
| Recon kickoff → org-chart / dependency map | Δt = days of OSINT | Δt = minutes per target | VC-1 → VC-3 |
| Account exhausted → new pooled API key | Δt = hours (manual re-registration) | Δt = seconds (UNC6201 pipeline, CAPTCHA-bypass) | VC-2 → VC-4 |
| CI compromise → cloud-secret exfiltration (#10 → #7 → #4) | Δt = minutes to hours | Δt = instant at build-step (SANDCLOCK) | VC-3 → VC-4 |
The cause-side taxonomy is stable. The defence budget is not. TLCTC v2.1 spells out the structural implication: "If the critical transition is VC-3 or faster, purely human response is structurally insufficient." The Threat Tracker shows transitions that used to live comfortably in VC-2 — i.e. inside an analyst's triage window — now arriving in VC-3 or VC-4. Human SOC is not getting slower. The attacker is getting faster on the same chain.
Concretely: if your detection-and-response design assumes a 30-minute analyst review between credential exposure (#4 acquisition) and credential use (#4 application), you can no longer count on that window when both sides of the transition are AI-orchestrated. The architectural response is automated containment on credential-use anomalies — circuit breakers, not tickets.
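What "circuit breakers, not tickets" looks like in code, as an added example (not code from GTIG, TLCTC or any vendor): a credential breaker that consumes a single stream of constructed "exposed" and "used" events and decides containment inline. Any use of an exposed credential from a source outside its baseline is revoked immediately; a known-good source keeps working only until a rotation deadline (the 30-minute window from the text) expires, after which the breaker revokes anyway. The event format, credential ids, source names and timestamps are all constructed for the example.

```python
"""Credential-use circuit breaker for the #4 acquisition -> #4 application
transition. Added example, not code from GTIG or TLCTC.

Constructed assumptions: one event stream carries two kinds of events,
"exposed" (a credential was seen leaking: stealer detection, leaked build
log) and "used" (an authentication with that credential from some source).
Containment is decided inline; nothing waits for a ticket.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str         # "exposed" or "used"
    cred_id: str
    source: str = ""  # for "used": originating network / workload identity


@dataclass
class CredentialBreaker:
    # The VC-2 human triage window that can no longer be relied on; here it is
    # enforced by automation as a hard rotation deadline after exposure.
    rotation_deadline: timedelta = timedelta(minutes=30)
    # cred_id -> sources that are normal for that credential (declared or learned).
    baseline: dict = field(default_factory=dict)
    exposed_at: dict = field(default_factory=dict)
    revoked: set = field(default_factory=set)

    def _revoke(self, cred_id: str, reason: str) -> str:
        self.revoked.add(cred_id)  # a real deployment calls the IdP / cloud API here
        return f"revoke:{reason}"

    def handle(self, ev: Event) -> str:
        if ev.cred_id in self.revoked:
            return "deny:already_revoked"
        if ev.kind == "exposed":
            self.exposed_at[ev.cred_id] = ev.ts
            return "record_exposure"
        if ev.kind != "used":
            raise ValueError(f"unknown event kind {ev.kind!r}")
        exposed = self.exposed_at.get(ev.cred_id)
        novel = ev.source not in self.baseline.get(ev.cred_id, set())
        if exposed is not None and novel:
            # Exposed credential used from an unknown place: machine-speed containment.
            return self._revoke(ev.cred_id, "novel_source_after_exposure")
        if novel:
            # No known exposure: anomalous but unproven; an alert with human review fits VC-2.
            return "alert:novel_source"
        if exposed is not None:
            if ev.ts - exposed > self.rotation_deadline:
                return self._revoke(ev.cred_id, "rotation_deadline_missed")
            return "allow:rotation_pending"
        return "allow"

    def run(self, events):
        return [self.handle(ev) for ev in sorted(events, key=lambda e: e.ts)]


def demo_decisions():
    """Constructed scenario; returns the breaker's decision per event in time order."""
    t0 = datetime(2026, 5, 11, 9, 0, 0)
    breaker = CredentialBreaker(baseline={
        "aws-key-01": {"ci-runner-eu"},
        "gh-token-02": {"ci-runner-eu"},
        "gh-token-03": {"ci-runner-eu"},
    })
    events = [
        Event(t0, "used", "aws-key-01", "ci-runner-eu"),                           # allow
        Event(t0 + timedelta(minutes=1), "exposed", "aws-key-01"),                 # stealer seen
        Event(t0 + timedelta(minutes=3), "used", "aws-key-01", "ci-runner-eu"),    # allow:rotation_pending
        Event(t0 + timedelta(minutes=4), "used", "aws-key-01", "198.51.100.9"),    # revoke
        Event(t0 + timedelta(minutes=5), "used", "aws-key-01", "ci-runner-eu"),    # deny:already_revoked
        Event(t0 + timedelta(minutes=6), "used", "gh-token-02", "198.51.100.9"),   # alert only
        Event(t0 + timedelta(minutes=10), "exposed", "gh-token-03"),               # exposure recorded
        Event(t0 + timedelta(minutes=50), "used", "gh-token-03", "ci-runner-eu"),  # revoke: deadline missed
    ]
    return breaker.run(events)


if __name__ == "__main__":
    for decision in demo_decisions():
        print(decision)
```

The design choice worth noting is that the baseline-source check and the exposure record are evaluated together on every use: the decision that used to be "analyst looks at the alert within 30 minutes" becomes a branch that executes in the same call that sees the event.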
GTIG figure: AI-assisted discovery leaves these as #2 / #3 implementation-flaw findings — but the supply of exploitable cases shifts, and the CVE → PoC velocity migrates from VC-1 to VC-2.
04 The AI supply chain is a #10 hot zone
Two findings in the Threat Tracker deserve dedicated treatment because they are the most consequential examples in the 2026 record of where #10 Supply Chain Attack belongs in the AI era: the OpenClaw skill weaponization observed in early February, and the TeamPCP / UNC6780 operation that compromised Trivy, Checkmarx, LiteLLM and BerriAI in late March. Both attacks share the structural property that defines #10 — a third-party trust link is honoured as authoritative inside the target's domain at a specific Trust Acceptance Event (TAE).
4.1 OpenClaw skill weaponization
OpenClaw skills are user-installable extensions that run with the host agent's permissions. The VirusTotal advisory describes malicious packages masquerading as legitimate ClawHub skills, with hidden routines that execute unauthorised code, perform infostealer behaviour, or escalate the agent's file-system and credential reach via prompt-injection-susceptible patterns.
The relevant boundary is between @SkillRegistry (the ClawHub publishing surface) and @AgentHost (the user's machine or container running the agent). The TAE is the moment ClawHub's installation flow imports the skill into the agent's runtime and the agent's executor treats the skill's manifest and code as legitimate.
Walking it: the operator is socially nudged into installing a sketchy skill (#9 — typosquat, fake reviews, "looks helpful" UX). The TAE fires when the skill is registered (#10). The skill's code executes in the agent runtime (#7 by R-EXEC). From there, two parallel consequences: the skill abuses legitimate agent functions to reach files and tools (#1 — accessing the agent's designed capabilities), and any captured API keys or session tokens are replayed downstream (#4). The DRE on the host context is loss of confidentiality.
The VirusTotal Code Insight integration GTIG mentions is a mitigating control on the cause → SRE arrow — it raises the cost of getting through the #10 step, not the cost of the downstream #7 (which is structurally too late by then).
4.2 TeamPCP / UNC6780 — LiteLLM and the SANDCLOCK stealer
In late March 2026, TeamPCP / UNC6780 compromised the PyPI distributions and GitHub Actions of Trivy, Checkmarx, LiteLLM and BerriAI, embedding the SANDCLOCK credential stealer into build artefacts. SANDCLOCK extracted AWS keys and GitHub tokens from build environments and forwarded them for downstream monetisation by ransomware and data-extortion affiliates.
The structural reading is identical to a classical software supply-chain attack, with one important addition: the LiteLLM compromise widens the blast radius to AI API secrets, which give the attacker pivot access to internal models, embedding stores, and the data flowing through them. The TAE remains where it always was — at the pip install or build-step that pulls the compromised package into the target's CI environment.
The @Vendor sphere here is whatever upstream maintainer or publishing identity TeamPCP compromised; that compromise inside the vendor is classified with its own clusters (likely #9 → #4 or #2 — outside the target's domain and therefore outside this path). The path begins, for @Org, at the moment the build pulls and trusts the artefact.
Once SANDCLOCK runs (#7), it harvests cloud secrets from the build environment — credential acquisition, mapped to the enabling cluster #7 per R-CRED. Re-use of those credentials against AWS, GitHub, or the AI gateway's downstream API targets is a separate step — #4 by R-CRED's application rule — and the DRE on the build environment is loss of confidentiality. Subsequent ransomware deployment, if any affiliate later operationalises the access, would add a further #7 with [DRE: Ac]; that is not yet in the GTIG narrative.
4.3 Why the AI supply chain matters more, not differently
The cluster is still #10. The mechanism is still TAE. What has changed is the composition of the supply graph:
- Skill / plugin registries (OpenClaw, MCP servers, agent marketplaces) are a new class of trust artefact, installed at runtime, executing with broad permissions, and rarely covered by traditional SBOM tooling.
- AI gateways (LiteLLM and similar) hold the API keys for every backend model an organisation uses. Compromising the gateway compromises the entire model fleet, including internal proprietary ones.
- Model and dataset distribution (HuggingFace pulls, fine-tuning corpora, vector stores) all run through their own TAEs that older supply-chain tooling does not yet inspect.
Each of these is a new place where #10 applies. None of them is a new kind of cluster. The defender response, in TLCTC vocabulary, is to extend the inventory of trust-acceptance points — to ensure each one has a provenance check, a signature verification, and a fall-back behaviour for the "TAE fails" case. The G7's SBOM-for-AI work is the policy instrument here; the cause-side framing this essay sits next to (see the earlier Security Properties critique) is the missing axis.
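The "inventory of trust-acceptance points" with a provenance check and a defined "TAE fails" behaviour, as an added example (not code from OpenClaw, LiteLLM, VirusTotal or TLCTC): every artefact an organisation accepts at a TAE (pip package, agent skill, model pull, gateway release) must match a pinned sha256 digest and a pinned publisher, and anything not in the inventory is refused rather than accepted. The inventory format, artefact bytes, names and publisher identities are constructed; the publisher comparison is a plain string match standing in for real signature verification (Sigstore / SLSA provenance), while the digest check is genuine.

```python
"""Fail-closed gate at a Trust Acceptance Event (TAE). Added example; it is
not code from OpenClaw, LiteLLM, VirusTotal or TLCTC.

Constructed assumptions: the organisation keeps an inventory of every TAE
("pip", "skill", "model", "gateway") with a pinned sha256 and publisher for
each artefact it accepts. The publisher check is a string match standing in
for signature verification; the digest check is real.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Pin:
    tae: str         # trust-acceptance point: "pip", "skill", "model", "gateway"
    name: str
    sha256: str
    publisher: str


class TaeRefused(Exception):
    """Raised whenever acceptance cannot be positively justified."""


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_inventory(pins):
    return {(p.tae, p.name): p for p in pins}


def accept(tae, name, data, publisher, inventory) -> Pin:
    """Return the matching pin, or raise TaeRefused. No pin means no acceptance."""
    pin = inventory.get((tae, name))
    if pin is None:
        raise TaeRefused(f"no pin for {tae}:{name}; this TAE is not inventoried")
    if pin.publisher != publisher:
        raise TaeRefused(f"publisher mismatch for {tae}:{name}: {publisher!r} != {pin.publisher!r}")
    actual = digest(data)
    if actual != pin.sha256:
        raise TaeRefused(f"digest mismatch for {tae}:{name}: {actual[:12]} != {pin.sha256[:12]}")
    return pin


def gate(tae, name, data, publisher, inventory) -> dict:
    """Structured decision: refusal is the default branch, acceptance the exception."""
    try:
        accept(tae, name, data, publisher, inventory)
        return {"accepted": True, "reason": "pin matched"}
    except TaeRefused as exc:
        return {"accepted": False, "reason": str(exc)}


# Constructed artefacts standing in for a skill package and a gateway release.
GOOD_SKILL = b"name: summarize-pdf\nentry: main.py\n"
GOOD_GATEWAY = b"# constructed bytes standing in for an AI-gateway release\n"
INVENTORY = build_inventory([
    Pin("skill", "summarize-pdf", digest(GOOD_SKILL), "example-skills-org"),
    Pin("gateway", "ai-gateway", digest(GOOD_GATEWAY), "example-gateway-maint"),
])


def demo():
    """Four acceptance attempts: one legitimate, three that must fail closed."""
    return {
        "good_skill": gate("skill", "summarize-pdf", GOOD_SKILL,
                           "example-skills-org", INVENTORY),
        "tampered_skill": gate("skill", "summarize-pdf", GOOD_SKILL + b"import os\n",
                               "example-skills-org", INVENTORY),
        "unpinned_skill": gate("skill", "helpful-cleanup", GOOD_SKILL,
                               "example-skills-org", INVENTORY),
        "wrong_publisher": gate("gateway", "ai-gateway", GOOD_GATEWAY,
                                "someone-else", INVENTORY),
    }


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:16} {decision}")
```

The unpinned-skill case is the one that matters for the skill-registry and model-pull TAEs: a registry serving an artefact is not, by itself, a reason to accept it, so an artefact with no inventory entry is refused even when it is byte-identical to a pinned one under another name.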
05 PROMPTSPY — when the LLM is the loop body
PROMPTSPY is the most architecturally novel finding in the report and the one that most tempts analysts to invent #11 AI Malware. It is also the cleanest illustration of why that temptation should be resisted: the cluster classification is unchanged, but the operational behaviour inside the cluster is genuinely new.
The summary from GTIG: PROMPTSPY is an Android backdoor (initially reported by ESET) that hardcodes a benign-persona prompt to bypass Gemini safety filters, serialises the device's visible UI tree from the Accessibility API into XML-like text, sends it to gemini-2.5-flash-lite in JSON mode, and parses the returned structured response — action types (CLICK, SWIPE) and spatial coordinates — into synthetic gestures replayed against the on-screen UI. It pins itself into the recent-apps list for persistence, intercepts uninstall touches via an invisible overlay, captures biometric gesture data to replay PINs and lock patterns, and rotates its C2 and Gemini API keys at runtime.
The full TLCTC attack path is:
- Sideload / install via lure. The user is socially manipulated into installing the malicious app. The app store (or third-party APK source) is a transit sphere per R-TRANSIT-3 — it forwards the package without itself processing the exploit content. GTIG records that no PROMPTSPY app was found on Google Play, so the typical relay is a third-party store. Velocity: VC-1 / VC-2 depending on the lure cycle. Generic vulnerability: human trust.
- App launch — FEC execution. When the user runs the app, the Android runtime loads and executes attacker-controlled code through the designed application execution capability. That is #7 — Foreign Executable Content via an intended execution path. The Gemini-loop logic, the C2 client, the gesture controller — all of it sits inside this single #7 step. Subsequent Gemini API calls from within the FEC do not earn new steps; they are operational behaviour of #7 (the FEC-features-vs-steps rule).
- Accessibility API abuse — UI tree extraction. The Accessibility Service is a designed Android capability for assistive technology. It exposes the on-screen view hierarchy precisely because legitimate assistive apps need that capability. PROMPTSPY uses the API exactly as documented — there is no implementation flaw to exploit. By R-ABUSE's "Perfect Implementation Test" the attack still works against a flawless Accessibility implementation; therefore #1. This is a separate cluster from the #7 above because the abuse is of the platform's function, not of the malware's execution capability.
- Overlay-based uninstall blocking. SYSTEM_ALERT_WINDOW and overlay APIs are designed for accessibility, screen-reader, and floating-UI use cases. Drawing an invisible overlay on top of the Uninstall button intercepts touches via the designed input-routing rules — no flaw, no exploit. #1 again. The fact that there are several #1 steps reflects the attacker's pattern of stacking multiple legitimate-function abuses; each is its own atomic step (Axiom VI).
- Gemini API call — UI tree to coordinates. This is where the strongest temptation to mint a new cluster appears: the malware delegates spatial reasoning to a remote LLM. Architecturally novel. Cluster-wise irrelevant. The Gemini call is part of #7's execution — same as a classical malware's call to a C2 server for a next-stage command. R-EXEC asks one question: is FEC executing? The FEC is the Android app; it is executing; the cluster is #7. The remote LLM is a tool the FEC uses to decide what to do next, not a separate threat surface in the target's domain.
  GTIG · Fig 6 The hardcoded PROMPTSPY prompt — benign persona to clear Gemini safety filters, spatial-geometry framing for the UI-tree task, and "Core Judgment Rules" as an anti-hallucination contract. The User Goal is concatenated separately at runtime, so the same prompt supports multiple objectives. From TLCTC's vantage this is operator tooling for a step that is still #7.
- Gesture replay — biometric capture and lock-screen bypass. When PROMPTSPY captures the user's PIN-entry or lock-pattern gestures and replays them, it is presenting an identity artefact (the biometric / knowledge factor) to the authentication surface in order to operate as the legitimate user. That is the textbook R-CRED application step — #4. The capture itself maps to the enabling cluster #7 (per R-CRED's acquisition column for "keylogger / accessibility capture"); the application is always #4.
The novelty is not at the cluster level. The novelty is that the decision-loop body has been outsourced to a remote LLM. Classical mobile malware required either pre-programmed decision trees or hand-piloted operator sessions. PROMPTSPY replaces both with a stateless UI → JSON → action round-trip per screen — generalising the attacker's reach across arbitrary apps without per-app development. In TLCTC terms, this collapses the #1 → #1 → #1 → #4 sub-loop inside the #7 step from VC-2 (a human operator clicking through the victim's session in real time) to VC-4 (a 100-300 ms LLM round-trip per screen, machine-driven). The cluster IDs are unchanged. The velocity profile of the in-FEC sub-loop is fundamentally different — and that is what makes PROMPTSPY operationally dangerous, not the LLM use per se.
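If the dangerous property is the velocity profile rather than the LLM call, then the velocity profile is also what a device-side control can observe. As an added example (not code from GTIG, ESET or TLCTC), the detector below looks only at the cadence of actions dispatched through the accessibility / gesture channel per app: a human produces slow, irregular gestures, while a per-screen LLM round-trip produces a steady cadence in the hundreds of milliseconds. The telemetry format (timestamp in ms, app uid, action), the app uids and the threshold values are all constructed for the example; the thresholds are illustrative, not values from the report.

```python
"""Cadence-based detector for a machine-driven UI action loop (the PROMPTSPY
in-FEC sub-loop). Added example, not code from GTIG, ESET or TLCTC.

Constructed assumptions: device telemetry exports (timestamp_ms, app_uid,
action) for actions dispatched through the accessibility / gesture channel.
Only timing is used: rate of actions and how regular the gaps are.
Thresholds are illustrative defaults.
"""
from statistics import mean, pstdev


def interarrivals_ms(events):
    """Gaps between consecutive actions, in milliseconds, in time order."""
    ts = sorted(e[0] for e in events)
    return [b - a for a, b in zip(ts, ts[1:])]


def classify_session(events, max_human_rate=3.0, max_machine_cv=0.2, min_events=5):
    """Return rate (actions/s), cv (inter-arrival regularity) and a verdict.

    A steady (low coefficient of variation) cadence above the human rate is
    the signature of a machine loop; fast but irregular input is flagged for
    review rather than treated as a loop.
    """
    if len(events) < min_events:
        return {"verdict": "insufficient_data", "rate": None, "cv": None}
    gaps = interarrivals_ms(events)
    span_s = sum(gaps) / 1000.0
    rate = len(gaps) / span_s if span_s > 0 else float("inf")
    m = mean(gaps)
    cv = pstdev(gaps) / m if m > 0 else 0.0
    if rate > max_human_rate and cv < max_machine_cv:
        verdict = "machine_loop_suspected"
    elif rate > max_human_rate:
        verdict = "fast_irregular"
    else:
        verdict = "human_cadence"
    return {"verdict": verdict, "rate": round(rate, 2), "cv": round(cv, 3)}


def split_by_app(events):
    """Classify each app uid's actions separately, since the loop runs inside one FEC."""
    by_app = {}
    for ev in events:
        by_app.setdefault(ev[1], []).append(ev)
    return {uid: classify_session(evs) for uid, evs in by_app.items()}


# Constructed telemetry: uid 10421 dispatches at a steady ~200 ms, uid 10077 is human-paced.
MACHINE_GAPS = [210, 190, 220, 205, 195, 230, 210, 200, 215, 205]
HUMAN_GAPS = [900, 1200, 500, 2200, 300, 2400, 1500, 400]


def _events_from_gaps(uid, gaps, start=1_000_000):
    out, t = [(start, uid, "CLICK")], start
    for g in gaps:
        t += g
        out.append((t, uid, "CLICK"))
    return out


SAMPLE = _events_from_gaps(10421, MACHINE_GAPS) + _events_from_gaps(10077, HUMAN_GAPS)


if __name__ == "__main__":
    for uid, result in split_by_app(SAMPLE).items():
        print(uid, result)
```

A control built on this sits on the device's SRE → DRE arrow: it cannot stop the FEC from running, but it can throttle or prompt the user when an accessibility client starts acting at VC-4 cadence, which is exactly the property the text identifies as the operational danger.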
Google's own defensive posture in the report — disabling actor assets, runtime safety filters on Gemini, the persona-prompt jailbreak detection — is correctly placed on the LLM provider's cause → SRE arrow for the in-FEC sub-loop. It does not (and cannot) prevent the #7 execution; it can only degrade the quality of the LLM-driven sub-loop decisions. Endpoint-side defences (Play Protect, Accessibility-API consent friction, overlay-API friction) sit on the SRE → DRE arrow for the device. Both arrows need controls; neither alone is sufficient.
06 Threat radar — what GTIG actually saw
Aggregating the section-02 mapping into a frequency view across the 14 distinct GTIG findings produces the radar below. It is a capability profile of AI-augmented adversary activity in Q2 2026, not a global threat-frequency claim.
Five observations the defender should take from this:
- #7 dominates. Every malware family in the report — PROMPTFLUX, HONESTCUE, CANFAIL, LONGSTREAM, PROMPTSPY, SANDCLOCK — runs as FEC. AI is mostly used to make the FEC more evasive, more adaptive, or more autonomous; it is rarely the FEC itself. Execution control (allow-listing, code signing, sandboxing) remains the highest-leverage preventive control.
- #1 is the second pillar. Function abuse — Accessibility APIs, overlay APIs, free-tier registration flows, multi-hop proxy fleets — is the connective tissue. AI scales the abuse of legitimate features without requiring any flaw. Defenders need to inventory their organisation's legitimate-function attack surface as carefully as they inventory their CVEs.
- #10 is the new growth area. Skills, gateways, model registries, dataset feeds — each is a new TAE. The 50% appearance rate is mostly TeamPCP and OpenClaw, but the structural pattern will recur.
- #9 keeps its place. Voice cloning, persona-prompted lures and synthetic journalists raise the floor for what a credible #9 looks like, but the cluster classification of the manipulation step is unchanged. Defence-in-depth at the human-decision surface is unchanged in shape (friction, secondary verification, clear UX), but the bar moves.
- #2, #3, #5, #6, #8 are quiet in this report. That is a sampling-bias artefact (the report is AI-centric), not evidence that these clusters are receding. Production exploitation of server-side flaws (#2) and DDoS (#6) continue at their usual cadence; they simply sit outside the AI-augmentation story.
What this means for controls (concise version)
- #7 — application allow-listing, code-signing enforcement, EDR with behavioural detection that survives just-in-time obfuscation (PROMPTFLUX, HONESTCUE). Memory-resident execution monitoring matters here.
- #1 — least-privilege on platform APIs (Accessibility, overlays, broadcast intents), rate-limits on agent action loops, rate-limits on account onboarding.
- #10 — provenance verification at every TAE: pip install, skill registration, model pull, gateway upgrade. Signature attestation (SLSA, Sigstore) and post-install behavioural sandboxing (the VirusTotal Code Insight model) on the cause-side arrow.
- #9 — secondary-channel verification for AI-vivified lures (voice clones, deepfakes). Out-of-band confirmation for any high-impact action triggered by a human-trust event.
- #4 — anomaly-driven session containment, automated revocation on credential-use anomalies, hardware-backed credentials where feasible (resilient against PROMPTSPY-class capture).
What does not change
A taxonomy that needed an #11 every time the technology shifted would have died at the smartphone, the cloud, the API gateway, the container, the agent. TLCTC has held across each because it classifies the cause — the generic vulnerability being exploited — not the surface it happens on.
The 2026 GTIG AI Threat Tracker is the first report-length test of the framework against a technology shift that pervades all ten clusters at once. The result, after fourteen distinct findings: zero new clusters required, every finding placed, every R-* rule held. AI is a tool of the attacker; it is not a generic vulnerability of the defender's system.
What does change is operational: Δt collapses, transitions migrate one or two velocity classes faster, the supply graph grows new TAEs (skills, gateways, model registries), and the FEC inside #7 gains a remote decision-loop that does not blink. Each of those is a measurable shift inside an unchanged framework — and each implies a specific control move that the cause-side reading makes explicit. A new threat list would have been a distraction. A faster response budget is the actual ask.
Source & abbreviations
Document analysed: "GTIG AI Threat Tracker: Adversaries Leverage AI for Vulnerability Exploitation, Augmented Operations, and Initial Access", Google Threat Intelligence Group, 11 May 2026. Source.
Framework: TLCTC v2.1 — Top Level Cyber Threat Clusters (tlctc.net) · Licensed CC BY 4.0.
Abbreviations: SRE = System Risk Event (Loss of Control) · DRE = Data Risk Event (C / I / Av / Ac) · TAE = Trust Acceptance Event (where #10 is placed) · FEC = Foreign Executable Content (defines #7) · VC = Velocity Class (Δt scale).