Full Report
If there’s a constant in cybersecurity, it’s that adversaries are always innovating. The rise of offensive AI is transforming attack strategies and making them harder to detect. Google’s Threat Intelligence Group recently reported on adversaries using Large Language Models (LLMs) to both conceal code and generate malicious scripts on the fly, letting malware shape-shift in real time to evade
Analysis Summary
# Tool/Technique: Large Language Model (LLM) Integration by Adversaries (General Concept)
## Overview
Adversaries are leveraging Large Language Models (LLMs) to transform attack strategies across multiple phases, primarily focusing on generating novel malicious code on-the-fly and dynamically altering malware behavior to achieve real-time evasion against conventional security controls.
## Technical Details
- Type: Technique/Framework Reliance (Offensive AI Abuse)
- Platform: Undisclosed/Flexible (Code generation implies ability to target various platforms based on script output, e.g., Windows/Linux scripts)
- Capabilities: Automated code generation, real-time code modification, evasion tactics enhancement.
- First Seen: Adversary use reported leading up to late 2025 (as per Google's and Anthropic's reporting referenced).
## MITRE ATT&CK Mapping
Since LLMs are tools enabling other activities, the mappings focus on the resulting malicious actions:
- **T1562 - Defense Evasion**
  - T1562.001 - Impair Defenses: LLMs can be used to generate payload logic specifically designed to bypass known signatures or EDR heuristics.
- **T1027 - Obfuscated Files or Information**
  - Related to techniques used to conceal code generated by LLMs.
- **T1059 - Command and Scripting Interpreter**
  - LLMs are used to generate malicious scripts for execution.
## Functionality
### Core Capabilities
- **Code Concealment:** Using LLMs to structure malicious code in ways that are harder for traditional signature analysis to detect.
- **On-the-Fly Malicious Script Generation:** Creating new, functional malware scripts dynamically during an attack sequence.
### Advanced Features
- **Real-Time Malware Shaping (Polymorphism/Metamorphism):** Malware can "shape-shift" in execution based on environmental feedback, likely guided by LLM outputs, to evade detection by conventional defenses (like EDR).
- **AI Orchestration:** In sophisticated scenarios (e.g., the AI-orchestrated cyber espionage campaign reported by Anthropic), AI manages integration across attack stages (Initial Access through Exfiltration) largely autonomously.
## Indicators of Compromise
*Note: As this entry describes a generalized technique enabled by LLMs rather than a specific piece of malware, traditional IOCs are not defined. IOCs will belong to the resulting malware/scripts.*
- File Hashes: N/A (Dynamic)
- File Names: N/A (Dynamic)
- Registry Keys: N/A
- Network Indicators: N/A (Depends on the final objective/payload)
- Behavioral Indicators: Observing rapid, context-aware changes in program behavior or script execution patterns that suggest AI-driven adaptation.
## Associated Threat Actors
- General description suggests broad adoption, especially by sophisticated actors capable of utilizing advanced/private or customized AI APIs.
- Adversaries using LLMs, as reported by Google Threat Intelligence Group, and the actors involved in the "AI-orchestrated cyber espionage campaign" (Anthropic report).
## Detection Methods
- **Behavioral Detection:** Emphasis on detecting anomalous dynamic runtime modification and advanced logic injection, rather than static code signatures.
- **Advanced EDR/XDR Analysis:** Requires deeper inspection of script execution processes and of memory to catch LLM-generated payload stages.
- **Network Detection and Response (NDR):** Crucial for detecting anomalous network traffic/behavior resulting from AI-controlled execution that EDR might miss pre-execution.
## Mitigation Strategies
- **Defense-in-Depth:** Utilizing NDR in conjunction with EDR, as EDR alone is reportedly insufficient against the speed and scale of AI-fueled threats.
- **AI/ML Security Best Practices:** Enhancing defenses to specifically counter LLM-generated obfuscation and code blending.
- **Strict Application Control:** Limiting the ability of compromised processes to execute or dynamically alter critical code segments.
## Related Tools/Techniques
- **ClickFix-related attacks:** Leveraging steganography (hiding malware in image files) as an evasion technique that slipped past signature scans.
- **RATs and Info-Stealers:** Payloads frequently deployed as a result of these AI-assisted initial compromise operations.
- **AV/EDR Disabling Tools:** Tools specialized in disrupting endpoint security software.
- **Octo Tempest:** Threat actor group noted for social engineering leading to security product compromise (disabling AV/deleting alerts).
---
# Tool/Technique: ClickFix-related Malicious Payloads
## Overview
Malware associated with "ClickFix" campaigns that heavily relies on steganography to conceal itself within seemingly benign files (like image files disguised as software updates or CAPTCHAs) to bypass signature-based scanning.
## Technical Details
- Type: Malware Family/Campaign Technique
- Platform: Undisclosed, but executed upon user interaction (deception) to deploy RATs and info-stealers.
- Capabilities: Hiding malicious code using steganography, user deception.
- First Seen: A related campaign was referenced in August 2025 reporting.
## MITRE ATT&CK Mapping
- **T1562 - Defense Evasion**
  - T1562.008 - Impair Defenses: Bypassing signature-based detection via steganography.
- **T1027 - Obfuscated Files or Information**
  - Related to hiding malicious content within image containers.
- **T1566 - Phishing**
  - T1566.002 - Spearphishing Link/Attachment: Used indirectly via deceptive UI (update screens/CAPTCHAs) leading to deployment.
## Functionality
### Core Capabilities
- Malware delivery via steganography hidden inside image files.
- Deceptive presentation (appearing as legitimate software updates or CAPTCHAs) to trick users.
### Advanced Features
- Successful evasion of traditional signature-based antivirus scans due to the hidden nature of the payload execution trigger.
## Indicators of Compromise
*Note: Specific indicators are not provided in the source text, only the technique.*
- File Hashes: N/A
- File Names: Deceptive names related to software updates or security challenges.
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: Unexpected file activity or execution stemming from image file/update prompt interactions.
## Associated Threat Actors
- Actors behind the specific "ClickFix-related attacks."
## Detection Methods
- **Behavioral Detection:** Focusing on the post-interaction behavior where the hidden data is extracted and executed.
- **Deception Awareness:** Training users to recognize and avoid deceptive UI elements like fake CAPTCHAs or update prompts.
## Mitigation Strategies
- **Application Whitelisting/Control:** Preventing unauthorized execution from atypical file types or locations.
- **User Awareness Training:** Educating users on social engineering tactics involving deceptive screens.
- **Advanced Inspection:** Implementing tools capable of deep content inspection of image files or embedded resources for latent executables.
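A minimal form of the deep content inspection described above, as an added example rather than code from the source report: it walks a PNG's chunk structure and reports bytes a viewer would ignore, such as data appended after `IEND`. The sample files are constructed inline, and the chunk allow-list is an assumption.

```python
"""Flag PNG files carrying data outside the image stream (added example)."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
STANDARD = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt",
            b"gAMA", b"sRGB", b"pHYs", b"tIME", b"bKGD", b"tRNS", b"cHRM"}
EXEC_MAGIC = {b"MZ": "PE", b"\x7fELF": "ELF"}  # executable file signatures


def chunk(ctype, data):
    """Build one PNG chunk: length, type, data, CRC-32 over type + data."""
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))


def inspect_png(blob):
    """Return findings for content a viewer ignores but a loader could read."""
    if not blob.startswith(PNG_SIG):
        return ["not a PNG"]
    findings, pos, ended = [], len(PNG_SIG), False
    while not ended and pos + 12 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        body = blob[pos + 4:pos + 8 + length]          # type + data
        crc = blob[pos + 8 + length:pos + 12 + length]
        if len(crc) < 4 or struct.unpack(">I", crc)[0] != zlib.crc32(body):
            return findings + [f"bad CRC or truncated chunk at offset {pos}"]
        if body[:4] not in STANDARD:
            findings.append(f"non-standard chunk {body[:4]!r}, {length} bytes")
        ended = body[:4] == b"IEND"
        pos += 12 + length
    if not ended:
        return findings + ["no IEND chunk"]
    trailer = blob[pos:]
    if trailer:
        findings.append(f"{len(trailer)} bytes after IEND")
        findings += [f"trailing data starts with {name} header"
                     for magic, name in EXEC_MAGIC.items()
                     if trailer.startswith(magic)]
    return findings


# Constructed samples: a 1x1 grayscale PNG, then the same file with 64
# placeholder bytes (an "MZ" marker plus zeros, not a real executable) appended.
CLEAN = (PNG_SIG + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
         + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND", b""))
SUSPECT = CLEAN + b"MZ" + b"\x00" * 62
```

This catches only container-level hiding; a payload encoded in the pixel values themselves leaves the chunk structure intact and has to be caught by the behavioral detection listed earlier.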
## Related Tools/Techniques
- Remote Access Trojans (RATs)
- Information Stealers
---
# Tool/Technique: Compromising Anti-Virus Exclusion Rules
## Overview
Threat actors are actively targeting and exploiting mechanisms that allow security products (like AV) to be configured with exclusion rules, often by combining social engineering, man-in-the-middle attacks, and SIM swapping techniques.
## Technical Details
- Type: Technique (Configuration Manipulation)
- Platform: Enterprise Network Environments (Where AV/Security Policies are managed)
- Capabilities: Achieving persistent, low-detection access by disabling or configuring AV/EDR to ignore malicious activity.
- First Seen: Research by Microsoft's threat team in October 2025 highlighted this trend.
## MITRE ATT&CK Mapping
- **T1562 - Defense Evasion**
  - T1562.001 - Impair Defenses: Directly disabling or configuring exclusions for security products.
- **T1204 - User Execution**
  - Related to the social engineering component used to convince victims.
- **T1071 - Application Layer Protocol**
  - Relevant if Attack-in-the-Middle is used to alter policy communication.
## Functionality
### Core Capabilities
- Social engineering victims into manually disabling security products or approving exceptions.
- Using technical means (AiTM, SIM swapping) to manipulate security configurations or notifications.
### Advanced Features
- Automatically deleting email notifications related to security alerts, ensuring the attacker’s presence remains undiscovered.
- Facilitating uninhibited malware spread across an enterprise network without tripping endpoint alerts.
## Indicators of Compromise
- Behavioral Indicators: Unexplained disabling of security services, automatic deletion of specific security alert emails, unusual network propagation following initial access.
## Associated Threat Actors
- Octo Tempest (Reported by Microsoft Threat Intelligence in October 2025).
## Detection Methods
- **Configuration Auditing:** Regularly auditing security product configurations for changes, especially those that grant overly broad exclusions.
- **Identity Monitoring:** Monitoring for unusual SIM swap activity or compromised credentials used to access administrative endpoints.
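One way to implement the configuration audit described above, as an added example that is not taken from the source report or any vendor's tooling: it diffs the current exclusion list against an approved baseline and flags entries that are overly broad. The `(kind, value)` export format, the Windows-style paths and the risk lists are assumptions made for illustration.

```python
"""Audit AV exclusion entries against an approved baseline (added example)."""
import ntpath

# Assumed review policy for this example; tune to the environment.
RISKY_EXTENSIONS = {".exe", ".dll", ".ps1", ".bat", ".js", ".vbs"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
USER_WRITABLE_DIRS = {"temp", "downloads", "appdata", "public"}


def classify(kind, value):
    """Return the reasons an exclusion is overly broad (empty list if none)."""
    v = value.strip().lower()
    reasons = []
    if kind == "path":
        if len(v.rstrip("\\*")) <= 2:              # "c:\", "c:\*", "*"
            reasons.append("covers an entire drive")
        if set(v.split("\\")) & USER_WRITABLE_DIRS:
            reasons.append("user-writable directory")
    elif kind == "extension":
        if "." + v.lstrip("*.") in RISKY_EXTENSIONS:
            reasons.append("executable or script file type")
    elif kind == "process":
        if ntpath.basename(v) in INTERPRETERS:
            reasons.append("script interpreter exempt from scanning")
    return reasons


def audit(baseline, current):
    """Diff current exclusions against the baseline and grade every entry.

    Returns (added, removed, broad): entries missing from the baseline,
    baseline entries no longer present, and {entry: reasons} for broad ones.
    """
    base = {(k, v.lower()) for k, v in baseline}
    cur = {(k, v.lower()) for k, v in current}
    broad = {e: r for e in sorted(cur) if (r := classify(*e))}
    return sorted(cur - base), sorted(base - cur), broad


# Constructed sample data: (kind, value) pairs as exported from a hypothetical
# AV management console. Paths and names are illustrative only.
BASELINE = [("path", r"D:\SQLData\*.mdf"),
            ("process", r"C:\Program Files\Backup\agent.exe")]
CURRENT = BASELINE + [("path", "C:\\"), ("extension", "ps1"),
                      ("path", r"C:\Users\*\AppData\Local\Temp"),
                      ("process", "powershell.exe")]
```

Entries returned in `added` are changes nobody approved and warrant review even when `classify` finds nothing wrong with them; entries in `removed` show the baseline itself has drifted.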
## Mitigation Strategies
- **Principle of Least Privilege:** Restricting which accounts (especially standard users) can modify security software settings or create exclusions.
- **Multi-Factor Authentication (MFA):** Implementing strong MFA, especially protecting against SIM swapping risks.
- **Network Monitoring (NDR):** Using NDR to track malware spread laterally, even if the EDR sensors are blind due to exclusion rules.
## Related Tools/Techniques
- SIM Swapping
- Attack-in-the-Middle (AiTM)
- Endpoint security software disabling tools.
---
# Tool/Technique: EDR Silencing/Disabling Tools (General Class)
## Overview
A category of dynamic and adaptive tools created specifically to detect, exploit, and disable Endpoint Detection and Response (EDR) software running on target systems.
## Technical Details
- Type: Malicious Tool Category
- Platform: Endpoint OS (Implied Windows/Linux, matching EDR targets)
- Capabilities: Detecting EDR presence, executing logic to disable or circumvent EDR monitoring/alerting functions.
- First Seen: Trend reported in late 2024 onward.
## MITRE ATT&CK Mapping
- **T1562 - Defense Evasion**
  - T1562.001 - Impair Defenses: Direct disabling of security software.
## Functionality
### Core Capabilities
- Detecting the presence of EDR solutions on an endpoint.
- Executing specific routines to neutralize EDR functions (e.g., blocking hooks, modifying services).
### Advanced Features
- Dynamic adaptation, suggesting these tools may use AI or complex environmental checking to remain effective against evolving EDR versions.
## Indicators of Compromise
- Behavioral Indicators: Suspicious process termination attempts targeting security services or drivers.
## Associated Threat Actors
- Various actors utilizing these specialized evasion tools.
## Detection Methods
- **Host Integrity Checks:** Verifying the ongoing integrity of EDR drivers and services independently of the EDR itself (e.g., via hypervisor or specialized security agents).
- **Network Anomaly Detection:** Relying on NDR to catch post-disabling malicious activity that the EDR would normally flag.
## Mitigation Strategies
- **EDR Diversity:** Deploying multiple, potentially vendor-diverse, defensive layers rather than relying on a single EDR solution.
- **Kernel Integrity Protection:** Strengthening protections against unauthorized modification of kernel-mode drivers, where EDR typically operates.
## Related Tools/Techniques
- Syscall manipulation (to avoid EDR monitoring layers).
- Custom malware capable of writing directly to security product configuration files.