Full Report
Learn how to detect malware that generates code at runtime. SentinelLABS reveals hunting techniques and how to uncover novel AI-enabled threats.
Analysis Summary
# Tool/Technique: LLM-Enabled Malware (General Threat Concept)
## Overview
LLM-Enabled Malware refers to malicious payloads that integrate Large Language Model (LLM) capabilities directly into their operation. The key characteristic distinguishing these threats is their ability to generate malicious code or content dynamically at runtime, bypassing traditional static analysis methods that rely on pre-embedded or fixed malicious artifacts.
## Technical Details
- Type: Technique / Malware Category
- Platform: Not explicitly stated, but likely Windows/x64 initially (typical for ransomware/APT tools), capable of impacting any system where LLM APIs are accessed.
- Capabilities: Runtime code generation, adaptive behavior, weaponization of LLM functions.
- First Seen: Research presented in November 2025, indicating emerging in-the-wild activity prior to this date.
## MITRE ATT&CK Mapping
This emerging concept spans multiple tactics, focused heavily on evading detection and executing code:
- **TA0002 - Execution**
- T1059.005 - Command and Scripting Interpreter: Visual Basic
- T1620 - Instruction Injection (Potential for dynamically generated code execution)
- **TA0005 - Defense Evasion**
- T1140 - Deobfuscate/Decode Files or Information (If prompts/keys are decoded)
- T1027 - Obfuscated Files or Information (Runtime generation acts as a form of obfuscation)
## Functionality
### Core Capabilities
- Leveraging embedded Large Language Model capabilities within the malicious payload.
- Generating malicious code or content dynamically at runtime, rather than relying on static embedding.
- Hardcoding configuration artifacts (API keys, prompts) which serves as a critical detection opportunity.
### Advanced Features
- Potential for highly adaptive or context-aware malicious operations due to LLM integration.
- Discovery of novel samples like "MalTerminal," potentially the earliest known LLM-enabled malware.
## Indicators of Compromise
Indicators focus on the hardcoded dependencies used by the malware creators:
- **File Hashes:** Over 7,000 samples and 6,000+ unique API keys identified in a retrohunt, no specific hashes provided in the summary.
- **File Names:** Not detailed, but includes examples like "MalTerminal".
- **Registry Keys:** Not detailed.
- **Network Indicators:** Reliance on external LLM API endpoints (e.g., OpenAI infrastructure) for generating payloads or performing tasks. (No specific defanged URLs provided).
- **Behavioral Indicators:** Executing processes that interact with API key identifiers or structures associated with major LLM providers.
## Associated Threat Actors
- **APT28:** Associated with campaigns like LameHug/PROMPTSTEAL.
- General Adversaries leveraging AI themes or tools.
## Detection Methods
The research highlights limitations with traditional methods and proposes novel hunting techniques:
- **Signature-based detection:** Ineffective against runtime-generated code.
- **Behavioral detection:** Needs enhancement to detect dynamic execution linked to LLM calls.
- **YARA Rules:** Used for *wide API key detection*, targeting specific provider key structures (e.g., OpenAI's Base64-encoded identifiers).
- **Prompt Hunting:** Searching for hardcoded prompt structures within binaries, often paired with lightweight LLM classifiers to verify malicious intent.
## Mitigation Strategies
- Focus detection efforts on the static artifacts that cannot be obfuscated: hardcoded API keys and prompts.
- Implement comprehensive YARA rules targeting known LLM API key formats embedded in binaries.
- Develop and apply lightweight LLM classifiers trained to identify malicious intent within dynamically generated code segments.
## Related Tools/Techniques
- **PromptLock ransomware:** An example of malware leveraging LLM capabilities.
- **LameHug/PROMPTSTEAL:** Specific campaigns attributed to APT28 utilizing LLM components.
- **MalTerminal:** Potentially the earliest discovered LLM-enabled malware.