By NHI Mgmt Group Editorial TeamDomain: Breaches & IncidentsSource: SwarmneticsPublished July 24, 2025

TL;DR: Russian malware linked to Fancy Bear used an Alibaba chatbot in real time on compromised systems to vary commands, move through Windows directories, and exfiltrate files, according to Swarmnetics. Static command matching is no longer enough when attackers can generate actions dynamically inside the host.


At a glance

What this is: This article examines malware that queries an LLM during execution to adapt commands on compromised systems and evade fixed-pattern detection.

Why it matters: It matters because security teams that rely on static signatures, hardcoded command matching, or narrow sandboxing need to reassess how AI-assisted malware changes detection, telemetry, and response design.

👉 Read Swarmnetics' analysis of Russian malware using real-time LLM commands


Context

LLM-assisted malware changes the operational problem for defenders because the malicious code no longer has to carry every command in advance. Instead, it can generate or vary instructions at runtime, which makes command-based detections less reliable and raises the bar for behavioural monitoring and containment. For identity and access teams, the intersection appears when compromised systems can use authenticated tooling, API access, or delegated execution paths to turn one foothold into broader action.

The article’s core claim is not that AI malware has fully matured, but that adversaries are testing a model where the payload becomes a controller rather than a fixed script. That matters for security governance because tools built to look for known strings, known tool calls, or known malware families may miss the adaptive layer that sits between compromise and impact.


Key questions

Q: What breaks when malware generates commands through an LLM at runtime?

A: Signature-based detections lose precision because the malicious commands are no longer fixed in the payload. Security teams need to watch for the behaviour that surrounds execution, including process creation, directory traversal, staging, and outbound transfer, rather than relying on exact strings or known malware artifacts.

Q: Why does AI-assisted malware increase post-compromise risk for identity teams?

A: Because the malware can abuse whatever credentials, tokens, or delegated permissions already exist on the compromised host. If those identities can reach sensitive services, a single foothold can become authenticated misuse across systems, which turns local compromise into an access governance problem.

Q: How do security teams know whether command-based detection is still working?

A: Look for whether alerts are driven by behaviour, sequence, and egress patterns rather than by exact command names. If a slight change in syntax causes the detection to fail, the control is too brittle for adaptive malware and needs retraining or redesign.

Q: Who is accountable when AI tools are abused to support malware operations?

A: Accountability sits across AI governance, security operations, and identity ownership. Teams that approve models, expose them to users, or connect them to tools need documented controls for abuse detection, access restriction, and incident response. Where AI assistants are integrated into workflows, governance must cover both the model and the permissions around it.


Technical breakdown

How real-time LLM command generation changes malware behaviour

Traditional malware embeds commands, indicators, and task logic directly into the payload. In this pattern, the malware calls an LLM during execution and uses the model to generate or vary next-step actions on the fly. That reduces the attacker’s need to ship new payloads for each task and makes the resulting behaviour less predictable for static scanners. It also creates a separation between compromise and execution logic, which complicates pattern-based detection. The key technical shift is not that the LLM performs exploitation, but that it can act as a runtime command adapter once the attacker already has a foothold.

Practical implication: defenders need behavioural detections that focus on runtime actions, not just fixed command strings.

Why AI-assisted malware complicates endpoint and network detections

Endpoint tools often look for known process trees, shell commands, scripted artefacts, or common exfiltration patterns. If an LLM changes the command syntax or sequences actions dynamically, those signatures become less dependable. The same issue applies to network monitoring when requests are generated in variable language or through alternate transfer methods such as HTTP POST or SFTP. This does not remove the need for traditional controls, but it shifts detection value toward context, sequence, and privilege use. The important point is that adaptive command generation can make malicious activity appear more like ordinary automation unless telemetry is rich enough to distinguish intent.

Practical implication: tune EDR, SIEM, and network analytics to alert on suspicious execution sequences and unusual data movement.

The identity and access angle in AI-enabled malware

AI-enabled malware does not need to be autonomous to be dangerous. Once inside a system, it can leverage whatever credentials, access tokens, service permissions, or delegated tooling are already present on that host. That is an NHI governance problem as much as a malware problem, because the blast radius depends on what identities the compromised environment can reach. If secrets are present on the machine, the malware can often turn local compromise into authenticated abuse of downstream services. In that sense, the runtime model is only as dangerous as the standing access available to the compromised workload or user session.

Practical implication: reduce the privilege and secret exposure available on endpoints, workloads, and automation runners.


Threat narrative

Attacker objective: The attacker appears to want stealthy post-compromise control that supports file theft and host reconnaissance without relying on static payloads.

  1. Entry occurs through phishing messages that impersonate Ukraine officials and deliver the malware to the victim environment.
  2. Escalation happens when the malware invokes an LLM in real time to generate or vary commands on the compromised system, making activity harder to match against fixed signatures.
  3. Impact follows when the malware enumerates Windows directories and exfiltrates documents and system information over HTTP POST or SFTP.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Static detection is now facing an adaptive adversary problem. Malware that generates commands through an LLM does not remove the need for EDR or network inspection, but it does reduce the value of detections built around fixed strings and known command lines. The governance implication is straightforward: security teams must assume the payload can mutate its own instructions after compromise. Practitioners should pivot toward behaviour-based correlation and endpoint context rather than signature confidence alone.

