AI and cybersecurity: policy pressure, threat evolution, and market hype
Several items are not a single coherent incident but reflect a broader theme: the expanding role of AI in national security and cybersecurity. One report describes the US Department of Defense pressuring Anthropic to allow unrestricted military use of its Claude models, with reported threats to invoke the Defense Production Act or label the company a supply-chain risk if it does not remove safeguards; the same piece notes DoD interest in other models (including a reported deal involving xAI Grok) and frames the dispute around who sets rules for military AI use and what safety constraints should exist.
Other references are largely non-incident content: leadership/board governance opinion pieces and a podcast segment arguing security should be treated as a business enabler, plus a venture-capital market write-up claiming 2025 cybersecurity investment surged as startups positioned themselves as AI-native. Only one additional item is clearly threat-focused: a CSO Online report on Steaelite RAT, described as combining data theft with ransomware management capabilities in a single tool. A separate Hackread article is generic “data breaches in 2026” advice/trend commentary without a specific breach, victim, or actionable technical detail.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Dragos says Volt Typhoon remains active in US critical infrastructure
In its 2026 Year in Review reporting, Dragos said the China-linked Volt Typhoon group was still active in US utilities and OT environments despite earlier US government statements that the campaign had been blunted. This represented a continued threat assessment and ongoing targeting of critical infrastructure.
Dragos identifies Sylvanite as a new initial-access group
Dragos reported on a newly identified initial-access group called Sylvanite that allegedly enables follow-on intrusions by other threat actors, including Volt Typhoon, across multiple regions. The reporting added a new actor and support role to the broader critical-infrastructure intrusion picture.
Steaelite RAT reported as combining theft and ransomware management
A CSO Online item reported that a tool called Steaelite RAT combines data-theft functions with ransomware management capability in a single tool. No victim, exploitation, or technical details were provided in the visible reference text.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
AI-driven security discourse highlights bug-finding gains, identity risks, and largely generic guidance
Coverage this week emphasized how **AI is accelerating both offense and defense**, but most guidance remained high-level rather than tied to a single incident. The FBI warned that criminals and nation-states are using AI to increase the *speed* of intrusions while still following familiar kill-chain steps, urging organizations to double down on fundamentals such as MFA, hardening internet-facing/edge assets, and credential abuse detection; CISA leadership echoed the focus on removing unsupported edge devices. Separate reporting and commentary highlighted AI’s growing impact on software assurance: Microsoft Azure CTO Mark Russinovich described using Anthropic’s *Claude Opus 4.6* to analyze decades-old assembly code and surface subtle logic flaws, while open-source maintainers reported being inundated with low-quality, AI-generated vulnerability reports even as AI-assisted analysis can also increase discovery of high-severity bugs (e.g., Mozilla’s red-teaming claims). Several items were **notable but not part of a unified event**: CSO Online reported the **CVE program’s funding was secured**, reducing near-term continuity risk for vulnerability enumeration, and separately covered **post-quantum cryptography (PQC)** planning uncertainty as vendors compete for early advantage. Other pieces were primarily opinion, best-practice, or event content—e.g., “shadow AI” governance steps, SOC preparation for agentic AI, OT/IoT security commentary, cloud-security leadership takes, and a conference session roundup—providing general risk framing rather than actionable incident-specific intelligence. One concrete threat report described a **software supply-chain lure** in which developers searching for *OpenClaw* were redirected to a **GhostClaw RAT**, reinforcing ongoing risk from trojanized tooling and search-driven malware delivery, but it was not connected to the broader AI/governance narratives in the rest of the set.
Mar 21, 2026
AI-driven security and governance challenges across enterprises and government
Public- and private-sector security leaders are increasingly treating **AI adoption as inseparable from cybersecurity**, citing governance, workforce, and operational impacts. U.S. government-focused commentary argues agencies must build “cyber-AI” capability across education pipelines and critical infrastructure, as AI simultaneously improves detection/response and enables faster phishing, malware development, and adaptive attacks. Enterprise security coverage echoes the governance challenge: attempts to **ban AI-enabled browsers** are expected to drive “shadow AI” usage, with concerns including sensitive-data leakage to third parties and **prompt-injection** risks; separate reporting highlights friction between developers and security teams as AI-accelerated delivery increases firewall rule backlogs and delays, pressuring organizations to automate controls without weakening oversight. Threat and risk reporting also points to concrete shifts in attacker tradecraft and defensive tooling. Cloudflare’s *Cloudforce One* threat report describes **infostealers** (e.g., **LummaC2**) stealing live session tokens to bypass MFA, heavy automation in credential abuse (bots dominating login attempts), and a ransomware initial-access pipeline increasingly tied to infostealer activity; it also notes a coordinated disruption effort against LummaC2 infrastructure and expectations of successor variants that compress time-to-ransomware. In parallel, AppSec commentary describes Anthropic’s **Claude Code Security** as a reasoning-based code scanning and patch-suggestion capability that claims to identify large numbers of previously unknown high-severity issues, but still requires human approval and does not replace production AppSec programs; other items in the set are largely non-incident thought leadership (skills gap, secure-by-design, AI security “tactics,” and workforce resilience), plus unrelated content (awards, job listings, quantum-resistant data diode product coverage, and an AI nuclear wargame study).
Mar 21, 2026
AI Adoption and Misuse Expands Enterprise and Cybercrime Risk
No single incident ties the reporting together; the dominant theme is **AI’s expanding role in both enterprise operations and criminal tradecraft**, alongside broader, non-AI security trend commentary. A Docker-sponsored survey reported by *Help Net Security* says **60% of organizations run AI agents in production**, but **security/compliance is the top scaling barrier (40%)**, with recurring concerns including *prompt injection*, *tool poisoning*, runtime isolation/sandboxing, auditability, and credential/access control in distributed agent systems. Separately, forum-traffic research summarized by *Help Net Security* found cybercriminals increasingly using mainstream and local AI models to support phishing, code generation, and social engineering, with frequent discussion of jailbreaking and the use of stolen/resold premium AI accounts. Several other items are adjacent but not about the same specific story: an ESET article provides **generic guidance** on detecting **AI voice deepfakes** used for fraud; an Ars Technica piece covers **copyright/data memorization** risks in LLMs; and multiple outlets publish broader security trend or opinion content (quantum preparedness, ransomware targeting manufacturing, Romanian warnings about ransomware aligning with Russian hybrid aims, ATM jackpotting increases, and a Check Point retrospective). Some entries are primarily **commentary, historical analogy, newsletters, or how-to recon guidance** rather than new threat reporting, and should be treated as lower-signal for executive situational awareness unless your organization is actively deploying agentic AI or tracking AI-enabled fraud/social engineering.
Mar 21, 2026