AI-assisted cloud intrusion achieves admin access in 8 minutes
Blog post from Sysdig
In November 2025, the Sysdig Threat Research Team observed a rapid and sophisticated attack on an AWS environment in which the attackers gained administrative access in under 10 minutes, using large language models (LLMs) for automation. The attack began with the theft of credentials from public S3 buckets. The attackers then used those credentials for privilege escalation via Lambda code injection and moved laterally across 19 AWS principals. They abused Amazon Bedrock for LLMjacking, provisioned GPU instances for resource abuse, and used several techniques to evade detection, including IP rotation and role chaining. Sysdig's analysis highlighted the importance of applying the principle of least privilege and enhancing runtime detection to counter such AI-assisted threats. The misuse of AI models, rapid enumeration of AWS services, and creation of backdoor access points underscore the evolving complexity of cloud threats, and the attack demonstrates both the speed of AI-assisted operations and the potential for AI to significantly influence offensive operations against cloud environments.
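As an added illustration of the runtime detection the summary calls for (not code from Sysdig or the original post), the sketch below correlates CloudTrail records and flags a 10-minute window in which several of the behaviours named above occur together. The signal names, the GPU family list, the threshold of three signals and all sample records are assumptions constructed for this example.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # the page reports admin access in under 10 minutes
GPU_FAMILIES = ("p3", "p4", "p5", "g4", "g5", "g6")  # assumption: families to watch

def ts(ev):
    return datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))

def signals(ev):
    """Map one CloudTrail record to the behaviours named in the write-up."""
    src, name, out = ev["eventSource"], ev["eventName"], set()
    if src == "lambda.amazonaws.com" and name.startswith("UpdateFunctionCode"):
        out.add("lambda_code_change")
    if (src, name) == ("sts.amazonaws.com", "AssumeRole") and ev["userIdentity"]["type"] == "AssumedRole":
        out.add("role_chaining")  # a role session assuming another role
    if src == "bedrock.amazonaws.com" and name.startswith("InvokeModel"):
        out.add("bedrock_invoke")
    itype = (ev.get("requestParameters") or {}).get("instanceType", "")
    if (src, name) == ("ec2.amazonaws.com", "RunInstances") and itype.startswith(GPU_FAMILIES):
        out.add("gpu_launch")
    return out

def detect(events, min_signals=3):
    """Return the first 10-minute window combining >= min_signals behaviours, else None."""
    hits = sorted((e for e in events if signals(e)), key=ts)
    for i, first in enumerate(hits):
        window = [e for e in hits[i:] if ts(e) - ts(first) <= WINDOW]
        seen = set().union(*(signals(e) for e in window))
        if len(seen) >= min_signals:
            return {"start": first["eventTime"], "signals": sorted(seen),
                    "principals": len({e["userIdentity"]["arn"] for e in window}),
                    "source_ips": len({e["sourceIPAddress"] for e in window})}
    return None

def ev(t, src, name, arn, ip, utype="AssumedRole", params=None):
    """Build a constructed, minimal CloudTrail-shaped record."""
    return {"eventTime": t, "eventSource": src, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": utype, "arn": arn}, "requestParameters": params}

# Constructed sample data: account id, role names, times and IPs are placeholders.
A = "arn:aws:sts::111122223333:assumed-role/"
SUSPICIOUS = [
    ev("2025-01-01T10:00:00Z", "lambda.amazonaws.com", "UpdateFunctionCode20150331v2", A + "dev/s1", "198.51.100.7"),
    ev("2025-01-01T10:03:00Z", "sts.amazonaws.com", "AssumeRole", A + "lambda-exec/s2", "203.0.113.9"),
    ev("2025-01-01T10:06:00Z", "bedrock.amazonaws.com", "InvokeModel", A + "admin/s3", "192.0.2.44"),
    ev("2025-01-01T10:07:30Z", "ec2.amazonaws.com", "RunInstances", A + "admin/s3", "192.0.2.44",
       params={"instanceType": "p4d.24xlarge"}),
]
ROUTINE = [ev("2025-01-01T09:00:00Z", "lambda.amazonaws.com", "UpdateFunctionCode20150331v2", A + "ci/deploy", "198.51.100.20")]

if __name__ == "__main__":
    print(detect(SUSPICIOUS))
    print(detect(ROUTINE))
```

A single signal such as a routine Lambda deployment does not fire; the finding comes from the combination inside the time window, and the principal and source-IP counts give a responder a first view of how far the session chain spread.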