Let me be blunt: if your threat model doesn’t include AI-assisted malware development, you are already behind. Not theoretically behind — actually, operationally, right-now behind.
This week, IBM X-Force confirmed that Interlock ransomware operators deployed a new malware strain called Slopoly — and the evidence strongly suggests it was written with generative AI tooling. This isn’t a proof-of-concept demo from a Black Hat talk. This is ransomware-as-a-service crews using LLMs as co-developers. The barrier to sophisticated malware just dropped to whoever can string together a decent prompt chain.
Meanwhile, in the LLM security research space, prompt injection now appears in over 73% of production AI deployments, and new jailbreak techniques are being catalogued faster than defenses can ship. The attack surface isn’t just growing — it’s mutating.
Here are the 7 LLM-powered attack techniques that matter right now, ranked by how badly they’re going to hurt defenders who aren’t paying attention.
1. AI-Generated Malware Is Already in the Wild (Meet Slopoly)
The Interlock ransomware gang is not a research group. They’re a financially motivated criminal operation that has been actively exploiting Cisco Secure Firewall Management Center zero-days (CVE-2026-20131) since January — weeks before Cisco patched it in early March.
Their latest tool, Slopoly, shows code patterns and structural choices that X-Force analysts attribute to LLM-assisted development. What does that mean in practice? Faster iteration, more consistent error handling, cleaner obfuscation layering, and the ability to spin up new variants without a senior developer on the team.
The uncomfortable truth: LLMs are a force multiplier for mid-tier threat actors. You no longer need to be elite to write elite-quality malware. You need to be persistent and know how to prompt.
2. Prompt Injection: The #1 Vulnerability Nobody Is Patching Fast Enough
Prompt injection — where attacker-supplied data hijacks an LLM’s behavior — is the SQL injection of the AI era. And like SQLi in 2005, everyone knows it’s a problem and nobody’s moving fast enough.
Direct prompt injection is what most people think of: trick the model via user input. But indirect prompt injection is the sneaky one — embedding malicious instructions in external content (PDFs, emails, web pages) that an AI agent consumes on your behalf. Your AI assistant reads a malicious document. The document contains instructions. The assistant executes them.
This is already being weaponized against enterprise AI deployments. If your org has rolled out Copilot, Claude, or any agentic workflow that ingests external data, you have an indirect prompt injection attack surface right now.
The fix? Input sanitization at the agent layer, strict tool permissions, output filtering, and treating every external data source as untrusted. Most teams are doing zero of these things.
3. Many-Shot Jailbreaking: Patience as an Attack Vector
This one deserves more attention than it gets. Many-shot jailbreaking exploits the long context windows that modern LLMs advertise as a feature.
The technique: feed the model dozens or hundreds of examples of “compliant” fictional scenarios that gradually normalize the harmful behavior you want. By the time you inject the actual malicious query, the model has been conditioned by its own context to treat it as normal.
This is particularly nasty because:
- It works against models with robust safety training
- It’s hard to detect at the infrastructure level (it just looks like a long conversation)
- It scales with context window size — the bigger the model’s memory, the more conditioning room you have
Red teamers should be testing their AI deployments with many-shot scenarios. Most aren’t.
4. Skill-Inject: The Supply Chain Attack for AI Agents
Here’s a new one that most defenders haven’t heard of yet: Skill-Inject.
As AI agents proliferate — systems that can browse the web, write code, send emails, and execute workflows — they consume “skills” or “tools” defined by third-party packages. Skill-Inject embeds malicious instructions within these skill files, essentially poisoning the agent’s capabilities at the plugin layer.
Think of it like a malicious npm package, but instead of compromising a Node.js runtime, you’re compromising an autonomous AI agent with access to your inbox, your files, and your APIs.
The attack surface: any organization deploying AI agents that load external skills or tools without rigorous sandboxing. That’s most of them.
5. Automated Exploit Development: The Patch Window Is Shrinking to Hours
The Langflow vulnerability (CVE-2026-33017) was exploited within 20 hours of public disclosure. Twenty hours. That’s not a human manually reading a CVE, writing a PoC, and launching an attack. That’s automation — almost certainly LLM-assisted automation.
The old model: CVE drops → researchers write PoC → criminals adapt PoC → attacks begin (days to weeks). The new model: CVE drops → LLM analyzes patch diff → generates exploit → attacks begin (hours).
This fundamentally breaks the traditional patch prioritization game. “We’ll patch this next cycle” is no longer a viable risk tolerance for critical systems. If a CVE is public and your system is exposed, assume active exploitation within a day.
6. Polymorphic AI Malware: Signature Detection Is Officially Dead
Two new RATs — Moonrise and Karsto — were discovered in February 2026 with zero detections on VirusTotal. Zero. Against one of the largest multi-engine scanning platforms in the world.
This is the logical endpoint of AI-assisted malware development: polymorphic code that rewrites itself on each deployment, generating unique signatures that no static detection engine has ever seen. Combine this with LLM-generated variants that maintain functional behavior while randomizing syntax, and you’ve got a signature-detection apocalypse.
The blue team response can’t be “add more signatures.” It has to be behavioral detection, memory analysis, and network telemetry. Anyone still betting the farm on EDR signature matching needs a harsh conversation with their board.
7. The Zombie ZIP Bonus: AV Bypass Is Also Getting Trivial
While we’re here — shoutout to the Zombie ZIP technique (CVE-2026-0866), which bypasses roughly 95% of AV products during initial scan by manipulating ZIP file headers to lie about compression status.
It requires a custom loader to actually execute, which limits its standalone impact. But pair it with an LLM-generated payload and a Skill-Inject delivery mechanism? You’ve got an end-to-end evasion pipeline that a competent threat actor with access to modern AI tools could plausibly assemble in a weekend.
What This All Means: Three Uncomfortable Takeaways
1. The skill gap between attackers and defenders is closing — in the wrong direction.
LLMs are a bigger force multiplier for offense than defense right now. Offense is creative, iterative, and benefits from automation. Defense is reactive, consensus-driven, and constrained by bureaucracy. AI amplifies the attacker’s natural advantage.
2. Your AI deployments are part of your attack surface now.
If you’ve rolled out any LLM-powered tooling — agents, copilots, chat interfaces — without a dedicated AI security review, you have uncharted exposure. Treat AI systems with the same paranoia you’d apply to a public-facing web application.
3. Speed is the new perimeter.
Patch windows, response times, detection latency — these are all shrinking. The organizations that survive the next generation of attacks will be the ones that have invested in automation on the defensive side too. Not to match AI with AI necessarily, but to compress the human-in-the-loop delay to near zero for the most critical response actions.
Practical Takeaways for Red Teamers and Blue Teams
- Red teamers: Start incorporating prompt injection and many-shot jailbreak testing into your scope when clients have AI deployments. This is table stakes now.
- Blue teams: Audit every AI tool your org uses. Map what external data it consumes, what tools it can invoke, and what permissions it runs with. Assume it’s a target.
- Everyone: Track CVE weaponization timing. If a critical CVE drops on Monday, treat Tuesday as your deadline for exposed systems — not your next patch cycle.
- Threat intel folks: The Slopoly/Interlock campaign is worth deep-diving. The AI-assisted malware development pattern will be replicated by other groups in Q2. This is the new normal.
The era of “AI as a feature” is over. We’re in the era of “AI as infrastructure” — for both attackers and defenders. The ones who adapt first win.
Stay paranoid. Patch faster. And start red-teaming your AI.
