AI tooling as lure, attack surface and force-multiplier — the cross-day pattern no single daily framed whole
From CTI Weekly Summary — 2026-W22 (May 25 – May 31, 2026) · published 2026-05-25
Five separate daily items this week, each minor on its own, line up into the most important emerging pattern of the window: AI products are now simultaneously a lure brand, an attack surface, and an offensive force-multiplier.
As a lure: ACR Stealer was distributed through counterfeit Claude AI download pages promoted by malicious search ads (2026-05-26), and a cryptojacking campaign used AI-chatbot search-result poisoning to steer victims to GPU-utility lookalikes that dropped ScreenConnect and process-hollowed miners under a signed Microsoft binary (2026-05-28).
As an attack surface: LLMShare malvertising hid fake outage pages inside ChatGPT share links to serve infostealers (2026-05-30); ChatGPhish abused the ChatGPT Markdown renderer's trust of third-party image URLs and links for IP exfiltration and phishing from legitimate chatgpt.com (2026-05-30); and Red Canary detailed Entra Agent ID privilege escalation, injecting credentials into agent blueprints for tenant-wide lateral movement (2026-05-30).
As a force-multiplier: Sysdig TRT documented the first observed LLM-agent-driven post-exploitation, moving from a Marimo-notebook RCE (CVE-2026-39987) to internal-database exfiltration in four pivots in under an hour (2026-05-30).
The synthesis for a public-sector SOC: treat AI-brand download and search results as a live malvertising vector (block lookalike domains, prefer vendor-canonical download paths); scope DLP and egress controls to LLM rendering and share endpoints; and govern non-human agent identities (Entra Agent IDs, service-principal-equivalent AI agents) with the same conditional-access and credential-hygiene controls applied to service principals.
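
One way to triage the lookalike-domain recommendation above over proxy logs, as an added example that is not part of the original brief. The `CANONICAL` allowlist, the log line layout and the `.example` hostnames are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit
# Assumption: registrable domains your organization has verified as
# vendor-canonical for each brand. Replace with your own vetted list.
CANONICAL = {
    "claude": {"claude.ai", "anthropic.com"},
    "chatgpt": {"chatgpt.com", "openai.com"},
}
ALLOWED = set().union(*CANONICAL.values())

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def imitated_brand(host):
    """Return the brand a hostname imitates, or None if clean or canonical."""
    host = host.lower().rstrip(".")
    # Simplification: last two labels; use the Public Suffix List in production.
    if ".".join(host.split(".")[-2:]) in ALLOWED:
        return None
    tokens = [t for t in re.split(r"[^a-z]+", host) if t]
    for brand in CANONICAL:
        for t in tokens:
            # Brand embedded in a label, or a one-character typo of it.
            if brand in t or (len(t) >= 5 and edit_distance(t, brand) <= 1):
                return brand
    return None

def scan(log_lines):
    """Return (host, brand) for each request to a suspected lookalike."""
    hosts = [urlsplit(line.split()[-1]).hostname or "" for line in log_lines]
    return [(h, b) for h in hosts if (b := imitated_brand(h))]

# Constructed proxy log lines (timestamp, client, method, URL); not real traffic.
SAMPLE = [
    "2026-05-26T09:14:02Z 10.1.4.22 GET https://claude.ai/download",
    "2026-05-26T09:15:40Z 10.1.4.22 GET https://claude-ai-setup.example/installer",
    "2026-05-28T11:02:13Z 10.1.7.9 GET https://chatgbt.example/gpu-tool",
    "2026-05-30T08:30:00Z 10.1.2.3 GET https://chatgpt.com.login-check.example/",
    "2026-05-30T08:31:00Z 10.1.2.3 GET https://intranet.example/wiki",
]
if __name__ == "__main__":
    print(scan(SAMPLE))
```

Hits are candidates for analyst review, not verdicts: a one-character tolerance also matches ordinary words close to a brand name, so pair the output with domain age or category data before blocking.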