RandomAccessMusings
rndmamusings.bsky.social
CTI @ Volexity
As one of the folks involved in this, I can echo that it wasn't super advanced at all, and some of the malware contained errors (double TLS header network comms). The challenge the LLM use introduced was quantity to keep on top of - thankfully it was simple enough that we could write quick automations to triage.
November 14, 2025 at 5:09 PM
It's not a revolutionary change, but it will have an impact that will drive more automation in response I think.
November 9, 2025 at 10:29 AM
It will increase the pace & variations in some operations, but at the cost of their quality/effectiveness. We observed an actor using it earlier this year & the nonsensical nature raised the opportunities for detection/prevention - but the quantity of it was definitely a challenge to be on top of.
November 9, 2025 at 10:29 AM
It can tell you some forensic artifacts that can exist due to execution (e.g. for .NET), and it can also tell you what possible systems it can run on in the environment you're investigating.

For clarity, this isn't an argument that inclusion of this in reporting is right; other info could be better.
May 14, 2025 at 7:50 PM