惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

aimingoo的专栏
aimingoo的专栏
V
V2EX
G
Google Developers Blog
F
Full Disclosure
Martin Fowler
Martin Fowler
宝玉的分享
宝玉的分享
H
Hacker News: Front Page
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
NISL@THU
NISL@THU
G
GRAHAM CLULEY
V
Vulnerabilities – Threatpost
Hacker News - Newest:
Hacker News - Newest: "LLM"
A
About on SuperTechFans
The Cloudflare Blog
C
Cisco Blogs
D
DataBreaches.Net
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Vercel News
Vercel News
P
Privacy International News Feed
Microsoft Security Blog
Microsoft Security Blog
Help Net Security
Help Net Security
Recorded Future
Recorded Future
PCI Perspectives
PCI Perspectives
S
Schneier on Security
AI
AI
N
News | PayPal Newsroom
雷峰网
雷峰网
C
Cyber Attacks, Cyber Crime and Cyber Security
P
Proofpoint News Feed
The Last Watchdog
The Last Watchdog
L
LINUX DO - 最新话题
Hugging Face - Blog
Hugging Face - Blog
Apple Machine Learning Research
Apple Machine Learning Research
Schneier on Security
Schneier on Security
S
Securelist
云风的 BLOG
云风的 BLOG
Stack Overflow Blog
Stack Overflow Blog
博客园_首页
AWS News Blog
AWS News Blog
TaoSecurity Blog
TaoSecurity Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Recent Commits to openclaw:main
Recent Commits to openclaw:main
博客园 - 三生石上(FineUI控件)
C
CXSECURITY Database RSS Feed - CXSecurity.com
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Cloudbric
Cloudbric
C
Cybersecurity and Infrastructure Security Agency CISA
Project Zero
Project Zero
C
Check Point Blog
S
Security Affairs

