Cybersecurity researchers have identified what is believed to be the earliest known instance of malware that leverages a Large Language Model (LLM) to generate malicious code at runtime.
Dubbed ‘MalTerminal’ by SentinelLABS, the malware uses OpenAI’s GPT-4 to dynamically create ransomware code and reverse shells, presenting a new and formidable challenge for detection and threat analysis.
The discovery highlights a significant shift in adversary tradecraft, where the malicious logic is not hardcoded into the malware itself but is generated on-the-fly by an external AI model.
This approach can render traditional security measures, such as static signatures, ineffective, as the code can be unique for each execution. The findings were part of broader research into how threat actors are weaponizing LLMs.
A New Generation Of Adaptable Threats
Unlike other adversarial uses of AI, such as creating convincing phishing emails or using AI software as a lure, LLM-enabled malware embeds the model’s capabilities directly into its payload. This allows the malware to adapt its behavior based on the target environment.
SentinelLABS researchers established a clear definition for this threat, distinguishing it from malware simply created by an LLM, which they note remains immature.
The primary concern with LLM-enabled malware is its unpredictability. By offloading code generation to an LLM, the malware’s actions can vary significantly, making it difficult for security tools to anticipate and block its behavior.
Prior documented cases like PromptLock, a proof-of-concept ransomware, and LameHug (or PROMPTSTEAL), linked to the Russian APT28 group, demonstrated how LLMs could be used to generate system commands and exfiltrate data. These examples paved the way for hunting more advanced threats.
The breakthrough came from a novel threat-hunting methodology developed by SentinelLABS. Instead of searching for malicious code, researchers hunted for the artifacts of LLM integration: embedded API keys and specific prompt structures.
They wrote YARA rules to detect key patterns for major LLM providers like OpenAI and Anthropic. A year-long retrohunt on VirusTotal flagged over 7,000 samples with embedded keys, though most were non-malicious developer errors.
The key to finding MalTerminal was focusing on samples with multiple API keys, a redundancy tactic for malware, and hunting for prompts with malicious intent.
The researchers used an LLM classifier to score the maliciousness of discovered prompts. This strategy led them to a set of Python scripts and a Windows executable named MalTerminal.exe.
Analysis revealed it used an OpenAI chat completions API endpoint that was deprecated in November 2023, suggesting the malware was created before that date, making it the earliest known sample of its kind.
MalTerminal prompts an operator to choose between deploying ransomware or a reverse shell, then uses GPT-4 to generate the necessary code.
| File name | Purpose | Notes |
|---|---|---|
| MalTerminal.exe | Malware | Compiled Python2EXE sample:C:UsersPublicProjMalTerminal.py |
| testAPI.py (1) | Malware | Malware generator Proof-of-Concept (PoC) scripts |
| testAPI.py (2) | Malware | Malware generator PoC scripts |
| TestMal2.py | Malware | An early version of MalTerminal |
| TestMal3.py | Defensive Tool | “FalconShield: A tool to analyze suspicious Python files.” |
| Defe.py (1) | Defensive Tool | “FalconShield: A tool to analyze suspicious Python files.” |
| Defe.py (2) | Defensive Tool | “FalconShield: A tool to analyze suspicious Python files.” |
Cyber Defense for Threats
The emergence of malware like MalTerminal, PromptLock, and LameHug signals a new frontier in cyber defense. The primary challenge is that detection signatures can no longer rely on static malicious logic.
Furthermore, network traffic to legitimate LLM APIs can be difficult to distinguish from malicious use. However, this new class of malware has its own weaknesses. Its dependency on external APIs and the need to embed API keys and prompts within its code create new opportunities for detection.
If an API key is revoked, the malware can be neutralized. Researchers also discovered other offensive LLM tools, including vulnerability injectors and people search agents, by hunting for these artifacts.
While LLM-enabled malware is still in an experimental stage, its development gives defenders a critical opportunity to adapt their strategies for a future where malicious code is generated on demand.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
