# AI-powered malware: How adversaries attack and how to defend

**Threat Intelligence**

A breakdown of how adversaries use AI to write, mutate, and deploy malware, including real-world examples and what behavioral detection needs to catch.

![Nivedhitha author image](https://www.manageengine.com/ems/images/tools/employee/nivedhitha.jpeg)

**Nivedhitha** · Product Specialist, ManageEngine  
Published April 21, 2026 · Updated May 22, 2026 · 9 min read

Writing malware used to require skill. Delivering it convincingly required even more. AI is dismantling both requirements and the attacks showing up on enterprise networks today reflect that.

This article breaks down exactly how attackers are using AI to create, adapt, and deploy malware and what that means for the security tools trying to stop them.

## What does "AI-generated malware" actually mean?

Before getting into attack methods, it helps to be precise about what AI is and isn’t doing in this context.

AI-generated malware doesn’t mean a machine autonomously decided to attack your network. It means attackers are using AI tools primarily large language models (LLMs), generative code tools, and machine learning frameworks to accelerate and enhance specific parts of the [malware development and delivery process](https://www.manageengine.com/malware-protection/articles/malware-attack.html).

**Definition**

AI-generated malware refers to malicious code that was written, modified, or optimised with the assistance of AI tools, rather than being hand-crafted entirely by a human attacker.

The distinction matters because it shapes how defences need to respond. The threat isn’t a single all-powerful AI attacker it’s a pipeline of AI-assisted techniques applied at different stages of an attack.

## Five ways attackers are using AI to build and deploy malware

### 1. Writing functional malware code with LLMs

The most direct application: using AI code generation tools to write malicious scripts.

General-purpose LLMs like ChatGPT, Claude, and their open-source equivalents have guardrails against generating malware outright. But attackers have found consistent workarounds, including jailbreaking prompts, fine-tuning open-source models on malware codebases, or simply asking for "penetration testing" scripts with minimal safety filtering.

**Real-world incident**

In 2023, researchers at Check Point demonstrated that ChatGPT could be prompted to produce a functional infostealer, a type of malware that harvests credentials, browser data, and clipboard contents, using a chain of carefully worded requests that avoided triggering refusals. The code wasn’t polished, but it was functional.

For attackers with limited coding skills, this is transformative. Writing a working keylogger or remote access trojan (RAT) used to require months of learning. With AI assistance, the barrier is now much lower.

**What this enables:**

- Rapid prototyping of novel malware variants
- Lower-skill attackers writing code that would previously have been out of reach
- Faster iteration when defenders detect and block a variant

### 2. Polymorphic malware that rewrites itself

[Polymorphic malware](https://www.manageengine.com/malware-protection/articles/polymorphic-malware.html) isn’t new. It’s been around since the early 1990s. What’s new is how AI makes it significantly more effective.

Traditional polymorphic malware mutated its code using predefined rules, changing enough syntax to avoid [signature-based detection](https://www.manageengine.com/malware-protection/articles/malware-detection.html) while preserving its underlying behavior. AI-driven polymorphism takes this further. LLMs can rewrite malware logic in ways that are semantically equivalent but structurally unrecognizable, generating variations that don’t follow predictable mutation patterns.

**Definition**

Polymorphic malware changes its code structure with each iteration while keeping its core functionality intact, making signature-based detection ineffective against new variants.

**Real-world incident**

In early 2024, security researchers at Cybereason analyzed a sample they attributed to a financially motivated threat group that appeared to use an LLM to rewrite shellcode payloads between deployments. Each variant had different function names, variable structures, and obfuscation logic, but identical execution behavior. Traditional AV flagged none of them on first encounter.

For defenders, the implication is significant: signature-based detection alone can’t keep up. A tool generating dozens of variants per day will exhaust any signature library.

### 3. AI-powered phishing as the delivery mechanism

Malware doesn’t deliver itself. It relies on users clicking links, opening attachments, or being socially engineered into running something they shouldn’t. This is where AI has had arguably its most immediate impact.

LLMs can generate phishing emails that are grammatically perfect, contextually personalized, and psychologically tuned. What used to be detectable by poor grammar and generic templates is now indistinguishable from legitimate communication.

**Spear phishing at scale:** Previously, spear phishing, which involves targeted attacks using personal details about the victim, was resource-intensive. Attackers had to research each target manually. AI tools can now ingest publicly available data (LinkedIn profiles, company websites, press releases) and generate highly personalized lures in seconds.

**Real-world incident**

A 2023 FBI and CISA joint advisory noted a sharp increase in business email compromise (BEC) attacks that appeared to use AI-generated content. Several incidents involved emails that accurately referenced recent company events, used the target’s name and role correctly, and mimicked the communication style of known colleagues, all hallmarks of AI-assisted generation rather than manual crafting.

Malware delivered via phishing, including malicious attachments, credential harvesting links, and drive-by downloads, benefits directly from this improvement in lure quality.

### 4. Automated vulnerability discovery and exploitation

Finding exploitable weaknesses in software is painstaking work. AI is starting to automate significant portions of this process.

