ChatGT May Create Deadly Polymorphic Malware That Evades EDR

From handling simple inquiries to instantly generating written works and even developing original software programs, including malware, ChatGPT proves to be an all-encompassing solution. 

However, this advancement also introduces the potential for a dangerous new cyber threat.

Traditional security solutions such as EDRs harness multi-layered data intelligence systems to combat the highly sophisticated threats prevalent in recent times. 

Despite the claims made by most automated controls to detect and prevent irregular or novel behavior patterns, the actual implementation rarely aligns with these claims.

While apart from this, the availability of AI-generated, polymorphic malware in the hands of malicious threat actors will worsen the situation.

Creation of BlackMamba

The cybersecurity analysts at Hyas have created a simple proof of concept (PoC) to demonstrate the potential capabilities of AI-based malware.

This PoC utilizes a powerful language model to generate polymorphic keylogger functionality in real-time, dynamically altering the harmless code during runtime.

Most notably, this implementation eliminates the need for command-and-control infrastructure to deploy and verify the capabilities of the malicious keylogger.

In disclosing the significant risk associated with this malware variant, experts have dubbed their proof of concept (PoC) as “BlackMamba,” a venomous snake that highlights the severity of the threat.

By leveraging a legit executable, BlackMamba establishes communication during the runtime with an API from OpenAI. This enables it to retrieve the necessary synthesized malicious code for capturing the keystrokes of the infected user.

The subsequent step involves the execution of the code employing Python’s exec() function within the benign program’s environment, and here the code that is executed is generated dynamically.

While here, the malicious polymorphic portion remains solely in memory, safeguarding its integrity.

BlackMamba can re-synthesize its keylogging capability with every execution, resulting in a genuinely polymorphic malicious component within this malware.

BlackMamba successfully evaded detection in numerous assessments against a highly regarded EDR, the name of which is intentionally not disclosed.


When a device fell victim to an infection, it became crucial for experts to devise a strategy for data recovery. Experts chose MS Teams as a platform that the threat actors could manipulate to serve as a channel for data exfiltration.

When breaching a system’s security, an exfiltration channel is a gateway. Through this gateway, a threat actor stealthily extracts and dispatches data to an external location from the compromised system.

Here below, we have mentioned the types of data or sensitive information that BlackMamba collects:-

  • Usernames
  • Passwords
  • Credit card numbers
  • Other personal data
  • Other confidential data

Later all these collected data were sold by the threat actors on the dark web or forums. Even threat actors also use these stolen data to perform several illicit activities.

Developers can leverage the power of Auto-py-to-exe, an open-source Python package, to seamlessly convert their Python scripts into standalone executable files that are suitable for various operating systems like:-

  • Windows
  • macOS
  • Linux

The initial step for the malware author in utilizing auto-py-to-exe involves creating their Python-based malware code and importing any required libraries or modules.

When the victim initiates the execution of the executable file, the malware starts into action, executing on their system and carrying out a multitude of malicious operations.

Stop Advanced Email Threats That Target Your Business Email – Try AI-Powered Email Security

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.