AI-assisted malware is also an identity and access governance issue. Once a host is compromised, the attacker inherits whatever credentials, tokens, or delegated access the environment already holds. That means the real control question is not only how the malware executes, but what identities it can abuse after execution. In NHI terms, the compromised host becomes a launch point for authenticated misuse if secrets and service permissions are left within reach. Practitioners should treat workstation and runner identities as part of the malware threat surface.

Command variability creates a detection-response latency gap. When commands are generated at runtime, security teams may see activity only after it has already adapted, executed, and moved data. That widens the time between first execution and meaningful intervention, especially if alerting depends on exact command patterns. The better control model is layered telemetry with policy enforcement around execution, egress, and privileged access. Practitioners should design for partial visibility and rapid containment, not perfect pre-execution certainty.

AI malware does not need to be autonomous to change the threat model. Even a human-in-the-loop sample can force defenders to update assumptions about how malicious code behaves once it is inside the environment. The key shift is architectural: the threat now includes a live model dependency that can alter attack steps in response to the host context. For security programmes, that means detection engineering, identity controls, and response playbooks must account for adaptive post-exploitation logic, not just familiar malware families.

What this signals

Adaptive payloads widen the gap between compromise and detection. For programmes that still anchor on fixed indicators, the practical change is to treat execution context as the primary signal. That means investing in telemetry that can survive command mutation and in policy boundaries that prevent a compromised host from becoming an authenticated pivot point.

Runtime model use inside malware makes secret hygiene more urgent, not less. If the host already contains service credentials or delegated access, the attacker can convert a behavioural foothold into identity abuse quickly. Security teams should map where long-lived secrets and high-value tokens still exist on endpoints, build in-line controls around egress, and align that work with behavioural detection rather than treat it as a separate hygiene exercise.


For practitioners

  • Harden host-level execution controls Restrict scripting interpreters, constrain child-process spawning, and alert on unusual command synthesis paths so that runtime-generated instructions are easier to contain. Focus on the points where malware would need to convert generated text into execution.
  • Reduce local secret exposure Remove long-lived API keys, session tokens, and service credentials from endpoints and automation runners that could be abused after compromise. Segment access so a single workstation or container cannot authenticate broadly into downstream services.
  • Tune detections for behavioural sequences Build analytics around file discovery, recursive directory access, abnormal compression or staging, and outbound transfer patterns such as HTTP POST and SFTP. Sequence-based detections will hold up better than hardcoded command matching when an LLM is in the loop.
  • Revisit identity boundaries on compromised hosts Assume any endpoint that holds delegated access can become an NHI abuse point after malware lands. Review which service accounts, certificates, and tokens are accessible on user systems and limit what a compromised machine can reach.

Key takeaways

  • LLM-assisted malware shifts the attacker advantage from fixed payloads to adaptive runtime behaviour.
  • The main control weakness is brittle, command-string detection that cannot keep pace with generated variation.
  • Identity and secret exposure on compromised hosts determine how far the malware can move after execution.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
MITRE ATT&CKTA0001 , Initial Access; TA0006 , Credential Access; TA0010 , ExfiltrationThe article spans phishing entry, adaptive execution, and document exfiltration.
NIST CSF 2.0DE.CM-1Runtime command generation requires continuous monitoring for anomalous events.
NIST SP 800-53 Rev 5SI-4System monitoring controls are central to detecting adaptive malware activity.
CIS Controls v8CIS-8 , Audit Log ManagementAudit logging is needed to reconstruct dynamic post-compromise actions.
NIST AI RMFMANAGEAI RMF applies where AI is embedded in attack tooling and alters operational risk.

Map detections to initial access, credential abuse, and exfiltration tactics, then test whether they survive command variation.


Key terms

  • LLM-powered malware: Malware that uses a large language model during an attack to generate code, rewrite text, alter obfuscation, or adapt tactics. The model does not replace the attacker, but it can increase speed, variation, and resilience while the intrusion is underway.
  • Runtime command generation: A technique where malicious instructions are created at execution time rather than hardcoded into the payload. This makes the malware less predictable because the actual commands can change from run to run, reducing the reliability of signature-based detection and static command matching.
  • Post-Compromise Abuse: Post-compromise abuse is the use of a hijacked identity to perform actions that appear legitimate, such as reading mail, creating rules, changing MFA settings, or abusing OAuth grants. It is where the business impact of identity compromise usually becomes visible and where containment must be focused.

What's in the full analysis

Swarmnetics' full article covers the operational detail this post intentionally leaves for the source:

  • The exact malware behaviour observed on the compromised host, including how the LLM was called in real time.
  • The phishing and execution sequence used to deliver the sample and how the researchers traced it.
  • The command, directory, and exfiltration patterns that defenders can compare against their own telemetry.
  • The researchers' assessment of how reliable or repeatable the technique appears in practice.

👉 The full Swarmnetics article covers the phishing chain, LLM runtime behaviour, and observed exfiltration methods.

Deepen your knowledge

NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It helps practitioners connect access control, lifecycle discipline, and operational containment across identity programmes.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org