HP detects evidence of cybercriminals using AI to generate malware

A new report from HP Wolf Security presents evidence that attackers are using generative artificial intelligence to help write malicious code. HP’s threat research team also documents an increasingly polished ChromeLoader campaign spreading through malicious advertising, and cybercriminals embedding malicious code in SVG image files.

Generative AI aids in malware development
HP researchers identified a campaign targeting French speakers whose malware is believed to have been written with the help of generative AI. The evidence is circumstantial but consistent: the structure of the scripts, comments explaining each line of code, and function and variable names written in the campaign’s own language (French) rather than in the English that is conventional in code are all strong indications that the threat actor used an AI assistant to produce the malware.

Patrick Schläpfer, lead threat researcher at HP’s security lab, commented: “Speculation about attackers using AI is widespread, but evidence has been scarce, so this finding is significant. Typically, attackers like to conceal their intentions to avoid revealing their methods, so this behavior indicates that an AI assistant was used to help write their code.”

Increasingly sophisticated malicious advertising campaigns
The report also highlights that ChromeLoader campaigns are becoming larger and more polished. These campaigns place malicious advertisements (malvertising) around popular search keywords to direct victims to well-designed websites offering functional tools such as PDF readers and converters.

These seemingly legitimate applications are delivered as MSI installers that also carry the malicious code. Because the installers are signed with valid code-signing certificates, they pass Windows’ signature checks and do not trigger the unknown-publisher warnings shown for unsigned software, so fewer victims are stopped before the infection completes.

Malware hidden in vector images
In an unusual shift, some cybercriminals are moving from HTML files to vector images to smuggle malware. Vector graphics are widely used in design and are most commonly stored as SVG, an XML-based format. Because SVG is XML, a file can carry a script element or event-handler attributes alongside its drawing instructions, and because .svg files open in the default browser, any embedded JavaScript runs as soon as the victim views the image. The caveat for defenders is that browsers execute SVG script only when the file is opened as a document (double-clicked or followed as a link), not when it is displayed through an img tag or CSS, which is exactly why the lure delivers the file for the victim to open.
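The scanner below is an added example, not code from the HP report: it parses an SVG as XML and flags the three ways the format can carry executable content (a script or foreignObject element, an on* event-handler attribute, and a URL attribute with a javascript:, vbscript: or non-raster data: scheme). It also normalises URLs the way browsers do (tabs and newlines are dropped, so `java&#9;script:` still runs). Both sample files are constructed for the demo and use alert() where real malware would hide a loader.

```python
"""Added example: flag active content inside SVG files.

Not part of the HP report; the two sample SVGs below are constructed for this
demo and use alert() where real malware would hide a loader.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Elements that execute code or pull foreign content into the image.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object", "handler"}
# Attributes that may carry a URL; SVG animation elements can also retarget
# href through to/from/values.
URL_ATTRS = {"href", "src", "data", "to", "from", "values"}


def _local(qname: str) -> str:
    """Strip the namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return qname.rsplit("}", 1)[-1]


def _url_scheme_risk(value: str) -> str | None:
    """Return the risky scheme of a URL value, or None if it looks harmless.

    Browsers remove ASCII tab/newline anywhere in a URL and trim surrounding
    whitespace before parsing, so 'java\\tscript:' still executes; we apply the
    same cleaning before reading the scheme.
    """
    cleaned = re.sub(r"[\t\n\r]", "", value).strip()
    m = re.match(r"([A-Za-z][\w+.-]*):(.*)", cleaned, re.S)
    if not m:
        return None
    scheme, rest = m.group(1).lower(), m.group(2).lower()
    if scheme in ("javascript", "vbscript"):
        return scheme
    # A data: URL wrapping a raster image is normal in SVG; anything else
    # (nested SVG, text/html, application/*) can carry script.
    if scheme == "data" and not re.match(r"image/(png|jpe?g|gif|webp|bmp)", rest):
        return "data"
    return None


def find_active_content(svg_text: str) -> list[tuple[str, str]]:
    """Return (kind, detail) findings for every script vector in the SVG."""
    findings: list[tuple[str, str]] = []
    # The stdlib parser does not resolve external entities, so XXE is not a
    # concern here; for untrusted input at scale prefer defusedxml.
    root = ET.fromstring(svg_text)
    for elem in root.iter():
        tag = _local(elem.tag) if isinstance(elem.tag, str) else ""
        if tag in ACTIVE_TAGS:
            findings.append((f"element:{tag}", (elem.text or "").strip()[:60]))
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):  # onload, onclick, onbegin, ...
                findings.append((f"event-handler:{name}", value[:60]))
            elif name in URL_ATTRS:
                risk = _url_scheme_risk(value)
                if risk:
                    findings.append((f"url:{risk}", value[:60]))
    return findings


def is_suspicious(svg_text: str) -> bool:
    """Gate for a mail or download filter: True if any active content is found."""
    return bool(find_active_content(svg_text))


# Constructed sample: an ordinary icon with no active content.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="64" height="64">
  <circle cx="32" cy="32" r="24" fill="steelblue"/>
</svg>"""

# Constructed sample: every vector the scanner knows, with alert() as payload.
# Note the tab entity hiding the javascript: scheme in the link.
SMUGGLING_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert('onload')">
  <rect width="10" height="10" fill="red"/>
  <a xlink:href="java&#9;script:alert('link')"><text y="20">open</text></a>
  <script><![CDATA[ alert("script element"); ]]></script>
  <foreignObject width="1" height="1">
    <body xmlns="http://www.w3.org/1999/xhtml"><p>html inside svg</p></body>
  </foreignObject>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("smuggling", SMUGGLING_SVG)):
        print(label, find_active_content(doc))
```

The benign icon produces no findings; the smuggling sample yields four (the onload handler, the javascript: link, the script element and the foreignObject). A filter should treat any finding as grounds to quarantine rather than strip the offending node, since an attacker who controls the file can pick whichever vector the sanitiser misses.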

Implications for cybersecurity
Dr. Ian Pratt, Global Director of Security for Personal Systems at HP Inc., commented on these findings: “Threat actors are constantly updating their methods, whether using AI to enhance attacks or creating functional yet malicious tools to evade detection. Therefore, businesses must build resilience by closing as many common attack paths as possible.”

The report underscores the need for organizations to adopt a defense-in-depth strategy, including isolating high-risk activities such as opening email attachments and web downloads so that a malicious file runs in a contained environment rather than on the host. These measures shrink the attack surface and limit the damage a successful lure can do.
