Prompts as Code & Embedded Keys | The Hunt for LLM-Enabled Malware

Sept. 25, 2025, 2:43 p.m.

Description

This research explores the challenges posed by LLM-enabled malware, which can generate malicious logic at runtime. The study identifies characteristics of such malware, including embedded API keys and specific prompt structures. Notable cases like PromptLock and APT28's LameHug are examined. The researchers developed hunting strategies based on API key detection and prompt analysis, leading to the discovery of new samples, including 'MalTerminal'. The implications for defenders are discussed, highlighting both the adaptability and potential brittleness of LLM-enabled malware. The research also uncovered various offensive tools leveraging LLMs for operational capabilities.

External References

https://www.sentinelone.com/labs/prompts-as-code-embedded-keys-the-hunt-for-llm-enabled-malware
https://otx.alienvault.com/pulse/68d5097ace5dc1d6a0b8f9d0
Tags
threat hunting
lamehug
promptlock
2025-09-25
rkor
llm-enabled malware
offensive tools
api keys
malterminal
prompts

Date

  • Created: Sept. 25, 2025, 9:20 a.m.
  • Published: Sept. 25, 2025, 9:20 a.m.
  • Modified: Sept. 25, 2025, 2:43 p.m.

Indicators

  • e88a7b9ad5d175383d466c5ad7ebd7683d60654d2fa2aca40e2c4eb9e955c927
  • e24fe0dd0bf8d3943d9c4282f172746af6b0787539b371e6626bdb86605ccd70
  • dc9f49044d16abfda299184af13aa88ab2c0fda9ca7999adcdbd44e3c037a8b1
  • d6af1c9f5ce407e53ec73c8e7187ed804fb4f80cf8dbd6722fc69e15e135db2e
  • d1b48715ace58ee3bfb7af34066491263b885bd865863032820dccfe184614ad
  • cf4d430d0760d59e2fa925792f9e2b62d335eaf4d664d02bff16dd1b522a462a
  • c86a5fcefbf039a72bd8ad5dc70bcb67e9c005f40a7bacd2f76c793f85e9a061
  • c5ae843e1c7769803ca70a9d5b5574870f365fb139016134e5dd3cb1b1a65f5f
  • c1a80983779d8408a9c303d403999a9aef8c2f0fe63f8b5ca658862f66f3db16
  • bdb33bbb4ea11884b15f67e5c974136e6294aa87459cdc276ac2eea85b1deaa3
  • bb2836148527744b11671347d73ca798aca9954c6875082f9e1176d7b52b720f
  • b49aa9efd41f82b34a7811a7894f0ebf04e1d9aab0b622e0083b78f54fe8b466
  • b43e7d481c4fdc9217e17908f3a4efa351a1dab867ca902883205fe7d1aab5e7
  • b3fcba809984eaffc5b88a1bcded28ac50e71965e61a66dd959792f7750b9e87
  • b2bda70318af89b9e82751eb852ece626e2928b94ac6af6e6c7031b3d016ebd2
  • ae6ed1721d37477494f3f755c124d53a7dd3e24e98c20f3a1372f45cc8130989
  • a32a3751dfd4d7a0a66b7ecbd9bacb5087076377d486afdf05d3de3cb7555501
  • a67465075c91bb15b81e1f898f2b773196d3711d8e1fb321a9d6647958be436b
  • a30930dfb655aa39c571c163ada65ba4dec30600df3bf548cc48bedd0e841416
  • 943d3537730e41e0a6fe8048885a07ea2017847558a916f88c2c9afe32851fe6
  • 854b559bae2ce8700edd75808267cfb5f60d61ff451f0cf8ec1d689334ac8d0b
  • 8013b23cb78407675f323d54b6b8dfb2a61fb40fb13309337f5b662dbd812a5d
  • 7bbb06479a2e554e450beb2875ea19237068aa1055a4d56215f4e9a2317f8ce6
  • 766c356d6a4b00078a0293460c5967764fcd788da8c1cd1df708695f3a15b777
  • 75b4ad99f33d1adbc0d71a9da937759e6e5788ad0f8a2c76a34690ef1c49ebf5
  • 68ca559bf6654c7ca96c10abb4a011af1f4da0e6d28b43186d1d48d2f936684c
  • 5f6bfdd430a23afdc518857dfff25a29d85ead441dfa0ee363f4e73f240c89f4
  • 5ab16a59b12c7c5539d9e22a090ba6c7942fbc5ab8abbc5dffa6b6de6e0f2fc6
  • 4ddbc14d8b6a301122c0ac6e22aef6340f45a3a6830bcdacf868c755a7162216
  • 4c73717d933f6b53c40ed1b211143df8d011800897be1ceb5d4a2af39c9d4ccc
  • 3afbb9fe6bab2cad83c52a3f1a12e0ce979fe260c55ab22a43c18035ff7d7f38
  • 384e8f3d300205546fb8c9b9224011b3b3cb71adc994180ff55e1e6416f65715
  • 3082156a26534377a8a8228f44620a5bb00440b37b0cf7666c63c542232260f2
  • 2eb18873273e157a7244bb165d53ea3637c76087eea84b0ab635d04417ffbe1b
  • 2755e1ec1e4c3c0cd94ebe43bd66391f05282b6020b2177ee3b939fdd33216f6
  • 165eaf8183f693f644a8a24d2ec138cd4f8d9fd040e8bafc1b021a0f973692dd
  • 1612ab799df51a7f1169d3f47ea129356b42c8ad81286d05b0256f80c17d4089
  • 1458b6dc98a878f237bfb3c3f354ea6e12d76e340cefe55d6a1c9c7eb64c9aee
  • 09bf891b7b35b2081d3ebca8de715da07a70151227ab55aec1da26eb769c006f
Download all indicators here!

Attack Patterns

  • Rkor
  • MalTerminal
  • PromptLock
  • LameHug
  • APT28