LmCast :: Stay tuned in

How Malware Authors Are Incorporating LLMs to Evade Detection

Recorded: Nov. 26, 2025, 7:06 p.m.

Original Summarized

Cyberattackers are integrating large language models (LLMs) into their malware, running prompts at runtime to evade detection and augment their code on demand.

Robert Lemos, Contributing Writer, November 26, 2025, 4 Min Read

Threat actors are testing malware that incorporates large language models (LLMs) so that it can evade detection by security tools. In an analysis published earlier this month, Google's Threat Intelligence Group (GTIG) described how attackers are using AI services, such as Google Gemini and Hugging Face, to rewrite malicious code or generate unique commands for the malware to execute. The report highlighted five different programs, including an experimental VBScript program called PROMPTFLUX, which attempts to use Google Gemini to rewrite its own source code, and a Python data miner dubbed PROMPTSTEAL, which queries the Hugging Face API to analyze compromised systems for vulnerabilities. Threat actors are quickly exploring ways to further incorporate AI technologies into their programs, the researchers wrote in the analysis.

"For skilled actors, generative AI tools provide a helpful framework, similar to the use of Metasploit or Cobalt Strike in cyber threat activity," the researchers said. "These tools also afford lower-level threat actors the opportunity to develop sophisticated tooling, quickly integrate existing techniques, and improve the efficacy of their campaigns regardless of technical acumen or language proficiency."

These malware samples are the latest examples of how threat actors are evolving their tactics.
Cybercriminals are using LLMs as a development tool to create malware, or to generate legitimate-seeming applications that are actually Trojans. During the recent Black Hat Security Briefings, one researcher demonstrated how to train LLMs that can produce code that bypasses Microsoft Defender for Endpoint 8% of the time.

Attackers Are Experimenting With AI

Generally, AI-augmented malware falls into two categories: malware generated by LLMs and malware that uses LLMs during execution. So far, most AI use by cyberattackers has been to assist in coding malware. In some cases, threat actors have used AI to almost entirely automate attacks against targets. At the moment, only a minority of AI-augmented malware actually attempts to call out to LLMs during execution, says Omar Sardar, malware operations lead for the Unit 42 threat-intelligence team at cybersecurity firm Palo Alto Networks.

"The bulk of these samples appear to be prototypes, and do not appear to use the LLM output to change behavior," Sardar says, adding that most of these experimental variations have obvious execution artifacts that can be detected by current endpoint detection and response (EDR) solutions.

Google's Threat Intelligence Group described three malware samples that were "observed in operations." A reverse shell program, FRUITSHELL, has hard-coded prompts to help evade detection, while the previously mentioned PROMPTSTEAL uses calls to the Hugging Face API to return Windows commands intended to help collect information from the targeted system. A third AI-using malware sample, QUIETVAULT, utilizes AI prompts to facilitate the search for secrets on the current system and exfiltrate them to an attacker-controlled account. Two other programs were deemed experimental and not used in actual attacks.

While the guardrails of LLMs are the first line of defense against such attacks, an increasingly common approach to bypassing those defenses is for attackers to use the pretext that they are participating in a capture-the-flag tournament and need the offensive code for their exercise. A request blocked by Google Gemini's safety alignment was later satisfied when the attacker requested the same information as part of a capture-the-flag exercise, according to the researchers.

"The actor appeared to learn from this interaction and used the CTF pretext in support of phishing, exploitation, and web shell development," the researchers wrote. "This nuance in AI use highlights critical differentiators in benign vs. misuse of AI that we continue to analyze to balance Gemini functionality with both usability and security."

LLM-Generated Malware: Block and Roll

Companies should expect attackers to continue experimenting with the use of AI at runtime to generate code and adapt to specific environments, obfuscate their activity to evade detection, enhance social engineering, and facilitate dynamic decision-making, says Ronan Murphy, chief data strategy officer at Forcepoint, a provider of AI-native data security. At present, however, these activities are pretty obvious.

"These attacks work because AI services allow malware to stay flexible and unpredictable, but they also depend on external network access, making them detectable and blockable through strong egress controls and AI-service monitoring," Murphy says. "While many of these techniques are still experimental and not yet widespread, they have real potential to make attacks more adaptive and harder to defend against."

In many ways, the attempts to use LLMs at runtime mirror efforts to generate polymorphic code in the 1990s, says Amy Chang, leader of AI threat and security research at Cisco.
Companies should look for ways to use AI to detect such behavior and stay ahead of attackers.

"As security industry players tout the use of LLMs to help network and system defenders against attackers, threat actors are doing the same thing to identify those same vulnerabilities for exploitation," she says. "Leveraging machine-learning models and/or algorithms that are better able to detect deviations from expected behavior and unexpected code manifestations than traditional signature-based detection methods."

About the Author

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

The integration of large language models (LLMs) into malware development represents a significant escalation in cyberattack tactics, as detailed by Google’s Threat Intelligence Group (GTIG). Threat actors are increasingly leveraging AI services, such as Google Gemini and Hugging Face, to dynamically rewrite malicious code and generate unique commands at runtime. This strategy, exemplified by programs like PROMPTFLUX and PROMPTSTEAL, demonstrates a shift towards more adaptive and sophisticated attacks.

Initially, the experimentation focused on using LLMs to assist in coding malware, automating the process for attackers. However, GTIG’s analysis revealed a move towards utilizing LLMs during execution, creating malware that can dynamically adjust its behavior and evade detection. The observed malware samples—FRUITSHELL, PROMPTSTEAL, and QUIETVAULT—highlight this trend. FRUITSHELL incorporates hard-coded prompts to evade detection, while PROMPTSTEAL utilizes the Hugging Face API to analyze compromised systems for vulnerabilities. QUIETVAULT employs AI prompts to facilitate the search for secrets and their subsequent exfiltration.

A key element of this evolving strategy is the actor’s ability to learn and adapt. The researchers observed an attacker using a “capture-the-flag” (CTF) pretext after initially being blocked by Gemini’s safety alignment, demonstrating a capacity to exploit LLM functionality for phishing and web shell development. This highlights the importance of continuously analyzing the nuances of AI misuse.

Several experts have commented on the potential long-term implications of LLM-augmented malware. Ronan Murphy, Chief Data Strategy Officer at Forcepoint, notes that attackers are increasingly attempting to use AI to analyze security defenses, mirroring the efforts of defenders. Omar Sardar, Malware Operations Lead at Palo Alto Networks’ Unit 42, indicates that the majority of these early samples are prototypes that don't actively utilize LLMs for behavioral change, but the potential for widespread adaptation is evident.

The techniques being explored – dynamic code generation, vulnerability analysis, and social engineering – echo earlier approaches like polymorphic code development in the 1990s. Amy Chang, Leader of AI Threat and Security Research at Cisco, emphasizes the need for security players to use AI to detect these deviations from expected behavior.

This evolving landscape necessitates a proactive approach from cybersecurity professionals. Companies must expect attackers to continue experimenting with LLMs at runtime to generate code and adapt to specific environments, obfuscate their activity, and enhance social engineering. However, the reliance on external network access for many of these techniques makes them detectable and blockable through strong egress controls and AI-service monitoring. The primary challenge lies in identifying and mitigating adaptive threats, and leveraging machine-learning models to detect anomalous behavior. Ultimately, the trend signals a necessary shift in defensive strategies, focusing on continuous monitoring, behavioral analysis, and a deeper understanding of how attackers are leveraging AI to circumvent traditional security measures.
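
An added example, not taken from the article or the GTIG report, of the AI-service egress monitoring described above: it scans connection logs for calls to the Gemini and Hugging Face API hosts made by processes that are not approved to make them. The log format, the approved-process list and the sample lines are constructed assumptions.

```python
import csv
import io
from collections import Counter

# Public API hostnames of the two services the article names (a starting list; extend locally).
LLM_API_HOSTS = ("generativelanguage.googleapis.com", "api-inference.huggingface.co")
# Assumption: processes this organization has approved to call LLM APIs.
APPROVED = {"chrome.exe", "msedge.exe", "approved-ai-agent.exe"}
# Script hosts, matching the VBScript and Python samples the article describes.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "python.exe", "pythonw.exe", "powershell.exe"}

# Constructed sample log (hypothetical format: time,host,process,dest_host,bytes_out).
SAMPLE_LOG = """\
2025-11-26T10:00:01Z,ws-014,chrome.exe,generativelanguage.googleapis.com,812
2025-11-26T10:00:07Z,ws-022,wscript.exe,generativelanguage.googleapis.com,4096
2025-11-26T10:00:09Z,ws-022,WScript.exe,GENERATIVELANGUAGE.googleapis.com.,3990
2025-11-26T10:01:30Z,ws-031,python.exe,api-inference.huggingface.co,2210
2025-11-26T10:02:00Z,ws-031,python.exe,pypi.org,300
2025-11-26T10:02:11Z,ws-040,updater.exe,generativelanguage.googleapis.com.example.net,120
2025-11-26T10:03:00Z,ws-044,notepad.exe,api-inference.huggingface.co,950
"""

def is_llm_endpoint(dest):
    """Exact or subdomain match, case-insensitive, tolerating a trailing dot."""
    d = dest.strip().lower().rstrip(".")
    return any(d == h or d.endswith("." + h) for h in LLM_API_HOSTS)

def find_unapproved_llm_egress(log_text):
    """Return {(host, process): {"hits": n, "severity": s}} for unapproved LLM API calls."""
    hits = Counter()
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip malformed lines rather than abort the whole scan
        _, host, process, dest, _ = row
        proc = process.strip().lower()
        if is_llm_endpoint(dest) and proc not in APPROVED:
            hits[(host, proc)] += 1
    # A script interpreter talking to an LLM API is rated higher than other binaries.
    return {
        key: {"hits": n, "severity": "high" if key[1] in SCRIPT_HOSTS else "medium"}
        for key, n in hits.items()
    }

if __name__ == "__main__":
    for (host, proc), info in sorted(find_unapproved_llm_egress(SAMPLE_LOG).items()):
        print(f"{info['severity']:6} {host} {proc}: {info['hits']} LLM API connection(s)")
```

The same host list can drive a proxy or firewall rule that denies these destinations by default and allows them only for the approved processes.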