Cyber-crooks have traded craftsmanship for copy-paste: AI now churns out cookie-cutter malware faster than your inbox can clear its spam folder—and it’s still waltzing past corporate sentries.
HP calls the method “vibe-hacking.” Attackers prompt a model to spit out rough-and-ready scripts, then blast them by the thousands. Quality control is optional; volume is the point.
One campaign slipped a payload into a fake invoice PDF; a single click downloaded the malware and redirected the mark to Booking.com so nothing looked amiss. Another pushed Oyster loader through poisoned search ads that promised a legitimate Microsoft Teams installer.
Alex Holland, Principal Threat Research at HP Security Lab, framed it as basic project management:
“It’s the classic project management triangle - speed, quality and cost. You often sacrifice one of them. What we’re seeing is many attackers are optimizing for speed and cost, not quality. They are not using AI to raise the bar; they’re using it to move faster and reduce effort. The campaigns themselves are basic but the uncomfortable reality is they still work.”
The numbers back him up. Between October and December 2025, 14 % of email threats that landed in user inboxes had already slipped past at least one gateway scanner, according to HP Sure Click telemetry.
Executables still dominate at 37 %, trailed by .zip at 11 % and .docx at 10 %. The lesson: quantity plus minor variation still beats detection logic that was tuned for handcrafted code.
Dr. Ian Pratt, Global Head of Security for Personal Systems at HP, argues the bottleneck isn’t malware sophistication—it’s defensive velocity:
“AI-assisted attacks are shining a spotlight on the limitations of detection-led security. When attackers can generate and repackage malware in minutes, detection-based defences can’t keep up.”
HP’s own customers dodged these bullets, not because an algorithm out-thought the criminals but because every downloaded file is spun up inside a micro-VM that self-destructs after use. Isolation, not AI magic, kept the intrusions off the balance sheet.
Look, the sky isn’t falling—attackers are just getting lazier, and our scanners haven’t caught up to the pace of mass-produced junk. Until the industry shifts from hoping to spot every variant to assuming some will slip through, cheap AI-generated lures will keep paying off.
Source: HP