SentinelLABS researchers detail the rise of LLM-enabled malware that embeds Large Language Model capabilities into malicious payloads, producing code at runtime and evading traditional static detection. Their retrohunt found thousands of samples and unique API keys, and they propose hunting for hardcoded provider API keys and prompt structures as effective detection techniques. #PromptLock #LameHug
Keypoints
- SentinelLABS researchers Alex Delamotte and Gabriel Bernadett-Shapiro analyzed LLM-enabled malware where models generate malicious code at runtime rather than storing it statically.
- Notable cases include PromptLock ransomware and APT28’s LameHug/PROMPTSTEAL campaigns as examples of operational LLM use.
- Despite adaptive behavior, many LLM-enabled samples hardcode artifacts such as API keys and prompts, creating detection opportunities.
- Two novel hunting strategies were proposed: wide API key detection using YARA to match provider-specific key structures and prompt hunting to find hardcoded prompt patterns in binaries.
- A year-long retrohunt of VirusTotal found over 7,000 samples with more than 6,000 unique API keys, and uncovered previously unknown samples like “MalTerminal.”
- Pairing prompt detection with lightweight LLM classifiers helped assess malicious intent and surface additional LLM-enabled threats.
- The research emphasizes defenders should pivot from relying solely on signatures to hunting for “prompts as code” and embedded API keys to mitigate runtime-generated code threats.
MITRE Techniques
- [T1552 ] Unsecured Credentials – Hardcoded API keys were embedded in binaries, creating detection opportunities (“…hardcode artifacts like API keys and prompts.”).
- [T1204 ] User Execution (Phishing/Lures) – Adversaries used AI-themed lures to trick users into executing LLM-enabled payloads (“…from AI-themed lures to genuine LLM-embedded malware.”).
- [T1059 ] Command and Scripting Interpreter – LLMs generate code at runtime rather than storing it statically, allowing dynamic malicious code execution (“…these threats generate malicious code at runtime rather than embedding it statically, creating significant detection challenges.”).
- [T1518 ] Software Discovery / Artifact Discovery – Prompt hunting and scanning binaries for prompt structures and API key formats to discover embedded LLM-related artifacts (“…prompt hunting that searches for hardcoded prompt structures within binaries.”).
Indicators of Compromise
- [API Keys ] hardcoded provider credentials in binaries – examples: OpenAI Base64-encoded identifiers detected via YARA, and 6,000+ unique API keys found during a VirusTotal retrohunt.
- [File Names ] identified samples – example: “MalTerminal” (potential earliest known LLM-enabled malware).
- [Malware Families ] reported campaigns – examples: PromptLock ransomware, LameHug/PROMPTSTEAL (APT28).
- [VirusTotal Samples ] large-scale sample set – example context: over 7,000 samples discovered in a year-long retrohunt (and many more hashes and samples).
Read more: https://www.sentinelone.com/labs/labscon25-replay-llm-enabled-malware-in-the-wild/