TechRadar
Sead Fadilpašić

This new PowerShell malware looks like it was written by AI


Proofpoint claims to have uncovered evidence of how hackers might use generative AI to create malicious code quickly and efficiently.

The company's researchers published a new report on TA547, a financially motivated threat actor that usually operates as an initial access broker (IAB), grabbing login credentials from victims, and then selling them on the dark web to the highest bidder.

This group recently started targeting German organizations with an email phishing campaign delivering the Rhadamanthys malware. In the campaign, they impersonated the German retail company Metro and sent messages related to invoices. The emails carried a password-protected ZIP file whose contents, if executed, launched PowerShell to fetch and run a remote PowerShell script.

"Typical output"

This script decoded the Rhadamanthys malware stored in a variable and loaded it directly into memory. It is also this script that the researchers believe could have been written by generative AI.

Apparently, the PowerShell script included a pound sign followed by grammatically correct and hyper-specific comments above each component of the script, which is a "typical output of LLM-generated coding content".

This doesn’t change anything when it comes to defenses, the researchers further explained. The mechanisms against these threats remain the same.
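As an added example (it is not from the article or from Proofpoint's report), the following Python heuristic shows how a defender could triage PowerShell scripts for the two traits described above: a decode-from-variable-and-load-into-memory pattern, and a '#' comment above nearly every statement. The two sample scripts, the indicator names, the regular expressions and the comment-density threshold are all constructed assumptions; the point is that the alert fires on the in-memory loading behaviour, while the comment style is only corroborating context, which matches the observation that defenses do not change.

```python
import re

# Constructed sample that mimics the described traits (not the TA547 script):
# a per-statement '#' comment, a payload held in a variable, decoded, and
# loaded straight into memory. The base64 string is a harmless placeholder.
SUSPECT_SCRIPT = """\
# Store the base64-encoded payload in a variable for later decoding
$encoded = "QUJD"
# Decode the base64 string into a byte array
$bytes = [System.Convert]::FromBase64String($encoded)
# Load the decoded bytes as an assembly directly into memory
$asm = [System.Reflection.Assembly]::Load($bytes)
# Invoke the entry point of the loaded assembly
$asm.EntryPoint.Invoke($null, $null)
"""

# Constructed benign admin script in the usual terse style, with no comments.
BENIGN_SCRIPT = """\
Get-ChildItem -Path C:\\Logs -Filter *.log | Where-Object { $_.Length -gt 1MB } | Remove-Item
Write-Host "cleanup done"
"""

# Indicator names and patterns are assumptions chosen for this example.
IN_MEMORY_PATTERNS = [
    ("base64_decode", r"FromBase64String"),
    ("reflective_assembly_load", r"\[System\.Reflection\.Assembly\]::Load\b"),
    ("invoke_expression", r"\bInvoke-Expression\b|\biex\b"),
    ("remote_script_fetch", r"DownloadString|Invoke-WebRequest|Net\.WebClient"),
]

# Assumed threshold: a comment for (almost) every statement.
COMMENT_PER_STATEMENT_RATIO = 0.9


def analyze(script: str) -> dict:
    """Score one PowerShell script and return the indicators found."""
    lines = [ln.strip() for ln in script.splitlines() if ln.strip()]
    comments = [ln for ln in lines if ln.startswith("#")]
    code = [ln for ln in lines if not ln.startswith("#")]
    comment_ratio = len(comments) / len(code) if code else 0.0

    hits = sorted(
        name for name, rx in IN_MEMORY_PATTERNS if re.search(rx, script, re.IGNORECASE)
    )

    return {
        "comment_ratio": round(comment_ratio, 2),
        # Stylistic trait only: never the sole reason to alert.
        "commented_per_statement": comment_ratio >= COMMENT_PER_STATEMENT_RATIO,
        "in_memory_indicators": hits,
        # The alert keys on behaviour (decode + load in memory), not on style.
        "flag": bool(hits),
    }


if __name__ == "__main__":
    for label, script in (("suspect", SUSPECT_SCRIPT), ("benign", BENIGN_SCRIPT)):
        print(label, analyze(script))
```

The `commented_per_statement` field is reported alongside the behavioural indicators so an analyst can see the LLM-style trait without it ever triggering an alert on its own; a well-commented admin script must not be flagged, and a sparsely commented loader must still be.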

TA547 has been active for a few years now, usually delivering the NetSupport RAT. However, the group has also been observed dropping StealC and Lumma Stealer. They mostly target firms in Germany, Austria, and Switzerland, with Spain and the U.S. being notable mentions.

Ever since their inception, security researchers have warned about generative AI tools and their place in every hacker's tech stack. To tackle the problem, the tools' developers placed roadblocks preventing the creation of malicious content. However, crooks have so far been successful in working around these safeguards.
