What is the difference between polymorphic and metamorphic malware?

Polymorphic malware encrypts or obfuscates its payload and changes the decryption stub on each infection, so its binary signature differs every time. Metamorphic malware goes further: it rewrites its own functional code structurally, producing a semantically equivalent but syntactically different version without needing encryption. AI-assisted malware adds a new layer to both — using large language model techniques to generate functionally identical code that is semantically novel, making detection by both signature and structure far harder.

Can AI generate working malware from scratch?

AI tools, including jailbroken commercial LLMs and purpose-built underground tools, can generate functional malicious code. Security researchers have demonstrated this with proof-of-concept tools like BlackMamba (2023), which used an LLM to rewrite its own keylogging code in memory at runtime. Underground tools specifically designed to bypass safety guardrails are also available. The barrier to entry for technically capable threat actors has dropped significantly.

Is traditional antivirus still effective against AI malware?

Signature-based antivirus has limited effectiveness against polymorphic and AI-generated malware because the hash and byte signature change with each variant. Heuristic and behavioural detection are more effective but not immune — sophisticated AI malware can probe its environment, detect analysis tools, and alter its behaviour accordingly. Defence-in-depth combining AI-powered EDR, network detection, zero trust controls, and threat hunting is the appropriate response.

What should an SME prioritise to protect against AI malware?

For most SMEs, the highest-value actions are: deploying an AI-powered endpoint detection and response (EDR) tool rather than legacy antivirus; enforcing MFA across all accounts to reduce the credential theft that precedes most malware deployments; patching systematically to remove known vulnerabilities that malware exploits for initial access; and segmenting your network so that a single infected endpoint cannot reach all systems. Formal threat hunting is typically out of reach for smaller organisations, but a managed detection and response (MDR) provider can deliver the equivalent.

AI-Generated and Polymorphic Malware: How Autonomous Threats Are Evading Detection

Key takeaways

AI gives malware writers semantic code rewriting — each variant is functionally identical but structurally novel, defeating signature and hash-based detection
Autonomous malware can probe its environment, detect analysis tools and sandboxes, and modify its behaviour before executing its payload
Underground AI tools designed specifically for malware generation are in active use; the barrier to entry for capable threat actors has dropped
Signature-based antivirus is insufficient against these threats; AI-powered EDR and behavioural network detection are the appropriate technical response
Credential theft is still the most common initial access vector — MFA and privileged access management remain the highest-value defensive controls
Patching speed matters more than ever: AI-assisted exploitation of known vulnerabilities accelerates the time between public disclosure and active attack

From mutation engines to AI code generation

Polymorphic malware first appeared in the early 1990s, with the Dark Avenger Mutation Engine (MtE) demonstrating that a single piece of malware could produce thousands of distinct binary signatures. For decades, the core technique remained the same: encrypt the malicious payload and vary the decryption stub, so each infection looks different to a signature scanner.

Metamorphic malware, which emerged in the late 1990s and early 2000s, went further. Instead of encrypting a static payload, metamorphic malware rewrites its own functional code on each execution — reordering instructions, substituting equivalent operations, inserting junk code — so the binary structure changes while the behaviour stays the same. Tools like the NGVCK (Next Generation Virus Construction Kit) could produce metamorphic variants automatically.

AI changes the ambition of this approach. Large language models can generate semantically equivalent code at a much higher level of abstraction — not just reshuffling assembly instructions but rewriting entire logical blocks in different idioms, using different variable names, different control flow structures, and different API call sequences. The resulting variants are not just structurally different; they are novel in ways that evade both signature detection and many heuristic rules built on known code patterns.

Proof of concept: BlackMamba

In 2023, HYAS researchers demonstrated a proof-of-concept tool called BlackMamba that used a commercial LLM to rewrite its own keylogging payload in memory at runtime. On each execution, the malware called the LLM API to synthesise fresh code, which was then executed directly — meaning no static payload ever existed on disk for an endpoint agent to scan. The threat was successfully demonstrated evading EDR tools from major vendors.

How AI-assisted malware works

Current AI-assisted malware capabilities exist across a spectrum. At one end: threat actors using general-purpose LLMs (sometimes via jailbreaks) to assist with writing specific code components — obfuscation routines, shellcode, phishing lures. At the other: purpose-built autonomous systems that handle target selection, initial access, lateral movement, and payload delivery with minimal human intervention.

Semantic code rewriting

An LLM rewrites the malware's functional logic into a structurally novel but behaviourally identical version before or during execution. Each copy sent to a new target looks unique. Signature databases built on known malware hashes become obsolete against any single actor using this technique, because every infection produces a new hash.

Environment-aware evasion

Sophisticated malware already probes for sandboxes and analysis tools before executing — checking for virtual machine artefacts, specific registry keys, or unusual mouse inactivity patterns. AI can make this probing more adaptive: using the environment's response to infer what type of system it has landed on and choosing an appropriate evasion or payload strategy accordingly.

