Escalating Threat Trends in AI-Driven Malware Engineering and State-Aligned Abuse of LLM Capabilities
Google’s threat intelligence team uncovered PROMPTFLUX, an emerging VBScript-based malware family that calls Gemini’s API to regenerate its own code on demand. The script sends the model machine-parsable prompts asking for fresh obfuscation routines, aiming to bypass signature-based controls by changing its structure while it runs. Although the self-updating function is disabled in the sample, the surrounding telemetry and the logged AI responses confirm an effort to build a metamorphic engine that evolves over time. Other variants attempt full rewrites of the source on a timed schedule, which points to ongoing development rather than active deployment. The malware currently has no capability to compromise a host on its own, but its design signals a move toward automated evasion at scale. External researchers note that the actor’s assumptions about what an LLM can do are flawed, and some regenerative features may not work as intended. Even so, the direction of travel is clear: threat groups are experimenting with AI-driven automation to accelerate their tooling.

Google also documented broader misuse of Gemini by criminal and state-aligned actors across multiple regions. They use the model to build lure content, refine exploitation workflows, generate adaptable malware components, and speed up C2 development. Some evade guardrails by framing their requests as CTF exercises, talking the model past the safety refusals that would otherwise block operational support. Outputs obtained this way include ransomware prototypes, reverse shells, data miners, and credential-theft scripts. Chinese, Iranian, and North Korean clusters have all folded AI assistance into reconnaissance, phishing operations, and code development for espionage and financial gain, and North Korean groups have also adopted deepfake personas to push backdoors disguised as legitimate tools.
AI-backed tradecraft is becoming routine, and defenders should assume adversaries will scale these methods quickly. Signature matching on a script body will not survive a model-driven rewrite, so prioritize behavioral detection: script interpreters (wscript, cscript, PowerShell) making outbound calls to LLM API endpoints, script hosts launched from unusual parent processes, and any unexplained use of generative-AI APIs from endpoints, together with monitoring of the organization’s own AI integrations for prompt injection and other abuse.
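The following is an added example, not code from the original page or from Google’s report, showing the “script host talks to an LLM API” behavioral check in working form. It runs over a handful of constructed Sysmon-style events (Event ID 3 network connections and Event ID 22 DNS queries); the interpreter list and the API host list are assumptions to tune per environment, and generativelanguage.googleapis.com is the Gemini API host the page’s sample calls.

```python
"""Flag script interpreters that reach generative-AI API endpoints.

A self-rewriting script in the PROMPTFLUX mould has to call a hosted
model from the infected machine, so "script host -> LLM API hostname" is
a behavioural indicator that survives any rewrite of the script itself.
Events follow a trimmed Sysmon layout: Event ID 3 (network connection,
DestinationHostname) or Event ID 22 (DNS query, QueryName). The events,
host names and process list here are constructed for this example.
"""
from __future__ import annotations
import ntpath

# Interpreters that run attacker-delivered scripts (assumption: extend per estate).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe"}

# API hosts for hosted models. generativelanguage.googleapis.com serves the
# Gemini API; the other two are included as assumptions to show the pattern.
LLM_API_HOSTS = {
    "generativelanguage.googleapis.com",
    "api.openai.com",
    "api.anthropic.com",
}


def is_llm_host(hostname: str) -> bool:
    """Exact or subdomain match, tolerant of case and a trailing dot."""
    h = hostname.lower().rstrip(".")
    return any(h == api or h.endswith("." + api) for api in LLM_API_HOSTS)


def find_script_llm_egress(events: list[dict]) -> list[dict]:
    """Return one hit per event where a script host resolved or connected
    to an LLM API host. Browsers and ordinary applications are ignored;
    tuning, e.g. an allow-list of build servers, belongs in the caller."""
    hits = []
    for ev in events:
        exe = ntpath.basename(ev.get("Image", "")).lower()
        if exe not in SCRIPT_HOSTS:
            continue
        dest = ev.get("DestinationHostname") or ev.get("QueryName") or ""
        if not is_llm_host(dest):
            continue
        hits.append({
            "time": ev.get("UtcTime"),
            "computer": ev.get("Computer"),
            "user": ev.get("User"),
            "process": exe,
            "pid": ev.get("ProcessId"),
            "event_id": ev.get("EventID"),
            "dest": dest,
            "port": ev.get("DestinationPort"),
        })
    return hits


# Constructed telemetry: one browser call (expected), one update check from
# wscript (benign), and three script hosts talking to model APIs.
SAMPLE_EVENTS = [
    {"EventID": 3, "UtcTime": "2025-11-05 09:12:01", "Computer": "WS-042", "User": "CORP\\alice",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "ProcessId": 4120,
     "DestinationHostname": "generativelanguage.googleapis.com", "DestinationPort": 443},
    {"EventID": 3, "UtcTime": "2025-11-05 09:12:07", "Computer": "WS-042", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\wscript.exe", "ProcessId": 5316,
     "DestinationHostname": "generativelanguage.googleapis.com", "DestinationPort": 443},
    {"EventID": 3, "UtcTime": "2025-11-05 09:12:09", "Computer": "WS-042", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\wscript.exe", "ProcessId": 5316,
     "DestinationHostname": "ctldl.windowsupdate.com", "DestinationPort": 80},
    {"EventID": 3, "UtcTime": "2025-11-05 09:40:55", "Computer": "WS-017", "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ProcessId": 2210,
     "DestinationHostname": "api.openai.com", "DestinationPort": 443},
    {"EventID": 22, "UtcTime": "2025-11-05 10:03:14", "Computer": "WS-088", "User": "CORP\\carol",
     "Image": r"C:\Windows\SysWOW64\cscript.exe", "ProcessId": 7788,
     "QueryName": "GenerativeLanguage.googleapis.com."},
]

if __name__ == "__main__":
    for hit in find_script_llm_egress(SAMPLE_EVENTS):
        print(f"{hit['time']} {hit['computer']} {hit['user']} "
              f"{hit['process']}[{hit['pid']}] -> {hit['dest']}")
```

The DNS-query path (Event ID 22) matters because Event ID 3 only carries a hostname when Sysmon can resolve the destination address; matching on either field keeps the detection working when reverse lookups fail. Expect legitimate hits from developers running PowerShell against these APIs and handle them with a per-host or per-user allow-list rather than by loosening the rule.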
Curly COMrades Leveraging Hyper-V to Evade EDR
Curly COMrades has been observed using Windows’ built-in virtualization to install tiny Alpine Linux virtual machines on compromised hosts, then running custom backdoors and proxy tooling inside those hidden environments. The lightweight VMs host an ELF reverse shell, dubbed CurlyShell, and a proxy component, CurlCat, while other implants stay on the host to harvest credentials and maintain access. CurlyShell runs headless as a background process, polling a command-and-control server over HTTP for instructions and returning execution results, whereas CurlCat carries SSH traffic to the operators so they can move data in both directions. Analysis shows a pattern of repeated tool updates and modular implants, including a [.]NET agent for persistence, a credential harvester, and PowerShell-based remote execution, indicating sustained access rather than one-off intrusions. Bitdefender and Georgia’s national CERT link this activity to campaigns against Georgia and Moldova; the cluster has been active since late 2023 and is assessed as aligned with Russian interests.

Isolating the malicious code inside a VM materially reduces the effectiveness of host-focused detection: an endpoint agent on the Windows host cannot see the processes, files or sockets inside the guest, and with Hyper-V’s default NAT networking the guest’s traffic leaves from the host’s own IP address. By separating execution from the compromised Windows host, the actor keeps a foothold that evades common endpoint controls while still harvesting credentials and deploying remote-access implants, which enables longer dwell times and stealthy data movement. The campaign shows deliberate, sustained investment in operational resilience and adaptability, raising the risk to targeted organizations and to regional stability. Defenders should treat VM-hosted execution as a primary risk vector and assume adversaries will keep refining this approach to retain a covert presence.
Immediately inventory where the Hyper-V role is enabled and disable it on systems where it is not required; alert on the role being enabled, on the vmms (Hyper-V Virtual Machine Management) service starting, and on new .vhd/.vhdx files appearing on endpoints that have no business running virtualization; implement network-layer detection for anomalous outbound HTTP polling and for SSH tunnelled inside HTTP; and strengthen endpoint hygiene by isolating privileged accounts, enforcing multi-factor authentication, and rotating credentials promptly when suspicious activity is detected.
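As an added example (not from the original page, Bitdefender or Microsoft), the Hyper-V inventory step above in working form: a PowerShell collector wrapped in Python so the pure assessment function can also be run over inventory exported from many hosts. The expected-hosts and known-VM allow-lists, the hostnames, the sample inventory and the small-memory threshold are assumptions for this example.

```python
"""Inventory Hyper-V on a Windows host and flag unexpected VMs.

collect() shells out to PowerShell for the Hyper-V optional-feature state
and the VM list; assess() is pure so the same logic can run over
inventory exported from many hosts. The expected-hosts and known-VM
allow-lists, the hostnames and the sample inventory are constructed for
this example; the memory threshold is a heuristic.
"""
from __future__ import annotations
import json
import subprocess

# Runs as an administrator. On Windows Server, Get-WindowsFeature Hyper-V
# is the equivalent feature query.
PS_INVENTORY = r"""
$feat = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V
$vms = @()
if ($feat.State -eq 'Enabled' -and (Get-Command Get-VM -ErrorAction SilentlyContinue)) {
  foreach ($vm in Get-VM) {
    $disks = @(Get-VMHardDiskDrive -VMName $vm.Name | ForEach-Object { $_.Path })
    $vms += @{ Name = $vm.Name; State = [string]$vm.State;
               MemoryMB = [int]($vm.MemoryStartup / 1MB); Disks = $disks }
  }
}
@{ HyperV = [string]$feat.State; VMs = @($vms) } | ConvertTo-Json -Depth 4
"""

SMALL_VM_MB = 512   # heuristic: the Alpine guests in this campaign were tiny


def collect() -> dict:
    """Run the PowerShell inventory on the local host and parse its JSON."""
    out = subprocess.run(
        ["powershell.exe", "-NoProfile", "-NonInteractive", "-Command", PS_INVENTORY],
        capture_output=True, text=True, check=True).stdout
    return json.loads(out)


def assess(host: str, inventory: dict, expected_hyperv_hosts, known_vms) -> list[dict]:
    """Findings for one host. known_vms holds (host, vm_name) pairs that are
    sanctioned; expected_hyperv_hosts lists machines allowed to run the role."""
    findings = []
    enabled = inventory.get("HyperV") == "Enabled"
    vms = inventory.get("VMs") or []
    if isinstance(vms, dict):          # ConvertTo-Json collapses single-item arrays
        vms = [vms]
    if enabled and host not in expected_hyperv_hosts:
        findings.append({
            "host": host, "type": "hyperv-not-expected",
            "severity": "high" if vms else "medium",
            "detail": f"role enabled, {len(vms)} VM(s) defined",
        })
    for vm in vms:
        if (host, vm["Name"]) in known_vms:
            continue
        running = vm.get("State") == "Running"
        tiny = vm.get("MemoryMB", 0) <= SMALL_VM_MB
        findings.append({
            "host": host, "type": "unknown-vm",
            "severity": "high" if running or tiny else "medium",
            "detail": (f"{vm['Name']} state={vm.get('State')} "
                       f"mem={vm.get('MemoryMB')}MB disks={vm.get('Disks')}"),
        })
    return findings


# Constructed inventory for a workstation that should not be running Hyper-V.
SAMPLE_INVENTORY = {
    "HyperV": "Enabled",
    "VMs": [{"Name": "svc-vm", "State": "Running", "MemoryMB": 256,
             "Disks": [r"C:\Users\Public\vm\disk.vhdx"]}],
}

if __name__ == "__main__":
    import socket
    host = socket.gethostname().upper()
    for f in assess(host, collect(), expected_hyperv_hosts=set(), known_vms=set()):
        print(f"[{f['severity']}] {f['host']} {f['type']}: {f['detail']}")
```

Where the role is not needed, `Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -NoRestart` removes the platform and its management tools; collect the VHD paths first so the guest disks can be preserved for forensics rather than deleted with the role.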
ValleyRAT: Targeted Windows RAT Employing Geofencing, Privilege Escalation, and Anti-Analysis Measures
ValleyRAT is a modular Windows remote-access trojan delivered through a four-stage chain (downloader, loader, injector, and payload) built for precise, high-confidence targeting of Chinese-language users and organizations. The campaign emphasizes stealth through in-memory decryption and living-off-the-land execution, using trusted system binaries such as MSBuild[.]exe to run malicious components under the cover of legitimate processes. Before running its payload, ValleyRAT performs an environmental gate check by probing the registry for WeChat and DingTalk entries; if neither is present it terminates immediately and shows a staged error message, a sign of deliberate geographic and audience selection rather than opportunistic compromise. The malware prevents duplicate instances with a named mutex and keeps a low forensic footprint through transient execution and selective persistence. Taken together, these behaviors mean a ValleyRAT detection is a strong indicator of a targeted intrusion rather than a commodity infection.

Once active, ValleyRAT moves quickly to elevate and take control: it exploits several User Account Control (UAC) bypasses and adjusts its token to obtain SeDebugPrivilege, which lets it open and terminate higher-integrity processes. It then degrades endpoint defenses systematically by terminating a broad set of antivirus and host-protection processes, removing security vendors’ autostart entries, and running CPUID checks to detect virtualized analysis environments. Overall, ValleyRAT demonstrates sustained operator investment in evasion, escalation, and targeted operational security, raising the threat level for exposed organizations.
Treat ValleyRAT alerts as targeted intrusions and respond with incident hunting focused on the registry and process indicators above; block or tightly control MSBuild and other developer utilities on machines that do not build software; enforce application allowlisting and restrict the Debug programs user right (SeDebugPrivilege) to the accounts that genuinely need it; monitor for anomalous outbound polling and randomized beaconing; alert on changes to Run keys and other startup locations, including deletions of security vendors’ entries; accelerate credential rotation and multifactor authentication for privileged accounts; and deploy EDR tuned for in-memory execution and living-off-the-land techniques.
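The outbound-polling detection recommended here and in the Curly COMrades guidance above (CurlyShell polling its C2 over HTTP, ValleyRAT’s randomized beaconing) as an added example, not code from the original page or from any vendor report: it scores each source/destination pair by how regular the gaps between its connections are, so that both fixed-interval polling and jittered beaconing stand out against human-driven traffic. The thresholds, the minimum sample count and the connection records are constructed assumptions to tune per environment.

```python
"""Detect periodic outbound polling (fixed or jittered) in connection logs.

CurlyShell polls its C2 over HTTP on a schedule and ValleyRAT randomises
its beacon interval; both still produce inter-connection intervals that
cluster far more tightly than interactive traffic. Each (source,
destination) pair is scored by the coefficient of variation (CV) of the
intervals between its connections. Thresholds and the sample records are
constructed for this example and should be tuned per environment.
"""
from __future__ import annotations
import statistics
from collections import defaultdict

MIN_CONNECTIONS = 8   # need enough samples for the CV to mean anything
FIXED_CV = 0.10       # near-constant interval: classic sleep-based polling
JITTER_CV = 0.50      # randomised sleep, still far tighter than browsing


def _intervals(timestamps):
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def classify(intervals):
    """('fixed-interval'|'jittered', cv) or None when the gaps look organic."""
    if len(intervals) + 1 < MIN_CONNECTIONS:
        return None
    mean = statistics.fmean(intervals)
    if mean <= 0:
        return None
    cv = statistics.pstdev(intervals) / mean
    if cv < FIXED_CV:
        return "fixed-interval", cv
    if cv < JITTER_CV:
        return "jittered", cv
    return None


def find_beacons(records, allow_dest=()):
    """records: iterable of (timestamp_seconds, src, dst). Returns a dict
    keyed by (src, dst) for pairs whose connection cadence looks automated."""
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        if dst in allow_dest:            # sanctioned pollers: update servers etc.
            continue
        by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, ts in by_pair.items():
        iv = _intervals(ts)
        res = classify(iv)
        if res:
            kind, cv = res
            hits[pair] = {"kind": kind, "cv": round(cv, 3),
                          "mean_interval": round(statistics.fmean(iv), 1),
                          "n": len(ts)}
    return hits


def _series(src, dst, start, intervals):
    """Build connection records from a start time and a list of gaps."""
    t, out = start, [(start, src, dst)]
    for iv in intervals:
        t += iv
        out.append((t, src, dst))
    return out


# Constructed records: a 60 s poller, a jittered beacon, a browsing session
# and a sanctioned 5-minute update check, interleaved as a real log would be.
SAMPLE_CONNECTIONS = sorted(
    _series("10.0.0.5", "203.0.113.10", 1_700_000_000, [60.0] * 11)
    + _series("10.0.0.7", "198.51.100.8", 1_700_000_000, [48, 71, 55, 66, 60, 74, 45, 63, 52, 69])
    + _series("10.0.0.9", "example.com", 1_700_000_000, [0.4, 1.2, 0.3, 900, 2.1, 0.7, 3500, 1.5, 60, 0.9])
    + _series("10.0.0.5", "updates.corp.example", 1_700_000_000, [300.0] * 11)
)

if __name__ == "__main__":
    for (src, dst), info in find_beacons(SAMPLE_CONNECTIONS, {"updates.corp.example"}).items():
        print(f"{src} -> {dst}: {info['kind']} every ~{info['mean_interval']}s "
              f"(cv={info['cv']}, n={info['n']})")
```

Feed it proxy, firewall or Zeek conn records keyed on destination host rather than IP where the C2 sits behind a CDN, and run it over windows of a few hours; a beacon that sleeps for a day will need a longer window and a lower minimum count. The CV threshold for jittered traffic is deliberately generous because a ±30% sleep randomisation only lifts the CV to roughly 0.15 to 0.2.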
CISA Flags Active Exploitation of Critical CWP Command Execution Vulnerability
CISA has warned that attackers are abusing a critical remote command execution flaw in CentOS Web Panel (CWP), adding the issue to its Known Exploited Vulnerabilities (KEV) catalog and requiring federal agencies to remediate by November 25. The vulnerability, tracked as CVE-2025-48703, lets an unauthenticated attacker run arbitrary shell commands as any existing panel user on a targeted instance. It stems from the file manager’s changePerm endpoint accepting requests without confirming a valid user session and then passing an unsanitized permission parameter into a shell command. Research published in June showed how a crafted POST request triggers the injection and opens a reverse shell on CentOS 7 systems running affected versions. Releases up to and including 0.9.8.1204 are vulnerable; the vendor fixed the issue in 0.9.8.1205 in mid-June following responsible disclosure.

CISA has not shared details of the current exploitation activity, but the listing indicates real-world abuse and raises the urgency for users who rely on CWP as a free alternative to commercial hosting panels. The KEV directive binds only federal entities, but the catalog is a reliable signal for every organization to prioritize patching and, where a fix cannot be applied, to take the product offline. The CWP flaw combines three recurring weaknesses (a missing authentication check, unvalidated input, and command construction through a shell) that together let an attacker pivot rapidly once an instance is exposed. Environments that depend on hosting panels, file-sharing services, or remote-access platforms should expect increased scanning and exploitation attempts as proof-of-concept code circulates; administration interfaces reachable from the internet carry the greatest risk, and organizations that delay patching them are the most likely to be compromised.
Patch affected CWP instances to version 0.9.8.1205 or later, restrict panel access to trusted networks (a VPN or firewall allowlist rather than direct internet exposure), enforce authentication controls, and monitor web-server logs for anomalous POST requests to file-manager endpoints; apply the latest CentreStack and Triofox updates; and continuously track CISA’s KEV catalog as a priority list for rapid remediation across all exposed infrastructure.
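An added example of the log monitoring and version gating recommended above; it is not code from the original page, from CWP or from the June research. It triages constructed Apache-style access-log lines for POSTs to the changePerm handler that come from outside the trusted networks, flags shell metacharacters leaking into the query string, and compares an installed version against the fixed build. The per-user URL layout with module/acc query parameters, the trusted ranges, the parameter name in the last sample line and the log lines themselves are assumptions for this example.

```python
"""Triage access logs for CWP file-manager changePerm requests and gate on
the fixed version.

Access logs carry the request line but not the POST body, so the injected
permission value itself is usually invisible here. What the log can show
is a POST to the changePerm handler from outside the networks the panel
should be restricted to, shell metacharacters that leak into the query
string, and the status the server returned. The log lines, trusted ranges
and URL layout are constructed for this example.
"""
from __future__ import annotations
import ipaddress
import re

FIXED_VERSION = (0, 9, 8, 1205)   # first CWP release with the fix

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Raw or URL-encoded ; | ` $( and newline: enough to chain a second command.
SHELL_META = re.compile(r'[;|`]|\$\(|%3b|%7c|%60|%24%28|%0a', re.I)


def is_vulnerable(version: str) -> bool:
    """True for any release older than the fixed build (tuple comparison)."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts < FIXED_VERSION


def triage(lines, trusted_cidrs):
    """Return findings for changePerm POSTs that an operator should look at."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or "changeperm" not in m["target"].lower():
            continue
        src = ipaddress.ip_address(m["ip"])
        reasons = []
        if not any(src in n for n in nets):
            reasons.append("untrusted-source")
        if SHELL_META.search(m["target"].partition("?")[2]):
            reasons.append("shell-metachar-in-query")
        if not reasons:
            continue      # trusted operator, clean query: expected use
        status = int(m["status"])
        findings.append({
            "ip": m["ip"], "time": m["ts"], "target": m["target"], "status": status,
            "reasons": reasons,
            # a 200 to an untrusted caller means the handler ran for them
            "severity": "high" if status == 200 and "untrusted-source" in reasons else "medium",
        })
    return findings


TRUSTED = ["10.0.0.0/8", "192.0.2.0/24"]

# Constructed lines: an admin on the trusted range, an outside scanner that
# got a 200 from changePerm, and a noisy attempt with ';' in the query.
SAMPLE_LOG = [
    '192.0.2.15 - - [20/Jun/2025:10:01:02 +0000] "POST /alice/index.php?module=filemanager&acc=changePerm HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.77 - - [20/Jun/2025:10:05:41 +0000] "GET /alice/index.php?module=filemanager HTTP/1.1" 302 0 "-" "python-requests/2.32"',
    '198.51.100.77 - - [20/Jun/2025:10:05:43 +0000] "POST /alice/index.php?module=filemanager&acc=changePerm HTTP/1.1" 200 0 "-" "python-requests/2.32"',
    '203.0.113.9 - - [21/Jun/2025:03:17:55 +0000] "POST /bob/index.php?module=filemanager&acc=changePerm&t=644;id HTTP/1.1" 500 0 "-" "curl/8.5"',
]

if __name__ == "__main__":
    print("installed 0.9.8.1204 vulnerable:", is_vulnerable("0.9.8.1204"))
    for f in triage(SAMPLE_LOG, TRUSTED):
        print(f"[{f['severity']}] {f['time']} {f['ip']} {f['status']} {f['target']} {f['reasons']}")
```

Because the real injection travels in the POST body, treat an untrusted-source hit as sufficient on its own and do not wait for metacharacters to appear; if the panel sits behind a WAF or ModSecurity, enable audit logging of request bodies for the file-manager paths so the injected value can be recovered during incident response.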