
The AI Malware Surge: Behavior, Attribution, and Defensive Readiness

AI-assisted malware development has rapidly matured, driven largely by the adoption of models like DeepSeek R1, which lowers the barrier to entry for threat actors. This surge has resulted in a high volume of structurally novel malware, including infostealers, RATs, and ransomware, many of which evade traditional signature-based detection while leaving distinct LLM-generated artifacts in their code.

Confidence: high | Analyzed: 2026-03-24 | Category: reports

Authors: Arctic Wolf Labs

Actors: NyxStealer, TroyStealer, D0MINAG0N, deepseek_rootkit, Alastor 2025, Pika Dropper, PHANTOM_REALM, SHADOW_REALM, Somalifuscator Loader, BlueSky Inject, BunnyKit, WindowsAudioService RAT

Source: Arctic Wolf

IOCs · 4

Key Takeaways

  • AI-assisted malware development has surged, with DeepSeek R1 heavily adopted by threat actors to generate functional malware rapidly.
  • 39% of analyzed AI-generated samples had zero AV detections at the time of collection, highlighting the structural novelty of AI-generated code.
  • Threat actors leave distinct LLM artifacts in code, such as '[citation:N]' markers, verbose comments, emojis, and 'deepseek_' filename prefixes.
  • While most AI malware originates from low-tier actors, mature groups (e.g., NyxStealer) use AI to accelerate MaaS development and evasion.
  • AI is increasingly integrated at runtime (8% of samples) for dynamic text generation, adaptive behaviors, and API abuse.

Affected Systems

  • Windows
  • Linux
  • Redis
  • SSH

Vulnerabilities (CVEs)

  • CVE-2026-0828
  • CVE-2025-7771

Attack Chain

Threat actors utilize AI models like DeepSeek R1 to rapidly scaffold and generate malware, including infostealers, RATs, and rootkits. Initial access often occurs via RDP or dropped payloads, followed by persistence mechanisms such as scheduled tasks, IFEO hijacks, and registry run keys. The malware executes defense evasion techniques like timestomping and hidden directories, before achieving its primary objective, such as extracting browser credentials or establishing C2 via Telegram bots and Discord webhooks.

Detection Availability

  • YARA Rules: Yes
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: Arctic Wolf

Arctic Wolf developed custom YARA rules (e.g., AI_Gen_EmojiInCode_Batch, AI_Gen_LLMApiAbuse_MultiPlatform) to detect LLM-generation artifacts, though the rule bodies are not publicly shared in the report.

Detection Engineering Assessment

  • EDR Visibility: High — AI-generated malware still relies on standard OS APIs for execution, persistence (scheduled tasks, registry keys), and credential access, which are highly visible to modern EDR solutions.
  • Network Visibility: Medium — C2 traffic often uses legitimate services like Telegram and Discord, blending in with normal traffic, though beaconing patterns and hardcoded API keys can be detected.
  • Detection Difficulty: Moderate — While the malware payloads are structurally novel and evade static AV (39% evasion rate), their post-exploitation behaviors follow known patterns that behavioral analytics can catch.

Required Log Sources

  • Process Creation (Event ID 4688/Sysmon 1)
  • File Creation (Sysmon 11)
  • Registry Event (Sysmon 12/13/14)
  • Scheduled Task (Event ID 4698)

Hunting Hypotheses

  • Hypothesis: Hunt for unusual scheduled task creation (e.g., D0MINAG0N, HiddenOptimizer) combined with script execution (PowerShell/BAT) originating from user profile directories.
    • Telemetry: Event ID 4698 (Scheduled Task Created), Event ID 4688 (Process Creation)
    • ATT&CK Stage: Persistence
    • FP Risk: Low
  • Hypothesis: Look for modifications to the IFEO registry key for utilman.exe pointing to unusual binaries like sihost32.exe.
    • Telemetry: Sysmon Event ID 13 (Registry Value Set)
    • ATT&CK Stage: Persistence / Privilege Escalation
    • FP Risk: Low
  • Hypothesis: Monitor for unexpected outbound network connections to Discord webhooks or Telegram API endpoints from non-browser processes.
    • Telemetry: Sysmon Event ID 3 (Network Connection), EDR Network Logs
    • ATT&CK Stage: Command and Control / Exfiltration
    • FP Risk: Medium
  • Hypothesis: Search for file creation events involving '.deepseek_*' prefixes or '/tmp/deepseek.log' on Linux systems.
    • Telemetry: Linux Auditd / EDR File Creation Logs
    • ATT&CK Stage: Execution / Persistence
    • FP Risk: Low
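The four hunting hypotheses above can be expressed as rules over normalized endpoint telemetry. The following Python is an added example written for this page, not Arctic Wolf's detection logic: it assumes a constructed, flattened event schema (a `source` field plus Sysmon/Security event IDs and a few named attributes), assumes the IFEO hijack is set through the standard `Debugger` value under the `utilman.exe` key, and uses constructed sample events, including one benign browser connection and one benign Microsoft task, to show which rows fire and which do not.

```python
import re
from dataclasses import dataclass

# Hunt rule parameters (assumptions for this example, tune to your environment).
SCRIPT_EXTENSIONS = (".ps1", ".bat", ".cmd", ".vbs", ".js")
USER_PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\", re.IGNORECASE)
# Assumption: the utilman.exe IFEO hijack is written to the Debugger value.
IFEO_UTILMAN_RE = re.compile(
    r"\\Image File Execution Options\\utilman\.exe\\Debugger$", re.IGNORECASE)
C2_HOSTS = {"discord.com", "discordapp.com", "api.telegram.org"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "brave.exe", "opera.exe"}


@dataclass
class Alert:
    hypothesis: str
    stage: str
    fp_risk: str
    evidence: str


def _basename(path: str) -> str:
    """Last path component, tolerant of both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def _h1_scheduled_task(ev):
    """H1: Security 4698 task whose action is a script under a user profile."""
    if ev.get("source") != "security" or ev.get("event_id") != 4698:
        return None
    cmd = ev.get("command", "")
    runs_script = cmd.lower().endswith(SCRIPT_EXTENSIONS) or "powershell" in cmd.lower()
    if USER_PROFILE_RE.search(cmd) and runs_script:
        return Alert("H1", "Persistence", "Low", f"task {ev.get('task_name')} runs {cmd}")
    return None


def _h2_ifeo_utilman(ev):
    """H2: Sysmon 13 registry write to the utilman.exe IFEO Debugger value."""
    if ev.get("source") != "sysmon" or ev.get("event_id") != 13:
        return None
    if IFEO_UTILMAN_RE.search(ev.get("target_object", "")):
        return Alert("H2", "Persistence / Privilege Escalation", "Low",
                     f"utilman.exe debugger set to {ev.get('details')}")
    return None


def _h3_c2_from_non_browser(ev):
    """H3: Sysmon 3 connection to Discord/Telegram from a non-browser image."""
    if ev.get("source") != "sysmon" or ev.get("event_id") != 3:
        return None
    image = _basename(ev.get("image", "")).lower()
    if ev.get("dest_host", "").lower() in C2_HOSTS and image not in BROWSERS:
        return Alert("H3", "Command and Control / Exfiltration", "Medium",
                     f"{image} connected to {ev.get('dest_host')}")
    return None


def _h4_deepseek_files(ev):
    """H4: Linux file creation of /tmp/deepseek.log or a deepseek_-prefixed file."""
    if ev.get("source") != "auditd" or ev.get("event_type") != "file_create":
        return None
    path = ev.get("path", "")
    if path == "/tmp/deepseek.log" or _basename(path).startswith("deepseek_"):
        return Alert("H4", "Execution / Persistence", "Low", f"created {path}")
    return None


HUNTS = (_h1_scheduled_task, _h2_ifeo_utilman, _h3_c2_from_non_browser, _h4_deepseek_files)


def hunt(events):
    """Run every hypothesis over every event; return alerts in event order."""
    return [alert for ev in events for check in HUNTS if (alert := check(ev))]


# Constructed sample telemetry (not real captures); task/path names follow the report's IOCs.
SAMPLE_EVENTS = [
    {"source": "security", "event_id": 4698, "task_name": r"\HiddenOptimizer", "user": "alice",
     "command": r"C:\Users\alice\AppData\Roaming\pika\run.bat"},
    {"source": "sysmon", "event_id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger",
     "details": r"C:\Windows\System32\sihost32.exe"},
    {"source": "sysmon", "event_id": 3, "image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "dest_host": "discord.com", "dest_port": 443},
    {"source": "sysmon", "event_id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "discord.com", "dest_port": 443},            # benign: browser traffic
    {"source": "auditd", "event_type": "file_create", "path": "/tmp/deepseek.log",
     "image": "/usr/bin/python3"},
    {"source": "security", "event_id": 4698, "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "user": "SYSTEM", "command": r"C:\Windows\System32\defrag.exe"},  # benign: OS task
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"[{a.hypothesis}] {a.stage} (FP risk {a.fp_risk}): {a.evidence}")
```

H3 deliberately keeps its Medium FP risk: the browser allow-list only removes the most common legitimate source of Discord and Telegram traffic, so in practice you would pair it with beaconing-frequency or process-reputation context before paging anyone.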

Control Gaps

  • Signature-based Antivirus (AV)

Key Behavioral Indicators

  • Presence of '[citation:N]' strings in executable scripts
  • Verbose markdown-style comments or emojis in executable code
  • Hardcoded LLM API keys
  • IFEO hijacks for utilman.exe
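The first three indicators above are static artifacts that can be checked before a script ever runs. The Python below is an added example for this page, not the custom YARA rules Arctic Wolf describes: it scores a script for '[citation:N]' markers, emoji, markdown-style comment lines, hardcoded key-like literals, known LLM API hostnames, and the 'deepseek_' filename prefix. The regexes and the two-category suspicion threshold are my own heuristics, and both input scripts are constructed samples (the key value is a placeholder).

```python
import re
from dataclasses import dataclass, field

# Heuristic patterns for LLM-generation artifacts. Assumption: these are
# example regexes written for this page, not Arctic Wolf's rule bodies.
CITATION_RE = re.compile(r"\[citation:\d+\]")
# Approximate emoji coverage: Misc Symbols/Dingbats plus supplementary pictographs.
EMOJI_RE = re.compile("[\u2600-\u27BF\U0001F300-\U0001FAFF]")
# A comment line (#, //, REM, ::, ') whose body opens with markdown syntax.
MARKDOWN_COMMENT_RE = re.compile(r"^\s*(#|//|REM|::|')\s+(#{1,6}\s|\*\*|```)", re.IGNORECASE)
# Something named like a key or token assigned a long opaque literal.
API_KEY_RE = re.compile(r"""(api[_-]?key|secret|token)\s*[=:]\s*["']?[A-Za-z0-9_\-]{24,}["']?""",
                        re.IGNORECASE)
# Public LLM API hostnames embedded in the script (runtime LLM use).
LLM_HOST_RE = re.compile(r"api\.(deepseek|openai|anthropic)\.com", re.IGNORECASE)


@dataclass
class ScanResult:
    filename: str
    findings: dict = field(default_factory=dict)

    def score(self) -> int:
        """Number of distinct artifact categories present (0..6)."""
        return sum(1 for v in self.findings.values() if v)

    def is_suspicious(self, threshold: int = 2) -> bool:
        """Single artifacts are common in human code; two or more warrant a look."""
        return self.score() >= threshold


def scan_script(filename: str, text: str) -> ScanResult:
    """Count each LLM-artifact category in one script's text and name."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    findings = {
        "citation_markers": len(CITATION_RE.findall(text)),
        "emoji_chars": len(EMOJI_RE.findall(text)),
        "markdown_comments": sum(1 for line in text.splitlines()
                                 if MARKDOWN_COMMENT_RE.search(line)),
        "hardcoded_api_keys": len(API_KEY_RE.findall(text)),
        "llm_api_hosts": len(LLM_HOST_RE.findall(text)),
        "deepseek_prefix": int(base.startswith("deepseek_")),
    }
    return ScanResult(filename, findings)


# Constructed sample: a batch file carrying several of the artifacts at once.
SUSPECT_BAT = """@echo off
REM ## Step 1: **Initialise** the optimiser [citation:3]
echo 🚀 Starting system optimiser...
set API_KEY=aikey-constructed-placeholder-0123456789abcdef
REM model endpoint: https://api.deepseek.com/chat/completions
echo Done ✅
"""

# Constructed sample: an ordinary admin script with no LLM artifacts.
BENIGN_PS1 = """# Rotate application logs older than 14 days
Get-ChildItem -Path C:\\Logs -Filter *.log |
  Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-14) } |
  Remove-Item
"""

if __name__ == "__main__":
    for name, body in (("deepseek_optimizer.bat", SUSPECT_BAT), ("rotate-logs.ps1", BENIGN_PS1)):
        r = scan_script(name, body)
        print(f"{name}: score={r.score()} suspicious={r.is_suspicious()} {r.findings}")
```

The score counts categories rather than raw hits so that one emoji-heavy but otherwise human script does not outrank a file that combines citation markers with a hardcoded key; a real deployment would feed the per-category counts into a YARA or EDR rule rather than alert on the score alone.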

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Block known malicious Telegram bot tokens and Discord webhooks at the network perimeter.
  • Search endpoint telemetry for the provided SHA-256 hashes, scheduled task names, and file path artifacts.

Infrastructure Hardening

  • Enforce a zero-trust execution model for scripting engines (VBS, JS, PowerShell) using application control.
  • Restrict outbound access to Telegram and Discord APIs from server environments.

User Protection

  • Deploy behavioral EDR solutions that do not rely solely on static signatures.
  • Implement anti-ransomware and memory protection modules to block process injection and BYOVD attacks.

Security Awareness

  • Educate security teams that AI-generated malware may contain hallucinatory code or obvious artifacts (e.g., emojis, citations) but can still be highly destructive.

MITRE ATT&CK Mapping

  • T1021.100 - Inbound File Copy via RDP Session
  • T1574.001 - DLL Search Order Hijacking
  • T1564.001 - Hidden Files and Directories
  • T1070.006 - Timestomp
  • T1555.003 - Credentials from Web Browsers
  • T1059.001 - PowerShell
  • T1053.005 - Scheduled Task/Job
  • T1546.012 - Image File Execution Options Injection
  • T1547.001 - Registry Run Keys / Startup Folder
  • T1547.004 - Winlogon Helper DLL
  • T1055 - Process Injection
  • T1068 - Exploitation for Privilege Escalation

Additional IOCs

  • Urls:
    • 1465066143516459277 - Discord Webhook ID for INFERNAL GRABBER 9000
    • 1466914664373026817 - Primary Discord Webhook ID for TroyStealer
    • 1466914033511694512 - Secondary Discord Webhook ID for TroyStealer
    • 1448889380151365694 - Discord Webhook ID for XOR-encrypted stealer
    • 1474984647388565554 - Discord Webhook ID for Roblox Logger
  • File Hashes:
    • 7a9e20192d7391826adc96574ddb2778e67783ac317f07a01de717ab6f2955fe (SHA256) - Referential hash for AI-generated malware sample
    • 8471257186db7db30d74816409fa09a09898ee099e7e0d1ad015546975e53a8f (SHA256) - Referential hash for AI-generated malware sample
    • b954ba7bca64b0f9bb98d61cd752859bd6edbcbf5052e75605a3644006ee9fd3 (SHA256) - Referential hash for AI-generated malware sample
    • 66a6ee009bf2de7703319a0e8523914822e28d88c2b755f30aa479a8d9c1a4ce (SHA256) - Referential hash for AI-generated malware sample
    • d9c7314568e03ff1f4c6e6ece56bdd46c9ea94ec37ba9fce56f707a24ebb1e93 (SHA256) - Referential hash for AI-generated malware sample
    • 4f94977a0d43789f66269578a6325f24a513aaef82c3334094448918cf9ad184 (SHA256) - Referential hash for AI-generated malware sample
  • Registry Keys:
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe - IFEO Hijack pointing to sihost32.exe (login screen trigger)
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell - Winlogon Shell replaced with cmd.exe /c exit by BlueSky Inject
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper - Registry Run key for sihost32 dropper
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinMaintenance - Registry Run key for Pika family
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SysOptimizer - Registry Run key for Pika family
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MasterOptimizer - Registry Run key for Pika family
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsHelper - Registry Run key for RAGE MODE
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemService - Registry Run key for RAGE MODE
  • File Paths:
    • %LOCALAPPDATA%\nyx-local\ - Working directory for NyxStealer family
    • %APPDATA%\Roaming\pika\ - Directory for Pika Dropper
    • %Drive%\System32\Cache\Volatile\sys_*.dat - File pattern for BlueSky Inject
    • /tmp/deepseek.log - Log file for deepseek_rootkit on Linux
    • C:\Windows\System32\sihost32.exe - File masquerade for sihost32 dropper
    • C:\Users\[redacted]\Local\Temp\fkpuzejo.exe - Executable observed performing credential access from web browsers
    • socxtnre.exe - Executable observed performing DLL sideloading and defense evasion
  • Command Lines:
    • Purpose: Replaces the default Windows shell to terminate the session or disrupt the user environment | Tools: cmd.exe | Stage: Impact/Persistence | cmd.exe /c exit
  • Other:
    • 7783894445:AAFa4sP1oV8_oVxU2R8rdFt7KhSrDM1WS3k - Telegram Bot Token for Polymorphic engine RAT
    • 8000470850:AAHyT_Gwj6685m2I5ozXvtOfKEetCzFHcgw - Telegram Bot Token for French Telegram RAT
    • 8560781579:AAEUDh85VzbLprw5-LhAjxmxqQU62awFbsE - Telegram Bot Token for NyxStealer v1
    • 8208206890:AAEtzuW4hmQFHTxTIOBugdICEciLB2s3uzE - Telegram Bot Token for NyxStealer v2
    • D0MINAG0N - Scheduled Task name for D0MINAG0N malware
    • HiddenOptimizer - Scheduled Task name for Pika Dropper
    • WindowsUpdateManager - Scheduled Task name for Pika Dropper
    • WinNetObject - Scheduled Task name for sihost32 dropper
    • BlueSkyInject - Scheduled Task name for BlueSky Inject
    • BlueSkyInject Maintenance - Scheduled Task name for BlueSky Inject