Hackers Exploit AI Tool Flaws to Deploy Malicious AI-Generated Payloads

A recent investigation by the Sysdig Threat Research Team (TRT) has revealed a significant security incident targeting Open WebUI, a widely adopted extensible, self-hosted interface for large language models (LLMs).

The breach was facilitated by a misconfigured instance of Open WebUI, inadvertently exposed to the internet with administrative privileges and no authentication controls, allowing an attacker to upload and execute malicious AI-generated Python code.

The attacker leveraged Open WebUI’s plugin architecture, which permits users to upload Python scripts as “Tools” to expand LLM capabilities.

Exploiting this, the threat actor uploaded a heavily obfuscated Python payload, wrapped in a 64-layer Base64-and-zlib-compression scheme referred to as “pyklump”, and executed it on both Linux and Windows systems.
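Peeling this kind of wrapper is routine analyst work, so here is an added example (not code from the report or from Sysdig) of an unwrapper that repeatedly Base64-decodes and zlib-decompresses a blob until the content stops decoding, counting the layers as it goes. The loader-stub shape, the `pyklump` layer order (Base64 over zlib), and the five-layer sample it builds for itself are assumptions made for the example.

```python
import base64
import binascii
import re
import zlib


def peel_layer(blob: bytes):
    """Remove exactly one Base64-then-zlib wrapper.

    Returns the inner bytes, or None when the blob is not valid Base64
    or the decoded bytes do not decompress cleanly with zlib."""
    compact = b"".join(blob.split())  # tolerate line-wrapped Base64
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return zlib.decompress(raw)
    except zlib.error:
        return None


def unwrap(blob: bytes, max_layers: int = 256):
    """Peel wrappers until the content stops decoding.

    Returns (innermost_bytes, layer_count). max_layers bounds the loop so a
    crafted sample cannot keep the analyst's tool spinning."""
    current = blob
    layers = 0
    while layers < max_layers:
        inner = peel_layer(current)
        if inner is None:
            break
        current = inner
        layers += 1
    return current, layers


_B64_LITERAL = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")


def extract_blob(script_source: bytes) -> bytes:
    """Pull the longest Base64-looking run out of a loader script of the
    assumed shape exec(zlib.decompress(base64.b64decode("..."))))."""
    matches = _B64_LITERAL.findall(script_source)
    return max(matches, key=len) if matches else b""


def wrap_for_fixture(payload: bytes, layers: int) -> bytes:
    """Build the layered test fixture (used only to construct sample input)."""
    for _ in range(layers):
        payload = base64.b64encode(zlib.compress(payload))
    return payload


# Constructed sample: a harmless one-liner wrapped five times and embedded in
# a loader stub, which is the form an analyst would typically receive.
INNER = b"print('innermost layer reached')"
SAMPLE_SCRIPT = (
    b"import base64, zlib\n"
    b"exec(zlib.decompress(base64.b64decode(\""
    + wrap_for_fixture(INNER, 5)
    + b"\")))\n"
)


def analyze(script_source: bytes):
    """Locate the blob in a loader script and peel every layer."""
    return unwrap(extract_blob(script_source))


if __name__ == "__main__":
    payload, layers = analyze(SAMPLE_SCRIPT)
    print(f"peeled {layers} layer(s); innermost payload: {payload!r}")
```

The loop stops on the first layer that is neither valid Base64 nor a zlib stream, which is exactly where the real script (the part worth reading) begins; the `max_layers` cap is there because a 64-deep wrapper is cheap for an attacker to make much deeper.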

[Figure: Linux attack path]

Sysdig’s analysis found code patterns indicative of AI-assisted development, which increased both the efficiency and the stealth of the attack.

Multi-Stage Payloads

Upon execution, the Python script performed several malicious actions, chiefly downloading and launching cryptominer binaries (T-Rex and XMRig) via proxy URLs to evade network-based scanners.

The script stored itself in hidden directories under .config for persistence and created a masqueraded systemd service (“ptorch_updater”) to maintain control over the infected host.

It further compiled and loaded custom shared objects at runtime, namely “processhider” and “argvhider”, via LD_PRELOAD to hide the cryptominer processes and their command-line arguments from common system utilities and monitoring tools.
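Each of the three Linux persistence and evasion techniques above leaves a host-side artifact a defender can check for. The following is an added example (not Sysdig’s tooling) of a small audit script that looks for LD_PRELOAD entries in `/etc/ld.so.preload` and in running processes’ environments, exposes processes hidden from `readdir()`-based listings by probing `/proc/<pid>` directly with `stat()`, and flags systemd units whose `Exec*` lines point into hidden or scratch directories. The unit file and environment blob used in the test are constructed samples; the paths in them are hypothetical.

```python
import os
import re

LD_PRELOAD_KEY = b"LD_PRELOAD="


def ld_preload_from_environ(environ_blob: bytes) -> list:
    """Return the libraries named by LD_PRELOAD in a /proc/<pid>/environ blob
    (NUL-separated KEY=VALUE pairs). An empty list means it is not set."""
    for entry in environ_blob.split(b"\0"):
        if entry.startswith(LD_PRELOAD_KEY):
            value = entry[len(LD_PRELOAD_KEY):].decode(errors="replace")
            return [lib for lib in re.split(r"[:\s]+", value) if lib]
    return []


def hidden_pids(listed: set, probed: set) -> set:
    """PIDs found by stat() but missing from the directory listing.
    A readdir()-hooking preload library filters the listing that ps/top see,
    but cannot prevent a direct stat() of /proc/<pid>/status."""
    return probed - listed


def listed_pids() -> set:
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probed_pids() -> set:
    # Brute-force probe up to pid_max: slow (seconds) but independent of readdir().
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    return {pid for pid in range(1, pid_max + 1)
            if os.path.exists(f"/proc/{pid}/status")}


# Any path component beginning with '.' (a hidden directory such as
# ~/.config/.something/) or a world-writable scratch directory.
_RISKY_PATH = re.compile(r"(^|/)\.[^/]+/|^/(tmp|var/tmp|dev/shm)/")
_EXEC_KEYS = ("ExecStart", "ExecStartPre", "ExecStartPost")


def suspicious_exec_lines(unit_text: str) -> list:
    """Return Exec* command lines of a systemd unit that reference a binary
    or script living in a hidden or scratch directory."""
    findings = []
    for line in unit_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep or key.strip() not in _EXEC_KEYS:
            continue
        command = value.strip().lstrip("-@:+!")  # strip systemd exec prefixes
        if any(_RISKY_PATH.search(token) for token in command.split()):
            findings.append(command)
    return findings


def audit_host() -> dict:
    """Live check of the local host (root is needed to read other users' environ)."""
    report = {"ld_preload": [], "hidden_pids": set(), "units": []}
    try:
        with open("/etc/ld.so.preload", "rb") as fh:  # system-wide preload list
            libs = fh.read().decode(errors="replace").split()
            if libs:
                report["ld_preload"].append(("/etc/ld.so.preload", libs))
    except OSError:
        pass
    before = listed_pids()
    for pid in before:
        try:
            with open(f"/proc/{pid}/environ", "rb") as fh:
                libs = ld_preload_from_environ(fh.read())
        except OSError:
            continue
        if libs:
            report["ld_preload"].append((pid, libs))
    probed = probed_pids()
    # A second listing drops processes that started during the probe; processes
    # that exited mid-scan can still show up once and should be re-checked.
    report["hidden_pids"] = hidden_pids(before | listed_pids(), probed)
    for directory in ("/etc/systemd/system",
                      os.path.expanduser("~/.config/systemd/user")):
        if not os.path.isdir(directory):
            continue
        for name in os.listdir(directory):
            path = os.path.join(directory, name)
            if not os.path.isfile(path):
                continue
            with open(path, errors="replace") as fh:
                for command in suspicious_exec_lines(fh.read()):
                    report["units"].append((path, command))
    return report


if __name__ == "__main__":
    for key, value in audit_host().items():
        print(key, value)
```

The hidden-PID check only catches libraries that hook directory enumeration; a preload that also hooks `stat()`/`open()` needs an out-of-band view (an agent reading `/proc` from outside the container or the kernel-level telemetry that a runtime sensor provides), which is why the report credits runtime behavioural detection rather than userland inspection alone.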

This level of defense evasion underscores the increasingly sophisticated tactics used by attackers to maintain operational security.

Credential Theft

The attack path for Windows hosts mirrored the Linux strategy initially but quickly pivoted to a more complex, multi-stage malware deployment.

[Figure: Windows attack path]

The malicious script downloaded and installed the Microsoft JDK, subsequently fetching a JAR file (“application-ref.jar”) from an external command-and-control server.

This JAR functioned as a loader, unpacking additional resources including DLLs and a secondary malicious JAR onto the victim system.

Key components exhibited features such as sandbox evasion, XOR encoding, named pipe communication, and the ability to load native agent libraries via manipulated JVM parameters.

Notably, the infostealer modules targeted Chrome extension credentials and Discord tokens.

All victim data, including system and credential details, was exfiltrated using a Discord webhook as the command-and-control channel.

Sysdig’s real-time runtime security platform flagged the attack at multiple phases, detecting suspicious behaviors such as custom shared object injection, cryptomining protocol traffic, and abnormal DNS lookups.
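The network side of this campaign is visible in ordinary egress logs: miner archives fetched through a GitHub proxy, a loader pulled from a bare IP on a non-standard port, and victim data posted to a Discord webhook. The following is an added example (not Sysdig’s detection content) of triage rules run over a constructed forward-proxy log; the log format (timestamp, client, method, URL, bytes), the proxy hostname, the test-net IP and the webhook ID/token are all made up for the example, while the xmrig release path mirrors the public URL in the IOC table.

```python
import re
from urllib.parse import urlsplit

# Constructed forward-proxy log sample (not taken from the report):
# timestamp, client IP, method, URL, bytes transferred. Hosts are test values.
SAMPLE_LOG = """\
2025-06-01T10:00:01Z 10.0.0.5 GET https://gh-proxy.example/https://github.com/xmrig/xmrig/releases/download/v6.22.2/xmrig-6.22.2-linux-static-x64.tar.gz 5120000
2025-06-01T10:00:07Z 10.0.0.5 GET http://192.0.2.10:8000/application-ref.jar 240000
2025-06-01T10:00:09Z 10.0.0.5 POST https://canary.discord.com/api/webhooks/000000000000000000/CONSTRUCTED_TOKEN 2048
2025-06-01T10:00:12Z 10.0.0.7 GET https://pypi.org/simple/torch/ 3000
2025-06-01T10:00:15Z 10.0.0.7 GET https://cdn.discordapp.com/attachments/1/2/image.png 90000
"""

_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")
_MINER_ARCHIVE = re.compile(r"(xmrig|t-rex)[^/]*\.(tar\.gz|zip|7z)$", re.I)
_IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def classify(url: str, method: str) -> list:
    """Return the detection labels that apply to one request."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path
    labels = []
    # 1. Data pushed to a Discord webhook: the C2/exfil channel in this campaign.
    if (host == "discord.com" or host.endswith(".discord.com")) \
            and path.startswith("/api/webhooks/") and method.upper() == "POST":
        labels.append("discord-webhook-exfil")
    # 2. Known miner release archives, whichever host serves them.
    if _MINER_ARCHIVE.search(path):
        labels.append("miner-download")
    # 3. A complete URL nested inside the path: a fetch laundered through a proxy.
    if "://" in path:
        labels.append("proxied-download")
    # 4. Bare-IP origin on a non-standard port.
    if _IPV4.fullmatch(host) and parts.port not in (None, 80, 443):
        labels.append("direct-ip-nonstandard-port")
    return labels


def triage(log_text: str) -> list:
    """Parse the log and return (client, url, labels) for every flagged line."""
    hits = []
    for line in log_text.splitlines():
        match = _LINE.match(line)
        if not match:
            continue
        _ts, client, method, url, _size = match.groups()
        labels = classify(url, method)
        if labels:
            hits.append((client, url, labels))
    return hits


if __name__ == "__main__":
    for client, url, labels in triage(SAMPLE_LOG):
        print(client, ", ".join(labels), url)
```

Rule 3 is the one worth keeping even after the miner names in rule 2 go stale: a URL whose path itself begins with `https://` is the signature of a pass-through proxy, and legitimate build pipelines rarely fetch GitHub releases that way. The `cdn.discordapp.com` line is included to show that the webhook rule keys on the API path and method, not on the Discord brand alone.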

The deployed payloads combined cryptomining and credential theft to maximize the attacker’s financial return.

Despite advanced evasion, behavioral monitoring and signature-based (YARA) detections proved effective in identifying and stopping the threat.

This breach highlights the critical risk posed by misconfigured AI infrastructure, especially when administrative interfaces lack proper access controls.

As attackers increasingly adopt AI-generated and assisted payloads, defenders must prioritize runtime behavioral analysis and enforce strict configuration hygiene to mitigate similar high-impact threats.

Indicators of Compromise (IOC)

Indicator Name | Type | Value
Initial Python Script | SHA256 | ec99847769c374416b17e003804202f4e13175eb4631294b00d3c5ad0e592a29
application-ref.jar | SHA256 | 1e6349278b4dce2d371db2fc32003b56f17496397d314a89dc9295a68ae56e53
LICENSE.jar | SHA256 | 833b989db37dc56b3d7aa24f3ee9e00216f6822818925558c64f074741c1bfd8
app_bound_decryptor.dll | SHA256 | 41774276e569321880aed02b5a322704b14f638b0d0e3a9ed1a5791a1de905db
background.properties | SHA256 | eb00cf315c0cc2aa881e1324f990cc21f822ee4b4a22a74b128aad6bae5bb971
python.so | SHA256 | 2f778f905eae2472334055244d050bb866ffb5ebe4371ed1558241e93fee12c4
Malicious JAR Downloader URL | URL | http://185[.]208[.]159[.]155:8000/application-ref.jar
XMRIG URL | URL | https://gh-proxy[.]com/https://github[.]com/xmrig/xmrig/releases/download/v6.22.2/xmrig-6.22.2-linux-static-x64.tar.gz
T-Rex URL | URL | https://gh-proxy[.]com/https://github[.]com/trexminer/T-Rex/releases/download/0.26.8/t-rex-0.26.8-linux.tar.gz
Discord Webhook | URL | https://canary[.]discord[.]com/api/webhooks/1357293459207356527/GRsqv7AQyemZRuPB1ysrPUstczqL4OIi-I7RibSQtGS849zY64H7W_-c5UYYtrDBzXiq
RavenCoin Wallet | Wallet Address | RHXQyAmYhj9sp69UX1bJvP1mDWQTCmt1id
Monero XMR Wallet | Wallet Address | 45YMpxLUTrFQXiqgCTpbFB5mYkkLBiFwaY4SkV55QeH2VS15GHzfKdaTynf2StMkq2HnrLqhuVP6tbhFCr83SwbWExxNciB
Payload IP | IP Address | 185.208.159[.]155
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.