
PoC: ONNX living-off-the-land malware delivery via Windows AI model loading

Technical Analysis
Happening score: 31
1 unique source, 1 article

Summary


A researcher demonstrated a proof-of-concept that turns ONNX model loading into a stealthy malware delivery path, increasing the chance that malicious payloads can evade EDR and antivirus controls. The technique abuses the Windows Machine Learning API and trusted Windows components so a malicious model can resemble benign AI inference.

Related Happenings

APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations

Campaign
First: 28.04.2026 08:50 Last: 28.04.2026 08:50 Sources 1

About this happening: A **December 2025** **APT28** campaign targeted **Ukraine** and **E.U. nations** with a **malicious Windows Shortcut (LNK)** chain that bypassed **Microsoft Defender SmartScreen**...

External Microsoft Teams helpdesk-impersonation campaign

Campaign
First: 20.04.2026 18:11 Last: 20.04.2026 18:11 Sources 1

About this happening: A **campaign** abusing **external Microsoft Teams collaboration** is letting attackers impersonate **IT/helpdesk staff**, gain remote access, and stage **targeted data exfiltratio...

WhatsApp-delivered VBS Windows infection campaign

Campaign
First: 01.04.2026 14:49 Last: 01.04.2026 14:49 Sources 1

About this happening: A **new WhatsApp-delivered campaign** is spreading malicious **VBS files** that launch a **multi-stage Windows infection chain**, raising the risk of persistence and remote access...

DRILLAPP JavaScript backdoor through Microsoft Edge

Malware Activity
First: 16.03.2026 11:07 Last: 16.03.2026 11:07 Sources 1

About this happening: Observed in **February 2026**, the **DRILLAPP** backdoor now runs through **Microsoft Edge**, giving it **file access** plus access to the **microphone**, **webcam**, and **screen...

A0Backdoor malware deployed through signed MSI sideloading and DNS MX C2

Malware Activity
First: 10.03.2026 00:50 Last: 10.03.2026 00:50 Sources 1

About this happening: The **A0Backdoor** malware was deployed on **Windows endpoints** through **digitally signed MSI installers** and **DLL sideloading**, giving the operators a stealthier path to exe...

Timeline

  1. 30.10.2025 21:47 · 2 articles

    PoC demonstrates ONNX model loading as a malware delivery vector on Windows

    Technical Analysis Update

    Security researcher hxr1 demonstrated a proof-of-concept living-off-the-land attack that hides malware inside ONNX model files and uses the Windows Machine Learning (ML) application programming interface (API) together with Microsoft-signed DLLs so that execution looks like benign AI inference. The technique can bypass EDR and antivirus defenses. Suggested countermeasures include monitoring which processes load models, what data is extracted from them and where that extracted data is passed, along with static analysis using YARA rules and application control such as AppLocker.