Recorded Future

The Threat Isn’t the Frontier Model Iran-Nexus TAG-182 Disseminates MarkiRAT Surveillance Tool Where Expertise Meets Algorithm: The Insikt Group® Intelligence Edge Evaluating Mexico’s New Cybersecurity Plan The Purchase Scam Tactic Headed for the World Cup | Recorded Future FortiBleed Campaign Exposing Credentials for 73,932 FortiGate Systems The Klue Security Incident and Its Impact on Recorded Future State Digital Surveillance Risk Landscape The Intelligence No One Else Has: Inside Recorded Future’s Proprietary Collection Engine The Intelligence No One Else Has: Inside Recorded Future’s Proprietary Collection Engine Cyber-Enabled Maritime Sanctions Evasion Recorded Future Launches Impact and Metrics Dashboard 2026 FIFA World Cup: What Public Safety Officials Need to Know China's Noncombatant Evacuation Operations: 2005–2025 Russia’s Defense-Based Economy Risks Forcing Putin to Fight Wars May 2026 CVE Landscape Why Holistic Sourcing Wins: The Numbers Behind the Recorded Future Advantage Threats to the 2026 FIFA World Cup Remembering Sir Alex Younger Iran Expands Handala Brand to Physical Threats The Vulnerability Flood Is Now a Board Conversation. Here's How to Lead It. At Mythos Speed: A Defender's Playbook for the AI Vulnerability Surge in 2026 April 2026 CVE Landscape Beyond Acceleration and Automation: How AI + Intelligence Changes Cyber Defense NIST NVD Enrichment Policy Change: Prioritizing Vulnerabilities with Attacker Behavior Signals A Complete History of Cybersecurity: From Early Viruses to AI-Powered Threats The Different Types of Payment Fraud and How to Prevent Them Digital Citizenship Glossary: Key Terms Every Internet User Should Know Quantum Risk Explained Threat Activity Enablers: The Backbone of Today’s Threat Landscape Recorded Future Named a Leader in the 2026 Gartner® Magic Quadrant™ for Cyberthreat Intelligence Technologies. And there’s more. Hacking Embodied AI Working in London at the World’s Largest Intelligence Company Risk Scenarios for the US’s Strategic Pivot Building with AI: Here's What No Briefing Will Tell You Lazarus Doesn't Need AGI The Money Mule Solution: What Every Scam Has in Common From Overwhelmed to Autonomous: Rethinking Threat Intelligence in 2026 Critical minerals and cyber operations Today, trust is the superpower that makes innovation possible AI Hype vs. Reality: Is AI Really Rewriting the Vulnerability Equation? Evolution of Chinese-Language Guarantee Telegram Marketplaces Emerging Enterprise Security Risks of AI From Bazooka to Fake Nikes Your Supply Chain Breach Is Someone Else's Payday 4 Essential Integration Workflows for Operationalizing Threat Intelligence Recorded Future Iran War: Future Scenario and Business Implications A New Way to Buy Recorded Future: Solutions and Packages Built for the 2026 Threat Landscape March 2026 CVE Landscape: 31 High-Impact Vulnerabilities Identified, Interlock Ransomware Group Exploits Cisco FMC Zero-Day VIP Credential Monitoring Blog Third-Party Risk Is an Intelligence Operation. It's Time We Treated It Like One. Understanding and Anticipating Venezuelan Government Actions The Iran War: What You Need to Know Day in the Life: Product Manager at Recorded Future Panorama del cibercrimen en América Latina y el Caribe Latin America and the Caribbean Cybercrime Landscape Panorama do cibercrime na América Latina e Caribe Industrialization of the Fraud Ecosystem Blog The Shift: An Era of Quantum Geopolitics ClickFix Campaigns Targeting Windows and macOS 2025 Year in Review: Malicious, Infrastructure 2025 Identity Threat Landscape Report: Inside the Infostealer Economy: Credential Threats in 2025 February 2026 CVE Landscape: 13 Critical Vulnerabilities Mark 43% Drop from January Latin America's Cybersecurity Turning Point: From Reactive Defense to Threat Intelligence Recorded Future Expands Coverage of Scams and Financial Fraud with Money Mule Intelligence from CYBERA January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day Preparing for Russia’s New Generation Warfare in Europe 2025 Cloud Threat Hunting and Defense Landscape GrayCharlie Hijacks Law Firm Sites in Suspected Supply-Chain Attack Network Intelligence: Your Questions, Global Answers Fragmentation Defined 2025's Threat Landscape. Here's What It Means for 2026 State of Security Report | Recorded Future From 27 Steps to 5: How Recorded Future Reimagined Threat Hunting with Autonomous Threat Operations Rublevka Team: Anatomy of a Russian Crypto Drainer Operation Autonomous Threat Operations in action: Real results from Recorded Future’s own SOC team | Recorded Future PurpleBravo’s Targeting of the IT Software Supply Chain Threat and Vulnerability Management in 2026 Best Ransomware Detection Tools December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity Practitioners Reveal What Makes Threat Intelligence Programs Mature GRU-Linked BlueDelta Evolves Credential Harvesting New ransomware tactics to watch out for in 2026 Digital Threat Detection Tools & Best Practices BlueDelta’s Persistent Campaign Against UKR.NET The $0 Transaction That Signaled a Nation-State Cyberattack China’s Zero-Day Pipeline: From Discovery to Deployment Cyber on the Geopolitical, Battlefield: Beyond the, “Big Fourˮ What’s Next for Enterprise Threat Intelligence in 2026 Palestine Action: Operations and Global Network Implications of Russia-India-China Trilateral Cooperation GrayBravo’s CastleLoader Activity Clusters Target Multiple Industries November 2025 CVE Landscape: 10 Critical Vulnerabilities Show 69% Drop from October 5 Real-Word Third-Party Risk Examples When the Digital World Turns Physical: The Expanding Role of Threat Intelligence in Executive Protection Critical React2Shell Vulnerability Under Active Exploitation by Chinese Threat Actors The Bug That Won't Die: 10 Years of the Same Mistake The Hidden Cascade: Why Law Firm Breaches Destroy More than Data Intellexa’s Global Corporate Web The Maturity Gap: The Next Frontier in Threat Intelligence Inside the CopyCop Playbook: How to Fight Back in the Age of Synthetic Media
AI Malware: Hype vs. Reality
2025-12-01 · via Recorded Future

