ARXON: When Your Adversary Has an AI Agent Too
We spend a lot of time thinking about how to protect AI agents from attacks. Prompt injection defenses. Memory integrity checks. Tool permission boundaries.
Meanwhile, a Russian-speaking threat actor just demonstrated what happens when the attacker builds their own AI agent first.
Between January 11 and February 18, 2026, Amazon Threat Intelligence tracked a campaign that compromised over 600 FortiGate devices across 55 countries. No zero-days. No sophisticated exploits. Just exposed management ports, weak credentials - and an AI-powered attack infrastructure that let a single operator work at the scale of a full red team.
The Exposed Infrastructure
The discovery came through routine threat intelligence operations - and the attacker’s own operational security failures.
A misconfigured server at 212.11.64[.]250 was found hosting over 1,400 files across 139 subdirectories: CVE exploit code, stolen FortiGate configurations, Nuclei scanning templates, Veeam credential extraction tools, BloodHound collection data, and - critically - the full source code and operational logs of a custom Model Context Protocol server named ARXON.
A historical review revealed a previous exposure in December 2025 containing similar tooling alongside victim data from a major Asian media company. Between December and February, the attacker evolved from using HexStrike (an open-source offensive AI framework) to a fully custom toolkit.
Eight weeks. From off-the-shelf to bespoke AI-augmented attack infrastructure.
The AI-Powered Kill Chain
What makes this campaign significant isn’t any single technique. Every tool observed - BloodHound, Nuclei, Impacket - is well-documented. What sets this activity apart is the integration of LLMs at every stage of the kill chain.
Inside ARXON: The Offensive MCP
The ARXON Model Context Protocol server is the backbone of this operation. It serves a dual role:
As an analysis platform: ARXON ingests per-target reconnaissance data, calls DeepSeek to generate attack plans, and stores results in a persistent knowledge base that grows with each target. Every compromised device makes the next attack more informed.
As a toolkit: ARXON contains scripts to directly modify victim infrastructure - batch SSH-based FortiGate VPN account creation, user provisioning, and automated Domain Admin credential validation.
The exposed files lay out two core components:

- ARXON: a Model Context Protocol server that bridges LLMs to the intrusion workflow. It processes scan results, invokes DeepSeek for attack planning, maintains a growing knowledge base across targets, and hosts scripts for modifying victim infrastructure.
- A companion orchestrator: Docker-based, built for parallel VPN scanning and target processing. It ingests stolen VPN configs, attempts connections, scans internal networks, and passes results to ARXON. It processed 2,516 targets across 106 countries in parallel batches.
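To make that feedback loop concrete, here is a minimal sketch of the pattern - recon in, LLM plan out, every result persisted so the next target benefits. This is illustrative only, not ARXON's actual code; the llm client and its complete() method are assumed placeholders:

```python
import json
import sqlite3

def init_kb(path: str = "kb.sqlite") -> sqlite3.Connection:
    # Persistent knowledge base: one row per target the operator has processed.
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS kb (target TEXT, plan TEXT)")
    return db

def plan_target(llm, db: sqlite3.Connection, target: str, recon: dict) -> str:
    # Earlier plans enrich the prompt, so each compromise informs the next.
    prior = [row[0] for row in db.execute(
        "SELECT plan FROM kb ORDER BY rowid DESC LIMIT 5")]
    prompt = (f"Recon for {target}: {json.dumps(recon)}\n"
              f"Earlier plans: {json.dumps(prior)}\n"
              "Generate a step-by-step attack plan.")
    plan = llm.complete(prompt)  # assumed placeholder for the LLM call
    db.execute("INSERT INTO kb VALUES (?, ?)", (target, plan))
    db.commit()
    return plan
```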
The most revealing artifact was a Claude Code settings file from the December exposure. It pre-approved Claude to autonomously execute a broad set of shell commands without prompting the operator for approval.
This isn’t Claude Code being jailbroken. This is an attacker configuring their own Claude Code instance for offensive operations. The settings file legitimately grants execution permissions - because the attacker controls the environment. No guardrails to bypass when you’re the administrator.
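Claude Code reads these permissions from a project-level settings file. As a defensive counterpart, here is a minimal sketch of how one might flag auto-approved shell rules in such a file - assuming the documented permissions.allow schema; the path and rule patterns are illustrative:

```python
import json
from pathlib import Path

def shell_rules(settings_path: str) -> list[str]:
    # Claude Code allow-list entries look like "Bash(nmap:*)"; any
    # Bash(...) rule lets shell commands run without confirmation.
    settings = json.loads(Path(settings_path).read_text())
    allow = settings.get("permissions", {}).get("allow", [])
    return [rule for rule in allow if rule.startswith("Bash(")]

if __name__ == "__main__":
    for rule in shell_rules(".claude/settings.json"):  # illustrative path
        print(f"auto-approved shell rule: {rule}")
```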
The Dual-Model Workflow
Amazon Threat Intelligence identified the attacker using multiple AI services in complementary roles: DeepSeek, called from ARXON, for bulk attack planning, and a self-administered Claude Code instance for interactive operations and tooling.
In one observed instance, the attacker submitted the complete internal topology of an active victim - IP addresses, hostnames, confirmed credentials, and identified services - and requested a step-by-step plan to compromise additional systems they couldn’t access with existing tools.
The AI produced technically accurate command sequences. What the attacker couldn’t do was adapt when conditions differed from the plan.
The Skill Gap Pattern
This is where the campaign reveals something important about AI-augmented threats. Amazon’s assessment:
Skill level: Low-to-medium baseline technical capability, significantly augmented by AI. The actor can run standard offensive tools and automate routine tasks but struggles with exploit compilation, custom development, and creative problem-solving during live operations.
Key finding: The threat actor largely failed when attempting to exploit anything beyond the most straightforward, automated attack paths. Their documentation records repeated failures: targeted services were patched, required ports were closed, vulnerabilities didn’t apply.
Rather than persisting against hardened targets, the attacker moved on to softer victims. AI augmentation provided scale and efficiency - not deeper technical skill.
The attack plans reference academic research on offensive AI agents. The attacker is following emerging literature on AI-assisted penetration testing. But when the AI’s output doesn’t work, they can’t debug it.
This is the AI-augmented threat model: not supervillain hackers with AI superpowers, but average hackers with AI multipliers.
Geographic Impact
The campaign’s targeting was opportunistic rather than sector-specific - consistent with automated mass scanning for vulnerable appliances.
Confirmed compromises include an industrial gas company in Asia-Pacific, a telecom provider in Turkey, and a major media company. Additional reconnaissance targeted organizations in South Korea, Egypt, Vietnam, and Kenya, with code specifically developed for a medical equipment manufacturer.
What This Means for Defenders
The ARXON campaign validates several predictions we’ve been tracking:
1. Offensive MCP is here. We’ve written extensively about MCP security risks from a defensive perspective. ARXON demonstrates that attackers are building their own MCP infrastructure - not to compromise your agents, but to power their own.
2. The Promptware Kill Chain is operational. Bruce Schneier’s promptware framework described AI-augmented attack chains in theory. This campaign shows them in practice: reconnaissance data fed to LLMs, LLMs generating attack plans, plans executed automatically, and results fed back to the LLMs.
3. AI democratizes offense faster than defense. A single operator achieved scale that “would have previously required a significantly larger and more skilled team.” The asymmetry favors attackers who can adopt new tools without procurement cycles, compliance reviews, or change management.
The Defense Paradox
Here’s the uncomfortable reality: the attacker succeeded not through AI sophistication but through fundamental security gaps.
- Exposed management interfaces
- Weak credentials
- Single-factor authentication
- Password reuse between VPN and domain accounts
AI didn’t enable novel attacks. AI enabled old attacks at new scale.
The attacker’s operational notes acknowledge that key infrastructure targets were “well-protected” with “no vulnerable exploitation vectors.” When they encountered hardened environments, they moved on.
Strong fundamentals still work. The organizations that weren’t compromised weren’t running next-generation AI defense systems. They were running basic hygiene: patched devices, strong credentials, MFA, network segmentation.
Immediate Actions

- Take appliance management interfaces off the public internet, or restrict them to trusted source addresses (a quick external check is sketched below).
- Enforce MFA on VPN and administrative accounts; this campaign succeeded against single-factor logins.
- Eliminate password reuse between VPN and domain accounts.
- Audit FortiGate devices for unauthorized VPN accounts and administrator users - ARXON created VPN accounts over SSH in bulk.
- Patch internet-facing appliances; the exposed toolkit included exploit code for known CVEs.
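For the first item, a minimal sketch of an external exposure check - run it from outside your perimeter, against addresses you own. The ports are common FortiGate management and SSL-VPN defaults and may differ in your environment:

```python
import socket

# Common FortiGate management / SSL-VPN ports; adjust for your deployment.
PORTS = [22, 443, 541, 10443]

def exposed_ports(host: str, timeout: float = 2.0) -> list[int]:
    open_ports = []
    for port in PORTS:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                open_ports.append(port)
        except OSError:
            pass
    return open_ports

if __name__ == "__main__":
    # 192.0.2.1 is a documentation placeholder (TEST-NET-1); use your own IPs.
    print(exposed_ports("192.0.2.1"))
```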
The Bigger Picture
The ARXON campaign is a preview of the threat landscape we’re entering. Not AI systems being attacked - AI systems doing the attacking.
The attacker didn’t need to jailbreak anyone’s AI. They configured their own. They didn’t need to bypass guardrails. They’re the administrator. They didn’t need sophisticated exploits. They had AI to parallelize basic ones.
Every conversation about “AI safety” has focused on preventing AI systems from being misused or manipulated. The ARXON campaign shows the simpler path: threat actors building their own AI systems designed for offense from the ground up. No jailbreak required. No guardrails to bypass. Just capable tools in adversarial hands.
The dual-model approach observed - using whichever model is most permissive or capable for a given task - is likely to become a recurring pattern. Attackers will comparison-shop across AI providers the same way they comparison-shop across bulletproof hosting providers.
What language models did for this low-to-medium-skilled actor was remove the constraint on how many targets one person can work at any given time. That’s not a minor efficiency gain. That’s a fundamental shift in the economics of cybercrime.
As AI continues to be integrated into offensive operations, defending networks will mean matching the speed at which this workflow moved.
The question isn’t whether your adversaries will have AI agents. It’s whether your defenses assume they already do.
This analysis is based on public research from Amazon Threat Intelligence and Cyber and Ramen. Indicators of compromise and additional technical details are available in the original reports.
Rogue Security builds runtime behavioral security for agentic AI - detecting both defensive gaps that AI-augmented attackers exploit and offensive AI patterns in your environment. Learn more at rogue.security.