A threat actor, likely associated with TA547, has deployed an AI-generated PowerShell script in a targeted email campaign aimed at organizations in Germany. This campaign delivered the Rhadamanthys info stealer, showcasing the actor’s history of disseminating various malware for Windows and Android systems. The meticulously commented PowerShell script, suspected to be generated by a large language model like ChatGPT, Gemini, or CoPilot, demonstrates an unprecedented level of sophistication in malicious code composition.
Researchers note the uncommon clarity and grammar perfection in the script’s comments, characteristics typically absent in human-authored code. Furthermore, experiments with ChatGPT-4 produced similar PowerShell scripts, corroborating the likelihood of AI involvement in generating the malicious code. The emergence of AI in malicious activities underscores the evolving tactics employed by threat actors, who leverage generative AI to bolster the complexity and efficacy of their attacks.
Beyond this incident, financially motivated threat actors have been utilizing AI power for a range of malicious activities, including crafting customized phishing emails and building highly credible phishing pages. Some nation-state actors, particularly from China, Iran, and Russia, have also turned to generative AI to enhance productivity in researching targets and evading detection. While large language models attempt to restrict output that could be used for malicious purposes, threat actors have resorted to launching their own AI chat platforms for cybercriminals, posing significant challenges to cybersecurity efforts.
