This article describes a novel AI-augmented attack where a benign webpage requests code from trusted LLM APIs, assembles malicious JavaScript in-browser at runtime, and renders personalized phishing pages that evade network-based detection. The report demonstrates a proof-of-concept that leverages prompt engineering and polymorphic LLM-generated code to bypass guardrails and recommends runtime behavioral analysis and in-browser protections to mitigate the threat. #LogoKit #Unit42
Keypoints
- Attackers can embed engineered prompts in a benign webpage that call trusted LLM API endpoints from the client to dynamically generate malicious JavaScript at runtime.
- The generated code is polymorphic and unique per visit, increasing evasion against signature- and network-based detection.
- Malicious snippets can be delivered from trusted LLM domains or via backend proxies/CDNs, bypassing conventional network analysis.
- Proof-of-concept replicated a LogoKit phishing campaign by dynamically generating scripts that personalized pages and exfiltrated credentials to attacker servers.
- Prompt engineering can circumvent LLM safety guardrails (e.g., rephrasing blocked requests to permitted functionality like generic AJAX POST functions).
- Effective defenses include runtime behavioral analysis within the browser (e.g., Prisma Browser with Advanced Web Protection) and restricting unsanctioned LLM usage.
MITRE Techniques
- [T1059.007 ] Command and Scripting Interpreter: JavaScript – Used to generate, assemble and execute JavaScript snippets in the victim’s browser at runtime (e.g., using eval to run constructed child scripts). ‘…executing constructed child scripts with an eval function (e.g., retrieved, decoded or assembled payloads).’
- [T1027 ] Obfuscated Files or Information – Attackers translate code into text, encode, fragment or otherwise conceal payloads within prompts and webpages to evade inspection. ‘…obfuscating code in plain text… encoding, encryption and code fragmenting…’
- [T1071.001 ] Application Layer Protocol: Web Protocols – Malicious code snippets and prompts are sent and received over standard web protocols to/from trusted LLM API endpoints to bypass network controls. ‘…could be transferred over the network from a trusted domain, as access to domains of popular LLM API endpoints is often allowed from the client side.’
- [T1105 ] Ingress Tool Transfer – The LLM service API returns code snippets that are transferred into the victim environment and later assembled/executed in-browser. ‘…these snippets are returned via the LLM service API, then assembled and executed in the victim’s browser at runtime…’
- [T1041 ] Exfiltration Over C2 Channel – Credential harvesting and exfiltration are performed from the dynamically generated phishing page to attacker-controlled servers (e.g., via AJAX POST requests). ‘…personalizing the page based on the victim’s email in the address bar and exfiltrating captured credentials to an attacker’s web server.’ ‘…a request for a generic $AJAX POST function…’
Indicators of Compromise
- [Campaign ] Phishing campaign model used in PoC – LogoKit (replicated page behavior and personalization/exfiltration functionality).
- [LLM Domains ] Trusted LLM API endpoints used to deliver code snippets – examples mentioned: DeepSeek, Google Gemini (used as delivery sources or referenced models).
- [Encoded URLs ] Obfuscated/exfiltration URLs embedded in prompts – Base64-encoded exfiltration URLs (no explicit examples disclosed), and other obfuscated endpoints.
- [Exfiltration Endpoints ] Credential exfiltration destinations and AJAX endpoints – context: captured credentials sent to attacker web servers via AJAX POST (specific URLs not disclosed).
Read more: https://unit42.paloaltonetworks.com/real-time-malicious-javascript-through-llms/