AI Malware: Hype vs. Reality
Key Takeaways
- Most “AI malware” observed so far falls into the AI malware Maturity Model (AIM3) Levels 1-3 (Experimenting through Optimizing), rather than fully automated campaigns.
- AI is currently a force multiplier on existing attacker tradecraft, not a source of fundamentally new TTPs.
- Many “first-ever AI malware” announcements are narrow research demos or PoCs with limited autonomy and unclear real-world impact.
- Public reporting shows no confirmed examples of truly embedded, Bring-Your-Own-AI (BYOAI) malware running its own local model on victim hosts.
- Defenders should prioritize monitoring abuse of legitimate AI services, hardening existing controls, and mapping threats to AIM3 levels rather than overreacting to sci-fi scenarios.
Introduction
Generative AI (GenAI) and large language models (LLMs) are being rapidly integrated into all aspects of our society, from communication to cybersecurity. Enterprises and vendors are already using GenAI and LLMs to augment their defenses. Attackers are also adopting LLMs, primarily as a force multiplier rather than the one-click super malware often implied in article headlines. From phishing lures to code generation and basic orchestration, GenAI is lowering the skill barrier and speeding up familiar workflows, not unleashing a brand new class of unstoppable, fully autonomous malware.
In practice, most AI malware activity today resides in the early stages of AI maturity, focused on AI-assisted coding and tradecraft, localized content, and experimental orchestration that still relies heavily on humans and traditional tools, even as vendors rush to brand narrow proofs of concept (PoCs) or niche incidents as the first-ever AI attacks. This post cuts through that hype by introducing a simple AI malware Maturity Model (AIM3) to define what truly counts as AI malware, map recent public claims to concrete maturity levels, and give defenders a realistic view of how AI is actually changing attacker economics today and how to prepare for the more capable, orchestrated threats that are clearly on the way.
What counts as “AI malware”
We define AI malware as malicious or offensive software whose core development or runtime behavior is dependent on GenAI or LLMs. The malicious software can use LLMs to generate or select commands at runtime, inspect files or environment telemetry for action planning, or orchestrate parts of the attack chain without step-by-step human input. Five types of AI malware meet this description: LLM-Translated, LLM-Generated, LLM-Deployed, LLM-Driven, and LLM-Embedded.
Measuring AI malware maturity with AIM3
Despite the numerous types of AI malware observed over the past few years, there is a lack of consensus regarding the current state of AI malware maturity. Maturity models exist for cybersecurity adoption, such as MITRE’s “AI Maturity Model”, but there's no attacker-centric model that directly measures the sophistication of AI-enabled malware itself and the operational risk it poses to organizations. To address this gap, Recorded Future proposes the five-level AIM3 that’s helping teams determine the sophistication level of AI threats and identify where to focus detection and governance efforts. AIM3 provides defenders with a means to distinguish genuine AI-driven threats from marketing noise.
Levels of Recorded Future’s AI Malware Maturity Model (AIM3)
Level 1 - Experimenting:
Attackers, researchers, and academics are creating prototypes, toy examples, and PoCs that leverage GenAI using rudimentary methods. At this stage, individuals are merely exploring the possibilities of GenAI and LLMs for malicious applications rather than operationalizing them in a serious manner.
Level 2 - Adopting:
Threat actors incorporate GenAI into familiar workflows such as authoring phishing emails, researching targets, and developing code. While the core operational tasks remain conventional, there is an emphasis on automating and supporting low-order tasks without reinventing traditional tradecraft.
Level 3 - Optimizing:
Attackers are beginning to incorporate AI into their attack chains by leveraging GenAI on-host or via APIs to perform introspection, generate commands, and adapt code in near real-time. This is a shift in focus from bespoke GenAI use to treating GenAI as an integrated part of the attack chain.
Level 4 - Transforming:
AI-native offensive frameworks emerge at this level, combining multi-step planning and tool use with a human-in-the-loop (HITL) approach. These are the early, purposeful attempts at AI-first threat operations, utilizing agentic patterns rather than bolting GenAI onto legacy playbooks.
Level 5 - Scaling:
Threat actors are building agentic systems to manage campaigns end-to-end with no human oversight. Automated decision-making is implemented at scale for the planning, execution, and persistence stages of operations. This level of sophistication represents the upper bound of GenAI capabilities that current experimentation is moving toward.
With AIM3 defined, we can now examine what has actually been reported in the public domain and in research.
What we see in the wild
2023 to 2024 (Early experimentation)
- MalTerminal (AIM3: Level 1 - Experimenting) is an early malware prototype that shows an LLM-driven ransomware and remote access tool (RAT) concept, with AI primarily used for code generation in response to a human prompt. This sample was almost certainly non-hostile experimentation, based on the embedded feature that provides an assessment of maliciousness and creates a malware analysis report on the resultant payload.
Early- to mid-2025 (AI-invoking malware appears)
- FRUITSHELL (AIM3: Level 2 - Adopting) is a PowerShell reverse shell script for penetration testers that contains hard-coded prompt instructions for attempting to bypass LLM-based analysis. The LLM awareness in the development process puts this example in the Adopting Level.
- PROMPTFLUX (AIM3: Level 1 - Experimenting) is a malware dropper written in VBScript that uses Google Gemini to rewrite its own source code and run the new payload for persistence. This sample, labeled as experimental by Google, is one of the first instances of worm-like features using AI.
- Lamehug a.k.a. PROMPTSTEAL (AIM3: Level 3 - Optimizing) is an LLM-driven information stealer sample that invokes the HuggingFace API to generate reconnaissance commands. Discovered by CERT-UA, Lamehug is attributed to APT28 with moderate confidence, potentially marking the first use of AI malware in state-sponsored cyber operations. APT28's use of AI in its attack chain puts this at the Optimizing Level.
- HexStrike-AI (AIM3: Level 3 - Optimizing) is an open-source penetration testing framework powered by model context protocols (MCPs) connected to traditional red team tooling. It is one of the first public red teaming frameworks to leverage GenAI, deploying multiple AI agents to drive traditional tools such as nmap. The LLM invocation and agent use put this at the Optimizing Level.
- The Amazon Q Dev extension for Visual Studio Code (AIM3: Level 2 - Adopting), version 1.84.0, contained malicious prompt-injected instructions to delete local and cloud environments. Although syntax errors prevented the code from executing properly, this example still received a CVE (CVE-2025-8217) because of the embedded malicious code. It sits at the Adopting Level: the LLM was deliberately targeted, but the implementation was erroneous.
- Cyberspike’s Villager (AIM3: Level 3 - Optimizing) is an AI-native penetration testing framework developed by the China-based red team project, Cyberspike. It attempts to be an AI-first successor to Cobalt Strike, integrating DeepseekAI and Kali Linux to automate red team workflows. Much like HexStrike-AI, Villager employs traditional red team tooling, including AsyncRAT (a remote access tool) and Mimikatz (a credential harvester), during its operation. The LLM invocation and agent use put this at the Optimizing Level.
Late-2025 (AI-driven implementations find success)
- OSSTUN (AIM3: Level 2 - Adopting) is a command and control (C2) framework that Google observed being developed, alongside other tools, by the state-sponsored threat actor RedGolf (also known as APT41) using Gemini. RedGolf's LLM awareness in the development process places this example in the Adopting Level.
- PromptLock (AIM3: Level 1 - Experimenting) is touted as the first AI-powered ransomware that utilizes an LLM to comprehend local files and craft customized ransomware notes. Shortly after discovery, it was identified as a PoC artifact for an academic paper, putting it at Experimenting Level.
- S1ngularity a.k.a. QUIETVAULT (AIM3: Level 3 - Optimizing) is a set of malicious versions of a widely used package system, Nx, that were published to the Node.js npm registry. The packages leveraged AI to exploit vulnerable GitHub Actions, stealing credentials and then exfiltrating the data to an exposed repository within the victim's GitHub account. The successful use of LLMs in the attack chain puts this at the Optimizing Level.
- Anthropic (AIM3: Level 4 - Transforming) detailed and disrupted what it claims is the first reported AI-orchestrated cyber-espionage attack. In this case, Anthropic was able to attribute the activity to Chinese state actors who jailbroke Claude Code. The threat actors then leveraged Claude Code's agentic capabilities to perform a variety of actions across the cyber kill chain, representing the only observed example at the AIM3 Transforming Level. However, the Anthropic report received criticism for its "fully orchestrated" claim, as the campaign still required 10% human intervention at some decision points, which prevented it from reaching the Scaling level of AIM3.
Hype vs. reality - what’s true, what’s exaggerated
With a few years of “AI malware” headlines behind us, some patterns are clear. Most public activity sits well below the fully autonomous, Hollywood-style threats often implied by marketing.
Where the activity really is (AIM3 Levels 1–3)
Mapped to AIM3, the picture is clear: the vast majority of examples sit at Levels 1–3 (Experimenting through Optimizing), with a single contested Level 4 case and no verified Level 5 activity. Families like PromptLock, PROMPTFLUX, and MalTerminal look more like PoC exercises rather than in-the-wild malware. The Anthropic case is the single and highly contested example of Level 4 (Transforming) maturity, but even this initial example was not fully autonomous.
Seen through that lens, a few things snap into focus: fully embedded models are still theoretical, many first-ever AI malware claims rest on thin or experimental evidence, and the real inflection point to watch is not brute autonomy but steadily improving AI-driven orchestration. In other words, the data tells us where the hype is running ahead of reality and where the next genuine shifts in attacker capability are likely to appear.
BYOAI and embedded models: still hypothetical in the wild
Most of the published implementations of AI malware call cloud or remote LLMs, not locally embedded models. Even in known malicious instances, such as Lamehug, families invoke remote services, like the HuggingFace API, for LLM calls at runtime. In some cases, the payload may use locally available LLM services that make these remote calls on its behalf; however, no observed sample currently features a Bring Your Own AI (BYOAI) capability. This is effectively our LLM-Embedded category: AI malware that ships its own model to run locally on the host.
The first-ever AI malware problem
Between July and November 2025, four "first-ever" reports emerged involving MalTerminal, Lamehug, PromptLock, and the Anthropic cyberattack, each claiming a first in a different aspect of the AI malware landscape. After publication, many of these claims were scrutinized by the research community and characterized as academic, experimental, or underwhelming. Although these examples represent a clear incremental evolution of scripting and automation, vendors seem quick to make stronger claims than can be independently verified in the field.
Note to CISOs
CISOs looking to ensure they can defend against AI malware should start by answering these three questions:
- Do you have appropriate AI governance?
- Can you find rogue usage of AI in your environment?
- Are your defenses capable of defending against AI-powered tools?
Outlook
AI malware is still in its early stages of maturity, primarily situated at the Experimenting to Optimizing levels of the AIM3 framework. What we are seeing today is AI-assisted tradecraft that mirrors traditional TTPs, a natural result of increased AI adoption that is being observed in several other industries as well.
That said, the direction AI adoption is taking is clear. The progression from straightforward AI-generated content to AI-invoking malware and red team orchestration frameworks is a sign that more capable and autonomous operations are on the horizon. The contested Anthropic disruption is one of the first examples of this and serves as an early warning sign for defenders.
All roads lead to AI orchestration
The trajectory of AI activity clearly leads toward AI orchestration, but not yet fully scaled AI operations. Frameworks like HexStrike-AI and CyberSpike’s Villager, although still niche today, point to attacker playbooks where orchestration and AI-driven tool use become the norm. The timeline of AI malware observations shows a clear progression: starting with simple AI-generated code, moving to on-host command generation and orchestration, and culminating in agentic, multi-step operations. If these frameworks continue to mature, they are likely to require less human intervention over time.
To see how Recorded Future can help your team track malware along the AI maturity scale, watch this 3-minute video on investigating LAMEHUG malware (AIM3).
Defenses
- Defenders should establish centralized monitoring and logging for GenAI and LLM use (both internal and external) to understand where GenAI is being leveraged within their environment and detect anomalies.
- Reduce your attack surface by enforcing policy-based access to approved LLM providers and blocking non-approved services, plugins, tools, and model hubs that can be leveraged by LLM-generated, LLM-deployed, or LLM-driven malicious activity.
- Assume AI is being used in existing threat actor tradecraft and double down on fundamental controls, so even if attackers move faster with GenAI, their operations are still caught by traditional defenses.
- Recorded Future Malware Intelligence allows you to monitor the current threat landscape for AI-based threats. Users of Recorded Future can search for malware or unusual patterns used in AI tools to assess any potential risks.
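As an added example that is not part of the Recorded Future post, the policy check below applies the first two defenses to constructed egress-proxy log lines: it flags connections to non-approved LLM providers and connections to approved providers from script hosts such as wscript.exe or powershell.exe, the runtime pattern of the LLM-driven samples described above. The log format, provider hostnames, process lists and verdict names are assumptions for this example, not values from the post or from any vendor product.

```python
import re
from collections import namedtuple

# Constructed egress-proxy log lines for this example: timestamp, host, process, destination, port.
SAMPLE_LOGS = """\
2025-11-03T09:12:01Z ws-0412 chrome.exe generativelanguage.googleapis.com 443
2025-11-03T09:12:07Z ws-0412 wscript.exe generativelanguage.googleapis.com 443
2025-11-03T09:13:44Z ws-0098 powershell.exe api-inference.huggingface.co 443
2025-11-03T09:14:02Z ws-0231 python.exe llm.unapproved-provider.invalid 443
2025-11-03T09:15:10Z ws-0412 chrome.exe www.example.com 443
"""

# Policy values below are assumptions for this example, not a vendor-supplied list.
APPROVED_PROVIDERS = {"generativelanguage.googleapis.com"}
KNOWN_LLM_HOSTS = APPROVED_PROVIDERS | {"api-inference.huggingface.co", "llm.unapproved-provider.invalid"}
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "code.exe"}
# Script hosts and shells calling an LLM API directly match the runtime pattern of VBScript/PowerShell samples.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<dst>\S+) (?P<port>\d+)$")
Finding = namedtuple("Finding", "ts host proc dst verdict")

def classify(proc, dst):
    """Map one connection to a policy verdict; None means the destination is not a known LLM host."""
    if dst not in KNOWN_LLM_HOSTS:
        return None
    if dst not in APPROVED_PROVIDERS:
        return "block-unapproved-provider"   # egress policy: only approved providers are reachable
    if proc.lower() in SCRIPT_HOSTS:
        return "alert-script-host-llm-call"  # approved provider, but an interpreter is the caller
    if proc.lower() not in EXPECTED_CLIENTS:
        return "review-unexpected-client"    # approved provider, unusual client process
    return "allow"

def analyze(log_text):
    """Parse proxy log lines and return the LLM-related findings that need action (everything but allow)."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the pipeline
        verdict = classify(m["proc"], m["dst"])
        if verdict and verdict != "allow":
            findings.append(Finding(m["ts"], m["host"], m["proc"], m["dst"], verdict))
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"{f.ts} {f.host} {f.proc} -> {f.dst}: {f.verdict}")
```

In production the known-host set would come from a maintained category feed and the process field from EDR or proxy telemetry that records the originating executable.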