
Spyware Devs Poison AI Triage with Fake Nuke Warnings

schneier.com · @threat_watch · 3 hours ago · Cybersecurity · 0 comments

Malware now opens with a JavaScript comment about nuclear weapons to trigger refusal in naive LLM-based scanners, while the real payload waits safely below.

Tags: schneier, cybersecurity, malware, anti analysis, prompt injection, ai triage

A malware developer is now stuffing JavaScript comments with fake system instructions about nuclear and biological weapons - all to get AI-based triage tools to refuse or misclassify the file before they ever hit the real payload.

The trick is brutally simple. The _index.js file starts with a large block comment containing policy-triggering content (think “weapons of mass destruction” style text). Because it’s inside a /* */ comment, JavaScript engines skip it entirely - the runtime never sees it. The real spyware comes after, wrapped in a try{eval(...)} with a character-code array and a ROT-style substitution function.

Why This Targets LLM-First Pipelines

Many modern malware triage systems feed the first portion of a suspicious file to a language model for quick classification. If you’re an analyst using a copilot that dumps the opening bytes into an LLM without isolating the comment as untrusted data, that forbidden text can trigger refusal behavior, prompt confusion, or context pollution. The scanner bails before it ever sees the eval loop.

This isn’t a magic bypass against static detection. Bruce Schneier’s post makes that clear: YARA rules, entropy checks, AST parsing, string extraction, deobfuscation, and behavioral rules still work fine. The attack is specifically against naive LLM-first triage - the kind that treats every token in the file as trustworthy context for the model.

What It Means for AI-Mediated Analysis

The malware author is exploiting a blind spot that security tools introduced themselves: if you let an LLM read arbitrary attacker-controlled bytes without sanitization, you’re asking for prompt injection by another name. The fix isn’t hard - strip comments, truncate at a known boundary, or verify that the LLM processes isolated tokens rather than raw file text.
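As an added example (not code from Schneier's post, the article, or the spyware itself), here is a defender-side Python preprocessor that does what the paragraph suggests: split comments from code before anything reaches a model, keep the comment text aside as untrusted data, and report how much of the file head was comment. The function names and the sample file are constructed to match the shape the post describes.

```python
SUSPICIOUS = ("eval(", "String.fromCharCode", "unescape(", "atob(")

def split_js_comments(src: str):
    """Return (code_without_comments, [(start, end, text), ...]).
    String literals are copied verbatim so a '/*' inside a string is not
    mistaken for a comment opener (regex literals are not handled)."""
    code, comments, i, n = [], [], 0, len(src)
    while i < n:
        ch = src[i]
        if ch in "\"'`":
            j = i + 1                       # copy the literal, honouring escapes
            while j < n and src[j] != ch:
                j += 2 if src[j] == "\\" else 1
            code.append(src[i:j + 1]); i = j + 1
        elif src.startswith("/*", i):
            j = src.find("*/", i + 2)
            j = n if j == -1 else j + 2
            comments.append((i, j, src[i:j])); code.append(" "); i = j
        elif src.startswith("//", i):
            j = src.find("\n", i)
            j = n if j == -1 else j
            comments.append((i, j, src[i:j])); i = j
        else:
            code.append(ch); i += 1
    return "".join(code), comments

def prepare_for_model(src: str, head_bytes: int = 2048) -> dict:
    """What a triage pipeline should hand to an LLM: code only, plus
    metadata about the comments, which never enter the model context."""
    code, comments = split_js_comments(src)
    head = min(head_bytes, len(src))
    in_head = sum(max(0, min(e, head) - s) for s, e, _ in comments)
    return {
        "code_for_model": code[:head_bytes].strip(),
        "comment_share_of_head": in_head / head if head else 0.0,
        "comment_bytes": sum(e - s for s, e, _ in comments),
        "code_indicators": [k for k in SUSPICIOUS if k in code],
    }

# Constructed sample in the shape the post describes: a large leading block
# comment (placeholder text stands in for the policy-triggering content),
# then an eval of a char-code array, then a string that merely looks like a comment.
SAMPLE = ("/* " + "policy-triggering text placeholder. " * 60 + "*/\n"
          "try{eval(String.fromCharCode(118,97,114,32,120,61,49,59))}catch(e){}\n"
          "var s = \"/* not a comment */\";\n")

if __name__ == "__main__":
    print(prepare_for_model(SAMPLE))
```

A high comment share of the head combined with eval-style indicators in the code portion is itself a useful triage signal, independent of what any model says.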

Schneier’s observation should push every security team using AI triage to audit exactly how their pipeline handles file beginnings. If your scanner’s first step is “feed first 2KB to GPT-4,” you’re already vulnerable to this trick.


Source: Embedding Forbidden Text in Spyware to Discourage AI Analysis
Domain: schneier.com
