Confirmed Campaigns Index

19 Verified LLM-Assisted
Cyber Operations

Every campaign in this index was confirmed by the named AI company or threat intelligence team. ✓ denotes direct verification. Click any source group in the sidebar to see session-by-session decompositions with behavioral bit annotations for each fragment.

Anthropic Threat Intelligence · 5 Campaigns

Anthropic-Confirmed
Campaigns

Each session prompt pattern is shown with the behavioral bits (bf) it fires and its individual safety verdict — demonstrating how every fragment passes per-query filters despite the combined chain being malicious.

Google GTIG AI Threat Trackers · 8 Campaigns

Google GTIG-Confirmed
Campaigns

GTIG named and tracked campaigns with codenames. Includes the first LLM queried in a live attack (PROMPTSTEAL), self-modifying malware (PROMPTFLUX), fileless in-memory payload (HONESTCUE), and living-off-LLM via victim's own AI (QUIETVAULT).

OpenAI Threat Intelligence · 2 Campaigns

OpenAI-Confirmed
Campaigns

ScopeCreep (iterative RAT refinement) and Russian malware clusters. Detected via cross-session behavioral analysis — exactly the pattern FragBench is designed for.

SentinelLabs / Unit42 / MSFT MDDR · 4 Campaigns

Cross-Vendor Confirmed
Campaigns

MalTerminal (GPT-4 embedded in compiled binary), WormGPT/KawaiiGPT (uncensored LLM market), AI phishing 4.5× effectiveness, and deepfake identity fraud growing 195% YoY.

Behavioral Vector Reference

The 16-Bit Behavioral
Indicator Vector bf

Each code fragment is reduced to this 16-bit vector by AST analysis. The key insight: many different prompt phrasings produce the same behavioral bit pattern, making bf robust to surface-level variation — unlike keyword matching.

ATK-01 · 6 Sessions · 9 TTPs

Data Exfiltration —
All Fragment Variations

For each session, multiple prompt phrasings and paraphrase styles are shown. Each variation produces the same behavioral bits — demonstrating why bf catches the pattern regardless of how the attacker words the request.

DATASET PROVENANCE — which campaigns generated these fragment types
01 GTG-1002 — Autonomous Espionage 6-session pipeline · Claude Code + MCP · ~30 targets
05 Chinese APT vs Vietnam 9-month campaign · full exfil lifecycle
How fragments are generated from these campaigns: Each confirmed session prompt (e.g., GTG-1002 S1 "map live hosts") becomes the canonical fragment. Variations are derived by: (1) substituting equivalent tools with same bf outcome, (2) paraphrasing the prompt in 4 distinct styles (direct technical, casual developer, context-framed, role-play), (3) documenting benign twins for FRR measurement.
ATK-02 · 9 Sessions · 9 TTPs

Ransomware Campaign —
All Fragment Variations

Session 8 (ransom calibration) is the AI-unique fragment with no behavioral bits — detection requires sequence analysis: financial analysis immediately after b10+b11 (encrypt+archive) is the signal.

DATASET PROVENANCE
02 GTG-2002 — "Vibe Hacking" Extortion 9 phases · 17 orgs · AI-calibrated >$500K ransoms
16 MalTerminal (PoC) Runtime GPT-4 payload gen · ChaCha20 encryption pattern
Dataset generation: GTG-2002 documented prompts are reverse-engineered from Anthropic threat reports. S8★ (ransom calibration) has no behavioral bits — it is the only fragment type that requires sequence context for detection. The benign twin for S8 is "analyze this quarterly report" which has identical bits (b14 only) but no upstream b10+b11 neighbors in the graph.
ATK-03 · Iterative Refinement · 6 Sessions

Malware Refinement —
All Fragment Variations

The iterative loop creates self-loop edges: fi→f'i→f''i. Semantic similarity edges fire across iterations (same intent, different syntax). Each AV-evasion prompt is a "fix my code" request.

DATASET PROVENANCE
14 Operation ScopeCreep Iterative RAT refinement · Russian group · 6 OpenAI sessions
07 PROMPTFLUX Gemini hourly self-rewrite loop · automated refinement
Dataset generation: ScopeCreep's AV-evasion loop provides ground truth for iterative refinement detection. Each "rewrite to evade X" prompt becomes a fragment. The self-loop semantic edge (cos > 0.88 between iterations) is the key signal — CodeBERT captures functional equivalence despite syntactic divergence. Paraphrase variants span from "AV detected this" to "security software is blocking my code."
ATK-04 · Supply Chain · Many Sessions

Supply Chain Operation —
All Fragment Variations

Longest kill-chain: 9 of 14 ATT&CK tactics. The graph diameter of this chain is 6 — requires L≥5 GNN layers for full context propagation from S1 to S7.

