Polymorphic AI Malware: A Real-World POC and Detection Walkthrough

What Is Polymorphic AI Malware?

Polymorphic AI malware refers to a new class of malicious software. It leverages artificial intelligence models, such as GPT-based language models, to dynamically generate, obfuscate, or modify its own code at runtime or build time. Unlike traditional polymorphic malware, which often relies on techniques such as packers or encryption to alter its appearance, AI-generated polymorphism introduces a much more dynamic and sophisticated threat. The malware can continuously rewrite or regenerate its behaviorally identical logic. This produces structurally different code every time it is created or run, significantly weakening the effectiveness of static detection methods and traditional antivirus signature matching.

This capability represents a paradigm shift in offensive tooling. It enables adversaries to automate the generation of evasive payloads, minimize detection risk, and scale their attack infrastructure without manually rewriting code. For defenders, it introduces a new challenge: detecting intent and behavior when the code structure is no longer predictable.

Why It Matters

AI-assisted malware has the potential to fundamentally alter the way threats are created and detected. With a simple prompt, a threat actor can generate working malicious payloads that are both syntactically correct and highly obfuscated. Because the AI model can vary the structure of the code each time, every sample is effectively a new variant — despite maintaining the same functionality. This defeats many traditional defenses that rely on known signatures, static strings, or predictable patterns. Furthermore, AI can be used for evasion, embedding anti-analysis logic, variable name randomization, and payload delivery mechanisms with minimal effort.

Building the Proof of Concept

To explore detection strategies for polymorphic AI-generated malware, we re-created HYAS Labs’ BlackMamba PoC, purely to work out how to detect it. The original malware functions as a keylogger that uses OpenAI to generate its core payload at runtime. In our version, we used Azure OpenAI (GPT-4o). The keylogger is never written to disk: the AI-generated code is obfuscated with base64 encoding and executed in memory via Python’s exec() function. While our implementation focuses on a keylogger, the same technique can be used to generate and execute any type of malware with any AI provider that offers code generation through an API.

The malware uses the keyboard Python library to hook into the system’s keystroke events and captures all key presses in real time. It uses the requests library to exfiltrate the captured data to a Slack webhook, simulating a real-world command and control channel through a legitimate SaaS platform.

For stealth and portability, we compiled the Python script into an executable using PyInstaller. It ran on multiple Windows machines with different leading EDR solutions. This allowed the malware to run independently of a Python installation and appear as a legitimate Windows process.

Challenges and Development Hurdles

The development process wasn’t without difficulties. Azure OpenAI’s content filters sometimes refused to generate keylogging code. We had to craft prompts carefully so that the model responded with valid Python code and without markdown formatting that could break execution (such as ```python code fences). Additionally, we had to implement a code-cleaning routine to strip markdown syntax from the AI’s response before executing it dynamically.

Finally, runtime testing in a Windows environment revealed subtle issues: errors in the AI-generated code caused inconsistent behavior across executions, especially when variable or function names were left undefined by generation quirks. Debugging this required adding logging and cleaning layers to the execution pipeline.

In the end, we produced a sample that reliably obtains the malicious keylogger code from Azure OpenAI and executes it straight in memory, without creating a file on disk.

Final Findings and Detection Insights

After compiling and running the executable in controlled Azure Windows virtual machines with different EDR solutions, we observed several important findings:

  1. Detection Differences Between Script and Executable
    The raw Python script was not detected by the tested EDR solutions. However, once compiled to a Windows executable, the file triggered a low-confidence informational detection based on the EDR’s behavioral analysis, likely due to high entropy or behavioral similarity to known malware. At this point, the file wasn’t quarantined or blocked by the EDR, but about 2 weeks later it was quarantined, probably due to an update. In a different EDR, the executable file wasn’t detected as malware at all.
  2. HTTP Exfiltration Observed
    The compiled malware successfully sent captured keystrokes to a pre-configured Slack webhook. This HTTP POST behavior was visible in network logs and confirmed the malware’s ability to exfiltrate data over encrypted web services using legitimate domains.
  3. DNS Requests and HTTPS Connections to OpenAI and Slack
    During execution, the malware made DNS queries and HTTPS connections to the ai.openai.azure.com and hooks.slack.com domains, corresponding to the AI generation phase and the data exfiltration channel. These domains and other AI API domains are noteworthy indicators for defenders, especially in environments where such services are not typically used by endpoints. Unsigned executables or non-browser processes typically do not make direct DNS requests to OpenAI APIs, making such behavior highly unusual and worthy of investigation.
  4. Polymorphic Hash Behavior
    Each time the file was executed, its hash was different. This was caused by the AI’s variation in function names, structure, and base64-encoded payloads. As a result, signature-based detection methods that rely on file hashes were ineffective.
  5. Static Indicators in Extracted Strings
    Using FLOSS and the Sysinternals strings utility, we were able to identify static artifacts, including “keyboard” and “requests” related strings, which are the Python libraries we used for the keylogger and the OpenAI querying.
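As an added illustration of findings 4 and 5 (this is example code written for this walkthrough, not code from the original post or from the BlackMamba PoC), the script below builds two constructed text variants of a loader that differ only in identifier names and base64 blob, shows that their SHA-256 hashes differ while the decoded payload is identical, and then runs a strings-style scan over both to recover the library names that survive regeneration. The payload is a harmless stub and is only hashed and scanned, never executed; the loader text, the indicator list and the variant names are all assumptions made for the example.

```python
import base64
import hashlib
import re

# Constructed stand-in for the regenerated payload. It is deliberately harmless
# and is only ever hashed and scanned here, never executed.
PAYLOAD_SOURCE = "def run():\n    return 'payload executed'\n"


def build_variant(blob_name: str, fn_name: str, padding: str) -> bytes:
    """Build the text of one loader variant. Only the identifier names and the
    base64 blob change between variants, which is what an AI re-generation of
    behaviourally identical code looks like on disk."""
    encoded = base64.b64encode((PAYLOAD_SOURCE + padding).encode()).decode()
    loader = (
        "import base64\n"
        "import keyboard\n"      # library names survive as plain strings
        "import requests\n"
        f"{blob_name} = '{encoded}'\n"
        f"def {fn_name}():\n"
        f"    exec(base64.b64decode({blob_name}).decode())\n"
    )
    return loader.encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII, the same idea as the strings utility and FLOSS."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


# Static artifacts worth hunting for even when names and hashes change.
STATIC_INDICATORS = ("keyboard", "requests", "b64decode", "exec(")


def find_indicators(data: bytes) -> set:
    found = set()
    for s in extract_strings(data):
        found.update(ind for ind in STATIC_INDICATORS if ind in s)
    return found


def decoded_payload(data: bytes) -> str:
    """Recover the base64 payload from a variant to show the behaviour is shared."""
    blob = re.search(rb"'([A-Za-z0-9+/=]{16,})'", data).group(1)
    return base64.b64decode(blob).decode()


def compare_variants() -> dict:
    a = build_variant("_x1", "_f1", "# v1\n")
    b = build_variant("zz_blob", "launch", "# v2\n")
    return {
        "same_hash": sha256_hex(a) == sha256_hex(b),
        "same_behaviour": decoded_payload(a).startswith(PAYLOAD_SOURCE)
                          and decoded_payload(b).startswith(PAYLOAD_SOURCE),
        "shared_indicators": find_indicators(a) & find_indicators(b),
    }


if __name__ == "__main__":
    print(compare_variants())
```

The result is the asymmetry the findings describe: the hash is useless as a signature because it changes with every regeneration, but the imported library names and the decode-then-exec idiom are stable enough to hunt for in extracted strings.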

Detection Opportunities

Although polymorphic AI malware evades many traditional detection techniques, it still leaves behind detectable patterns. Some of the most promising detection methods we identified include:

  • Identify unusual connections to AI tools – such as the OpenAI API, Azure OpenAI, or other services with API-based code generation capabilities like Claude. Our research on real-time data shows that most of the traffic to AI API domains comes from browser processes; once browsers are excluded, what remains is a small and very interesting set of events. Below is a sample KQL query based on Microsoft Defender logs:
let aiDomains = dynamic([
  "api.openai.com",
  ".openai.azure.com",
  "api.anthropic.com",
  "api.groq.com",
  "api.ai21.com",
  "api.huggingface.co",
  "api-inference.huggingface.co",
  "api.windsurf.com",
  "generativelanguage.googleapis.com",
  "aiplatform.googleapis.com",
  "api.cohere.ai",
  "bedrock-runtime.amazonaws.com",
  "api.grok.xai.com",
  "api.mistral.ai",
  "api.codeium.com",
  "api.deepseek.com",
  "api.qlerify.com",
  "api.codegeex.com",
  "api.replit.com"
]);
DeviceNetworkEvents
| where RemoteUrl has_any (aiDomains)
// List of known browsers and their usual paths; if your organization uses others, add them here
| where not (
    (
        InitiatingProcessFolderPath startswith @"C:\Program Files\Google\Chrome\Application" and InitiatingProcessFileName =~ "chrome.exe"
    ) or (
        InitiatingProcessFolderPath startswith @"C:\Program Files (x86)\Google\Chrome\Application" and InitiatingProcessFileName =~ "chrome.exe"
    ) or (
        InitiatingProcessFolderPath startswith @"C:\Users\" and InitiatingProcessFolderPath has @"\AppData\Local\Chromium\Application" and InitiatingProcessFileName =~ "chrome.exe"
    ) or (
        InitiatingProcessFolderPath startswith @"C:\Program Files\Microsoft\Edge\Application" and InitiatingProcessFileName =~ "msedge.exe"
    ) or (
        InitiatingProcessFolderPath startswith @"C:\Program Files (x86)\Microsoft\Edge\Application" and InitiatingProcessFileName =~ "msedge.exe"
    ) or (
        InitiatingProcessFolderPath startswith @"C:\Program Files\Mozilla Firefox" and InitiatingProcessFileName =~ "firefox.exe"
    ) or (
        InitiatingProcessFolderPath startswith @"C:\Program Files (x86)\Mozilla Firefox" and InitiatingProcessFileName =~ "firefox.exe"
    ) or (
        InitiatingProcessFolderPath startswith @"C:\Users\" and InitiatingProcessFolderPath has @"\AppData\Local\Programs\Opera" and InitiatingProcessFileName =~ "opera.exe"
    )
)
| project-reorder DeviceName, RemoteUrl, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessParentFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, LocalIP, RemoteIP, ActionType, TimeGenerated
  • No parent GUI – For better precision, filter the detection on processes launched without explorer.exe as the parent or without any desktop interaction. Attackers will make sure this malware runs on the host without human interaction.
  • File System Artifacts – While these artifacts are not exclusive to polymorphic AI malware, the presence of PyInstaller unpacking behavior (_MEI folders, temp DLLs) can still provide strong signals, especially when combined with other anomalies like suspicious network activity.
  • Webhook usage – While webhook usage is also not exclusive to polymorphic AI malware, it is important to detect such webhook usage since it is a known exfiltration technique.

It’s important to baseline legitimate AI and webhook usage in your environment to avoid false positives. Some corporate tools, integrations, or developers may legitimately communicate with AI services and Slack APIs. Filtering out known-good behavior keeps detections actionable and reduces noise.
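To show the detection ideas above working together outside of KQL, here is an added Python example (written for this walkthrough; it is not the original post’s query or any vendor’s code) that applies the same logic to DeviceNetworkEvents-style records: match AI API and webhook hosts, exclude known browsers by both file name and install folder, score the “no parent GUI” condition, and suppress a baselined integration. The sample events are constructed, the baseline process name is a placeholder, and the extra weight given to processes running from a user-writable folder is an assumption of this example rather than something the post measured.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicator lists: a subset of the KQL domain list plus the Slack webhook host.
AI_DOMAINS = ("api.openai.com", ".openai.azure.com", "api.anthropic.com",
              "generativelanguage.googleapis.com", "bedrock-runtime.amazonaws.com")
WEBHOOK_DOMAINS = ("hooks.slack.com",)

# Known browsers and their usual install folders (mirrors the KQL exclusion).
# Entry: (folder prefix, substring the folder must also contain or None, exe name).
# Requiring name AND folder keeps a renamed binary in Downloads from passing as a browser.
KNOWN_BROWSERS = (
    ("c:\\program files\\google\\chrome\\application", None, "chrome.exe"),
    ("c:\\program files (x86)\\google\\chrome\\application", None, "chrome.exe"),
    ("c:\\users\\", "\\appdata\\local\\chromium\\application", "chrome.exe"),
    ("c:\\program files\\microsoft\\edge\\application", None, "msedge.exe"),
    ("c:\\program files (x86)\\microsoft\\edge\\application", None, "msedge.exe"),
    ("c:\\program files\\mozilla firefox", None, "firefox.exe"),
    ("c:\\program files (x86)\\mozilla firefox", None, "firefox.exe"),
    ("c:\\users\\", "\\appdata\\local\\programs\\opera", "opera.exe"),
)

# Constructed baseline of approved non-browser AI integrations (placeholder name).
BASELINE_PROCESSES = {"approved-ai-integration.exe"}


@dataclass
class Alert:
    device: str
    process: str
    folder: str
    host: str
    reasons: List[str]
    score: int


def _host_of(remote_url: str) -> str:
    """RemoteUrl may be a bare host, host:port or a full URL; return just the host."""
    host = re.sub(r"^[a-z]+://", "", remote_url.lower()).split("/")[0]
    return host.split(":")[0]


def _matches(host: str, domains) -> bool:
    for d in domains:
        if d.startswith("."):            # ".openai.azure.com" covers any resource name
            if d in host:
                return True
        elif host == d or host.endswith("." + d):
            return True
    return False


def is_known_browser(folder: str, name: str) -> bool:
    f, n = folder.lower(), name.lower()
    return any(n == exe and f.startswith(prefix) and (must is None or must in f)
               for prefix, must, exe in KNOWN_BROWSERS)


def evaluate(event: dict) -> Optional[Alert]:
    """Score one DeviceNetworkEvents-style record; None means nothing to flag."""
    host = _host_of(event["RemoteUrl"])
    ai, hook = _matches(host, AI_DOMAINS), _matches(host, WEBHOOK_DOMAINS)
    name, folder = event["InitiatingProcessFileName"], event["InitiatingProcessFolderPath"]
    if not (ai or hook) or is_known_browser(folder, name) or name.lower() in BASELINE_PROCESSES:
        return None
    f = folder.lower()
    hits = []
    if ai:
        hits.append(("ai-api-from-non-browser", 2))
    if hook:
        hits.append(("webhook-from-non-browser", 1))
    if event.get("InitiatingProcessParentFileName", "").lower() != "explorer.exe":
        hits.append(("no-interactive-parent", 1))      # the "no parent GUI" check
    if f.startswith("c:\\users\\") and ("\\temp" in f or "\\downloads" in f):
        hits.append(("user-writable-path", 1))         # assumption: extra weight, my choice
    return Alert(event["DeviceName"], name, folder, host,
                 [r for r, _ in hits], sum(p for _, p in hits))


def hunt(events) -> List[Alert]:
    return [a for a in (evaluate(e) for e in events) if a is not None]


def _ev(device, url, name, folder, parent):
    return {"DeviceName": device, "RemoteUrl": url, "InitiatingProcessFileName": name,
            "InitiatingProcessFolderPath": folder, "InitiatingProcessParentFileName": parent}


SAMPLE_EVENTS = [   # constructed telemetry, not real logs
    _ev("ws-01", "api.openai.com", "chrome.exe", "C:\\Program Files\\Google\\Chrome\\Application", "explorer.exe"),
    _ev("ws-02", "ai.openai.azure.com", "svcupdate.exe", "C:\\Users\\alice\\AppData\\Local\\Temp", "wscript.exe"),
    _ev("ws-02", "https://hooks.slack.com/services/PLACEHOLDER", "svcupdate.exe", "C:\\Users\\alice\\AppData\\Local\\Temp", "wscript.exe"),
    _ev("ws-03", "api.openai.com", "chrome.exe", "C:\\Users\\bob\\Downloads", "explorer.exe"),
    _ev("ws-04", "api.openai.com", "approved-ai-integration.exe", "C:\\Program Files\\Vendor", "services.exe"),
    _ev("ws-05", "api.anthropic.com", "python.exe", "C:\\Program Files\\Python311", "explorer.exe"),
    _ev("ws-01", "www.example.com", "chrome.exe", "C:\\Program Files\\Google\\Chrome\\Application", "explorer.exe"),
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"{a.device}: {a.process} ({a.folder}) -> {a.host} score={a.score} {a.reasons}")
```

Run against the sample, the real browser on ws-01 and the baselined integration on ws-04 are silent, while the unknown binary in a temp folder with a non-interactive parent scores highest for both the AI API call and the webhook call, and the chrome.exe in a Downloads folder is still flagged because its path does not match any known install location.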

Conclusion

This proof of concept demonstrates how AI can be weaponized to create polymorphic, evasive malware that is capable of bypassing traditional antivirus defenses and blending into legitimate environments. The combination of AI-generated payloads, in-memory execution, and cloud-based exfiltration creates a powerful and stealthy attack chain.

For defenders, this presents a compelling challenge as static signatures alone are no longer sufficient. Detection strategies must now evolve to focus on behavioral indicators, network patterns, and code structure — even when that structure changes constantly.

AI is not just a tool for defenders — it is now a tool for attackers too. And that means the future of threat detection must be smarter and more adaptable than ever before.

About the Author

Liora Itkin is a Security Researcher currently working at CardinalOps, where she focuses on detection engineering and threat coverage optimization. She previously worked as a Security Researcher at Palo Alto Networks, in incident response at a leading MDR company, and in an intelligence unit—building a strong foundation in SOC operations and detection strategy. She is particularly interested in advancing detection methodologies and frequently collaborates with the security community through research and knowledge sharing.