{
  "name": "How attackers are jailbreaking LLMs with CTF framing and how to catch them",
  "slug": "how-attackers-are-jailbreaking-llms-with-ctf-framing-and-how-to-catch-them",
  "description": "Threat actors are bypassing AI model safety guardrails by framing exploit requests as legitimate security research, such as capture-the-flag challenges or CVE-hunting exercises. This technique manipulates upstream LLMs into generating working exploit code that attackers deploy against real targets. Multiple independent operators have been observed targeting five applications\u2014PraisonAI, LiteLLM, FastGPT, Open-WebUI, and Gotenberg\u2014using CVE-templated User-Agent strings and similar framing across multiple other fields, including passwords and AWS session names. The jailbreak framing leaks into every LLM-generated field because the model incorporates the prompt context into its output. This pattern represents a shift from manually written scanners to LLM-assisted exploit generation, creating detectable fingerprints\u2014across request headers, account aliases, and IAM session names\u2014that legitimate traffic rarely exhibits.",
  "published": "2026-06-15T19:33:12.547000+00:00",
  "created_at": "2026-06-16T11:48:52.307000+00:00",
  "modified_at": "2026-06-16T09:48:52+00:00",
  "created_at_opencti": "2026-06-16T11:48:52.307000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "ai agent exploitation",
    "ai platform targeting",
    "credential harvesting",
    "ctf framing",
    "cve exploitation",
    "cve-2026-33017",
    "cve-2026-39987",
    "cve-2026-40281",
    "cve-2026-42208",
    "cve-2026-42266",
    "cve-2026-42271",
    "cve-2026-42302",
    "cve-2026-42589",
    "cve-2026-44336",
    "cve-2026-44694",
    "cve-2026-45301",
    "cve-2026-45331",
    "cve-2026-45397",
    "cve-2026-45672",
    "cve-2026-47391",
    "llm jailbreaking",
    "prompt injection",
    "rce campaigns"
  ],
  "tags": [
    "2026-06-15",
    "CVE-2026-33017",
    "CVE-2026-39987",
    "CVE-2026-40281",
    "CVE-2026-42208",
    "CVE-2026-42266",
    "CVE-2026-42271",
    "CVE-2026-42302",
    "CVE-2026-42589",
    "CVE-2026-44336",
    "CVE-2026-44694",
    "CVE-2026-45301",
    "CVE-2026-45331",
    "CVE-2026-45397",
    "CVE-2026-45672",
    "CVE-2026-47391",
    "ai agent exploitation",
    "ai platform targeting",
    "credential harvesting",
    "ctf framing",
    "cve exploitation",
    "llm jailbreaking",
    "prompt injection",
    "rce campaigns"
  ],
  "related_entities": {
    "vulnerabilities": [
      {
        "id": "d48adb7b-1737-499c-aeb6-d7fbf2a98f17",
        "name": "CVE-2026-39987"
      },
      {
        "id": "24214050-4274-4b46-aabf-f287300234ed",
        "name": "CVE-2026-40281"
      },
      {
        "id": "a16c12ae-c97b-4b5a-bb3c-4490839a722e",
        "name": "CVE-2026-42208"
      },
      {
        "id": "e723c0e0-ac40-4ec0-93e1-55909d843d52",
        "name": "CVE-2026-45672"
      },
      {
        "id": "8017c024-9dc3-4bca-9e55-d35e68166c09",
        "name": "CVE-2026-45301"
      },
      {
        "id": "ccc956d2-9b82-4403-97a8-4ab428a7c3ea",
        "name": "CVE-2026-42589"
      },
      {
        "id": "47f3fdda-fc71-46a5-8e31-f8f0d524622c",
        "name": "CVE-2026-0770"
      },
      {
        "id": "db13e3a8-6680-4900-a4fe-098330ac35b1",
        "name": "CVE-2026-47391"
      },
      {
        "id": "1dfc1331-e18e-492c-a182-b5334776965b",
        "name": "CVE-2026-44336"
      },
      {
        "id": "bf2240e6-e00a-4ad5-804a-0a5ceb5b879b",
        "name": "CVE-2026-45331"
      },
      {
        "id": "103ba8bc-6a0d-474e-aa2c-d496684f3841",
        "name": "CVE-2026-42271"
      },
      {
        "id": "658866f4-a3a3-4685-95d3-89eef5369b32",
        "name": "CVE-2026-33017"
      },
      {
        "id": "a057b738-aea5-40a6-92d7-c373ff6cf265",
        "name": "CVE-2026-44694"
      }
    ],
    "indicators": [
      {
        "id": "be86e90e-41e1-4a15-8654-63f54983886c",
        "name": "115.171.80.253"
      },
      {
        "id": "524c8c39-963c-4a16-bbd6-c8fb590a7e48",
        "name": "38.181.81.164"
      },
      {
        "id": "10f0d5ea-c693-40bc-8abb-20ad353be0b6",
        "name": "68.77.201.89"
      },
      {
        "id": "54091eb0-7a49-442c-ae7d-6a4f467b79cd",
        "name": "212.107.30.69"
      },
      {
        "id": "f137afff-0ae8-463c-983f-69a4e5b27549",
        "name": "103.142.140.246"
      },
      {
        "id": "2c990cb5-426b-4c5b-8949-8f617bc4fdb2",
        "name": "103.142.140.238"
      }
    ],
    "observables": [
      {
        "id": "aea150d9-e66b-46db-a33b-57e2d21e7c87",
        "name": "103.142.140.238"
      },
      {
        "id": "3c90fab6-f157-47dd-b8b1-ed50ea2b0258",
        "name": "38.181.81.164"
      },
      {
        "id": "58a0613b-1e49-45ae-b73f-33310099a8e2",
        "name": "103.142.140.246"
      },
      {
        "id": "6e10367c-b0f6-4449-8407-b06b42d3e140",
        "name": "115.171.80.253"
      },
      {
        "id": "cf286f20-71df-4ee0-b0e3-eb6f72964b68",
        "name": "212.107.30.69"
      },
      {
        "id": "b0a62813-2096-4427-900f-affe5fd14ad4",
        "name": "68.77.201.89"
      }
    ]
  },
  "external_refs": [
    {
      "id": "0d05a1a0-0ff3-4ad6-a5a9-77e671c95c66",
      "standard_id": "external-reference--0b339155-a0f0-5487-853a-1ffd6ad4dee8",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/6a30537886784fbb90bd4a5b",
      "hash": null,
      "external_id": "6a30537886784fbb90bd4a5b",
      "created": "2026-06-16T11:48:52.241Z",
      "modified": "2026-06-16T11:48:52.241Z",
      "createdById": null
    },
    {
      "id": "181993ad-981f-4158-a8eb-e37d907c53f3",
      "standard_id": "external-reference--fa622255-4602-52cc-b45a-fc14d825dcd8",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://www.sysdig.com/blog/how-attackers-are-jailbreaking-llms-with-ctf-framing-and-how-to-catch-them",
      "hash": null,
      "external_id": null,
      "created": "2026-06-16T11:48:52.266Z",
      "modified": "2026-06-16T11:48:52.266Z",
      "createdById": null
    }
  ]
}