Key Takeaway
Researchers identified a malware campaign using large volumes of AI-generated junk code to inflate binary size and evade static analysis, obscuring credential-harvesting and C2 functionality targeting Windows endpoints. The technique leverages LLM output to produce syntactically valid but functionally inert code at scale, degrading signature-based detection without requiring manual obfuscation expertise. SOC teams should prioritize behavioral detection, ASR rule enforcement, and full credential rotation on affected systems.
Malware Family and Delivery Mechanism
Security researchers have identified a malware campaign in which the threat actors embedded large volumes of AI-generated junk code directly into the malware binary to defeat static analysis and signature-based detection. The technique represents a deliberate weaponization of large language model (LLM) output, where syntactically valid but functionally inert code is mass-produced and injected around the malware's core logic to obscure it from automated scanners.
Delivery has been observed through phishing emails carrying weaponized Office documents and trojanized installer packages distributed via typosquatted domains. Initial access leverages user execution rather than exploitation of a specific CVE, relying on social engineering to run the dropper stage.
Capabilities
Persistence
Once executed, the malware establishes persistence via a scheduled task registered under a plausible system-process name (e.g., MicrosoftEdgeUpdateTaskMachineCore). On systems where the initial access account holds administrative privilege, it additionally writes a service entry to HKLM\SYSTEM\CurrentControlSet\Services. Registry run keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run serve as a fallback persistence mechanism for standard-user contexts.
Data Exfiltration
The payload collects credentials from browser stores (Chromium-based browsers, Firefox), harvests cookies, and enumerates files matching extensions associated with financial documents and configuration files (.xlsx, .pdf, .env, .config, .kdbx). Collected data is staged in a temporary directory, compressed with a renamed 7-Zip binary, and encrypted with AES-256 before transmission.
Exfiltration occurs over HTTPS to attacker-controlled infrastructure. Domains observed in this campaign use Let's Encrypt certificates to blend with legitimate TLS traffic, complicating network-layer detection based on certificate anomalies alone.
Command and Control
The C2 protocol uses HTTP POST requests with Base64-encoded, AES-encrypted payloads to endpoints mimicking CDN paths (e.g., /cdn-cgi/trace, /static/js/app.min.js). Beacon intervals are randomized between 30 and 90 seconds to reduce periodicity-based detection. The malware supports tasking for reverse shell execution, additional payload staging, and screenshot capture.
The Junk Code Obfuscation Technique
The defining characteristic of this campaign is the volume of non-functional code surrounding the malicious logic. Researchers attribute this code to LLM generation based on several indicators: consistent stylistic patterns matching AI-produced output, including over-commented variable declarations, redundant type-checking blocks, and logically unreachable conditional branches that nonetheless compile cleanly.
The junk code inflates binary size and distributes the malicious logic across a larger surface area, forcing static analysis tools to process significantly more code before reaching actionable indicators. Signature-based antivirus engines that rely on byte-pattern matching against known offsets are particularly degraded by this technique. Sandbox environments with execution time limits may time out before reaching the payload's functional core.
This method does not require the threat actors to have deep obfuscation expertise. LLMs can produce large volumes of plausible-looking code on demand, lowering the barrier for producing analysis-resistant samples. Researchers note the junk code shows no signs of manual refinement — it was almost certainly generated wholesale and injected programmatically.
Affected Platforms
- Windows 10, Windows 11 (primary target platform)
- Windows Server 2016, 2019, 2022 (observed in enterprise environments)
- Browser credential stores: Google Chrome, Microsoft Edge, Mozilla Firefox, Brave
- Password manager database files: KeePass (.kdbx)
No macOS or Linux variants have been confirmed at time of publication.
Detection Signatures
YARA Rule (Behavioral Indicators)
rule AI_JunkCode_Obfuscated_Malware {
    meta:
        description = "Detects binaries with high ratio of non-functional code blocks consistent with LLM-generated obfuscation"
        author = "Threat Research"
    strings:
        $s1 = "MicrosoftEdgeUpdateTaskMachineCore" ascii
        $s2 = "/cdn-cgi/trace" ascii
        $s3 = ".kdbx" ascii
        $s4 = "AES-256" ascii nocase
    condition:
        uint16(0) == 0x5A4D and 2 of ($s*) and filesize > 2MB
}
Network Indicators
- Outbound HTTPS POST to paths matching /cdn-cgi/ or /static/js/*.min.js from endpoints that do not run web applications
- Beaconing with randomized 30–90 second intervals to single external IPs not in corporate allowlists
- DNS queries to recently registered domains (less than 30 days) resolving to shared hosting ASNs
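The beaconing and CDN-path indicators above can be checked directly against proxy logs. The following is an added example, not code from the original report: it groups POST requests per client/destination pair, keeps only CDN-lookalike paths, and flags pairs whose inter-request gaps all fall inside the 30–90 second jitter window. The log layout and all log lines are constructed for the example.

```python
"""Jittered-beacon detection over proxy logs.
Added example, not from the original article: flags a client/destination pair
whose POSTs hit CDN-lookalike paths with every inter-request gap in the 30-90 s
window the report describes. Log lines and the log layout are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed lines in a "timestamp src dst method path" layout.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.1.2.30 203.0.113.7 POST /cdn-cgi/trace
2024-05-01T10:00:47Z 10.1.2.30 203.0.113.7 POST /static/js/app.min.js
2024-05-01T10:01:39Z 10.1.2.30 203.0.113.7 POST /cdn-cgi/trace
2024-05-01T10:02:10Z 10.1.2.30 203.0.113.7 POST /static/js/app.min.js
2024-05-01T10:03:35Z 10.1.2.30 203.0.113.7 POST /cdn-cgi/trace
2024-05-01T10:00:05Z 10.1.2.31 198.51.100.9 GET /index.html
2024-05-01T10:30:05Z 10.1.2.31 198.51.100.9 GET /index.html
"""

CDN_LOOKALIKE = re.compile(r"^/cdn-cgi/|^/static/js/[^/]+\.min\.js$")
MIN_GAP, MAX_GAP = 30.0, 90.0  # randomized beacon window from the report
MIN_REQUESTS = 4               # enough gaps to judge the interval pattern

def parse_line(line):
    ts, src, dst, method, path = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, method, path

def find_beacons(log_text, allowlist=frozenset()):
    """Return {(src, dst): [gap seconds]} for pairs that look like jittered C2 beacons."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, method, path = parse_line(line)
        if method == "POST" and CDN_LOOKALIKE.search(path) and dst not in allowlist:
            posts[(src, dst)].append(ts)
    hits = {}
    for pair, times in posts.items():
        if len(times) < MIN_REQUESTS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Every gap inside the window, and not a fixed interval: jittered beacon
        if all(MIN_GAP <= g <= MAX_GAP for g in gaps) and len(set(gaps)) > 1:
            hits[pair] = gaps
    return hits

if __name__ == "__main__":
    for (src, dst), gaps in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon {src} -> {dst}, gaps {gaps}")
```

Feed it real proxy exports after mapping the columns in parse_line, and pass known CDN or update-service addresses as the allowlist to cut false positives from legitimate pollers.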
Endpoint Detection
- Scheduled task creation by mshta.exe, wscript.exe, or Office application child processes
- 7-Zip or renamed archive binaries writing to %TEMP% followed by outbound encrypted network connections
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run modifications made by non-installer processes
Microsoft Defender for Endpoint customers should enable Potentially Unwanted Application (PUA) protection and configure Attack Surface Reduction (ASR) rules, specifically rule d4f940ab-401b-4efc-aadc-ad5f3c50688a (Block Office applications from creating child processes).
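The three endpoint indicators above map onto ordinary EDR telemetry. The following is an added example, not code from the original report: it evaluates a stream of constructed Sysmon-style events against those indicators, correlating the renamed-archiver write with a later outbound TLS connection from the archiver or its parent process. Event field names (kind, pid, parent_pid, image, parent_image, original_file_name, cmdline, target, dst_port) are assumptions modelled on Sysmon process-create, network-connect and registry-set records.

```python
"""Endpoint indicator checks over constructed Sysmon-style events.
Added example, not from the original article; field names are assumptions
modelled on Sysmon process-create, network-connect and registry-set records."""
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INSTALLERS = {"msiexec.exe"}  # assumed legitimate Run-key writers; tune per estate
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
TEMP_DIR = "\\appdata\\local\\temp\\"
TMP = r"C:\Users\u\AppData\Local\Temp"

SAMPLE_EVENTS = [  # constructed sample telemetry
    {"kind": "process_create", "pid": 1201, "parent_pid": 1100, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": f"schtasks /create /tn MicrosoftEdgeUpdateTaskMachineCore /tr {TMP}\\svc.exe"},
    {"kind": "process_create", "pid": 1305, "parent_pid": 1200, "image": TMP + r"\wu.exe",
     "parent_image": TMP + r"\svc.exe", "original_file_name": "7z.exe",
     "cmdline": f"wu.exe a {TMP}\\st.7z C:\\Users\\u\\Documents"},
    {"kind": "network_connect", "pid": 1200, "image": TMP + r"\svc.exe", "dst_ip": "203.0.113.7", "dst_port": 443},
    {"kind": "registry_set", "pid": 1410, "image": TMP + r"\svc.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\EdgeUpdate"},
    {"kind": "registry_set", "pid": 1500, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Vendor"},
]

def base(path):
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(events):
    """Return (indicator, pid) pairs for events matching the three endpoint indicators."""
    findings, archive_actors = [], set()
    for ev in events:
        kind, pid, image = ev["kind"], ev["pid"], base(ev["image"])
        if kind == "process_create":
            parent = base(ev["parent_image"])
            # 1. schtasks /create spawned by a script host or an Office application
            if image == "schtasks.exe" and "/create" in ev["cmdline"].lower() \
                    and parent in SCRIPT_HOSTS | OFFICE_APPS:
                findings.append(("schtasks_by_script_or_office", pid))
            # 2a. renamed 7-Zip (PE original name 7z.exe, on-disk name differs) writing under %TEMP%
            if ev.get("original_file_name", "").lower() == "7z.exe" and image != "7z.exe" \
                    and TEMP_DIR in ev["cmdline"].lower():
                archive_actors.update({pid, ev["parent_pid"]})
        # 2b. ...followed by an outbound TLS connection from the archiver or its parent
        elif kind == "network_connect" and pid in archive_actors and ev["dst_port"] == 443:
            findings.append(("archive_write_then_outbound_tls", pid))
        # 3. HKCU Run key modified by something other than a known installer
        elif kind == "registry_set" and ev["target"].lower().startswith(RUN_KEY) \
                and image not in INSTALLERS:
            findings.append(("run_key_by_non_installer", pid))
    return findings
```

Events must be fed in time order for the 2a/2b correlation to work; in production, key the correlation on host plus a time window rather than on pid alone.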
Removal Guidance
- Isolate the affected endpoint from the network immediately upon detection.
- Revoke all credentials stored in browsers on the affected system. Assume any saved passwords, session cookies, and OAuth tokens are compromised.
- Delete the scheduled task and service entry using schtasks /delete and sc delete with the identified task/service names.
- Remove the Run key entries from HKCU\Software\Microsoft\Windows\CurrentVersion\Run using regedit or PowerShell.
- Reimaging is recommended over manual remediation for enterprise endpoints, given the risk of secondary payload staging.
- Hunt across the environment for the network indicators listed above using EDR telemetry and SIEM queries covering the prior 90 days to identify lateral movement or additional compromised hosts.
- Submit samples to your AV vendor and to public sandboxes (ANY.RUN, VirusTotal, Hybrid Analysis) to generate updated signatures and assist community-wide detection.
Original Source
Dark Reading