In the quiet hours of early March 2026, cybersecurity researchers at BI.ZONE detected a series of anomalies within the networks of several Russian retail and energy giants. What they discovered wasn't just a standard breach, but the evolution of a threat actor known as "Forbidden Hyena."

Previously known for politically motivated "ideological" defacements, Forbidden Hyena has pivoted. They are now utilizing a sophisticated combination of AI-generated weaponry and a custom-built Remote Access Trojan (RAT) dubbed BlackReaperRAT to move from mere activism into high-stakes corporate extortion.

The "Polite" Malware: AI-Generated Stealth

The most striking element of the Forbidden Hyena campaign is the code itself. Unlike typical hacker scripts, which are often messy or heavily obscured to hide their function, the scripts used in these attacks are remarkably "clean."

Analysts found PowerShell scripts featuring:

  • Detailed Comments: Explanatory text within the code that looks like it was written for a tutorial.
  • Human-Readable Variables: Variable names that follow logical naming conventions rather than random strings.
  • AI "Debug" Strings: Traces of AI model output that suggest the attackers used LLMs (Large Language Models) to write the deployment scripts for them.

Although the lack of obfuscation made the scripts easier for analysts to read, the AI-assisted workflow allowed the attackers to iterate at lightning speed, creating custom payloads for different targets in a fraction of the time it would take a human coder.
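A triage heuristic for the first two traits in the list above, as an added example that is not taken from BI.ZONE's analysis or from the original article: it measures comment density and the share of descriptive variable names in a PowerShell script. The sample scripts are constructed and harmless, and the function names, the definition of "descriptive" and the thresholds are assumptions.

```python
import re

# Constructed sample: tidy, tutorial-style PowerShell (harmless content).
CLEAN_SAMPLE = """\
# Step 1: Define the folder that holds the report files
$reportFolder = "C:\\Reports"
# Step 2: Collect every CSV file in that folder
$reportFiles = Get-ChildItem -Path $reportFolder -Filter *.csv
# Step 3: Print how many files were found
Write-Output $reportFiles.Count
"""

# Constructed sample: terse script with opaque names and no comments.
TERSE_SAMPLE = """\
$a = "C:\\Reports"
$x1 = gci $a -Filter *.csv
$q = $x1.Count
echo $q
"""

VARIABLE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")
# PowerShell automatic variables say nothing about the author's naming style.
AUTOMATIC = {"_", "true", "false", "null", "args", "env", "psitem", "error"}

def style_features(script: str) -> dict:
    """Return comment density and share of descriptive variable names."""
    lines = [ln.strip() for ln in script.splitlines() if ln.strip()]
    # Only whole-line '#' comments are counted; inline and <# #> block comments are ignored.
    comment_lines = [ln for ln in lines if ln.startswith("#")]
    code = "\n".join(ln for ln in lines if not ln.startswith("#"))
    names = {n for n in VARIABLE.findall(code) if n.lower() not in AUTOMATIC}
    # "Descriptive" (assumption): 6+ characters with a camelCase hump or an underscore.
    descriptive = {n for n in names if len(n) >= 6 and re.search(r"[a-z][A-Z]|_", n)}
    return {
        "comment_ratio": round(len(comment_lines) / len(lines), 2) if lines else 0.0,
        "descriptive_ratio": round(len(descriptive) / len(names), 2) if names else 0.0,
    }

def looks_tutorial_style(script, min_comments=0.3, min_descriptive=0.6):
    """Flag scripts whose style matches the traits above (thresholds are assumptions)."""
    f = style_features(script)
    return f["comment_ratio"] >= min_comments and f["descriptive_ratio"] >= min_descriptive
```

Well-written administrative scripts have the same style, so a match is context to attach to a script that was already flagged by behaviour, not a verdict on its own.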

Anatomy of the BlackReaperRAT

Once the AI-generated "loaders" bypass perimeter defenses, they drop the BlackReaperRAT. This malware is designed for two things: absolute stealth and total control.

  1. System Hijacking: The RAT establishes a permanent backdoor, allowing the attackers to download further tools, such as the AnyDesk remote desktop application or the Sliver penetration testing framework.
  2. Ransomware Pivot: Once the "Hyenas" have scouted the network, they deploy a modified variant of the Blackout Locker—now rebranded as Milkyway Ransomware—to encrypt sensitive data.
  3. Ideology Meets Extortion: While the group still uses hacktivist rhetoric, their primary goal has shifted to financial gain, demanding massive ransoms in Monero to unlock corporate infrastructure.

A Growing Trend in 2026

The Forbidden Hyena case highlights a disturbing trend for the 2026 threat landscape. In the first half of 2025, purely ideological "hacktivist" attacks accounted for 20% of regional incidents. By March 2026, that number had dropped to 12%, as groups realize that their AI-boosted technical skills are a lucrative tool for traditional ransomware operations.

For security teams, the "BlackReaper" is a wake-up call: the next threat might not look like a virus—it might look like a perfectly written, commented, and "polite" piece of software created by an AI.

Author

Editorial Team