Prompts as Code & Embedded Keys | The Hunt for LLM-Enabled Malware
Essential information
- Published: 25/09/2025 09:20
- Modified: 25/09/2025 14:43
- Tags: 2025-09-25, api keys, lamehug, llm-enabled malware, malterminal, offensive tools, promptlock, prompts, rkor, threat hunting
- Related entities: 39 observables, 1 intrusion set (APT), 8 techniques (MITRE), 4 malware
Description
This research explores the challenges posed by LLM-enabled malware, which can generate malicious logic at runtime. The study identifies characteristics of such malware, including embedded API keys and specific prompt structures. Notable cases like PromptLock and APT28's LameHug are examined. The researchers developed hunting strategies based on API key detection and prompt analysis, leading to the discovery of new samples, including 'MalTerminal'. The implications for defenders are discussed, highlighting both the adaptability and potential brittleness of LLM-enabled malware. The research also uncovered various offensive tools leveraging LLMs for operational capabilities.