EXECUTIVE SUMMARY:
A novel malware strain, referred to as Shadow AI, has been observed that cleverly disguises its command-and-control (C2) traffic as legitimate LLM API requests. By routing communications through a chat-completions endpoint that mimics normal AI service behavior, Shadow AI can hide malicious activity within what appears to be routine outbound AI traffic. This technique exploits the adoption of AI in modern organizations, giving attackers a stealthy and highly evasive channel.
The malware initially tries to reach a fallback IP address, but if that fails, it communicates via an HTTP endpoint that mimics a typical LLM chat-generation API call. However, its request schema is abnormal: rather than carrying expected fields like model, messages, or Authorization, it transmits what appears to be a Base64-encoded string. Upon decoding and XOR decryption, this string reveals reconnaissance commands and instructions. The response from the C2 is likewise encoded, then decrypted on the client side, allowing the attacker to issue a variety of remote access trojan (RAT) commands. Embedded within the malware are three .NET binaries which set up a proxy toolkit, enabling the adversary to pivot or exfiltrate data. Additionally, there's a legitimate-signed executable that loads a malicious DLL, which in turn gives the attacker persistent C2 capabilities. This malicious infrastructure is hosted on serverless cloud functions, making it highly scalable and difficult to distinguish from benign LLM API traffic.
By routing C2 and data exfiltration through an LLM-style API, the attackers leverage both the ubiquity of AI services and the trust we place in them. This technique offers stealth, resilience, and scalability, all while blending seamlessly into normal enterprise traffic. The emerging trend underscores a critical need: organizations must monitor and validate outbound API calls to LLM endpoints, scrutinize request formats for anomalies, and enforce segmentation to limit exposure. Without such proactive measures, these shadow-AI channels could become a potent vector for future attacks.
THREAT PROFILE:
| Tactic | Technique Id | Technique | Sub-technique |
| Resource Development | T1583.006 | Acquire Infrastructure | Web Services |
| Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
| Persistence | T1574.001 | Hijack Execution Flow | DLL |
| Discovery | T1082 | System Information Discovery | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| T1095 | Non-Application Layer Protocol | — | |
| T1573.001 | Encrypted Channel | Symmetric Cryptography | |
| T1105 | Ingress Tool Transfer | — | |
| T1090.003 | Proxy | Multi-hop Proxy |
MBC MAPPING:
| Objective | Behavior ID | Behavior |
| Anti-Behavioral Analysis | B0001 | Debugger Detection |
| Anti-Static Analysis | B0032 | Executable Code Obfuscation |
| Collection | E1056 | Input Capture |
| Command and Control | B0030 | C2 Communication |
| Defense Evasion | F0001 | Software Packing |
| Discovery | B0013 | Analysis Tool Discovery |
| Execution | B0011 | Remote Commands |
| Exfiltration | E1020 | Automated Exfiltration |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
REFERENCES:
The following reports contain further technical details: