How Attackers are Using AI to Generate Malware

The HP threat research team uncovered a large-scale, sophisticated ChromeLoader campaign distributed via malvertising. This campaign lures victims to download professional-looking, fake PDF tools. Additionally, the team observed attackers embedding malicious code into SVG images, a novel approach to bypass traditional defenses.“Speculation about attackers using artificial intelligence has been widespread, but concrete evidence has been limited until now. This discovery is significant,” says Patrick Schläpfer, Principal Threat Researcher at HP Security Lab. “Attackers typically conceal their methods, so the transparency in this case suggests that an AI assistant helped generate the code. These capabilities lower the entry barrier for threat actors, enabling even users without programming skills to develop infection chains, write scripts, and launch increasingly sophisticated attacks.”

Malware Development "In the Wild"

Cybercriminals are already exploiting generative AI to craft convincing phishing lures. However, until now, there has been little evidence that AI tools were being used to write malicious code. HP’s team identified a campaign targeting French-speaking users, employing both VBScript and JavaScript—code that the researchers believe was generated using AI.The scripts’ structure, comments explaining each line, and the choice of function names and language variables all indicate AI involvement. This attack delivers the AsyncRAT malware, a widely available infostealer that records victims’ keystrokes and screens. This demonstrates how generative AI can lower the technical barriers for cybercriminals, making it easier to launch attacks.

Sophisticated Malvertising Campaigns

ChromeLoader campaigns are becoming increasingly sophisticated, using malvertising for popular search terms to lure users to polished websites offering functional tools like PDF readers and converters. These tools, while seemingly legitimate, hide malicious code within MSI files. Attackers use valid code-signing certificates to bypass Windows security policies and suppress user warnings, increasing the likelihood of infection. Once installed, these fake applications allow attackers to take over the victim’s browser, redirecting search queries to websites under their control.

Hidden Malware in SVG Images

Some attackers are taking a different approach by embedding malware into SVG (Scalable Vector Graphics) files instead of traditional HTML. SVGs, commonly used in graphic design, rely on an XML-based format that can automatically open in browsers. When a victim views an SVG image, any embedded JavaScript is executed, leading to the installation of multiple types of infostealer malware. While the victim thinks they’re merely viewing an image, they are actually interacting with a complex file capable of launching a malware infection.

The Threat Insights Report highlights how attackers are diversifying their methods to evade security tools and policies.

Evasive Email Threats

• HP Sure Click identified that 12% of email threats bypassed one or more email gateway scanners, the same percentage as in the previous quarter.
• Email attachments accounted for 61% of threats, followed by browser downloads (18%) and other vectors like removable media (21%).
• Archives were the most common malware distribution method (39%), with ZIP files representing 26% of those archives.