Attackers Hijacked Exposed Ollama Servers to Power Autonomous Exploitation Tool
Sysdig researchers observed a threat actor abusing a publicly exposed, unauthenticated Ollama server as the reasoning backend for an automated offensive framework dubbed VAPT. The tool chained AI-driven stages to fingerprint services, map vulnerabilities, generate proof-of-concept exploits, craft blind SQL injection payloads, extract credentials, plan file reads, and choose privilege-escalation paths until remote command execution was achieved. Researchers said the activity marks an evolution of LLMjacking, shifting from theft of paid inference APIs to theft of self-hosted model capacity for autonomous offensive operations.
The observed sessions originated from residential IP addresses in India and targeted only private lab-style ranges and fictitious applications, indicating the actor was likely developing and tuning the framework rather than attacking public victims during the observation window. Sysdig said many Ollama deployments remain exposed because the service listens on port 11434 without authentication by default, with roughly 175,000 instances reportedly reachable across more than 130 countries. The company urged defenders to block internet exposure, add authentication through proxies or network controls, and monitor model endpoints for offensive-tooling markers such as the strings VAPTb3gin, VAPTfin, and the command:
echo VAPTb3gin; id; echo VAPTfin
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Sysdig publishes research on evolved LLMjacking via stolen Ollama compute
Sysdig published research describing the June 12 activity as an evolution of LLMjacking from theft of paid AI inference capacity to abuse of self-hosted model capacity for autonomous offensive operations. The report also highlighted detection anchors including the strings VAPTb3gin, VAPTfin, and __VAPTCMD__, and warned about widespread exposure of Ollama on port 11434 without authentication.
Sysdig observes VAPT abusing an exposed Ollama server
On June 12, 2026, Sysdig Threat Research Team observed a threat actor using a publicly exposed, unauthenticated Ollama server as the reasoning backend for an automated offensive framework it calls VAPT. The framework used the model to fingerprint services, identify vulnerabilities, generate exploits, craft blind SQL injection payloads, extract credentials, plan privilege escalation, and orchestrate exploitation through confirmed command execution.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
Hackers Abuse Legitimate RMM Tools to Maintain Persistent Access and Evade Detection
cybersecuritynews.com
Open sourceLLMjacking evolved: Attackers are using stolen AI compute to build offensive agentic tools | Sysdig
webflow.sysdig.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Attackers Abuse AI Services and Exposed LLM Infrastructure for Intrusions and Compute Theft
Researchers and vendors reported a sharp rise in attacks targeting AI infrastructure, from exposed self-hosted LLM servers to commercial coding assistants used in real intrusions. A Kaspersky honeypot posing as a private AI server with services including **Ollama**, **LM Studio**, **LangServe**, **text-generation-webui**, OpenAI-compatible APIs, RAG databases, and an MCP server was indexed by Shodan within hours and drew more than **113,000 requests** in a month from thousands of IP addresses. Nearly a quarter of the traffic focused on discovering and exploiting AI capabilities, with attackers attempting to consume inference resources, analyze documents, generate content, process vulnerability data, proxy requests to external models, and steal secrets from exposed `.env` files using tooling such as **LLM-Scanner**. The broader threat has moved beyond opportunistic abuse into targeted operations. Anthropic said suspected Chinese state-linked operators misused **Claude Code** against **30 high-value organizations** across technology, finance, chemicals, and government, using the AI assistant to test systems, generate attack code, harvest credentials, identify privileged accounts and backdoors, and support deeper intrusion activity; the company said the tool performed **80% to 90%** of the work in some cases. Separately, defenders were urged to rapidly patch internet-exposed management infrastructure after **CVE-2026-41940** in **cPanel/WHM** was exploited in the wild, allowing pre-authentication root access in as few as four HTTP requests and reportedly being used in ransomware activity, underscoring how exposed services and AI-enabled tradecraft are converging into a faster, more scalable attack model.
May 25, 2026
Criminal Abuse of Exposed LLM Infrastructure and GenAI-Enabled Phishing Techniques
Security researchers reported escalating **criminal abuse of large language model (LLM) infrastructure**, including active exploitation of exposed or weakly authenticated AI service endpoints. Pillar Security documented more than **35,000 attack sessions** over ~40 days against honeypots and attributed the activity to an operation dubbed **“Bizarre Bazaar,”** described as an early example of actor-attributed “**LLMjacking**.” The activity targeted misconfigured/self-hosted deployments and AI APIs (including **unauthenticated Ollama endpoints on `11434`** and **OpenAI-compatible APIs on `8000`**), with attackers moving quickly once endpoints appeared in internet-wide scanners such as Shodan/Censys. Reported objectives included **stealing compute** (e.g., crypto mining), **reselling illicit API access** on underground markets, **exfiltrating prompt/conversation data**, and attempting **pivoting into internal systems** via publicly accessible **Model Context Protocol (MCP) servers**. Separately, Palo Alto Networks **Unit 42** described a proof-of-concept phishing technique where a benign-looking page calls a legitimate LLM API to generate **per-victim JavaScript** in real time, assembling a **personalized phishing site** in the browser to reduce the presence of static indicators and evade traditional detections; researchers noted similar building blocks are already being used for obfuscated JavaScript and malware-related activity.
Mar 21, 2026
Large-Scale Automated Reconnaissance and Brute-Force Campaigns Targeting Exposed AI and Linux Server Surfaces
Threat activity observed in late 2025 and early 2026 shows **high-volume, automated probing** of emerging and legacy internet-facing attack surfaces, including exposed large language model (LLM) endpoints. GreyNoise reported **91,403 attack sessions** against its *Ollama* honeypot infrastructure, attributing the traffic to two operations systematically enumerating AI deployments across major commercial model ecosystems (including OpenAI, Google, Anthropic, Meta, and others). One operation used two IP addresses to methodically test API formats and identify live endpoints across dozens of LLM targets while relying on innocuous prompts (for example, simple greetings and basic trivia questions) to reduce the likelihood of detection; GreyNoise noted the source IPs had prior associations with exploitation of known vulnerabilities, suggesting reconnaissance intended to feed follow-on exploitation. In parallel, Check Point Research detailed an updated, modular **GoBruteforcer** botnet variant that compromises Linux servers by **brute-forcing weak credentials** across common services (including FTP, MySQL, PostgreSQL, and *phpMyAdmin*), then reuses newly compromised hosts to expand scanning and password-guessing at scale. Check Point assessed that **50,000+ internet-facing servers** may be exposed to this activity, citing two drivers: widespread reuse of **AI-generated deployment/configuration examples** that propagate predictable usernames and weak defaults, and continued exposure of legacy stacks (such as *XAMPP*) with insufficient hardening. The newer GoBruteforcer variant reportedly adds more sophisticated capabilities and obfuscation, and the operators appear financially motivated, with activity linked to data theft, selling initial access, and cryptocurrency theft.
Mar 21, 2026