We are either at the dawn of AI-driven malware that rewrites itself on the fly, or we are seeing vendors and threat actors exaggerate its capabilities. Recent Google and MIT Sloan reports reignited claims of autonomous attacks and polymorphic AI malware capable of evading defenders at machine speed. Headlines spread rapidly across security feeds, trade publications, and underground forums as vendors promoted AI-enhanced defenses.
Beneath the noise, the reality is far less dramatic. Yes, attackers are experimenting with LLMs. Yes, AI can aid malware development or produce superficial polymorphism. And yes, CISOs should pay attention. But the narrative that AI automatically produces sophisticated malware or fundamentally breaks defenses is misleading. The gap between AI’s theoretical potential and its practical utility remains large. For security leaders, the key is understanding realistic threats today, exaggerated vendor claims, and the near-future risks that deserve planning.
What even is polymorphic malware?
Polymorphic malware refers to malicious software that changes its code structure automatically while keeping the same core functionality. Its purpose is to evade signature-based detection by ensuring no two samples are identical at the binary level.
The concept is by no means new. Before AI, attackers used encryption, packing, junk code insertion, instruction reordering, and mutation engines to generate millions of variants from a single malware family. Modern endpoint platforms rely more on behavioral analysis than static signatures.
In practice, most so-called AI-driven polymorphism amounts to swapping a deterministic mutation engine for a probabilistic one powered by a large language model. In theory, this could introduce more variability. Realistically, though, it offers no clear advantage over existing techniques.
Marcus Hutchins, malware analyst and threat intelligence researcher, calls AI polymorphic malware “a really fun novelty research project,” but not something that offers attackers a decisive advantage. He notes that non-AI techniques are predictable, cheap, and reliable, whereas AI-based approaches require local models or third-party API access and can introduce operational risk. Hutchins also pointed to examples like Google’s “Thinking Robot” malware snippet, which queried the Gemini AI engine to generate code to evade antivirus. In reality, the snippet merely prompted AI to produce a small code fragment with no defined function or guarantee of working in an actual malware chain.
“It doesn’t specify what the code block should do, or how it’s going to evade an antivirus. It’s just working under the assumption that Gemini just instinctively knows how to evade antiviruses (it doesn’t). There’s also no entropy to ensure the ‘self-modifying’ code differs from previous versions, or any guardrails to ensure it actually works. The function was also commented out and not even in use,” Hutchens wrote in a post deleted from LinkedIn.
As the researcher observes, evasion alone is strategically meaningless unless it can reliably support a functioning malicious capability. Mature threat actors value reliability over novelty, and traditional polymorphism already meets that need.
What real advances is AI providing for attackers?
AI’s true impact today isn’t autonomous malware, but speed, scale, and accessibility when it comes to generating malicious payloads. Think of large language models serving as development assistants: debugging code, translating samples between languages, rewriting and optimizing scripts, and generating boilerplate loaders or stagers. This lowers technical barriers for less experienced actors and shortens iteration cycles for skilled ones.
Social engineering has also improved. Phishing campaigns are cleaner, more convincing, and highly scalable. AI rapidly generates region-specific lures, industry-appropriate pretexts, and polished messages, removing the grammatical red flags that defenders once relied on. Business email compromise attacks that already depend on deception rather than technical sophistication particularly benefit from this shift.
Generative AI tools can produce superficial variations in malware code by renaming variables or slightly rearranging structures. This occasionally bypasses basic static scanning, but rarely defeats modern behavioral detection, and often introduces instability that is unacceptable for well-resourced criminal operations. For established threat actor groups that require uptime and dependable performance, this unpredictability becomes a disadvantage.
The net effect isn’t improved sophistication, but a rise in accessibility: more actors, even inexperienced ones, can now produce “good enough” malware.
Earlier this year, a crude ransomware strain appeared in the Visual Studio marketplace as a test extension. John Tuckner of Secure Annex dubbed it “AI slop” ransomware that was poorly written, unstable, and operationally unadvanced. The sample highlighted how easily AI-assisted code can be bundled and distributed, not its ingenuity.
“Ransomware has appeared in the VS Marketplace and makes me worry,” Tuckner posted on X. “Clearly created through AI, it makes many mistakes like including decryption tools in extension. If this makes it into the marketplace through [sic], what impact would anything more sophisticated cause?”