Introduction

Generative AI (GenAI) and large language models (LLMs) are being rapidly integrated into all aspects of our society, from communication to cybersecurity. Enterprises and vendors are already using GenAI and LLMs to augment their defenses. Attackers are also adopting LLMs, primarily as a force multiplier rather than the one-click super malware often implied in article headlines. From phishing lures to code generation and basic orchestration, GenAI is lowering the skill barrier and speeding up familiar workflows, not unleashing a brand new class of unstoppable, fully autonomous malware.

In practice, most AI malware activity today resides in the early stages of AI maturity, focused on AI-assisted coding & tradecraft, localized content, and experimental orchestration that still relies heavily on humans and traditional tools, even as vendors rush to brand narrow proof of concepts (PoCs) or niche incidents as the first-ever AI attacks. This post cuts through that hype by introducing a simple AI malware Maturity Model (AIM3) to define what truly counts as AI malware, map recent public claims to concrete maturity levels, and give defenders a realistic view of how AI is actually changing attacker economics today and how to prepare for more capable, orchestrated threats that are clearly on the way.

What counts as “AI malware”

We define AI malware as malicious or offensive software whose core development or runtime behavior is dependent on GenAI or LLMs. The malicious software can use LLMs to generate or select commands at runtime, inspect files or environment telemetry for action planning, or orchestrate parts of the attack chain without step-by-step human input. Five types of AI malware meet this description: LLM-Translated, LLM-Generated, LLM-Deployed, LLM-Driven, and LLM-Embedded.

Types of AI Malware

Measuring AI malware maturity with AIM3

Despite the numerous types of AI malware observed over the past few years, there is a lack of consensus regarding the current state of AI malware maturity. Maturity models exist for cybersecurity adoption, such as MITRE’s “AI Maturity Model”, but there's no attacker-centric model that directly measures the sophistication of AI-enabled malware itself and the operational risk it poses to organizations. To address this gap, Recorded Future proposes the five-level AIM3 that’s helping teams determine the sophistication level of AI threats and identify where to focus detection and governance efforts. AIM3 provides defenders with a means to distinguish genuine AI-driven threats from marketing noise.

Levels of Recorded Future’s AI Malware Maturity Model (AIM3)

Levels of Recorded Future’s AI Malware Maturity Model (AIM3)

Level 1 - Experimenting:

Attackers, Researchers, and Academia are creating prototypes, toy examples, and PoCs that leverage GenAI using rudimentary methods. At this stage, individuals are merely exploring the possibilities of GenAI and LLMs for malicious applications vs. operationalizing in a serious manner.

Level 2 - Adopting:

Threat actors incorporate GenAI into familiar workflows such as authoring phishing emails, researching targets, and developing code. While the core operational tasks remain conventional, there is an emphasis on automating and supporting low-order tasks without reinventing traditional tradecraft.

Level 3 - Optimizing:

Attackers are beginning to incorporate AI into their attack chains by leveraging GenAI on-host or via APIs to perform introspection, generate commands, and adapt code in near real-time. This is a shift in focus from bespoke GenAI use to treating GenAI as an integrated part of the attack chain.

Level 4 - Transforming:

AI-native offensive frameworks emerge at this level, combining multi-step planning and tool use with a human-in-the-loop (HITL) approach. These are the early, purposeful attempts at AI-first threat operations, utilizing agentic patterns rather than bolting GenAI onto legacy playbooks.

