Forbidden Hyena Deploys AI-Generated Scripts and New BlackReaperRAT in High-Impact Attacks

CyberSecureFox 🦊

A newly tracked hacktivist cluster known as Forbidden Hyena is combining traditional cybercrime tools with generative AI and a previously undocumented remote access trojan, BlackReaperRAT, to target Russian government entities and critical infrastructure organizations. Research by BI.ZONE shows that while AI-driven attacks currently account for less than 1% of incidents against Russian companies in 2025, the tactics used by this group illustrate how quickly adversaries are operationalizing AI.

Forbidden Hyena’s focus on Russian government and critical infrastructure

According to BI.ZONE Threat Intelligence, Forbidden Hyena primarily targets Russian government agencies along with organizations in healthcare, energy, retail, and utilities (housing and public services). These sectors form part of critical infrastructure, where successful compromise can disrupt essential services, impact safety, and trigger significant public concern.

Although the group brands itself as a hacktivist collective, its activity reflects a broader shift in the threat landscape. BI.ZONE analysts note that the proportion of attacks motivated purely by ideology declined from 20% to 12% in the second half of 2025. Increasingly, politically themed operations are blended with classic financial extortion, where attackers monetize network access and data through ransomware and sale of footholds.

How Forbidden Hyena uses AI and LLM-generated scripts in attacks

PowerShell and Bash scripts for persistence and Sliver deployment

On one of Forbidden Hyena’s command-and-control (C2) servers, investigators identified several helper scripts that exhibit strong indicators of being created with large language models (LLMs). These include two PowerShell scripts and a Bash script used at different stages of the intrusion chain.

The first PowerShell script establishes persistence for the malware on compromised hosts, configuring autorun mechanisms so that the payload relaunches after a reboot. The second silently installs AnyDesk, a legitimate remote access tool that attackers routinely abuse as a covert management channel, so that their interactive access blends with routine administrative traffic.

The Bash script acts as an initial loader. It downloads and executes an obfuscated implant for the Sliver framework, a popular red-team and adversary-emulation toolkit used both by penetration testers and threat actors. This layered approach allows Forbidden Hyena to chain specialized malware (RATs, ransomware) with legitimate software and widely available offensive security frameworks.

Code style reveals likely use of generative AI

The strongest evidence of AI assistance lies in the style and structure of the scripts. BI.ZONE analysts note extensive debug output, unusually detailed comments, and descriptive variable and function names that mirror textbook examples. At the same time, the scripts show minimal to no obfuscation, which seasoned malware authors typically apply to hinder analysis and detection.

These traits are characteristic of code directly produced by generative AI tools and only lightly modified by humans, if at all. In practice, this suggests that AI is currently being used mainly to speed up the creation of supporting infrastructure—installers, loaders, persistence helpers—rather than to develop highly sophisticated, fully autonomous malware. Nevertheless, BI.ZONE points to a growing trend of “weaponization of AI”, where the role of AI-generated components in offensive operations is expected to become more advanced and specialized over time.
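The traits listed above can be turned into a first-pass triage check for scripts recovered from a C2 server or a host. The following is an added example, not BI.ZONE's tooling and not a Forbidden Hyena script: it measures comment density, progress-output density, identifier length and the presence of common evasion idioms, then scores how much a script reads like lightly edited generator output. The two sample scripts are constructed for the demo (placeholder paths, inert content), and the weights and thresholds are assumptions to tune against your own corpus.

```python
import re

# Constructed samples imitating the traits the analysts describe; neither is a real
# Forbidden Hyena script, and both are inert (placeholder paths, nothing is meant to run).
SAMPLE_LLM_STYLE = r'''
# Helper that registers the payload under the current user's Run key so it survives reboots
function Add-PersistenceEntry {
    param(
        [string]$PayloadPath,
        [string]$EntryName
    )
    Write-Host "Adding persistence entry: $EntryName -> $PayloadPath"
    # Create or update the registry value that Windows reads at logon
    Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name $EntryName -Value $PayloadPath
    Write-Host "Persistence entry added successfully"
}
'''

SAMPLE_OBFUSCATED = r'''
$a=[Convert]::FromBase64String('U2V0LUl0ZW1Qcm9wZXJ0eQ==');$b=[Text.Encoding]::UTF8.GetString($a)
$c=([char[]](72,75,67,85) -join '');iex "$b -Path ${c}:\x -Name u -Value $env:TEMP\u.bat"
'''

IDENT_RE = re.compile(r"\$([A-Za-z_]\w*)|\bfunction\s+([\w-]+)", re.IGNORECASE)
DEBUG_RE = re.compile(r"\bWrite-(Host|Output|Verbose)\b|^\s*echo\b", re.IGNORECASE)
# Evasion idioms a generator does not emit unless asked; each one is strong counter-evidence
OBFUSCATION_MARKERS = (
    r"FromBase64String", r"\biex\b", r"Invoke-Expression", r"-[eE]nc(odedCommand)?\b",
    r"\[char\[?\]?\]", r"-join", r"\bsal\b", r"Set-Alias",
)


def style_features(script: str) -> dict:
    """Measure the traits that separate LLM-style helper scripts from hand-obfuscated ones."""
    lines = [l for l in script.splitlines() if l.strip()]
    n = max(len(lines), 1)
    comments = sum(1 for l in lines if l.lstrip().startswith("#"))
    debug = sum(1 for l in lines if DEBUG_RE.search(l))
    names = [m.group(1) or m.group(2) for m in IDENT_RE.finditer(script)]
    mean_ident = sum(map(len, names)) / len(names) if names else 0.0
    markers = sum(1 for p in OBFUSCATION_MARKERS for _ in re.finditer(p, script))
    return {"lines": len(lines), "comment_ratio": comments / n, "debug_ratio": debug / n,
            "mean_identifier_len": mean_ident, "obfuscation_markers": markers}


def llm_style_score(script: str) -> float:
    """0..100: high means 'reads like lightly edited generator output', low means 'tuned to evade'.
    Weights are assumptions for the demo, not calibrated values."""
    f = style_features(script)
    score = min(f["comment_ratio"], 0.3) / 0.3 * 35       # dense explanatory comments
    score += min(f["debug_ratio"], 0.3) / 0.3 * 25        # chatty progress output
    score += min(f["mean_identifier_len"], 10) / 10 * 40  # long, descriptive names
    score -= 20 * f["obfuscation_markers"]                # evasion idioms pull the score down hard
    return round(max(0.0, min(100.0, score)), 1)


def triage(script: str) -> str:
    """Coarse label for an analyst queue; thresholds are assumptions."""
    s = llm_style_score(script)
    return "llm-style" if s >= 60 else "obfuscated" if s <= 20 else "mixed"


if __name__ == "__main__":
    for name, sample in (("llm-style sample", SAMPLE_LLM_STYLE), ("obfuscated sample", SAMPLE_OBFUSCATED)):
        print(name, triage(sample), style_features(sample))
```

A high score is a prioritisation hint, not attribution: a careful human can write textbook-clean code, and an operator can ask a model to obfuscate. The useful signal for a SOC is the combination of a high score with a sensitive action (autorun keys, silent installers, loaders), which is exactly the profile of the helper scripts described above.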

BlackReaperRAT: new VBScript remote access trojan with Telegram-based C2

Delivery via RAR archives and stealthy persistence

The most significant technical discovery in this campaign is BlackReaperRAT, a previously undocumented Remote Access Trojan (RAT) written in VBScript (VBS). Victims receive the malware in RAR archives that contain a set of .bat and .vbs files.

When the archive contents are executed, the user is shown a seemingly legitimate PDF document as a decoy while the trojan installs silently in the background. To maintain long-term access, BlackReaperRAT uses several persistence mechanisms at once: Windows registry autorun keys, Task Scheduler entries, and entries in the Startup folder.

The command-and-control channel is implemented in an unusual way: instead of contacting a dedicated C2 server, the RAT periodically queries the description field of a specific Telegram channel and extracts encrypted commands embedded in that text. This makes takedown and blocking harder: there is no attacker-owned domain or IP address to sinkhole, and the polling traffic blends with legitimate connections to a widely used messaging platform.
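Because the destination is shared infrastructure, domain blocking is not an option for most organisations; what does differ from human use is the cadence. A person reads a channel a few times a day, while a RAT re-fetches the same resource on a timer. The following added example (not BI.ZONE's detection logic) scores proxy-log requests to Telegram hosts by how regular their intervals are and flags low-jitter polling of one URL by one workstation. The log lines are constructed, and the example assumes the description is fetched over HTTPS through a web proxy; the article does not say which Telegram endpoint the RAT actually uses.

```python
from __future__ import annotations
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed proxy log, not from the incident: timestamp, workstation, method, URL, status.
# WS-0417 fetches the same channel page every five minutes; WS-0211 is a person using Telegram.
SAMPLE_PROXY_LOG = """\
2025-11-03T09:00:02Z WS-0417 GET https://t.me/s/example_channel 200
2025-11-03T09:00:09Z WS-0211 GET https://web.telegram.org/a/ 200
2025-11-03T09:05:03Z WS-0417 GET https://t.me/s/example_channel 200
2025-11-03T09:07:41Z WS-0211 GET https://web.telegram.org/a/ 200
2025-11-03T09:10:02Z WS-0417 GET https://t.me/s/example_channel 200
2025-11-03T09:15:04Z WS-0417 GET https://t.me/s/example_channel 200
2025-11-03T09:16:55Z WS-0211 GET https://t.me/some_public_link 200
2025-11-03T09:20:03Z WS-0417 GET https://t.me/s/example_channel 200
2025-11-03T09:25:02Z WS-0417 GET https://t.me/s/example_channel 200
"""

# Domains owned by Telegram; subdomains (api., web., ...) are matched by suffix
TELEGRAM_HOSTS = ("t.me", "telegram.me", "telegram.org")


def is_telegram(url: str) -> bool:
    host = urlparse(url).netloc.lower()
    return any(host == h or host.endswith("." + h) for h in TELEGRAM_HOSTS)


def parse_log(text: str) -> list[tuple[datetime, str, str]]:
    """Turn the five-column sample format into (timestamp, workstation, url) events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, _method, url, _status = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, url))
    return events


def find_beacons(events, min_hits: int = 4, max_jitter: float = 0.15) -> list[dict]:
    """Flag (workstation, URL) pairs fetched repeatedly at near-constant intervals.
    min_hits and max_jitter are assumed starting points, not tuned values."""
    series = defaultdict(list)
    for ts, host, url in events:
        if is_telegram(url):
            series[(host, url)].append(ts)
    findings = []
    for (host, url), stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        jitter = pstdev(gaps) / period if period else 0.0   # coefficient of variation of the gaps
        if jitter <= max_jitter:
            findings.append({"host": host, "url": url, "hits": len(stamps),
                             "period_s": round(period, 1), "jitter": round(jitter, 3)})
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_PROXY_LOG)):
        print(hit)
```

An implant can randomise its sleep, which raises the jitter and slips under this check, so treat the timing score as one signal. The complementary host-side check is which process opens the connection: a browser or the Telegram desktop client talking to t.me is normal, while wscript.exe or cscript.exe doing so (the natural parent for a VBScript RAT) is not, and that distinction is visible in EDR network telemetry regardless of cadence.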

Capabilities and risks for segmented and offline environments

Once active, BlackReaperRAT provides attackers with a broad range of post-exploitation capabilities. It can:

  • execute arbitrary commands via cmd.exe;
  • download and run additional modules or payloads;
  • propagate through USB drives by replacing files with malicious shortcuts.

The USB-spreading functionality is particularly dangerous for isolated or air‑gapped network segments, where removable media remain a common method of transferring data and updates. Users believe they are opening familiar documents from a flash drive but in reality are triggering a shortcut that launches the malware and extends the infection.
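Shortcut-based USB spreading leaves a recognisable footprint on the drive itself: a .lnk whose name ends in a document extension, whose target is a script host or shell rather than the document, often sitting next to the original file it shadows. The following added example (not BlackReaperRAT code and not BI.ZONE's tooling) is a scanner for removable media that parses the Shell Link header and string fields of each .lnk and reports those patterns. It builds its own minimal test shortcuts in a temporary directory; the decoy's target path and arguments are constructed for the demo, not recovered from the campaign.

```python
from __future__ import annotations
import os
import struct
import tempfile

# Shell Link (.LNK) header constants from the MS-SHLLINK format
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

# Script hosts and shells that a shortcut posing as a document has no reason to launch
SUSPICIOUS_TARGETS = ("wscript", "cscript", "cmd.exe", "powershell", "mshta", "rundll32")
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png")


def parse_lnk(data: bytes) -> dict[str, str]:
    """Return the StringData fields of a .lnk (IDList and LinkInfo are skipped, not decoded)."""
    if len(data) < HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:       # IDListSize (2 bytes) + IDList body
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                 # LinkInfoSize (4 bytes) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, key in STRING_FIELDS:           # fixed order, each: CountCharacters + chars, no terminator
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        fields[key] = raw.decode("utf-16-le") if width == 2 else raw.decode("cp1252", errors="replace")
        pos += width * count
    return fields


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal Unicode .lnk carrying only RelativePath and Arguments (test data only)."""
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID
    header += struct.pack("<I", HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE)
    header += b"\x00" * (HEADER_SIZE - len(header))   # attributes, timestamps, icon, show cmd, reserved
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments))
    return header + body


def classify_shortcut(filename: str, data: bytes) -> list[str]:
    """Reasons a shortcut matches the decoy pattern; empty list if it looks benign."""
    stem, ext = os.path.splitext(filename)
    if ext.lower() != ".lnk":
        return []
    reasons = []
    if stem.lower().endswith(DOCUMENT_EXTS):
        reasons.append("name imitates a document: " + filename)
    try:
        fields = parse_lnk(data)
    except ValueError as exc:
        return reasons + [f"unparseable .lnk ({exc})"]
    target = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    if any(t in target for t in SUSPICIOUS_TARGETS):
        reasons.append("launches a script host or shell: " + target.strip())
    return reasons


def scan_removable_root(root: str) -> dict[str, list[str]]:
    """Walk a mounted drive and report every shortcut that looks like a replaced document."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        lowered = {f.lower() for f in files}
        for f in files:
            if not f.lower().endswith(".lnk"):
                continue
            with open(os.path.join(dirpath, f), "rb") as fh:
                reasons = classify_shortcut(f, fh.read())
            if f[:-4].lower() in lowered:   # decoy sitting beside the (often hidden) original
                reasons.append("shadows a file of the same name: " + f[:-4])
            if reasons:
                findings[os.path.join(dirpath, f)] = reasons
    return findings


def demo() -> dict[str, list[str]]:
    """Populate a temporary 'USB root' with one decoy and one ordinary shortcut, then scan it."""
    root = tempfile.mkdtemp(prefix="usb_demo_")
    with open(os.path.join(root, "report.pdf"), "wb") as fh:        # the real document, left in place
        fh.write(b"%PDF-1.4 constructed sample\n")
    with open(os.path.join(root, "report.pdf.lnk"), "wb") as fh:    # constructed decoy, inert
        fh.write(build_lnk("..\\..\\Windows\\System32\\wscript.exe", '//B //Nologo ".\\upd.vbs" "report.pdf"'))
    with open(os.path.join(root, "Notes.lnk"), "wb") as fh:         # harmless shortcut to a text file
        fh.write(build_lnk("Notes.txt", ""))
    return {os.path.basename(p): r for p, r in scan_removable_root(root).items()}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "; ".join(reasons))
```

Run it against the mount point of a drive that has crossed into a segmented network before anything on it is opened; pairing this with a policy that shows file extensions (so "report.pdf.lnk" is not displayed as "report.pdf") removes most of the trick's effect on users.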

Milkyway ransomware: from hacktivism to monetization

The ultimate objective of Forbidden Hyena’s operations is ransomware-driven extortion. After gaining persistence and moving laterally through the network, the attackers deploy an updated variant of the previously known Blackout Locker ransomware, now rebranded as Milkyway. Once key systems are reached and reconnaissance is complete, the group encrypts data and demands payment to restore access.

This model illustrates the ongoing evolution of hacktivism into a hybrid threat that merges ideological narratives with a clear profit motive. Even groups with political messaging increasingly build a repeatable "attack economy" with reusable code, internal specialization, and pragmatic target selection, in line with the wider global trends described in reports such as ENISA's threat landscape publications and the Verizon Data Breach Investigations Report.

Although AI-assisted attacks on Russian organizations currently account for less than 1% of cases, Forbidden Hyena's toolkit shows that artificial intelligence is already a practical instrument for adversaries. To stay ahead, organizations should strengthen monitoring of PowerShell and Bash activity (for example, by enabling PowerShell script block logging and forwarding it to the SIEM), tightly control the use of legitimate remote access tools such as AnyDesk and of RDP, restrict and audit USB device usage, and invest in anomaly detection and internal threat intelligence capabilities. Incorporating AI-related risks into threat models today will significantly improve the chances of detecting and disrupting emerging clusters like Forbidden Hyena before they cause systemic damage.