DATASET PROVENANCE
01 GTG-1002 — Autonomous Espionage MCP-orchestrated · full 9-tactic lifecycle
04 DPRK IT Fraud Fortune 500 supply chain infiltration
Dataset generation: GTG-1002 is the primary source — Anthropic's report documents each phase. The agentic MCP context means fragments were generated as tool_call() arguments rather than direct prompts. Each tool_call argument is treated as a fragment: the LLM-generated command string is parsed for bf bits the same way as any code fragment.
ATK-05 · CVE Exploitation · 4 Sessions

CVE Exploitation —
All Fragment Variations

Fang et al. 2024: 87% success with CVE description, 7% without. The fingerprint→CVE→exploit progression is the kill-chain signature FragBench detects.

DATASET PROVENANCE
01 GTG-1002 — "Claude wrote its own exploits" CVE-to-exploit translation · autonomous via MCP
Dataset generation: Fang et al. (arXiv:2404.08144) provides ground-truth exploit generation sessions with 15 real CVEs. Each CVE's fingerprint+exploit session pair becomes a CHAIN-004 instance. The E1→E3 dataflow edge (fingerprint output → CVE payload input) is the strongest single edge in FragBench's template library.
MCP Fragment Trace · GTG-1002

How Fragments Flow
Through MCP to Attack

Each LLM decision becomes a tool_call(). Each tool_call produces a fragment that FragBench parses for bf bits and adds to the account graph Ga. Watch KCC rise with every step.

MCP Fragment Trace · AI RaaS

Zero-Skill Ransomware —
Build Trace

No MCP — direct API calls. Each session is a standalone fragment. The attacker assembles the pipeline manually. FragBench detects via temporal+semantic edges between sessions from the same account.

MCP Fragment Trace · ScopeCreep

Iterative Refinement Loop —
Self-Loop Detection

Each "fix my code to evade AV" session creates a new fragment. Semantic edges fire between iterations (same C2 intent, new encoding). FragBench's self-loop chain template triggers at 3+ iterations.

MCP Fragment Trace · HONESTCUE

Fileless Payload —
What FragBench Can and Cannot See

The loader binary is a fragment. The runtime Gemini payload is NOT a fragment — it never exists in the API session. This is FragBench's fundamental limitation for fileless attacks.

GNN Pipeline · Stage 1/4

Feature Vector xf ∈ ℝd
Construction

Four groups concatenated per fragment. The same attack fragment vs its benign twin side-by-side — same behavioral bits, completely different risk scores because graph context is the differentiator.

xf = [efcodebfτfmf] ∈ ℝ768+16+14+M
Key insight: The behavioral vectors are nearly identical for attack vs benign. The risk score difference (0.78 vs 0.08) comes entirely from graph context: kill-chain edges to S2 (SSH brute) and S5 (SCP exfil) propagate through the GNN to elevate S4's node risk.
GNN Pipeline · Stage 2/4

Ga = (V, E, X, λ)
Five Edge Types

Fragments from the same account form a directed labeled multigraph. Edges are added incrementally in streaming mode. The ATK-01 graph below shows all 5 edge types connecting 6 fragments.

GNN Pipeline · Stage 3/4

Heterogeneous GAT
Message Passing

Type-specific attention weights αfg(κ,ℓ) per edge type κ. After L=3 layers, each node encodes its full L-hop neighborhood — a benign encrypt fragment "sees" the SSH brute force two hops away via kill-chain edges.

hf(ℓ) = σ(Σκ ∈ TE Σg ∈ Nκ(f) αfg(κ,ℓ) · Wκ(ℓ) · hg(ℓ-1))
GNN Pipeline · Stage 4/4

Classification Heads
& Graduated Alerts

Three output heads: node-level risk scores rf, graph-level account classification ya, and kill-chain coverage KCC(C) for subgraph template matching.

Interactive Demo

Add Fragments — Watch
the GNN Classify

Each fragment looks safe individually. Add them one by one and watch KCC rise, edges materialize, and the account classification flip: MONITORING → SUSPICIOUS → ALERT.

FragBench · Streaming Detection · ATK-01
Account graph Ga
Fragment Queue
Detection State
MITRE ATT&CK Coverage Matrix
Technique frequency heatmap across all 5 attack templates — click any badge to open on attack.mitre.org
Real-World Incident Campaigns
Change Healthcare · Nova Scotia Power · London Drugs · Covenant Health · St. Paul MN · UK Retailers · Yale New Haven · RedCurl — documented attack sessions with exact prompts
32-Bit Vector → MITRE ATT&CK Technique Map
Every behavioral indicator bit with ATT&CK technique and tactic — ★ marks new bits b17–b32
ATT&CK Kill-Chain Progression per Template
Per-session tactic flow with KCC — alert threshold 0.6