Level 5 - Scaling:

Threat actors are building agentic systems to manage campaigns end-to-end with no human oversight. Automated decision-making is implemented at scale for the planning, execution, and persistence stages of operations. This level of sophistication represents the upper bound of GenAI capabilities that current experimentation is moving toward.

With AIM3 defined, we can now examine what has actually been reported in the public domain and in research.

What we see in the wild

Timeline of AI Malware Reports Mapped to Maturity

2023 to 2024 (Early experimentation)

  • Malterminal (AIM3: Level 1 - Experimenting) is an early malware prototype that shows an LLM-driven ransomware and remote access tool (RAT) concept with AI primarily used for code generation as a result of a human prompt. This sample was almost certainly non-hostile experimentation, based on the embedded feature that provides an assessment of maliciousness and creates a malware analysis report on the resultant payload.

Early- to mid-2025 (AI-invoking malware appears)

  • FRUITSHELL (AIM3: Level 2 - Adopting) is a PowerShell reverse shell script for penetration testers that contains hard-coded prompt instructions for attempting to bypass LLM-based analysis. The LLM awareness in the development process puts this example in the Adopting Level.
  • PROMPTFLUX (AIM3: Level 1 - Experimenting) is a malware dropper written in VBScript that uses Google Gemini to rewrite its own source code and run the new payload for persistence. This sample, labeled as experimental by Google, is one of the first instances of worm-like features using AI.
  • Lamehug a.k.a PROMPTSTEAL (AIM3: Level 3 - Optimizing) is an LLM-driven information stealer sample that invokes the HuggingFace API to generate reconnaissance commands. Discovered by CERT-UA, Lamehug is attributed to APT28 with moderate confidence, potentially marking the first use of AI malware in state-sponsored cyber operations. APT28 leveraging AI in their attack chain puts this at Optimizing Level.
  • HexStrike-AI (AIM3: Level 3 - Optimizing) is an open-source penetration testing framework powered by model context protocols (MCPs) connected to traditional red team tooling. One of the first public red teaming frameworks to leverage GenAI by deploying multiple AI agents to drive traditional tools such as nmap. The LLM invocation and agent use puts this at Optimizing Level.
  • Amazon Q Dev (AIM3: Level 2 - Adopting) for Visual Studio Code extension version 1.84.0 contained malicious prompt-injected instructions to delete local and cloud environments. Despite syntax errors preventing the code from executing properly, this example still obtained a CVE (CVE-2025-8217) due to the embedded malicious code. This is at Adopting Level due to the LLM being aware, but with an erroneous implementation.
  • Cyberspike’s Villager (AIM3: Level 3 - Optimizing) is an AI-native penetration testing framework developed by the China-based red team project, Cyberspike. It attempts to be an AI-first successor to Cobalt Strike, integrating DeepseekAI and Kali Linux to automate red team workflows. Much like HexStrike-AI, Villager employs traditional red team tooling, including AsyncRAT (a remote access tool) and Mimikatz (a credential harvester), during its operation. The LLM invocation and agent use put this at the Optimizing Level.

Late-2025 (AI-driven implementations find success)

  • OSSTUN (AIM3: Level 2 - Adopting) is a command and control (C2) framework that Google observed being developed alongside other tools by the state-sponsored threat actor RedGolf (also known as APT41), using Gemini. RedGolf LLM awareness in the development process placed this example in the Adopting Level.
  • PromptLock (AIM3: Level 1 - Experimenting) is touted as the first AI-powered ransomware that utilizes an LLM to comprehend local files and craft customized ransomware notes. Shortly after discovery, it was identified as a PoC artifact for an academic paper, putting it at Experimenting Level.
  • S1ngularity a.k.a QUIETVAULT (AIM3: Level 3 - Optimizing) is a set of malicious versions of a widely used package system, Nx, that was published to the Node.js npm registry. The package leveraged AI to exploit vulnerable GitHub Actions, stealing credentials and then exfiltrating the data to an exposed repository within the victim's GitHub account. The successful use of LLMs in their attack chain puts this at the Optimizing Level.
  • Anthropic (AIM3: Level 4 - Transforming) detailed and disrupted what they claim as the first reported AI-orchestrated cyber-espionage attack. In this case, Anthropic was able to attribute this activity to Chinese state actors who jailbroke Claude Code. The threat actors then leveraged Claude Code’s agentic capabilities to perform a variety of actions across the cyber kill chain, representing the only observed example from the AIM3 Transforming Level. However, the Anthropic report received criticism for its fully orchestrated claim, noting that the campaigns still required 10% human intervention at some decision points, which prevented it from reaching the Scaling AIM3 level.

