{
	"id": "94c03a71-f100-4e19-b459-e37c46892136",
	"created_at": "2026-04-06T00:19:14.666942Z",
	"updated_at": "2026-04-10T03:23:51.63121Z",
	"deleted_at": null,
	"sha1_hash": "1190cb24f4a015f5d763f7b4e13d8162de614d5f",
	"title": "Growing Number of Threats Leveraging AI",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 55359,
	"plain_text": "Growing Number of Threats Leveraging AI\r\nArchived: 2026-04-05 13:19:36 UTC\r\nSymantec has observed an increase in attacks that appear to leverage Large Language Models (LLMs) to generate\r\nmalicious code used to download various payloads. \r\nLLMs are a form of generative AI designed to understand and generate human-like text. They have a wide range\r\nof applications, from assisting in writing to automating customer service. However, like many powerful\r\ntechnologies, LLMs can also be abused. \r\nRecent malware campaigns observed by Symantec involved phishing emails containing code used to download\r\nvarious payloads, including Rhadamanthys, NetSupport, CleanUpLoader (Broomstick, Oyster), ModiLoader\r\n(DBatLoader), LokiBot, and Dunihi (H-Worm). Analysis of the scripts used to deliver malware in these attacks\r\nsuggests they were generated using LLMs.\r\nLLM Attack Chain Examples\r\nThe following example details a campaign targeting a wide range of sectors. The attacks involve phishing emails\r\nwith attached .zip archives containing malicious .lnk files, which, once executed, trigger LLM-generated\r\nPowerShell scripts that lead to the deployment of malware. \r\nThe emails purport to relate to an urgent financing issue and contain a password-protected ZIP file, the password\r\nfor which is also included in the email. \r\nFigure 1. Phishing email with an attached password-protected ZIP file\r\nThe ZIP file contains an LNK file that, when executed, runs a PowerShell script (Figure 2) likely generated using\r\nan LLM. Functions and variables are nicely formatted with leading single-line comments that use highly accurate\r\ngrammar to explain their usage. \r\nFigure 2. LLM-generated PowerShell script\r\nThe script can easily be produced automatically using an LLM. 
We were able to produce similar results during our\r\nresearch using ChatGPT and a series of simple prompts (Figure 3).\r\nFigure 3. PowerShell script produced using ChatGPT\r\nFinal payloads deployed in this campaign included the Rhadamanthys information-stealing malware and the\r\nCleanUpLoader backdoor (aka Broomstick, Oyster). \r\nhttps://symantec-enterprise-blogs.security.com/threat-intelligence/malware-ai-llm\r\nPage 1 of 5\n\nLLM assist with phishing and payload delivery\r\nThe following example details the use of LLM-generated code to facilitate the phishing stage and the payload\r\ndelivery stage of an attack. The following describes the attack chain events.\r\n1. Initial access: User receives a human-crafted phishing email with an attachment, mimicking an HR\r\nnotification.\r\nFigure 4. Phishing email mimicking HR notification\r\n2. Execution of LLM-generated script: Opening the malicious attachment executes an HTML file with\r\nembedded JavaScript that is highly likely generated by an LLM. This script is designed to download and execute\r\nadditional payloads, although the webpage displayed in this case is fairly simple and the HTML behind it is small\r\nand quick to load.\r\nFigure 5. Webpage displayed during attack\r\nAnalysis of the HTML file, which facilitates a crucial link of the attack chain, reveals the characteristic features of\r\nan LLM-generated file (Figure 6).\r\nFigure 6. LLM-generated HTML file\r\nThe file itself can easily be produced automatically using an LLM, with little human effort required.\r\n3. 
Final payload download: By the time the user sees the page shown in Figure 5, the next stage payload – a\r\nloader for the Dunihi (H-Worm) malware – would have already been downloaded if the user has not configured\r\ntheir browser to ask for download permission first.\r\nSymantec also observed campaigns delivering the ModiLoader (DBatLoader) malware loader, the LokiBot\r\ninformation-stealing Trojan, and NetSupport remote access Trojan. The use of LLMs to generate HTML code used\r\nin these campaigns is also suspected. \r\nConclusion\r\nThe potential for AI to revolutionize our world is undeniable; however, it is also revolutionizing cybercrime. AI\r\ntools such as LLMs lower the barrier to entry for many threat actors, while increasing the level of sophistication\r\nfor others. \r\nAs we have shown, AI-powered tools have given threat actors not only the ability to quickly craft convincing and\r\ntargeted phishing emails, but also to generate malicious code that would normally require considerable expertise,\r\ntime, and resources. \r\nIt is worth highlighting that AI is only going to get better. While the benefits for society are sure to be great,\r\nmalicious actors will also benefit, using it to launch more sophisticated and effective attacks faster and at a larger\r\nscale. \r\nSymantec is at the forefront of cybersecurity, offering robust protection against the never-ending wave of new\r\nthreats, including those recently observed, highly likely generated by LLMs. 
Our security solutions are equipped\r\nwith advanced detection capabilities that block AI-based LLM-generated threats, with our threat hunting experts\r\ncontinuously monitoring the threat landscape, harvesting emerging threats, conducting detailed analysis, updating\r\nour automation models, and ensuring our customers are always protected.\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nIf an IOC is malicious and the file is available to us, Symantec Endpoint products will detect and block that file.\r\nNguyen Hoang Giang\r\nSenior Threat Analysis Engineer\r\nYi Helen Zhang\r\nThreat Analysis Engineer\r\nSource: https://symantec-enterprise-blogs.security.com/threat-intelligence/malware-ai-llm",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/threat-intelligence/malware-ai-llm"
	],
	"report_names": [
		"malware-ai-llm"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434754,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1190cb24f4a015f5d763f7b4e13d8162de614d5f.pdf",
		"text": "https://archive.orkl.eu/1190cb24f4a015f5d763f7b4e13d8162de614d5f.txt",
		"img": "https://archive.orkl.eu/1190cb24f4a015f5d763f7b4e13d8162de614d5f.jpg"
	}
}