Hackers Turn IT Tools Into Remote-Access Payloads

According to GBHackers reporting based on Sysdig telemetry, a financially motivated threat actor used a publicly exposed Ollama model server as the reasoning engine for an automated, multi-stage offensive framework. GBHackers says the attacker integrated unauthenticated model inference into a VAPT-style pipeline that performed service fingerprinting, vulnerability matching, web reconnaissance, payload synthesis, and command execution, with the model returning machine-parseable JSON at each stage. Sysdig captured the framework's architecture and prompt-engineered logic because the actor sent full-stage instructions on every inference call, GBHackers reports. The researchers labeled the tool "VAPT" and identified a reliable detection marker sequence used as an RCE check, echo VAPTb3gin; id; echo VAPTfin, GBHackers says. GBHackers adds that probe targets during the capture window were private practice ranges and lab networks (RFC 1918 and HackTheBox spaces), not external victims.
What happened
According to GBHackers reporting based on Sysdig telemetry, a financially motivated threat actor leveraged a publicly exposed Ollama model server as the reasoning engine for an automated, multi-stage offensive tool. GBHackers reports the attacker wrapped unauthenticated model inference into a VAPT-style pipeline that performed service fingerprinting (mapped to CPE identifiers), vulnerability matching and applicability triage, web reconnaissance that parsed pages and headers, payload synthesis including protocol-aware payloads and backdoored service triggers, and blind time-based SQL injection crafting with filter-evasion.
Technical Details
GBHackers says Sysdig researchers captured the framework's architecture and the prompt-engineered logic because the actor submitted full-stage instructions on every model call. Per GBHackers, the framework required machine-parseable JSON outputs and enforced strict, name-bound stages; it exposed a limited tool surface (request(...), payload builders, and sweep primitives) and used a reusable confirmation marker. The researchers labeled the tool "VAPT" and reported an RCE verification sequence, echo VAPTb3gin; id; echo VAPTfin, that served as a detection indicator. GBHackers also notes the framework included a "PROPOSE-ONLY" mode where the model suggested payloads and a deterministic verifier (oracles.py) validated results, demonstrating maintained software practices rather than ad-hoc scripting.
Editorial Analysis - Industry Context
Companies monitoring model-driven attack surfaces have an increased detection surface when models are exposed without authentication. Observed design choices in this incident - stage-bound JSON outputs, oracle-based verification, and embedded marker checks - mirror engineering practices used in legitimate automation tools and thus can make malicious tooling more modular and reusable across campaigns. Researchers estimate roughly 175,000 publicly exposed Ollama instances (The Hacker News, January 2026), making unauthenticated inference capacity widely available to attackers at no cost.
For Practitioners
Security teams should treat unauthenticated model endpoints as code-execution and orchestration risks, not just data-leakage endpoints. Detection opportunities highlighted by GBHackers include the presence of stage markers like the VAPTb3gin/VAPTfin pair, mandatory machine-parseable JSON traffic patterns, unusual model inference requests that include full multi-step instructions, and orchestration calls to payload-builder primitives.
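A log scanner for the indicators listed above, as an added example that is not from GBHackers, Sysdig, or the captured framework. It assumes a reverse proxy in front of Ollama writes one JSON record per request with hypothetical `src`, `path` and `body` fields; the weights and alert threshold are assumptions, and the sample records are constructed.

```python
import json
import re

# Strings reported in the article; weights and threshold are assumptions.
INDICATORS = {
    "rce_marker_pair": (re.compile(r"VAPTb3gin.*VAPTfin", re.S), 3),
    "propose_only": (re.compile(r"PROPOSE-ONLY"), 2),
    "oracle_verifier": (re.compile(r"oracles\.py"), 2),
}
ALERT_THRESHOLD = 3

def prompt_text(body):
    """Join prompt text from /api/generate and /api/chat request bodies."""
    parts = [body.get("prompt"), body.get("system")]
    parts += [m.get("content") for m in body.get("messages") or []]
    return "\n".join(p for p in parts if isinstance(p, str))

def score_request(body):
    """Return (score, hits) for one parsed inference request body."""
    text = prompt_text(body)
    hits = [n for n, (rx, _) in INDICATORS.items() if rx.search(text)]
    score = sum(INDICATORS[n][1] for n in hits)
    if body.get("format") == "json":  # weak signal, benign on its own
        hits.append("json_only_output")
        score += 1
    return score, hits

def scan(log_lines):
    """Return {source: sorted hit names} for sources that reach the threshold."""
    alerts = {}
    for line in log_lines:
        try:
            rec = json.loads(line)
            score, hits = score_request(json.loads(rec["body"]))
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # malformed record or non-object body
        if score >= ALERT_THRESHOLD:
            alerts.setdefault(rec.get("src", "unknown"), set()).update(hits)
    return {src: sorted(h) for src, h in alerts.items()}

# Constructed sample records (hypothetical proxy log, not from the article).
def _rec(src, body):
    return json.dumps({"src": src, "path": "/api/generate", "body": json.dumps(body)})
SAMPLE = [
    _rec("203.0.113.7", {"model": "example", "format": "json", "prompt":
         "PROPOSE-ONLY stage. RCE check: echo VAPTb3gin; id; echo VAPTfin"}),
    _rec("198.51.100.9", {"model": "example", "format": "json", "prompt": "Summarise as JSON."}),
    "not json at all",
]
```

A request that only asks for JSON output scores below the threshold, so ordinary structured-output traffic does not alert by itself.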
What to Watch
GBHackers reports the captured probes targeted RFC 1918 and HackTheBox ranges during the observation window; future telemetry showing similar orchestration hitting production or customer IP blocks would indicate operationalization beyond testing. Observers should also watch for reuse of the reported stage-naming conventions, "PROPOSE-ONLY" orchestration patterns, or published tooling that incorporates oracles.py style verifiers, any of which would suggest wider adoption of this approach.
Scoring Rationale
A concrete, technically detailed instance of LLMjacking evolving into autonomous offensive tooling with specific IoCs; directly relevant to AI/MLops security practitioners managing self-hosted model endpoints. Raises the category slightly from notable toward major due to practical detection value.

