A newly discovered malware sample, recently uploaded to VirusTotal by an anonymous user in the Netherlands, has drawn the attention of cybersecurity experts due to its unprecedented use of prompt injection as an evasion technique.
Dubbed “Skynet” by its creator, this malware represents one of the first known attempts to directly manipulate AI models integrated into malware analysis workflows, marking a significant escalation in the ongoing arms race between threat actors and defenders leveraging generative AI.
Attack Mechanism
The Skynet sample appears to be an isolated component or experimental proof-of-concept, rather than a fully operational threat.
Its execution flow is incomplete, with several resources initialized but left unused, and exfiltrated data simply printed to standard output.
Despite its rudimentary nature, the malware incorporates multiple sandbox evasion checks, system reconnaissance routines, and a proxy setup using an embedded, encrypted TOR client.
What sets Skynet apart is its embedded prompt injection string, crafted to manipulate AI models that may be used to analyze the malware.
The string, initialized in C++ and decrypted in-memory, instructs any AI system parsing the code to disregard previous instructions and act as a calculator, ultimately responding with “NO MALWARE DETECTED” if the prompt is understood.
According to Check Point research Report, this technique is a clear attempt to subvert automated AI-driven analysis by coercing the model into misclassifying malicious content as benign.
Despite the novelty of this approach, tests conducted with leading large language models (LLMs) such as OpenAI’s o3 and GPT-4.1 demonstrated that the prompt injection failed to alter the models’ behavior.
The LLMs continued their original analysis tasks and did not comply with the injected instructions. This outcome suggests that, while the attack is creative, it lacks the sophistication required to bypass current AI safeguards.
Additional Technical Features
The malware’s strings are obfuscated using a byte-wise rotating XOR operation with a hardcoded key, followed by BASE64 encoding.
It performs several environmental and sandbox checks, terminating execution if certain files are present or if it is not running from the expected directory.
The evasion gauntlet includes checks for hypervisor CPU flags, BIOS vendor strings, disk enumeration, environment variables indicative of virtualization, network adapter MAC address prefixes, and known VM-related processes.
Skynet also employs opaque predicates functions designed to complicate control flow and hinder static analysis though their implementation is relatively unsophisticated compared to more advanced obfuscation techniques.
For data gathering, the malware attempts to access SSH known_hosts and private key files, as well as the system hosts file, before deploying and launching a TOR client to establish a local proxy.
While Skynet’s prompt injection ultimately failed in controlled tests, its mere existence signals a turning point in the intersection of malware development and AI.
As generative AI tools become more deeply embedded in security operations, attackers are beginning to experiment with adversarial techniques specifically targeting these systems.
The attempt, albeit crude, demonstrates an awareness among threat actors of the potential to manipulate AI-driven analysis, foreshadowing more refined attacks in the future.
Historically, each new security paradigm such as sandboxing has given rise to a wave of targeted evasion tactics.
The integration of AI into malware detection is likely to follow a similar trajectory, with increasingly sophisticated prompt injection and AI manipulation techniques emerging over time.
Security professionals must anticipate and prepare for this evolving threat landscape, ensuring that AI-based defenses are robust against adversarial inputs.
Indicators of Compromise (IOCs)
| Type | Value |
|---|---|
| Onion URL | s4k4ceiapwwgcm3mkb6e4diqecpo7kvdnfr5gg7sph7jjppqkvwwqtyd[.]onion |
| Onion URL | zn4zbhx2kx4jtcqexhr5rdfsj4nrkiea4nhqbfvzrtssakjpvdby73qd[.]onion |
| SHA256 Hash | 6cdf54a6854179bf46ad7bc98d0a0c0a6d82c804698d1a52f6aa70ffa5207b02 |
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant updates