Autonomous target selection and lateral movement

Early-stage AI-assisted reconnaissance tools can scan an environment, identify high-value targets (domain controllers, finance systems, credential stores), and prioritise movement paths with minimal human direction. This compresses the attacker's dwell time inside a network and reduces the window available for defenders to detect and interrupt the attack chain.

AI-generated phishing and initial access

Credential theft remains the most common initial access vector. AI produces highly personalised spear-phishing content at scale — pulling from LinkedIn, company websites, and public filings to craft messages that are contextually specific to the target. The grammatical tells and generic phrasing that training recognised as phishing indicators are no longer present.

Underground AI tools for malware generation

The commodification of AI malware capabilities is visible in the underground market. Tools specifically designed to bypass the safety guardrails of commercial LLMs and assist in malware creation have appeared on dark web forums. WormGPT, which emerged in mid-2023, was marketed as a jailbroken LLM with no ethical restrictions — capable of generating malware code, business email compromise content, and exploit scripts. FraudGPT followed shortly after, with similar positioning.

These tools do not require their buyers to be skilled programmers. They lower the floor for what a moderately capable threat actor can produce — particularly for phishing content, initial-access scripts, and social engineering support. The most sophisticated AI malware capabilities — true autonomous code rewriting, environment-adaptive evasion — still require technical depth to implement. But the gap between script kiddies and sophisticated actors is narrowing.

The democratisation of AI tools does not primarily give unsophisticated attackers sophisticated capabilities. It gives sophisticated attackers speed, scale, and the ability to personalise attacks far beyond what was previously economical.

450k+

new malware samples registered per day on average, per AV-TEST Institute data

3 sec

of audio needed for commercial voice-cloning tools to replicate a person's voice — also relevant for social engineering

94%

of malware is delivered via email, according to Verizon DBIR — AI-polished phishing raises the hit rate on every link in that chain

Why traditional defences struggle

Signature-based antivirus works by matching files and processes against a database of known-bad patterns. It is fast and cheap to run but structurally ineffective against malware that generates a unique signature per infection. The fundamental problem is not one of database coverage; it is architectural. Signatures describe what has already been seen.

Heuristic and behavioural detection improve on this by looking for suspicious patterns of behaviour rather than specific code. But sophisticated malware delays its malicious behaviour until it has assessed the environment and is confident it is not being analysed. It may sleep for extended periods, execute only on specific dates, or require a specific user action before activating — all techniques that cause automated sandboxes to miss the malicious behaviour during analysis.

Machine learning-based detection models, which look for anomalous patterns in code structure and runtime behaviour, are the strongest current defence against novel malware. But they are not immune: adversarial examples — inputs engineered to look normal to an ML model while being malicious — are a documented attack category, and AI malware writers can in principle optimise their code against known detection models.

What to do

Deploy AI-powered endpoint detection and response

Move from legacy signature-based antivirus to an endpoint detection and response (EDR) or extended detection and response (XDR) platform that uses machine learning for behavioural analysis. Modern EDR tools look at process behaviour, memory activity, network connections, and file system changes over time — not just point-in-time file scans. This approach is substantially more effective against novel and polymorphic threats. For organisations without an in-house security operations capability, a managed detection and response (MDR) provider packages the tooling with the human analysis layer.

Harden initial access

The majority of malware deployments — including ransomware — begin with stolen credentials or phished users. MFA on every account with external access, phishing-resistant authentication (passkeys or hardware tokens) for privileged accounts, and a well-implemented email security gateway that scans for suspicious links and attachments are higher-value controls than any endpoint agent. Attackers who have valid credentials can bypass many detection systems entirely.

Patch systematically and quickly

AI-assisted vulnerability exploitation shortens the window between a CVE being published and threat actors deploying working exploits. An organisation that takes 30 days to patch a critical vulnerability is giving attackers a larger window than it did two years ago. Prioritise patch deployment for internet-facing systems and anything running known-exploited vulnerabilities (CISA's KEV catalogue is a good operational reference).

Segment your network

Autonomous lateral movement is only useful to an attacker if the infected endpoint can reach other systems. Network segmentation — separating production systems, administrative interfaces, backup infrastructure, and user workstations into isolated zones with controlled traffic paths — limits what a compromised endpoint can access. A device in the finance network segment should not be able to initiate connections to manufacturing control systems or the backup server.

Add a network detection layer

Behavioural network detection (NDR) tools monitor traffic patterns within your network and identify anomalies that endpoint agents miss — particularly when malware is living off the land (using legitimate system tools rather than custom executables). Unexpected internal scanning, unusual data volumes moving to staging directories, or connections to new external hosts at odd hours are all signals that endpoint-only defences will not catch.

Run threat hunting exercises

Threat hunting is the proactive search for attacker activity that has not triggered alerts. AI malware that deliberately evades automated detection is precisely the class of threat that threat hunting is designed to find. For most SMEs this is best delivered via a managed provider, but even periodic manual review of endpoint telemetry against threat intelligence indicators of compromise adds detection value that passive tooling does not.

Our cybersecurity team helps organisations assess their current detection capability, select and deploy EDR/MDR tooling, and design network segmentation that reflects their actual risk profile. Speak to us if you want a practical assessment of your exposure to this class of threat.