Tracing the bloodline of LLM-driven polymorphic malware: do GHOSTs leave footprints?

Wednesday 14 October 14:00 - 14:30, Green room  

Chanbin Jeon, SeungBeom Lim & SuhMahn Hur (SANDS Lab)

Traditional malware tracking relies on code similarity to cluster variants and infer actor lineage. However, the rise of accessible local LLMs introduces a critical blind spot: malware can now be autonomously rewritten to systematically evade these assumptions.

To quantify this threat, we developed GHOST (Generative Heuristic Obfuscation & Semantic Transformation), an end-to-end autonomous mutation pipeline that performs source rewriting, rebuilding, and functional verification. We evaluated GHOST on rebuildable Mirai-family IoT botnets and statically linked binaries, where static triage remains essential. Moving beyond basic API substitution, GHOST leverages LLMs to rewrite algorithms, restructure functions, and modify build strategies. This approach achieved a 95% success rate in generating functional variants and bypassed 22 of 46 capability-based detection rules in a single run. As a result, variants from the same campaign lose their structural resemblance, defeating standard heuristics such as function reuse.

Despite this effective obfuscation, LLM-driven transformations are not random. They introduce consistent, model-specific structural artifacts that persist through compilation. Beyond superficial indicators like dead code insertion or debug-string contamination, we identify deeper patterns in function decomposition and semantic inconsistencies. These persistent artifacts can be captured and clustered using function-level code embeddings, enabling the recovery of relationships between seemingly unrelated samples.

Our findings demonstrate that LLM-based obfuscation simultaneously disrupts human-centric lineage analysis and introduces model-centric fingerprints. In constrained environments such as IoT, where dynamic analysis is limited, these artifacts provide a new foundation for static clustering. This shifts attribution from "who wrote the malware" to "which model generated it."

 

Chanbin-Jeon.jpg

Chanbin Jeon

Chanbin Jeon is a research engineer on the Threat Analysis Team at SANDSLab, specializing in malware analysis and cyber threat intelligence. He began his career in intrusion response and network security at AhnLab's Computer Emergency Response Team (CERT), and has since expanded his expertise into behavioural malware analysis and intelligence generation. His current research focuses on malware analysis and threat intelligence development, with a strong interest in attacker attribution and threat profiling based on real-world incident cases.

 
SeungBeom-Lim.jpg

SeungBeom Lim

SeungBeom Lim is a research engineer on the AI Tech & Development Team at SANDS Lab. He holds an M.Sc. in AI / machine learning and information security from Hoseo University in South Korea. His current research focuses on solving cybersecurity challenges through AI technologies, utilizing both large language models (LLMs) and deep learning architectures. He primarily investigates threats in areas such as network security, botnet detection, and ransomware analysis, aiming to apply advanced AI techniques to real-world security problems and make impactful contributions to the field.

 
 

SuhMahn Hur

SuhMahn Hur is the Team Lead of the Threat Analysis Team at SANDS Lab. He has a strong interest in cyber threat intelligence, malware analysis, and URL analysis. Leveraging his extensive analytical experience, he has developed numerous detection solutions and is also deeply interested in applying artificial intelligence to security technologies. He has worked for several years as an incident response analyst and has developed a platform that significantly reduces incident analysis time by creating artifact collection tools and malware detection agents.

Back to VB2026 Programme page

Back to VB2026 conference page

Register your interest for VB2026

Other VB2026 papers

Threat intelligence-driven clustering: identifying a new cyber-mercenary intrusion set

VB2026 presentation: Threat intelligence-driven clustering: identifying a new cyber-mercenary intrusion set, Maher Yamout and Fatih Şensoy

From hotel account compromise to guest payment fraud: the reservation hijack attack chain

VB2026 presentation: From hotel account compromise to guest payment fraud: the reservation hijack attack chain, Martin Chlumecký and Luis Corrons

Hunting LANDFALL: from overlooked images to state-linked mobile spyware

VB2026 presentation: Hunting LANDFALL: from overlooked images to state-linked mobile spyware, Itay Cohen

Gorbag: Orcs at the border

VB2026 presentation: Gorbag: Orcs at the border, Damien Schaeffer

Defeating indirect branching obfuscations in malware with Hex-Rays Decompiler

VB2026 presentation: Defeating indirect branching obfuscations in malware with Hex-Rays Decompiler, Georgy Kucherin

Discerning the invisible: a heuristic engine for behavioural inference in nation-state covert networks

VB2026 presentation: Discerning the invisible: a heuristic engine for behavioural inference in nation-state covert networks, Madeline Sedgwick

Kimwolf’s claws loom over 1.8 million firewalled Android devices worldwide

VB2026 presentation: Kimwolf’s claws loom over 1.8 million firewalled Android devices worldwide, Alex Turing

Paying the TOLL: how REF3927 turned 571 IIS servers into an SEO fraud network

VB2026 presentation: Paying the TOLL: how REF3927 turned 571 IIS servers into an SEO fraud network, Salim Bitam and Jia Yu Chan

Leveraging Landlock telemetry for Linux detection engineering

VB2026 presentation: Leveraging Landlock telemetry for Linux detection engineering, Guillaume Couchard and Erwan Chevalier

