Pierluigi Paganini
September 22, 2025
SentinelLABS researchers discovered MalTerminal, the earliest known LLM-enabled malware, which generates malicious logic at runtime, making the detection more complex. Researchers identified it via API key patterns and prompt structures, uncovering new samples and other offensive LLM uses, such as people search agents, red team tools, and LLM-assisted vulnerability injection utilities.
SentinelLABS presented MalTerminal at the LABScon 2025 security conference.
Researchers analyzed how threat actors integrate LLMs into malware development and the challenges this poses for defenders. Unlike traditional threats, LLM-enabled malware can generate code dynamically, making detection harder. The experts warn that attackers can exploit LLMs in several ways: lures via fake AI tools, attacks on LLM-integrated apps, manual refinement of LLM-generated malware, “hacking sidekick” uses for phishing or coding, and embedding LLMs directly into malware for operational advantage.
SentinelOne mentions PromptLock, LameHug/PROMPTSTEAL as notable cases of LLM-enabled malware.
The PromptLock malware uses the gpt-oss:20b model from OpenAI locally via the Ollama API to generate malicious Lua scripts on the fly and execute them. LAMEHUG uses LLM Qwen 2.5-Coder-32B-Instruct via the huggingface[.]co service API to generate commands based on statically entered text (description).
Qwen 2.5-Coder-32B-Instruct is a large open-source language model developed by Alibaba’s Qwen team, specifically optimized for coding tasks. The malware gathers system info and searches for Office, PDF, and TXT files in common folders. It stores the data locally, then exfiltrates it via SFTP or HTTP POST.
These samples show defenders face malware that generates logic at runtime, complicating signature detection. However, attackers rely on built-in prompts and API keys, which give the malware power but also make it fragile if those keys are revoked.
Researchers hunted LLM-enabled malware by targeting these dependencies, API keys and prompts. Since most threat actors use commercial LLM services, malware must embed identifiable keys and structured prompts. They used YARA rules to detect provider-specific key patterns, uncovering over 7,000 samples (mostly non-malicious leaks, but some linked to real malware). They also searched binaries for hardcoded prompts, using LLM classifiers to flag malicious intent.
“Hunting for prompts also led us to discover a multitude of offensive tools leveraging LLMs for some operational capability.” reads the report published SentinelLabs. “We were able to identify prompts related to agentic computer network exploitation, shellcode generators and a multitude of WormGPT copycats.”
This dual approach is highly effective, allowing the researchers to uncover previously unknown LLM-enabled tools, including a suite we have named MalTerminal.
MalTerminal (compiled Python -> MalTerminal.exe) calls OpenAI GPT-4 to generate ransomware or a reverse shell on demand; it embeds a deprecated chat API, pointing to an early development date. Researchers also found Python loaders (testAPI.py, TestMal2.py) that offer operator menus, plus brittle “FalconShield” scanners (TestMal3.py/Defe.py) that ask GPT to label code as malicious.
The experts found no evidence that these tools saw real-world deployment, the authors may have built PoC or red-team utilities. Prompt-hunting revealed many offensive LLM uses:
“Although the use of LLM-enabled malware is still limited and largely experimental, this early stage of development gives defenders an opportunity to learn from attackers’ mistakes and adjust their approaches accordingly. We expect adversaries to adapt their strategies, and we hope further research can build on the work we have presented here.” concludes the report.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, LLM-enabled malware)
