Find notable cyber news and cases, enriched with sources, timelines, and signals.

PoC: ONNX living-off-the-land malware delivery via Windows AI model loading

Technical Analysis
First reported
Last updated
Happening score
H score 25
1 unique sources, 1 articles

Summary

Hide ▲

A researcher demonstrated a proof-of-concept that turns ONNX model loading into a stealthy malware delivery path, increasing the chance that malicious payloads can evade EDR and antivirus controls. The technique abuses the Windows Machine Learning API and trusted Windows components so a malicious model can resemble benign AI inference.

Related Happenings

JustAskJacky fake AI assistant malware campaign

Campaign
H score33 First: 04.06.2026 17:00 Last: 04.06.2026 17:00 Sources 1

About this happening: The **JustAskJacky** campaign is distributing a fake **AI assistant** that installs a **backdoor**, turning trusted-looking software into a malware delivery path. The operation us...

AI-assisted EDR-evasion malware development lab

Malware Activity
H score12 First: 02.06.2026 14:00 Last: 02.06.2026 14:00 Sources 1

About this happening: A threat actor is using **AI coding tools** to build and refine **EDR-evasion malware**, accelerating the creation of custom loaders that can bypass endpoint defenses. The lab tes...

APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations

Campaign
H score39 First: 28.04.2026 08:50 Last: 28.04.2026 08:50 Sources 1

About this happening: A **December 2025** **APT28** campaign targeted **Ukraine** and **E.U. nations** with a **malicious Windows Shortcut (LNK)** chain that bypassed **Microsoft Defender SmartScreen**...

External Microsoft Teams helpdesk-impersonation campaign

Campaign
H score32 First: 20.04.2026 18:11 Last: 20.04.2026 18:11 Sources 1

About this happening: A **campaign** abusing **external Microsoft Teams collaboration** is letting attackers impersonate **IT/helpdesk staff**, gain remote access, and stage **targeted data exfiltratio...

WhatsApp-delivered VBS Windows infection campaign

Campaign
H score34 First: 01.04.2026 14:49 Last: 01.04.2026 14:49 Sources 1

About this happening: A **new WhatsApp-delivered campaign** is spreading malicious **VBS files** that launch a **multi-stage Windows infection chain**, raising the risk of persistence and remote access...

Timeline

  1. 30.10.2025 21:47 2 articles · 8mo ago

    PoC demonstrates ONNX model loading as a malware delivery vector on Windows

    Technical Analysis Update

    Security researcher hxr1 demonstrated a proof-of-concept living-off-the-land attack that hides malware in ONNX model files and uses the Windows Machine Learning (ML) application programming interface (API) and Microsoft-signed DLLs to make execution look like benign AI inference. The technique can bypass EDR and antivirus defenses, and suggested countermeasures include monitoring who loads models, what data is extracted, where extracted data is passed, plus static analysis with YARA rules and application controls like AppLocker.

    Show sources