According to Dark Reading, malware authors are actively testing large language models to create malicious software that evades detection by security tools. Google’s Threat Intelligence Group recently analyzed five different programs, including an experimental VBScript called PROMPTFLUX that uses Google Gemini to rewrite its own source code, and a Python data miner named PROMPTSTEAL that queries the Hugging Face API to find system vulnerabilities. During the Black Hat Security Briefings, researchers demonstrated that LLMs could produce code bypassing Microsoft Defender for Endpoint 8% of the time. Attackers are even bypassing LLM safety guardrails by pretending their malicious requests are for capture-the-flag exercises; in one case, a request that had been blocked was later fulfilled once the attacker used this pretext. Security researchers note that while these techniques are concerning, most AI-augmented malware remains experimental, with obvious execution artifacts that current detection tools can spot.
The AI Malware Reality Check
Here’s the thing about all this AI-powered malware hype: most of it’s still pretty basic. Omar Sardar from Palo Alto Networks’ Unit 42 team says the bulk of these samples are prototypes that don’t actually use LLM output to change behavior in meaningful ways. They’re like kids playing with power tools—they’ve got the equipment, but they haven’t figured out how to build anything sophisticated yet.
And honestly, that’s both reassuring and concerning. Reassuring because current endpoint detection can catch these clumsy attempts. Concerning because the learning curve is steep, and threat actors are getting smarter fast. The fact that they’re already gaming safety systems with capture-the-flag excuses shows they’re thinking strategically about how to manipulate these AI systems.
The Two Types of AI Threats
Basically, we’re seeing two categories emerge here. First, there’s malware generated by LLMs—where attackers use AI to write the initial malicious code. This is what’s happening most often right now. Then there’s the more advanced stuff: malware that calls out to LLMs during execution to adapt in real-time.
But here’s the catch with that second category: it requires external network access to reach those AI APIs. Ronan Murphy from Forcepoint points out that this creates a major weakness—strong egress controls and AI-service monitoring can detect and block these calls. So while the idea of self-modifying malware sounds terrifying, it’s also kind of noisy and detectable if you’re looking in the right places.
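To make that egress-monitoring point concrete, here is an added example (not code from the article or from any of the researchers quoted) that runs a simple allowlist check over constructed proxy log lines: any host/process pair not approved to talk to an LLM API endpoint gets an alert, and script interpreters such as wscript.exe get a higher severity. The log format, the host list, and the allowlist are all assumptions for the demonstration.

```python
import re
from collections import Counter

# LLM API hosts to watch (constructed list; extend for your environment).
AI_SERVICE_HOSTS = {
    "generativelanguage.googleapis.com",  # Google Gemini API
    "api-inference.huggingface.co",       # Hugging Face inference API
}
# (source host, process) pairs approved to reach AI services (constructed allowlist).
ALLOWED = {("dev-ws-01", "python.exe")}
# Script interpreters are rarely legitimate AI-API clients on end-user hosts.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}
# Assumed proxy log layout: ts src= proc= dst=host:port action=
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>[^:\s]+):(?P<port>\d+) action=(?P<action>\S+)$"
)

def is_ai_host(dst):
    # Match the host itself or any subdomain of it (case-insensitive).
    dst = dst.lower()
    return any(dst == h or dst.endswith("." + h) for h in AI_SERVICE_HOSTS)

def detect(lines):
    """Return one alert per unapproved connection to an AI service host."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not is_ai_host(m["dst"]):
            continue
        src, proc = m["src"], m["proc"].lower()
        if (src, proc) in ALLOWED:
            continue  # approved client, no alert
        severity = "high" if proc in SCRIPT_HOSTS else "medium"
        alerts.append({"ts": m["ts"], "src": src, "proc": proc,
                       "dst": m["dst"], "severity": severity})
    return alerts

def summarize(alerts):
    """Count alerts per (source host, process) to spot repeated call-outs."""
    return Counter((a["src"], a["proc"]) for a in alerts)

# Constructed proxy log lines for the demonstration.
SAMPLE_LOG = [
    "2025-11-06T10:01:02Z src=dev-ws-01 proc=python.exe dst=generativelanguage.googleapis.com:443 action=allow",
    "2025-11-06T10:02:15Z src=fin-ws-17 proc=wscript.exe dst=generativelanguage.googleapis.com:443 action=allow",
    "2025-11-06T10:02:16Z src=fin-ws-17 proc=wscript.exe dst=generativelanguage.googleapis.com:443 action=allow",
    "2025-11-06T10:03:40Z src=hr-ws-04 proc=python.exe dst=api-inference.huggingface.co:443 action=allow",
    "2025-11-06T10:04:01Z src=hr-ws-04 proc=chrome.exe dst=www.example.com:443 action=allow",
]
```

Running `summarize(detect(SAMPLE_LOG))` on the constructed log yields two repeated wscript.exe call-outs from fin-ws-17 and one unapproved python.exe call from hr-ws-04, while the approved dev-ws-01 client and ordinary web traffic produce nothing.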
How Security Is Fighting Back
Now, the security industry isn’t just sitting around watching this happen. Amy Chang from Cisco makes an interesting comparison—this LLM-at-runtime stuff mirrors the polymorphic code efforts from the 1990s. We’ve been through similar arms races before.
The difference now? Both sides have AI. As defenders use machine learning to detect behavioral anomalies and unexpected code patterns, attackers are using the same technology to find vulnerabilities. It’s becoming an AI versus AI battlefield, which means traditional signature-based detection just won’t cut it anymore.
What Comes Next
So where does this leave us? We’re in the early experimental phase, but the trajectory is clear. Attackers will keep refining these techniques, making AI-powered malware more adaptive and harder to detect. The capture-the-flag pretext incident shows they’re already learning how to socially engineer the AI safety systems themselves.
The real question is: how quickly can defensive AI outpace offensive AI? Because right now, both sides are racing to incorporate these technologies, and the gap between sophisticated state actors and lower-skilled threat actors is narrowing fast. Generative AI is becoming the great equalizer in cyber threat activity—and that should worry everyone.