Hype vs. reality - what’s true, what’s exaggerated

With a few years of “AI malware” headlines behind us, some patterns are clear. Most public activity sits well below the fully autonomous, Hollywood-style threats often implied by marketing.

Where the activity really is (AIM3 Levels 1–3)

Mapped to AIM3, the picture is clear: the vast majority of examples sit at Levels 1–3 (Experimenting through Optimizing), with a single contested Level 4 case and no verified Level 5 activity. Families like PromptLock, PROMPTFLUX, and MalTerminal look more like PoC exercises rather than in-the-wild malware. The Anthropic case is the single and highly contested example of Level 4 (Transforming) maturity, but even this initial example was not fully autonomous.

Seen through that lens, a few things snap into focus: fully embedded models are still theoretical, many first-ever AI malware claims rest on thin or experimental evidence, and the real inflection point to watch is not brute autonomy but steadily improving AI-driven orchestration. In other words, the data tells us where the hype is running ahead of reality and where the next genuine shifts in attacker capability are likely to appear.

BYOAI and embedded models: still hypothetical in the wild

Most of the published implementations of AI malware call cloud or remote LLMs, not locally embedded models. Even in known malicious instances, such as Lamehug, families invoke remote services, like the HuggingFace API, for LLM calls at runtime. In some cases, the payload may use locally available LLM services that make these remote calls on its behalf; however, no observed sample currently features a Bring Your Own AI (BYOAI) capability. This is effectively our LLM-Embedded category: AI malware that ships its own model to run locally on the host.

The first-ever AI malware problem

Between July and November 2025, four “first-ever” reports emerged involving Malterminal, Lamehug, PromptLock, and the Anthropic cyberattack, which claimed different aspects of the AI malware landscape. After reporting, many of these claims were subject to scrutiny by the research community as academic, experimental, or underwhelming. Although these examples represent a clear incremental evolution of scripting and automation, vendors seem quick to make stronger claims than can be independently verified in the field.

Outlook

AI malware is still in its early stages of maturity, primarily situated at the experimental to optimization levels of the AIM3 framework. What we are seeing today is AI-assisted tradecraft that mirrors traditional TTPs; a natural result of increased AI adoption, which is being observed in several other industries as well.

That said, the direction AI adoption is taking is clear. The progression from straightforward AI-generated content to AI-invoking malware and red team orchestration frameworks is a sign that more capable and autonomous operations are on the horizon. The contested Anthropic disruption is one of the first examples of this and serves as an early warning sign for defenders.

All roads lead to AI orchestration

The trajectory of AI activity clearly leads toward AI orchestration, but not yet fully scaled AI operations. Frameworks like HexStrike-AI and CyberSpike’s Villager, although still niche today, point to attacker playbooks where orchestration and AI-driven tool use become the norm. The timeline of AI malware observations shows a clear progression: starting with simple AI-generated code, moving to on-host command generation and orchestration, and culminating in agentic, multi-step operations. If these frameworks continue to mature, they are likely to require less human intervention over time.

Recorded Future Malware Intelligence helps organizations understand and protect against malware

To see how Recorded Future can help your team track malware along the AI maturity scale, watch this 3-minute video on investigating LAMEHUG malware (AIM3).