AI-Powered Threats Case Study #01: Malware Utilization & Evolution
2025.03.13

✅ Report Title:

AI-Powered Threats Case Study #01: Malware Utilization & Evolution

S2W Threat Intelligence Center has published a report on malware analysis using generative AI. This advanced threat intelligence report covers not only real-world cases of malware development leveraging AI/LLMs but also plausible hypothetical scenarios.

✅ Executive Summary:

1) Background: As AI/LLMs advance, they are being adopted across many fields, but they are also being applied to unethical ends.

- Malware developers can leverage them at various stages of malware development, including creating malicious functions, increasing sophistication, and evading detection.

2) Real Case: AI/LLM is already being used to develop malware that is currently in distribution.

- Scripts used in malware frequently contain code generated by AI/LLM.
- LLM operators have disclosed cases in which malware developers used their LLMs for malware development.

3) Hypothetical Cases: Studies demonstrate how AI/LLM can be used in various ways to make malware more sophisticated.

- Research exists in which AI/LLM automatically generates malware to lower detection rates.
- AI/LLM can create fully autonomous malware that independently assesses its situation and generates malware accordingly.

4) Implications: More sophisticated malware with a higher rate of detection evasion can be expected to emerge through AI/LLM.

📌 How can we detect malware developed using AI/LLMs?

- When code implementation is requested from an AI/LLM, the generated code typically includes comments explaining each step, and the comments and variable names are written in the user's language. Attackers often embed AI/LLM-generated code directly in their malware and distribute it, so these traces remain in the discovered malware and can sometimes be observed in malicious code found in the wild.

- For example, FunkSec is a ransomware group that uses LLMs in its malware development process. It also appears to generate documents such as ransom notes with an LLM.

- Additionally, while the FunkSec group's own writing typically contains linguistic errors or only basic English, its code uses fluent English. Together with its resemblance to LLM-generated code patterns and other indications of LLM involvement, this evidence suggests that the group uses LLMs to develop malware.

- A growing number of malware samples distributed via links or attachments in email bodies appear to have been written with LLM assistance. One example is an AsyncRat campaign targeting France, in which the VBScript used in the AsyncRat dropper embedded in malicious emails exhibits the characteristics of LLM-generated code.

- Additionally, traces of AI/LLM are frequently found in scripts used to download malware. According to Symantec's investigation, traces of AI/LLM-generated code were identified in malicious scripts that download malware such as Rhadamanthys, NetSupport, CleanUpLoader, ModiLoader, LokiBot, and Dunihi.
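As an added illustration that is not part of the S2W report, the Python below measures the traits just described (share of comment lines, a comment directly before each step, and the language of the comments) over two constructed, benign VBScript snippets; the thresholds in looks_llm_style and the sample scripts are assumptions.

```python
import re
import unicodedata
from dataclasses import dataclass

# Comment markers: VBScript ('), batch (rem), PowerShell/shell (#), JS (//)
COMMENT_RE = re.compile(r"^\s*(?:'|rem\b|#|//)\s*(.*)$", re.IGNORECASE)

@dataclass(frozen=True)
class CommentProfile:
    comment_ratio: float    # comment lines / all non-blank lines
    commented_steps: float  # share of code lines directly preceded by a comment
    avg_words: float        # mean words per comment line
    scripts: frozenset      # Unicode scripts of comment letters (LATIN, HANGUL, ...)

def profile(source: str) -> CommentProfile:
    lines = [ln for ln in source.splitlines() if ln.strip()]
    comments, scripts = [], set()
    code_lines, commented, prev_comment = 0, 0, False
    for ln in lines:
        m = COMMENT_RE.match(ln)
        if m:
            comments.append(m.group(1))
            # unicodedata.name("a") -> "LATIN SMALL LETTER A"; first word names the script
            scripts.update(unicodedata.name(c).split()[0] for c in m.group(1) if c.isalpha())
            prev_comment = True
        else:
            code_lines += 1
            commented += prev_comment  # a code line right after a comment = one commented step
            prev_comment = False
    words = sum(len(c.split()) for c in comments)
    return CommentProfile(
        comment_ratio=len(comments) / len(lines) if lines else 0.0,
        commented_steps=commented / code_lines if code_lines else 0.0,
        avg_words=words / len(comments) if comments else 0.0,
        scripts=frozenset(scripts))

def looks_llm_style(p: CommentProfile) -> bool:
    # Triage flag only; thresholds are hypothetical and tutorial code trips it too
    return p.comment_ratio >= 0.3 and p.commented_steps >= 0.5 and p.avg_words >= 4

# Constructed, benign VBScript samples in the two styles contrasted above
LLM_STYLE = """' Create a Shell object to run commands
Set objShell = CreateObject("WScript.Shell")
' Resolve the user's temp folder and write a log line there
strTemp = objShell.ExpandEnvironmentStrings("%TEMP%")
CreateObject("Scripting.FileSystemObject").CreateTextFile(strTemp & "\\log.txt", True).WriteLine "ok"
"""
TERSE_STYLE = """Set o=CreateObject("WScript.Shell")
t=o.ExpandEnvironmentStrings("%TEMP%")
CreateObject("Scripting.FileSystemObject").CreateTextFile(t&"\\log.txt",True).WriteLine "ok"
"""
```

A hit means a script deserves a closer look, not that an LLM wrote it: hand-written tutorial code shows the same pattern, and code with its comments stripped shows none.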

✅ Recommended Threat Detection and Mitigation Actions:

- Many cases exist where currently distributed malware includes AI/LLM-generated malicious code.
- Malware developers utilize AI/LLM to implement malicious functionalities or to assist in debugging malware.
- In anticipation of the rise of AI/LLM-powered malware, researchers have proposed various forms of malware leveraging AI/LLM.
- AI/LLM-generated malware is expected to continue evolving, becoming more diverse and sophisticated.

For a detailed analysis of each case, please refer to the full report via the link below.

🧑‍💻 Author: S2W TALON (Updated. 2025-02-27)

👉 Contact us: https://s2w.inc/en/contact

*The full report is available upon request.