NCC Group flags AI fraud platform Kitana in attacks
Fri, 26th Jun 2026
NCC Group researchers have identified Kitana, an AI-assisted fraud platform used in attacks on online consumers. The tool has targeted hospitality platforms in the US and Canada, as well as eCommerce sites in Chile and Saudi Arabia.
Kitana is an adversary-in-the-middle platform designed to trick users into entering payment details, passwords and one-time authentication codes on fake versions of legitimate websites. Attackers can then capture those details while observing and intervening in sessions in real time.
Researchers said the platform differs from more established web-skimming operations such as Magecart because it does not depend on compromising a merchant's website. Instead, victims are routed through attacker-controlled domains that mirror genuine sites, giving operators direct visibility into user activity.
According to NCC Group's analysis, the system combines a transparent reverse proxy with real-time operator control and command-and-control functions through Telegram. Exposed infrastructure suggests the tool remains under active development.
The discovery stemmed from analysis of an IP address previously associated with a supply chain compromise. Fifteen days after that activity, researchers found a login page for a "Kitana Project Panel" on the same host.
NCC Group said code linked to the operation points to wider potential use beyond the countries already observed. Researchers also found what they described as insecure development practices, including hardcoded credentials and API keys embedded in scripts.
The finding was part of a wider threat intelligence report that also tracked global ransomware activity in May. The report recorded 749 ransomware attacks worldwide, almost unchanged from 748 in April, suggesting criminal activity remained at a high level.
Industrials remained the most targeted sector, accounting for 29% of recorded attacks. North America was again the most affected region.
Qilin was the most active ransomware operation in May, responsible for 15% of all observed attacks, up 8% from April. The Gentlemen ranked as the second most active threat group for the second straight month and increased its share by 6% over the same period.
By contrast, DragonForce recorded an 8% decline in ransomware attacks, while Akira's activity fell by 17%. The shifts point to a ransomware landscape in which a small number of groups continue to account for a large share of incidents, even as rankings change from month to month.
Blurred lines
The report also highlights a growing overlap between state-backed cyber operations and financially motivated ransomware activity. Researchers pointed to reports linking an Iranian state-backed MuddyWater campaign to activity disguised as Chaos ransomware.
According to the analysis, that operation used ransomware branding, extortion notes and victim negotiation channels in what researchers described as an effort to conceal espionage or intelligence objectives and make attribution harder. Such tactics complicate response efforts for victim organisations because an apparent ransomware case may mask a different strategic purpose.
Matt Hull, vice president of cyber intelligence and response at NCC Group, said: "Historically, organizations could draw a relatively clear distinction between ransomware attacks driven by financial gain and nation-state operations designed to support strategic objectives. That distinction is becoming increasingly difficult to make.
"What we're seeing is a convergence of criminal and state-backed activity. Threat actors are sharing infrastructure, adopting common tooling and, in some cases, deliberately operating behind established ransomware brands to obscure attribution and delay response efforts.
"This creates a more complex threat environment. Organisations can no longer assume a ransomware incident is purely financially motivated. Understanding an adversary's behavior, objectives and operational context is becoming just as important as identifying the malware or ransomware group involved."
NCC Group said the trend reflects a wider pattern in which state-aligned actors borrow methods long associated with cybercriminal groups. The report said organisations in critical infrastructure, supply chains and strategically important industries are likely to remain attractive targets for espionage and long-term network access.
NCC Group also linked Kitana to a broader shift in AI-assisted cybercrime tooling. The platform shows how attackers are using AI in development work to build convincing fraud infrastructure while also exposing weaknesses in coding and operational security.
For defenders, that creates a mixed picture: more adaptable and deceptive attacks on one side, but mistakes in implementation on the other. The exposed Kitana infrastructure contained hardcoded credentials and API keys, suggesting development "without sufficient technical oversight."