Analyzing the Current State of AI Use in Malware
ID: 919c224c-c219-5537-a96a-50675953a4b1
STIX ID: report--919c224c-c219-5537-a96a-50675953a4b1
Feed Name: Palo Alto Networks Unit 42
Unit 42 analyzed two malware samples demonstrating current AI integration trends in malware: a ConfuserEx-obfuscated .NET infostealer that calls OpenAI GPT-3.5-Turbo for logging, naïve evasion, and obfuscation suggestions (largely unimplemented "AI theater"), and a dropper that sends host telemetry to GPT-4 to gate execution of a Sliver payload. The report details four LLM-invoking functions and sample behaviors (data collection, exfiltration, opsec logging), provides SHA256 IOCs, and assesses the implications of AI-assisted decision-making for future malware evolution.
