What's new

ESCU version 5.16.0 released several new analytic stories and detections to strengthen visibility and defense against emerging threats across critical enterprise platforms.

Key highlights

Following is a summary of the latest updates:

  • Suspicious Ollama Activities: Introduced a new analytic story focused on monitoring misuse and abuse of locally hosted LLMs through Ollama. This story includes detections such as Abnormal Network Connectivity, Service Crash or Availability Attack, Excessive API Requests, API Endpoint Scan Reconnaissance, Memory Exhaustion Resource Abuse, Model Exfiltration or Data Leakage, RCE via Model Loading, and Suspicious Prompt Injection or Jailbreak. A dedicated TA-Ollama add-on was developed to parse Ollama server logs, enabling precise detection of adversarial prompt engineering, local model abuse, and AI-powered lateral movement scenarios.
  • Suspicious Microsoft 365 Copilot Activities: Added a new analytic story that targets emerging risks in GenAI integration with Microsoft 365 Copilot. Detections include M365 Copilot Application Usage Pattern Anomalies, Failed Authentication Patterns, Non-Compliant Devices Accessing Copilot, and Session Origin Anomalies. These analytics help security teams identify compromised identities, unauthorized device access, and abnormal usage trends associated with enterprise AI assistants.
  • LokiBot and PromptLock Malware: Expanded coverage for LokiBot, a pervasive credential-stealing Trojan distributed via phishing and malicious attachments. A new detection (Windows Visual Basic Command-Line Compiler DNS Query) was added alongside enhanced tagging across related analytics to better identify suspicious DNS communications and data exfiltration attempts.
  • PromptLock Coverage: In addition, we introduced coverage for PromptLock, the first known GenAI-driven ransomware proof-of-concept discovered by ESET in 2025. PromptLock leverages a local AI model (gpt-oss:20b) via the Ollama API to dynamically generate Lua scripts for multi-platform encryption and exfiltration. These detections focus on anomalous AI invocation patterns, file encryption activity, and use of local LLM APIs for malicious automation.
  • APT37 (Rustonotto and FadeStealer) and GhostRedirector: Expanded coverage for APT37, adding a new detection for suspicious Windows Cabinet file extraction activity linked to their Rustonotto and FadeStealer toolsets. This update enhances visibility into phishing-based infections, persistence mechanisms, and data exfiltration behavior. This release also introduces a new GhostRedirector and Rungan analytic story to track server compromises involving malicious IIS modules, SQL injection abuse, and stealthy PowerShell activity used to maintain access and manipulate web traffic.
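As an added illustration of two of the Ollama detections listed above (Excessive API Requests and API Endpoint Scan Reconnaissance), here is a small Python detector run over constructed Gin-style Ollama access lines. It is example code, not ESCU's or TA-Ollama's own logic; the log layout, the thresholds and the client addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ollama's HTTP server writes Gin-style access lines; this layout is assumed here.
GIN_RE = re.compile(r'\[GIN\] (?P<ts>\S+ - \S+) \|\s*(?P<status>\d{3}) \|\s*\S+ \|'
                    r'\s*(?P<client>[0-9a-fA-F.:]+) \|\s*[A-Z]+\s+"(?P<path>[^"]+)"')

def parse(lines):
    """One dict per Gin access line (ts, status, client, path); other lines are ignored."""
    return [{**m.groupdict(), "status": int(m["status"]),
             "ts": datetime.strptime(m["ts"], "%Y/%m/%d - %H:%M:%S")}
            for m in map(GIN_RE.search, lines) if m]

def excessive_api_requests(events, window_s=60, threshold=100):
    """Clients with more than `threshold` requests inside any sliding `window_s` span."""
    per_client = defaultdict(list)
    for e in events:
        per_client[e["client"]].append(e["ts"])
    flagged = set()
    for client, stamps in per_client.items():
        stamps.sort()
        left = 0
        for right, t in enumerate(stamps):
            while (t - stamps[left]).total_seconds() > window_s:
                left += 1          # slide the window start forward
            if right - left + 1 > threshold:
                flagged.add(client)
                break
    return flagged

def api_endpoint_scan(events, min_distinct_404=5):
    """Clients that request at least `min_distinct_404` different paths that return 404."""
    misses = defaultdict(set)
    for e in events:
        if e["status"] == 404:
            misses[e["client"]].add(e["path"])
    return {c for c, paths in misses.items() if len(paths) >= min_distinct_404}

def sample_log():
    """Constructed sample log: a noisy client, a probing client and a normal one."""
    t0 = datetime(2025, 9, 10, 12, 0, 0)
    def line(sec, status, ip, path):  # one access line, `sec` seconds after t0
        ts = (t0 + timedelta(seconds=sec)).strftime("%Y/%m/%d - %H:%M:%S")
        return f'[GIN] {ts} | {status} |  1.2ms | {ip:>15} | POST     "{path}"'
    lines = [line(i // 4, 200, "10.0.0.5", "/api/generate") for i in range(120)]  # 120 in 30 s
    lines += [line(i, 404, "10.0.0.9", f"/probe/{i}") for i in range(6)]         # endpoint probing
    lines += [line(i * 10, 200, "10.0.0.7", "/api/chat") for i in range(3)]      # benign
    return lines
```

Running `parse(sample_log())` through both functions flags 10.0.0.5 for request volume and 10.0.0.9 for endpoint probing, while the benign client stays clear.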

New analytics

Other updates

  • Updated several detections for which GitHub issues were reported. You can view the complete list of updates made to address false positives, efficiency, and improved detection logic.

  • As previously communicated in the ESCU v5.14.0 release, several detections have been removed in this release. For a complete list of the detections removed in version v5.16.0, refer to the List of Removed Detections. Users are expected to transition to the recommended replacements where applicable. Additionally, a new set of detections has been deprecated. For details on detections scheduled for removal in ESCU version v5.18.0, see the List of Detections Scheduled for Removal.