Fuzzing, the technique of bombarding an application with unexpected inputs to find crashes and vulnerabilities, has traditionally been computationally expensive and slow. AI-assisted fuzzing tools can learn which inputs are most likely to expose weaknesses, dramatically accelerating the discovery process.

More concerning is the use of LLMs to analyze public vulnerability disclosures and automatically generate proof-of-concept exploit code. When a CVE drops, the window between publication and weaponization used to be days or weeks. AI-assisted exploit development is compressing that window.

**Definition**

Exploit code is software specifically written to take advantage of a vulnerability in another program, typically to gain unauthorized access or execute arbitrary commands.

**Traditional vs. AI-assisted vulnerability exploitation**

| Stage | Traditional approach | AI-assisted approach |
|---|---|---|
| Vulnerability discovery | Manual code review / basic fuzzing | AI-guided fuzzing, automated code analysis |
| Time to working exploit | Days to weeks | Hours to days |
| Skill required | High (experienced exploit developer) | Moderate (guided by AI tooling) |
| Scale | Limited by human capacity | Near-unlimited iteration |
| Detection evasion | Manual obfuscation | AI-generated obfuscation variations |

### 5. Evasion techniques trained on defender behavior

Perhaps the most sophisticated application is using machine learning to help malware evade detection systems by training against those systems directly.

Security researchers have documented a technique called adversarial ML attacks on AV: attackers modify malware samples in small ways, tweaking byte patterns, adding benign-looking code sections, adjusting timing behavior, and test them against publicly available [malware scanners](https://www.manageengine.com/malware-protection/articles/malware-detection.html). Over many iterations, the malware "learns" which modifications cause it to be flagged and which don’t.

This is essentially using the defender’s own detection logic as a training signal to make malware harder to catch.

**Real-world incident**

A 2022 paper from researchers at the University of Maryland demonstrated that by applying adversarial perturbations to malware binaries, changes invisible to a human analyst but meaningful to an ML classifier, they could reduce detection rates by commercial antivirus products from over 90% to under 20% without altering the malware’s functional behavior.

## The threat landscape in practice: who is using these techniques?

It’s worth being clear about who is actually deploying AI-assisted malware today, because the picture is more nuanced than "every attacker has an AI superweapon."

**Cybercrime-as-a-service operators** are using AI primarily for phishing content generation and polymorphic payload generation. The commoditization of these capabilities, sold on dark web forums as services, means even low-skill attackers benefit.

**Script kiddies and opportunistic attackers** are using jailbroken LLMs and public tools to generate basic malware. The quality is lower, but the volume is higher.

The net effect: the overall volume of attacks is increasing, the average quality of attack artifacts is improving, and the minimum skill floor to launch a meaningful attack is dropping.

## What AI-generated malware means for your defenses

Signature-based detection struggles against AI-generated threats for a straightforward reason: if every variant looks different, there’s no stable signature to match.

Effective defense against AI-assisted malware requires a shift toward [behavior-based detection](https://www.manageengine.com/malware-protection/real-time-threat-detection.html), monitoring what code does rather than what it looks like.

## Key defensive capabilities that matter:

- **Behavioral analysis:** Flagging processes that attempt suspicious system calls, spawn unusual child processes, or exfiltrate data, regardless of their code signature
- **Heuristic detection:** Identifying code patterns and structures associated with malicious intent, even in previously unseen samples
- **Real-time threat intelligence:** Keeping pace with newly emerging variants through continuously updated threat feeds
- **Endpoint-level monitoring:** Catching malware at execution time, when behavior becomes observable, rather than relying solely on [pre-execution scanning](https://www.manageengine.com/malware-protection/malware-scanning-and-forensic.html)

## To sum it up

AI hasn’t invented new categories of malware. Infostealers, RATs, polymorphic viruses, and exploit-based attacks all predate LLMs. What AI has done is make these attacks faster to develop, harder to detect, and accessible to a broader range of attackers.

For security teams, the practical response is to audit whether current tools are equipped for behavior-based detection, not just signature matching. The threat landscape isn’t waiting for defenders to catch up.

## Frequently asked questions

### Can AI create malware completely on its own?

Not autonomously, not yet. Current AI tools assist human attackers in writing, adapting, and deploying malware, but the attack campaigns still require human direction. That said, the level of assistance is significant enough to substantially lower the skill and time required.

### Is AI-generated malware detectable?

Yes, but not with traditional signature-based methods. Behavior-based detection, anomaly detection, and heuristic analysis are more reliable against AI-generated variants because they focus on what malware does, not what it looks like.

### What types of malware are most commonly AI-assisted?

Current evidence points to infostealers, RATs (remote access trojans), and polymorphic payload loaders as the most common AI-assisted malware types. Phishing-delivered malware, where AI improves the lure rather than the payload, is also widespread.

### Does my antivirus protect me against AI-generated malware?

Traditional antivirus products relying primarily on signature matching will have gaps. Solutions with behavioral detection, machine learning-based analysis, and real-time threat intelligence are better positioned to catch novel AI-generated variants.

### How is AI used defensively against AI-generated malware?

Defensive AI analyzes behavioral patterns across large datasets to identify anomalies that would be invisible to rule-based systems. The same ML techniques that help attackers evade detection can be used by defenders to detect evasion attempts. The arms race is bidirectional.