Targeting the elderly: from spoofing to persistence

VB2026 presentation: Targeting the elderly: from spoofing to persistence, Axelle Apvrille

The invisible warzone: competing botnets fighting over your smart TV

VB2026 presentation: The invisible warzone: competing botnets fighting over your smart TV, Asher Davila, Chris Navarrete & Doel Santos

Mac&Cheese: cooking up the Digit Stealer recipe

VB2026 presentation: Mac&Cheese: cooking up the Digit Stealer recipe, Kseniia Yamburh & Joan Garcia

How real-world malware disables EDR systems

VB2026 presentation: How real-world malware disables EDR systems, Holger Unterbrink

Newsjacking the world: tracking three months of uncovered APT operations disguised as global headlines

VB2026 presentation: Newsjacking the world: tracking three months of uncovered APT operations disguised as global headlines, Darrel Virtusio & Subhajeet Singha

Polling is the vulnerability: a case for event-driven cloud detection

VB2026 paper: Polling is the vulnerability: a case for event-driven cloud detection, Santiago Abastante

The edge is the enemy: hunting Chinese router relay networks

VB2025 presentation: The edge is the enemy: hunting Chinese router relay networks, Ryan Sherstobitoff

Unravelling Lumma Stealer’s protection stack: pushing static deobfuscation to its practical limit

VB2026 presentation: Unraveling Lumma Stealer’s protection stack: pushing static deobfuscation to its practical limit, Yuki Umemura

AI in malware: evolution and predicting the future of AI-driven attacks

VB2026 presentation: AI in malware: evolution and predicting the future of AI-driven attacks, Eli Smadja

The cyber saga: deconstructing the DPRK’s global synthetic IT workforce ecosystem

VB2026 presentation: The cyber saga: deconstructing the DPRK’s global synthetic IT workforce ecosystem, Anastasia Tikhonova

Tracing the bloodline of LLM-driven polymorphic malware: do GHOSTs leave footprints?

VB2026 presentation: Tracing the bloodline of LLM-driven polymorphic malware: do GHOSTs leave footprints? Chanbin Jeon, SeungBeom Lim & SuhMahn Hur

How LOLRMM, LOLDrivers and CertGraveyard map the attacker's favourite kill chain

VB2026 presentation: How LOLRMM, LOLDrivers and CertGraveyard map the attacker's favourite kill chain, Jose Enrique Hernandez & Nasreddine Bencherchali

Agent detection and response: safety on a token budget

VB2026 presentation: Agent detection and response: safety on a token budget, Václav Belák, Jakub Křoustek & Tomáš Ďuriš

Malwaremorphosis - breaking down a global multi-layer malvertising operation

VB2026 presentation: Malwaremorphosis - breaking down a global multi-layer malvertising operation, Ionuț Baltariu

I will find you and I will flag you: hunting malicious packages at scale

VB2026 presentation: I will find you and I will flag you: hunting malicious packages at scale, Christophe Tafani-Dereeper

Otter encyclopaedia: deep analysis of Otter family

VB2026 presentation: Otter encyclopaedia: deep analysis of Otter family, Rintaro Koike, Yuta Sawabe & Masaya Motoda

Break the silence: tracking Silent Lynx through exposed infrastructure

VB2026 presentation: Break the silence: tracking Silent Lynx through exposed infrastructure, Julian Ferdinand Vögele & Chi-en (Ashley) Shen

Operation FalseProof: PoC that bites back

VB2026 presentation: Operation FalseProof: PoC that bites back, Jiho Kim & Minyeop Choi

Transparency wars: exposing hidden biases in testing

VB2026 presentation: Transparency wars: exposing hidden biases in testing, Righard Zwienenberg & Luis Corrons

Snap, trigger, steal: SnappyClient and the art of trigger-based intrusions

VB2026 presentation: Snap, trigger, steal: SnappyClient and the art of trigger-based intrusions, Muhammed Irfan V A, Avinash Kumar & Nirmal Singh

Reverse engineering a multi-stage implant targeted Vietnamese organizations

VB2026 presentation: Reverse engineering a multi-stage implant targeted Vietnamese organizations, Minh Anh Luong

When malware talks back: real-time interaction with a threat actor during the analysis of Kiss Loader

VB2026 presentation: When malware talks back: real-time interaction with a threat actor during the analysis of Kiss Loader, Marvin Castillo & Arvin Jay Bandong

Free games, costly consequences: unravelling PiviGames’ hidden treasure malware

VB2026 presentation: Free games, costly consequences: unravelling PiviGames’ hidden treasure malware, John Rey Dador

Khmer Shadow: uncovering a targeted cyber espionage campaign against Cambodian military intelligence

VB2026 presentation: Khmer Shadow: uncovering a targeted cyber espionage campaign against Cambodian military intelligence, Subhajeet Singha

Practical ransomware detection on macOS (via math, not AI)

VB2026 presentation: Practical ransomware detection on macOS (via math, not AI), Patrick Wardle

From exclusive to widespread: the shifting exploitation dynamics of (zero-day) vulnerabilities before and after their (public) disclosure

