Threat Analysis: AI-Generated Exploits, Cloud-Native Phishing, and TrickMo's Blockchain Pivot, What UK SMBs Need to Know
Hello, Mauven here.
This is your Daily Threat Analysis for 11th May 2026.
Three items today. Each one represents a structural shift in how attacks are built and delivered. None of them require a sophisticated nation-state adversary to exploit. That is the point.
Item One: AI Has Written Its First Confirmed Zero-Day Exploit
Googleβs Threat Intelligence Group has confirmed that a zero-day exploit targeting a widely-used open-source web administration tool was, in their assessment, likely developed using AI assistance. This is not a proof-of-concept in a research paper. It was used in an active attack.
The specific tool has not been named in full public reporting at time of writing, but the significance is not in the target, it is in the method. GTIGβs assessment is that the exploit code shows characteristics consistent with AI-assisted generation: structurally coherent, relatively clean, and produced without the trial-and-error artefacts you typically see in human-written exploit code.
What the reporting does not say explicitly, but what the operational implication plainly is: the skill floor for writing working exploits just dropped. Significantly.
The NCSC published a blog today, also the 11th of May, asking ten questions organisations should consider when using AI models to find vulnerabilities. The timing is either coincidental or it is not. Either way, the question the NCSC blog does not quite ask directly is the one that matters operationally: if defenders are asking whether AI can help them find vulnerabilities, attackers have already answered it.
What this means for UK SMBs. If you operate any internet-facing web administration tools, cPanel, Webmin, custom admin panels, or anything similar, and they are publicly accessible, the window between a vulnerability being identified and a working exploit being available is contracting. Patching cycles that assume weeks of lead time are no longer calibrated to reality.
Immediate action: Audit every internet-facing admin interface in your environment. If it does not need to be publicly accessible, put it behind a VPN or restrict access by IP. Review your patch deployment timelines and ask your IT provider what their process is when a critical vulnerability is disclosed.
Item Two: Phishing Campaigns Are Now Running Inside Your Trusted Cloud Infrastructure
A Cyfirma investigation published today documents something that security researchers have been tracking for some time but which has now matured into a systematic operational pattern: threat actors are conducting entire phishing campaigns through legitimate, enterprise-trusted cloud infrastructure, not attacker-controlled servers.
The mechanics are straightforward once you see them. Attackers create accounts or abuse existing compromised accounts on platforms your staff already use: Google Drive, Microsoft SharePoint, OneDrive, legitimate OAuth endpoints. They send links that originate from these platforms. The domain is genuine. The TLS certificate is valid. The sender, in many cases, is a real address from a real platform.
A parallel investigation by Push Security, who gained access to a criminal phishing panel called Dokoβs Panel used by ShinyHunters and BlackFile groups, confirms the operational sophistication of this approach. These are not opportunistic actors. The panel coordinates real-time adversary-in-the-middle attacks targeting enterprise identity providers including Okta and Microsoft Entra. The attacks combine voice phishing with automated credential interception, meaning by the time a target has spoken to what they believe is a support agent and clicked a link, the session token has already been harvested.
What the Cyfirma report does not say, but what the operational picture suggests, is that this methodology is being used at scale against targets of all sizes. The tooling is accessible. The infrastructure is free or low-cost. The returns are high.
What the standard advice misses. Telling staff to check whether a link comes from a legitimate domain no longer provides meaningful protection when the links genuinely do come from legitimate domains. The trust signal that email security training has conditioned people to look for, is this a real Google link?, is now the attack vector.
The NCSC published guidance on MFA bypass via adversary-in-the-middle techniques. The fact that criminal groups are now operating commercial panels that industrialise this approach tells you everything about how that guidance has been absorbed across the UK SMB market.
Immediate action: Review your conditional access policies if you use Microsoft 365 or Google Workspace. Specifically: are you enforcing device compliance checks, not just MFA prompts? A device-bound authentication requirement significantly raises the cost of this attack. Ensure staff understand that a link originating from a genuine Google or Microsoft URL is not evidence of legitimacy.
Item Three: TrickMo Banking Trojan Moves to Blockchain Command-and-Control
A new variant of TrickMo, an Android banking trojan with known European targeting, has been identified by ThreatFabric. The significant change in this variant is not a new capability. It is an infrastructure decision: the malware has migrated its command-and-control communications entirely to The Open Network (TON) blockchain, using .adnl endpoints.
This matters because conventional network-based detection relies on identifying malicious infrastructure. Domain blocklists, IP reputation feeds, DNS sinkholes, these all depend on being able to identify and block the C2 channel. When that channel runs over a decentralised blockchain network, those detection methods fail. There is no domain to block. There is no IP to sinkhole. The C2 traffic blends with legitimate blockchain activity.
Active campaigns have targeted banking and fintech applications, authentication apps, and cryptocurrency wallets. The delivery vector remains sideloaded applications, Android apps installed from outside the official Play Store. The malware requests accessibility service permissions, which it uses to overlay fake login screens on top of legitimate banking applications.
The European targeting is directly relevant to UK users. The banking and fintech applications being targeted include institutions with significant UK customer bases. This is not a threat contained to a specific geography.
What to watch for. The primary delivery vector, sideloaded apps, is one your acceptable use policy can address. If staff are using personal Android devices to access corporate email, banking platforms, or authentication apps, and those devices do not have MDM controls preventing sideloading, you have exposure.
Immediate action: If you do not have a mobile device management policy that addresses sideloaded applications, implement one. At minimum, communicate to staff that any banking or authentication application should only ever be installed from the official Play Store, and that requests to install apps from other sources, regardless of how the request arrives, should be treated as a social engineering attempt.
The Thread Running Through All Three
These three items are not coincidental. They represent a consistent direction of travel: attack tooling is becoming more accessible, detection is becoming harder, and the trust signals that defenders and end users have been trained to rely on are being systematically undermined.
AI-written exploits compress the time between vulnerability and weaponisation. Cloud-native phishing eliminates the domain-based trust signals that detection depends on. Blockchain C2 removes the network infrastructure that detection tools monitor.
None of this requires a nation-state budget. That is what makes it relevant to businesses who assume they are not a target.