The first sample, a Python-based tool dubbed "Pandora," showcases a modular approach to cybercrime. While many of its functions—DDoS attacks, SQL injection, ransomware attacks and a variety of administrative bypasses—are not new, the tool integration with the LLM makes it a significant threat. The tool has a hardcoded OpenAI API key and also has a function that bruteforces the service to generate a valid API key.
 

Modular Architecture: Pandora has a wide range of functions. These include ddos, admin-finder, dorking, and ransom-maker, all designed to automate reconnaissance and exploitation as shown in figure 1.

Figure 3: Hardcoded OpenAI API key and OpenAI API generation code

The second sample is a .NET info-stealer that focuses on data exfiltration with the help of LLM usage. This is an interesting malware sample as it uses an LLM to generate code based on the environment it is running into. It sends the environment details to the LLM and asks for evasion techniques to bypass the defences. This shows novel techniques and usage of LLMs used by the malware author to bypass the system defences.  
 

• Targeted Data Exfiltration: The code's functions explicitly name its targets: ExtractBrowserCookies, ExtractChromeCookies, ExtractFirefoxCookies, and ExtractEdgeCookies as shown in Figure 4. It also targets user directories like Desktop, Documents, and Videos. 

Figure 4: Data extraction used by cryptostealer.exe

AI for Detection Evasion: The malware uses the LLM to generate custom evasion techniques (GenerateEvasionTechnique), analyze the target environment for weaknesses (AnalyzeTargetEnvironment), and create obfuscated communication protocols (GenerateObfuscatedCommunication). The ultimate goal is to generate a convincing social engineering message (socialEngineeringPrompt) to make the exfiltration traffic look legitimate as shown in Figure 5.

Figure 5: Prompts used by cryptostealer.exe

The final sample represents a much more advanced threat, although one that’s still in development. This malware binary is in development of a RAT that leverages a commercial LLM API for its core operational logic.
 

• Fileless and Evasive Execution: It loads a DLL named InMemoryCompiler.dll to compile and run new C# code directly in system memory. This enables the malware to do fileless execution without putting the code on the disk. Combined with the LLM code generation this becomes a very potent technique to bypass the detection tools as shown in Figure 6.

Figure 6: Prompt to test the in-memory compilation and execution of code

Dynamic Payload Generation via LLM: The malware's communication with the generativelanguage.googleapis.com API is not for static commands but for dynamic code generation. It sends a prompt to the AI, such as "Can you write a single, self-contained C# program...", and receives a fresh, custom payload in return. This means the attacker can change the malware's functionality at will, making it a polymorphic threat that is constantly changing. The malware binary has a hardcoded LLM API key. The .pdb file name and reference in code suggests that the malware is in development mode as shown in Figure 7.

Figure 7: References to .pdb file likely mean the malware is in development

To provide a more complete picture, here are some key data points from VirusTotal that highlight the usage of LLMs in malicious binary files.



Please note our observation: for now, malware authors are using hardcoded API keys of the LLM providers. We would not be surprised if malware authors start utilizing the LLM at the command and control (C2) side, thus avoiding embedding the API key in the malware binary, to carry out the malicious activities described in our case studies. An even more serious case involves state-sponsored threat actors, who will have the resources and infrastructure to host their own LLMs.



We have discovered more than 1,000 malicious binaries on VirusTotal that use LLM API calls to connect with LLM service providers. While some of these binaries do not directly use LLMs for malicious purposes, they are using them as a lure to install malware. Here are some statistics and data that provide insight into this evolving threat landscape.

IOCS AND YARA RULES

Escalating AI-powered threats offer more evidence that traditional, reactive security measures are no longer sufficient. Operators must embrace a proactive approach centered on continuous monitoring and immutable data protection to combat advanced threats.

Crucial among these capabilities are:

• Immutable Backups and Recovery: Immutable backups prevent ransomware and other malware from encrypting or corrupting critical data. In the event of a successful AI-powered attack, organizations can rapidly recover clean data, minimizing downtime and impact.
  
  
• AI-Powered Anomaly Detection: AI and machine learning should continuously monitor data for anomalies that may indicate a sophisticated attack. This includes detecting unusual access patterns, data exfiltration attempts, or changes in file entropy that might signal the presence of polymorphic malware.
  
  
• Continuous Data Observability: Deep visibility into data activity across the entire environment, including cloud, on-premises, and SaaS applications is critical. Continuous observability allows security teams to identify and investigate suspicious behavior in real-time, even when dealing with fileless or evasive AI-powered threats.
  
  
• Automated Threat Hunting and Response: Integrating with security orchestration, automation, and response (SOAR) platforms can automate threat hunting and response actions. This enables organizations to quickly contain and eradicate AI-powered threats, reducing the manual effort required from security teams.
   

Implementing a robust continuous monitoring and data security platform helps organizations build a resilient defense against the evolving landscape of AI-powered malware. This is critical, since such malware is no longer a future concern.