{ "name": "Prompts as Code & Embedded Keys | The Hunt for LLM-Enabled Malware", "slug": "prompts-as-code-embedded-keys-the-hunt-for-llm-enabled-malware", "description": "This research explores the challenges posed by LLM-enabled malware, which can generate malicious logic at runtime. The study identifies characteristics of such malware, including embedded API keys and specific prompt structures. Notable cases like PromptLock and APT28's LameHug are examined. The researchers developed hunting strategies based on API key detection and prompt analysis, leading to the discovery of new samples, including 'MalTerminal'. The implications for defenders are discussed, highlighting both the adaptability and potential brittleness of LLM-enabled malware. The research also uncovered various offensive tools leveraging LLMs for operational capabilities.", "published": "2025-09-25T07:20:58+00:00", "created_at": "2025-09-25T07:20:58+00:00", "modified_at": "2025-09-25T12:43:05+00:00", "created_at_opencti": "2025-09-25T07:20:58+00:00", "author": "", "confidence": null, "report_types": [], "labels": [], "tags": [ "2025-09-25", "api keys", "lamehug", "llm-enabled malware", "malterminal", "offensive tools", "promptlock", "prompts", "rkor", "threat hunting" ], "related_entities": { "observables": [ { "id": "", "name": "e88a7b9ad5d175383d466c5ad7ebd7683d60654d2fa2aca40e2c4eb9e955c927" }, { "id": "", "name": "e24fe0dd0bf8d3943d9c4282f172746af6b0787539b371e6626bdb86605ccd70" }, { "id": "", "name": "dc9f49044d16abfda299184af13aa88ab2c0fda9ca7999adcdbd44e3c037a8b1" }, { "id": "", "name": "d6af1c9f5ce407e53ec73c8e7187ed804fb4f80cf8dbd6722fc69e15e135db2e" }, { "id": "", "name": "d1b48715ace58ee3bfb7af34066491263b885bd865863032820dccfe184614ad" }, { "id": "", "name": "cf4d430d0760d59e2fa925792f9e2b62d335eaf4d664d02bff16dd1b522a462a" }, { "id": "", "name": "c86a5fcefbf039a72bd8ad5dc70bcb67e9c005f40a7bacd2f76c793f85e9a061" }, { "id": "", "name": "c5ae843e1c7769803ca70a9d5b5574870f365fb139016134e5dd3cb1b1a65f5f" }, { "id": "", "name": "c1a80983779d8408a9c303d403999a9aef8c2f0fe63f8b5ca658862f66f3db16" }, { "id": "", "name": "bdb33bbb4ea11884b15f67e5c974136e6294aa87459cdc276ac2eea85b1deaa3" }, { "id": "", "name": "bb2836148527744b11671347d73ca798aca9954c6875082f9e1176d7b52b720f" }, { "id": "", "name": "b49aa9efd41f82b34a7811a7894f0ebf04e1d9aab0b622e0083b78f54fe8b466" }, { "id": "", "name": "b43e7d481c4fdc9217e17908f3a4efa351a1dab867ca902883205fe7d1aab5e7" }, { "id": "", "name": "b3fcba809984eaffc5b88a1bcded28ac50e71965e61a66dd959792f7750b9e87" }, { "id": "", "name": "b2bda70318af89b9e82751eb852ece626e2928b94ac6af6e6c7031b3d016ebd2" }, { "id": "", "name": "ae6ed1721d37477494f3f755c124d53a7dd3e24e98c20f3a1372f45cc8130989" }, { "id": "", "name": "a32a3751dfd4d7a0a66b7ecbd9bacb5087076377d486afdf05d3de3cb7555501" }, { "id": "", "name": "a67465075c91bb15b81e1f898f2b773196d3711d8e1fb321a9d6647958be436b" }, { "id": "", "name": "a30930dfb655aa39c571c163ada65ba4dec30600df3bf548cc48bedd0e841416" }, { "id": "", "name": "943d3537730e41e0a6fe8048885a07ea2017847558a916f88c2c9afe32851fe6" }, { "id": "", "name": "854b559bae2ce8700edd75808267cfb5f60d61ff451f0cf8ec1d689334ac8d0b" }, { "id": "", "name": "8013b23cb78407675f323d54b6b8dfb2a61fb40fb13309337f5b662dbd812a5d" }, { "id": "", "name": "7bbb06479a2e554e450beb2875ea19237068aa1055a4d56215f4e9a2317f8ce6" }, { "id": "", "name": "766c356d6a4b00078a0293460c5967764fcd788da8c1cd1df708695f3a15b777" }, { "id": "", "name": "75b4ad99f33d1adbc0d71a9da937759e6e5788ad0f8a2c76a34690ef1c49ebf5" }, { "id": "", "name": "68ca559bf6654c7ca96c10abb4a011af1f4da0e6d28b43186d1d48d2f936684c" }, { "id": "", "name": "5f6bfdd430a23afdc518857dfff25a29d85ead441dfa0ee363f4e73f240c89f4" }, { "id": "", "name": "5ab16a59b12c7c5539d9e22a090ba6c7942fbc5ab8abbc5dffa6b6de6e0f2fc6" }, { "id": "", "name": "4ddbc14d8b6a301122c0ac6e22aef6340f45a3a6830bcdacf868c755a7162216" }, { "id": "", "name": "4c73717d933f6b53c40ed1b211143df8d011800897be1ceb5d4a2af39c9d4ccc" }, { "id": "", "name": "3afbb9fe6bab2cad83c52a3f1a12e0ce979fe260c55ab22a43c18035ff7d7f38" }, { "id": "", "name": "384e8f3d300205546fb8c9b9224011b3b3cb71adc994180ff55e1e6416f65715" }, { "id": "", "name": "3082156a26534377a8a8228f44620a5bb00440b37b0cf7666c63c542232260f2" }, { "id": "", "name": "2eb18873273e157a7244bb165d53ea3637c76087eea84b0ab635d04417ffbe1b" }, { "id": "", "name": "2755e1ec1e4c3c0cd94ebe43bd66391f05282b6020b2177ee3b939fdd33216f6" }, { "id": "", "name": "165eaf8183f693f644a8a24d2ec138cd4f8d9fd040e8bafc1b021a0f973692dd" }, { "id": "", "name": "1612ab799df51a7f1169d3f47ea129356b42c8ad81286d05b0256f80c17d4089" }, { "id": "", "name": "1458b6dc98a878f237bfb3c3f354ea6e12d76e340cefe55d6a1c9c7eb64c9aee" }, { "id": "", "name": "09bf891b7b35b2081d3ebca8de715da07a70151227ab55aec1da26eb769c006f" } ], "malware": [ { "id": "legacy:malware:58783db4661b6647", "name": "Rkor", "slug": "rkor" }, { "id": "legacy:malware:933bdc791f1ad210", "name": "MalTerminal", "slug": "malterminal" }, { "id": "legacy:malware:8a70185da384464d", "name": "PromptLock", "slug": "promptlock" }, { "id": "legacy:malware:17e98d4654f95c2e", "name": "LameHug", "slug": "lamehug" } ], "intrusion_sets": [ { "id": "2e5c75e1-c481-46c4-8d26-f0774a3457fa", "name": "APT28", "slug": "apt28" } ], "attack_patterns": [ { "id": "7616ff60-a18f-4663-9824-b889aa01c8ce", "name": "T1588" }, { "id": "a72ebeae-8e62-4039-8135-e9c611011fdc", "name": "T1573" }, { "id": "f1bb7823-4f4b-4565-b472-bf0cfca467b1", "name": "T1486" }, { "id": "45082a8e-9c79-470e-ad1b-decac7188e8f", "name": "T1083" }, { "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e", "name": "T1071" }, { "id": "c12e0e03-aab0-4646-a929-e921a3d27f02", "name": "T1219" }, { "id": "0c836307-129e-4ff7-a532-180c633cacba", "name": "T1027" }, { "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221", "name": "T1059" } ] }, "external_refs": [ "https://www.sentinelone.com/labs/prompts-as-code-embedded-keys-the-hunt-for-llm-enabled-malware", "https://otx.alienvault.com/pulse/68d5097ace5dc1d6a0b8f9d0" ] }