CyberPulse Daily | #1 Trusted Source for Cybersecurity News

Generative AI Used to Create Polymorphic Malware That Evades All Major Antivirus Products

Researchers at Hyas Labs have published a proof-of-concept demonstrating that generative AI can be used to create polymorphic malware capable of automatically rewriting its own code on each execution to evade detection by all major antivirus and endpoint detection and response (EDR) products tested.

The proof-of-concept, called "BlackMamba 2.0," uses a locally hosted open-source large language model to generate a unique variant of its payload each time it executes. The AI component is given the malware's intended functionality and produces code that is semantically equivalent but syntactically different on every run, evading both signature-based and behavioral detection.

In testing against 15 major security products, including CrowdStrike Falcon, Microsoft Defender, SentinelOne, and Carbon Black, BlackMamba 2.0 achieved a 100% evasion rate for the first 72 hours and still evaded detection in over 85% of cases after 30 days, during which vendors had developed signatures against it.

The researchers responsibly disclosed their findings to all affected vendors and are working with them to develop detection strategies. Key recommendations include monitoring for unusual LLM inference activity on endpoints, implementing application whitelisting, and deploying memory-based detection techniques.

"This research isn't about creating weapons — it's about understanding the threat landscape so we can build better defenses," said lead researcher David Katz. "The security industry needs to prepare for a world where malware can rewrite itself using AI."