VB2026 presentation: From exclusive to widespread: the shifting exploitation dynamics of (zero-day) vulnerabilities before and after their (public) disclosure, Kerstin Zettl-Schabath & Kritika Roy

The other side of the front: hunting Paper Werewolf's operations against Russia

VB2026 presentation: The other side of the front: hunting Paper Werewolf's operations against Russia, Nicole Fishbein

Meet ARES - an agentic reverse engineer that decrypts sophisticated ransomware encrypted files

VB2026 presentation: Meet ARES - an agentic reverse engineer that decrypts sophisticated ransomware encrypted files, Raviv Rachmiel

Disrupting the threat actor mythos: data-based insights into targeting, tooling, and the limits of AI in cybercrime

VB2026 presentation: Disrupting the threat actor mythos: data-based insights into targeting, tooling, and the limits of AI in cybercrime, Selena Larson & Daniel Blackford

Deadline as bait: a comparative analysis of tax-themed smishing campaigns targeting Spain and Portugal

VB2026 presentation: Deadline as bait: a comparative analysis of tax-themed smishing campaigns targeting Spain and Portugal, Natasha Márquez & Ghyorka Kpee

When wipers leave backups: an analysis of ArgonWiper’s encryption workflow

VB2026 presentation: When wipers leave backups: an analysis of ArgonWiper’s encryption workflow, Hyuna Lee & Hyoje Jo

Notoriously reluctant: continuing conversations with FBI and private sector defenders about disrupting cybercriminals through collaboration

VB2026 presentation: Notoriously reluctant: continuing conversations with FBI and private sector defenders about disrupting cybercriminals through collaboration, Sara Eberle & DeLynn Bettencourt Hammell

From dead malware to living adversaries: AI-powered digital twins for adaptive APT modelling

VB2026 presentation: From dead malware to living adversaries: AI-powered digital twins for adaptive APT modelling, Alexander Adamov & Anders Carlsson

The silent threat in your enterprise: SAP security

VB2026 presentation: The silent threat in your enterprise: SAP security, Anita Cwynar

BEAST: binary emulation and analysis simulation technology for advanced malware analysis and anti-forensic countermeasures

VB2026 presentation: BEAST: binary emulation and analysis simulation technology for advanced malware analysis and anti-forensic countermeasures, Bramwell Brizendine, Alexander Wood, Jared Sheldon & William Lochte

Spec-driven malware: turning markdown into threats

VB2026 presentation: Spec-driven malware: turning markdown into threats, Sven Rath

The invisible candidate: tracking the evolution of 'Un-tracked' GRITCASPIAN

VB2026 presentation: The invisible candidate: tracking the evolution of 'Un-tracked' GRITCASPIAN, Asli Koksal

DPRK-aligned threat operations: tradecraft, tooling, and detection patterns

VB2026 presentation: DPRK-aligned threat operations: tradecraft, tooling, and detection patterns, Wonkyeom Kim

Workshop: Collaborative attack modelling across CTI, Red Team, and SOC (MITRE)

VB2026 workshop: Collaborative attack modelling across CTI, Red Team, and SOC (MITRE)

TIPS: The next chapter

VB2026 TIPS presentation: The next chapter, Jiri Sejtko

TIPS: Collaboration in action: turning shared threat intelligence into coordinated defence

VB2026 TIPS presentation: Collaboration in action: turning shared threat intelligence into coordinated defence, Tuna Dabak

TIPS: From signal to shield: rapid collaboration to defend critical infrastructure during crisis

VB2026 TIPS presentation: From signal to shield: rapid collaboration to defend critical infrastructure during crisis, Madeline Sedgwick

TIPS: Harmonizing AI agents and human analysts in CTI - are CTI agents friends or rivals to junior analysts?

VB2026 TIPS presentation: Harmonizing AI agents and human analysts in CTI - are CTI agents friends or rivals to junior analysts? Takahiro Kakumaru

TIPS: Stairway to resilience: cybersecurity in good times, bad times, and everything between

VB2026 TIPS presentation: Stairway to resilience: cybersecurity in good times, bad times, and everything between Selena Larson, Jeannette Jarvis, Kathi Whitbey, Jeanette Miller Osborne

TIPS: Defending (against) the human layer: IoB in the real world

VB2026 TIPS presentation: Defending (against) the human layer: IoB in the real world Righard Zwienenberg, Kathi Whitbey, Samir Mody & Mienke

TIPS: STIX in action: proposed industry collaboration on sharing DigSig metadata

VB2026 TIPS presentation: STIX in action: proposed industry collaboration on sharing DigSig metadata, Samir Mody

TIPS: Ghosts in the chat: tracking GhostPairing from trusted message to linked-device takeover 

VB2026 TIPS presentation: Ghosts in the chat: tracking GhostPairing from trusted message to linked-device takeover, Michal Salat

TIPS: The art of fighting back

VB2026 TIPS presentation: The art of fighting back, Gabor Szappanos

TIPS: Wartime intelligence collection and collaboration

VB2026 TIPS presentation: Wartime intelligence collection and collaboration, Sergey Shykevich

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.