MalTerminal LLM-enabled malware analysis
Technical Analysis
Summary
Researchers identified MalTerminal as the earliest known LLM-enabled malware, showing how a Windows sample can generate ransomware code or a reverse shell at runtime. The discovery matters because it demonstrates a shift toward malicious logic generated on demand, which complicates static detection and sandbox analysis. The sample appears to predate early November 2023, and there is no evidence of in-the-wild deployment. The findings suggest defenders may need to account for malware that uses OpenAI GPT-4 as part of its execution flow.
Related Happenings
Fast16 Lua-based network worm
Malware Activity
First: 27.04.2026 16:09
Last: 27.04.2026 16:09
Sources 1
About this happening:
Researchers identified **fast16**, a previously undocumented **Lua-based network worm** that can silently corrupt high-precision calculations and threaten legacy scientific and en...
Fast16 malware framework technical analysis of svcmgmt.exe and fast16.sys
Technical Analysis
First: 27.04.2026 12:10
Last: 27.04.2026 12:10
Sources 1
About this happening:
Researchers uncovered **Fast16**, a **2005-era** malware framework that shows how a **Lua-based** implant could sabotage software years before **Stuxnet**. The analysis matters be...
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor Meta
First: 21.04.2026 17:00
Last: 21.04.2026 17:00
Sources 1
About this happening:
**The Gentlemen ransomware gang** is using a **legitimate vulnerable driver** to defeat enterprise defenses, weaponizing **ThrottleStop.sys** as **ThrottleBlood.sys** to kill **AV...
Russia-linked DRILLAPP campaign targeting Ukrainian entities
Campaign
First: 16.03.2026 11:07
Last: 16.03.2026 11:07
Sources 1
About this happening:
A **Russia-linked** campaign is targeting **Ukrainian entities** with the **DRILLAPP** browser backdoor, expanding a covert operation that uses **judicial** and **charity-themed l...
Steaelite Windows RAT with FUD and multi-function capabilities
Malware Activity
First: 27.02.2026 12:06
Last: 27.02.2026 12:06
Sources 1
About this happening:
The **Steaelite** Windows RAT is being marketed as a **fully undetectable** tool for **Windows 10 and 11**, giving operators browser-based control over infected machines and enabl...
Timeline
- 20.09.2025 08:48 · 2 articles
SentinelOne SentinelLABS identifies MalTerminal as an LLM-enabled malware sample
Technical Analysis Update
SentinelOne SentinelLABS presented MalTerminal at LABScon 2025 and described it as the earliest known LLM-enabled malware sample: a Windows executable that uses OpenAI GPT-4 to dynamically generate ransomware code or a reverse shell. The analysis also notes related Python scripts that prompt a choice between "ransomware" and "reverse shell", a defensive tool called FalconShield, and no evidence that MalTerminal was ever deployed in the wild, leaving open the possibility that it was proof-of-concept malware or a red team tool. Researchers further inferred that the sample was written before the OpenAI chat completions API endpoint was deprecated in early November 2023.
- Researchers Uncover GPT-4-Powered MalTerminal Malware Creating Ransomware, Reverse Shell — thehackernews.com — 20.09.2025 08:48