Inflated AI claims draw industry pushback
The gap between marketing-driven AI narratives and practitioner skepticism is clear. A recent Anthropic report claimed a “highly sophisticated AI-led espionage campaign” targeting technology companies and government agencies. While some viewed this as proof that generative AI is embedded in nation-state cyber operations, experts were skeptical.
Veteran security researcher Kevin Beaumont criticized the report for lacking operational substance and providing no new indicators of compromise. BBC cyber correspondent Joe Tidy noted that activity likely reflected familiar campaigns, not a new AI-driven threat. Another researcher, Daniel Card emphasized that AI accelerates workflows but does not think, reason, or innovate autonomously.
Across these discussions, one pattern remains consistent: AI hype collapses under technical scrutiny.
Why AI polymorphic malware hasn’t taken over
If AI can accelerate development and generate endless variations of code, why has genuinely effective AI polymorphic malware not become commonplace? The reasons are practical rather than philosophical.
Traditional polymorphism works well: Commodity packers and crypters generate huge variant volumes cheaply and predictably. Operators see little benefit in switching to probabilistic AI generation that may break functionality.
Behavioral detection reduces benefits: Even if binaries differ, malware must still perform malicious actions (e.g. C2 communication, privilege escalation, credential theft, and lateral movement) which produce telemetry independent of code structure. Modern EDR, NDR, and XDR platforms detect this behavior reliably.
AI reliability issues: Large language models hallucinate, misuse libraries, or implement cryptography incorrectly. Code may appear plausible but fail under real-world conditions. As stated earlier, for criminal groups, instability is a serious operational risk.
Infrastructure exposure: Local models can leave forensic traces and third-party APIs risk abuse detection and logging. These risks further deter disciplined threat actors.
Most successful adversaries may still use AI for support tasks like research, phishing, translation, automation but not completely trust it with generating core payloads for their offensive operations.
What CISOs and defenders should watch out for
The real danger isn’t underestimating AI but misunderstanding its risk. Autonomous self-rewriting malware isn’t the immediate threat. Instead, attackers operate faster and at greater scale:
Automation and propagation. Recurrent malware campaigns like Shai-Hulud illustrate how attackers can use automation to dramatically increase efficiency, blast radius and the extent of disruption, without introducing novel technical logic. (This recurring campaign used automation, not necessarily AI). In later iterations, automated propagation spread the malware rapidly across environments and downstream dependencies, even though the payloads remained identical. This meant defenders could still rely on stable indicators such as hashes, static exfiltration URLs, and YARA rules, but they had far less time to react before impact cascaded across registries, build systems, and developer environments. The risk shift was not smarter malware, but faster, wider execution at machine speed.
Rapid variant iterations. Building on the previous point, AI can shorten the time between concept and deployment. Malware families can cycle during a single incident, increasing the value of behavioral detection, memory analysis, and retroactive hunting.
Social engineering at scale. AI-generated phishing, pretexting, and tailored messages improve quality and reach. Identity infrastructure (credentials, MFA, access workflows) remains a key attack surface. Defenders should focus on email security, user behavior analytics, and authentication resilience.
Volume and noise. More actors can produce “good enough” malware, raising the number of low-quality but operationally usable threats. Automation and prioritization in SOC operations are becoming even more essential to prevent response teams from being overwhelmed with noise and burnout.
Vendor skepticism. Marketing claims of AI-specific protection don’t guarantee superior detection. CISOs should demand transparent testing, real-world datasets, validated false-positive rates, and proof that protections promised by “novel” products extend beyond lab conditions.
AI is reshaping cybercrime, but not in the cinematic way some vendors suggest. Its impact lies in speed, scale, and accessibility rather than self-modifying malware that breaks existing defenses. Mature threat actors still rely on proven techniques. Polymorphism isn’t new, behavioral detection remains effective, and identity remains the primary entry point for attackers. Today’s “AI malware” is better understood as AI-assisted development rather than autonomous innovation.
For CISOs, the key takeaway is a compression of time and effort for attackers. The advantage shifts to those who can automate, iterate faster, and maintain visibility and control. Preparing for this reality means doubling down on behavioral monitoring, identity security, and response automation.
Right now, speculative self-aware malware is less of a risk than the real-world efficiency gains AI provides to attackers: faster campaign tempo, greater scale, and a lower barrier to entry for capable abuse. The hype is louder, but the operational impact of that acceleration is where leadership judgment now matters most.
No Responses