As businesses rapidly integrate artificial intelligence into their core operations, a new and shadowy battlefield has emerged where malicious actors are meticulously mapping the exposed infrastructure of corporate large language models (LLMs). Researchers have recently uncovered two distinct and large-scale campaigns that, combined, have launched nearly 100,000 probing attacks against these AI services, signaling a significant shift in cyber threats. These operations are not focused on immediate disruption but on methodical reconnaissance, building a detailed map of the expanding AI attack surface for future exploitation. Detected by a security honeypot between October and the present, these activities reveal a concerted effort by attackers to understand and catalog the AI deployments that companies are moving from experimental sandboxes into full-scale production environments. The findings serve as a critical warning that any publicly facing LLM is likely already on an attacker’s radar.
1. A Tale of Two Cyber Campaigns Against AI Platforms
The initial campaign, which was active from October 2025 through January, presented a complex profile that blended characteristics of both ethical security research and more aggressive gray-hat operations. This campaign, originating from 62 distinct IP addresses across 27 countries, primarily leveraged server-side request forgery (SSRF) vulnerabilities. The attackers employed two main vectors to exploit these weaknesses. The first involved injecting malicious registry URLs into targeted systems, compelling the servers to initiate HTTP requests to attacker-controlled infrastructure. The second method manipulated MediaUrl parameters to achieve a similar outcome, triggering outbound connections that confirmed the vulnerability. The techniques used, particularly the reliance on ProjectDiscovery’s Out-of-band Application Security Testing (OAST) infrastructure for callback validation, strongly suggest the involvement of security researchers or bug bounty hunters. OAST tools are a hallmark of such legitimate testing, as they provide a reliable way to confirm the successful exploitation of vulnerabilities that do not produce an immediate, direct response.
However, despite the use of standard security research tools, the sheer scale and timing of the first campaign raised significant concerns, pushing its classification into the realm of gray-hat activity. The operation saw a dramatic and unusual spike over the Christmas holiday, with 1,688 attack sessions recorded in just 48 hours. This timing is often chosen by malicious actors to take advantage of reduced security staffing and slower response times within organizations. Furthermore, the broad and persistent nature of the probing suggests an effort that goes beyond typical, narrowly focused bug bounty hunting. While potentially not overtly malicious in its immediate intent, this campaign demonstrated how aggressive reconnaissance techniques can be used to systematically map vulnerabilities across a wide array of targets. The operation effectively blurred the lines between ethical hacking and unauthorized probing, creating a noisy and potentially disruptive environment for security teams trying to distinguish between legitimate research and the prelude to a genuine attack.
2. A More Malicious and Methodical Threat
In stark contrast to the first operation, the second campaign, which began on December 28, exhibited all the signs of a deliberate and malicious reconnaissance effort. Researchers have labeled this campaign as the one that should genuinely concern organizations due to its methodical and comprehensive approach. Over an intense 11-day period, this campaign generated 80,469 sessions from just two IP addresses, systematically probing more than 73 different LLM endpoints. The primary objective appeared to be the identification of misconfigured proxy servers, which could later be used for more invasive attacks. The attackers demonstrated a deep understanding of the current AI landscape, targeting every major model family available. The list of targets included models from OpenAI (such as GPT-4o and its variants), Anthropic (Claude Sonnet, Opus, and Haiku), Meta (Llama 3.x), Google (Gemini), as well as models from DeepSeek, Mistral, Alibaba (Qwen), and xAI (Grok). This widespread targeting indicates a well-resourced and knowledgeable threat actor investing significant effort to map the entire corporate AI ecosystem.
The technical sophistication of the second campaign was evident in its stealthy methodology. The attackers used deliberately innocuous queries when testing the APIs of the various LLM services. This tactic was likely designed to fingerprint which specific model would respond to a request without triggering security alerts or intrusion detection systems that are often tuned to look for overtly malicious commands. By keeping the queries simple, the attackers could effectively catalog active and exposed endpoints while remaining under the radar. Further investigation into the two IP addresses responsible for this campaign revealed a troubling history. These same IPs had been previously observed exploiting numerous high-profile CVEs, including React2Shell (CVE-2025-55182) and CVE-2023-1389, along with over 200 other known software flaws. This established history of malicious activity, combined with the scale of the LLM probing, strongly suggests that the collected information is intended for future offensive operations, transforming this reconnaissance into a prelude for more damaging attacks.
3. Strengthening Defenses Against LLM Probes
To counter the immediate threats posed by these reconnaissance campaigns, organizations must adopt a multi-layered defense strategy focused on both prevention and detection. The first line of defense is to block the known indicators of compromise. Security teams should immediately blacklist the OAST callback domains and specific IP addresses identified as malicious infrastructure. However, since attackers frequently rotate their infrastructure, this step alone is insufficient. A more robust approach involves implementing strict egress filtering to lock down model pulls. This technique prevents SSRF callbacks from successfully reaching attacker-controlled servers, effectively neutralizing the method used to confirm vulnerability exploitation. By controlling outbound traffic, organizations can disrupt the feedback loop that attackers rely on to validate their probes. Furthermore, blocking OAST domains at the DNS level provides an additional layer of protection, severing the callback channel entirely and making it much more difficult for attackers to confirm a successful breach.
Beyond blocking known threats, proactive monitoring and detection are essential for identifying and mitigating sophisticated probing activities. Security teams should configure alerts to detect enumeration patterns, such as rapid-fire requests hitting multiple model endpoints from a single source in a short period. This behavior is a strong indicator of an attacker attempting to map an organization’s AI services. It is also crucial to watch for the subtle fingerprinting queries used in the second campaign. Monitoring for unusually simple or generic queries aimed at different model APIs can help identify stealthy reconnaissance before it escalates. To further enhance detection capabilities, organizations can implement rate-limiting on suspicious Autonomous System Numbers (ASNs), particularly those like AS152194, AS210558, and AS51396, which featured prominently in the observed attack traffic. Finally, monitoring network traffic using modern standards like JA4+ can help identify the automated tooling and scripts that attackers use, allowing security teams to catch campaigns at their earliest stages by fingerprinting the connection itself, not just its content.
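The enumeration alert described above, as an added example that is not part of the article or the researchers' tooling: it replays constructed proxy log lines (timestamp, source IP, requested model, prompt length) through a sliding window and flags any source that requests many distinct models within a short period, also reporting how many of those requests carried the unusually short prompts typical of fingerprinting. The log format, window, thresholds and IP addresses are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not from the article): timestamp, source IP,
# requested model name, prompt length in characters. 203.0.113.7 sweeps six
# model families with 5-character prompts in six seconds; 198.51.100.20 is a
# normal client sending long prompts to a single model.
SAMPLE_LOG = """\
2025-12-28T10:00:01Z 203.0.113.7 gpt-4o 5
2025-12-28T10:00:02Z 203.0.113.7 claude-sonnet 5
2025-12-28T10:00:03Z 203.0.113.7 llama-3.1-70b 5
2025-12-28T10:00:04Z 203.0.113.7 gemini-pro 5
2025-12-28T10:00:05Z 203.0.113.7 deepseek-chat 5
2025-12-28T10:00:06Z 203.0.113.7 mistral-large 5
2025-12-28T10:00:01Z 198.51.100.20 gpt-4o 240
2025-12-28T10:05:00Z 198.51.100.20 gpt-4o 310
"""

WINDOW_SECONDS = 60            # assumed sliding window length
DISTINCT_MODEL_THRESHOLD = 5   # assumed: this many distinct models in one window is enumeration
SHORT_PROMPT_CHARS = 16        # assumed cutoff for a "generic" fingerprinting prompt


def parse_line(line):
    """Parse one constructed log line into (datetime, src_ip, model, prompt_len)."""
    ts, src, model, plen = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, model, int(plen)


def detect_enumeration(log_text, window=WINDOW_SECONDS, threshold=DISTINCT_MODEL_THRESHOLD):
    """Return {src_ip: (distinct_models, short_prompt_ratio)} for every source
    that hit at least `threshold` distinct models inside any `window`-second span."""
    per_src = defaultdict(deque)   # src -> recent (ts, model, prompt_len) events in time order
    alerts = {}
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    for ts, src, model, plen in events:
        q = per_src[src]
        q.append((ts, model, plen))
        while (ts - q[0][0]).total_seconds() > window:   # drop events outside the window
            q.popleft()
        models = {m for _, m, _ in q}
        if len(models) >= threshold:
            short_ratio = sum(1 for _, _, p in q if p <= SHORT_PROMPT_CHARS) / len(q)
            alerts[src] = (len(models), round(short_ratio, 2))   # keep the latest, widest view
    return alerts


if __name__ == "__main__":
    for src, (n_models, ratio) in detect_enumeration(SAMPLE_LOG).items():
        print(f"ALERT {src}: {n_models} distinct models in {WINDOW_SECONDS}s, "
              f"{ratio:.0%} short prompts")
```

In production the same check would run over the API gateway or reverse-proxy access log, with the source key optionally widened from a single IP to an ASN so that rotating addresses within the same network still accumulate.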
A New Era of AI-Centric Security
The discovery of these two campaigns marked a turning point in the understanding of threats targeting enterprise AI. It became clear that as organizations moved LLMs from research into production, attackers had already begun a systematic effort to map this new frontier for weaknesses. The methodical probing and large-scale reconnaissance revealed a strategic investment by threat actors who were no longer just experimenting with AI but were actively preparing for future exploitation. The campaigns underscored the urgent need for a security-first approach to AI deployment. The strategies developed in response—from implementing egress filtering and DNS-level blocking to advanced monitoring of enumeration patterns and network fingerprints—formed the basis of a new security playbook. This playbook was built on the recognition that protecting AI required more than just securing the model itself; it demanded a comprehensive defense of the entire infrastructure supporting it. The events served as a critical lesson: in the age of AI, the first battle was not for control, but for information.