Catching Smarter Mice with Even Smarter Cats
The article explores the application of artificial intelligence in the antivirus field and the challenges it faces. AI has made progress on malware packing and obfuscation, performing well against standard obfuscation, but it still needs improvement on complex packers and on emerging languages such as Rust. Nevertheless, AI gives the antivirus industry a new tool that, for the first time, puts it in the advantageous position. 2025-7-10 13:0:0 Author: feeds.fortinet.com

From the beginning, the antivirus world has been a cat-and-mouse game, where malware authors and antivirus engineers constantly adapt their code to bypass or catch each other. Artificial Intelligence is bringing the game to the next level, with malware authors using AI to improve their malware[1] and anti-virus engineers using AI to assist them with reverse engineering[2].

(Un)Packing and (De)Obfuscating with AI assistance

Nowadays, nearly all malware is packed and/or obfuscated. AI doesn’t help (yet) with packers: we tried this on a Linux/Prometei botnet sample from February 2025, and the AI would have wasted time reversing the inner logic of the packer if we hadn’t helped it out.

To be fair, unpacking is a difficult task that current disassemblers like IDA Pro or Ghidra can’t do either. It’s something an AV analyst has to perform beforehand and then supply the unpacked binary for further analysis.
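Because the unpacking step has to happen before an AI or a disassembler sees the real code, the first thing to settle is whether a sample is packed at all. The Python below is an added example, not code from the Fortinet article: it applies the classic per-window Shannon entropy heuristic (not described in the article) to a byte buffer, flags windows whose entropy is close to 8 bits, and reports whether the majority of the file looks compressed or encrypted. The sample buffers are constructed inline so the script runs offline; on a real ELF you would pass the bytes of each loadable section instead.

```python
import math
import random

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

def high_entropy_regions(data: bytes, window: int = 4096, threshold: float = 7.2):
    """Return (offset, entropy) for every window whose entropy exceeds threshold.
    Packed or encrypted payloads typically sit above ~7.2 bits/byte; plain
    machine code and text usually stay well below that."""
    regions = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        ent = shannon_entropy(chunk)
        if ent > threshold:
            regions.append((off, round(ent, 3)))
    return regions

def looks_packed(data: bytes, window: int = 4096, threshold: float = 7.2) -> bool:
    """Heuristic verdict: more than half of the windows are high-entropy."""
    total = max(1, math.ceil(len(data) / window))
    return len(high_entropy_regions(data, window, threshold)) * 2 > total

# Constructed inputs (not real samples): a low-entropy "text/code-like" blob and a
# deterministic pseudo-random blob standing in for a compressed payload.
TEXT_BLOB = (b"mov eax, [rbp-8]; call SYSTEM_RANDOM; ret\n" * 400)[:16384]
RANDOM_BLOB = random.Random(1234).randbytes(16384)

if __name__ == "__main__":
    for name, blob in (("text-like", TEXT_BLOB), ("random-like", RANDOM_BLOB)):
        print(f"{name}: entropy={shannon_entropy(blob):.3f} "
              f"packed={looks_packed(blob)} regions={high_entropy_regions(blob)}")
```

Entropy alone cannot tell a packer from a legitimately compressed resource, so treat the verdict as a triage signal that decides whether the sample goes to a human for unpacking before any automated analysis.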

As for obfuscation, the news is far better. While AI would probably fail and require human assistance for complicated obfuscation, it works reasonably well over standard obfuscation and junk code. This is a significant advancement for the antivirus industry. In the example below, the AI successfully analyzed the obfuscation algorithm of Linux/Ladvix.E and implemented a working de-obfuscator.[3]

Dealing with New Frameworks and Languages with AI

Another technique which has been trending in the malware scene for a few years is the use of specific frameworks (e.g., Flutter [4]) or high-level languages (Go, Rust). Currently, AI struggles with Flutter and Rust malware, which is not surprising because the field is still new. Human researchers struggle to find solutions, too! We tried AI assistance over the “Flutter assembly” of Android/SpyLoan: it was totally helpless, didn’t map function names or strings, etc. However, when we proceeded in a smarter way and produced the Blutter[5] output for the malware, the AI was able to reconstruct very readable Dart code.

AI is quite successful with the older Delphi language. We assume the reason is that LLMs were trained with Delphi and Pascal material. Despite being old, Delphi is still strangely used to implement Linux/Filecoder.BR!tr (aka Trigona) ransomware (sample from April 2025).

For example, Ghidra meticulously decompiles the main function of the ransomware. We can immediately identify Delphi function names (e.g., SYSTEM_RANDOM), followed by their types (LONGINT, LONGINT), and inner memory management functions (FPC_ANSISTR_DECR_REF).

The former are interesting because they correspond to code that the malware author explicitly called. The latter are not interesting for malware analysis as they are inserted by the compiler (Free Pascal Compiler, in this case) to handle Ansi strings.

When asked to decompile the same function, the AI smartly removes those inner calls and produces source code that is way easier to read than what Ghidra gave.
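The cleanup the AI performs here, dropping compiler-inserted string housekeeping while keeping the calls the malware author wrote, can also be done deterministically as a pre-processing pass over the decompiler output. The Python below is an added example, not the article's or Fortinet's tooling: it takes a constructed pseudo-C listing in the style of Ghidra's decompiler (the only names taken from the article are SYSTEM_RANDOM and FPC_ANSISTR_DECR_REF; build_note, write_file and the local variables are invented for illustration), removes the Free Pascal reference-count helpers FPC_ANSISTR_INCR_REF / FPC_ANSISTR_DECR_REF, rewrites FPC_ANSISTR_ASSIGN into a plain assignment because that helper does carry program semantics, and lists the remaining explicit calls that an analyst should look at first.

```python
import re

# Constructed listing imitating Ghidra pseudo-C for a Free Pascal binary.
# It is written for this example and is not the decompilation of the Trigona sample.
SAMPLE_DECOMPILE = """\
void main(void)
{
  int iVar1;
  char *pcVar2;
  char *local_10;

  local_10 = (char *)0x0;
  iVar1 = SYSTEM_RANDOM(0x10, 0x20);
  pcVar2 = build_note(iVar1);
  FPC_ANSISTR_INCR_REF(pcVar2);
  FPC_ANSISTR_ASSIGN(&local_10, pcVar2);
  write_file(local_10);
  FPC_ANSISTR_DECR_REF(&local_10);
  return;
}
"""

# Free Pascal RTL helpers that only maintain AnsiString reference counts;
# they carry no program logic and can be dropped from the listing.
REFCOUNT_HELPERS = ("FPC_ANSISTR_INCR_REF", "FPC_ANSISTR_DECR_REF")
REFCOUNT_RE = re.compile(r"^\s*(?:" + "|".join(REFCOUNT_HELPERS) + r")\s*\(.*\);\s*$")
# FPC_ANSISTR_ASSIGN(&dest, src) is a real assignment, so rewrite it as "dest = src;"
ASSIGN_RE = re.compile(r"^(\s*)FPC_ANSISTR_ASSIGN\s*\(\s*&(\w+)\s*,\s*(.+?)\s*\);\s*$")
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
C_KEYWORDS = {"if", "while", "for", "switch", "return", "sizeof"}

def strip_fpc_runtime(pseudo_c: str) -> str:
    """Remove reference-count housekeeping and rewrite string assignment helpers."""
    out = []
    for line in pseudo_c.splitlines():
        if REFCOUNT_RE.match(line):
            continue  # pure refcount maintenance: drop the statement
        m = ASSIGN_RE.match(line)
        if m:
            indent, dest, src = m.groups()
            out.append(f"{indent}{dest} = {src};")
            continue
        out.append(line)
    return "\n".join(out) + "\n"

def explicit_calls(pseudo_c: str) -> list:
    """Names of non-runtime functions called from statement lines, in first-seen order."""
    names = []
    for line in pseudo_c.splitlines():
        stripped = line.strip()
        if not stripped.endswith(";"):
            continue  # skip the function header, braces and blank lines
        for name in CALL_RE.findall(stripped):
            if name in C_KEYWORDS or name.startswith("FPC_"):
                continue
            if name not in names:
                names.append(name)
    return names

if __name__ == "__main__":
    print(strip_fpc_runtime(SAMPLE_DECOMPILE))
    print("author-written calls:", explicit_calls(SAMPLE_DECOMPILE))
```

The helper prefix list is deliberately short: other FPC_ helpers (concatenation, comparison) change values and must not be silently deleted, so anything outside the known housekeeping set stays in the listing for the analyst or the LLM to interpret.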

Conclusion

The anti-virus world has always been a cat-and-mouse game. While AI is close to defeating standard string and code obfuscation, malware authors are likely to adapt by using more complex obfuscation. Similarly, malware authors can harden reverse engineering by using recent frameworks and languages. So where’s the progress, you might ask?

The main difference is that, for once, the antivirus industry has a new tool that helps it more than the adversary. We are forcing malware authors to use more complex obfuscation and newer frameworks and languages. Rust is more secure than C? Sure! But they have to make the effort to learn how to use Rust, use new libraries, cope with bugs, etc. And while they do that, our LLMs can update and train on those novelties even faster. Yes, it’s the first time in 20 years where time and tools are in our favor.

Fortinet Protections

Fortinet customers are already protected from all malware mentioned in this article through our AntiVirus as follows: FortiGuard Labs detects the samples with the following AV signatures:

Linux/Ladvix.E, Linux/Prometei.B, Adware/SpyLoan!Android, Linux/Filecoder.BR!tr

The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Fortinet EPP customers running current AntiVirus updates are also protected.

IOCs

943e1539d07eaffa4799661812c54bb67ea3f97c5609067688d70c87ab2f0ba4 – Linux/Ladvix.E
cc7ab872ed9c25d4346b4c58c5ef8ea48c2d7b256f20fe2f0912572208df5c1a – Linux/Prometei.B
c65298b6cd5a1769c747a0c7fb589ffa12fdf832b64787283953eaa57b65bc1c – Adware/SpyLoan!Android
c08a752138a6f0b332dfec981f20ec414ad367b7384389e0c59466b8e10655ec – Linux/Filecoder.BR!tr

References

[1] https://www.hp.com/us-en/newsroom/press-releases/2024/ai-generate-malware.html

[2] https://arxiv.org/html/2504.07574

[3] https://asciinema.org/a/724126 Asciinema video of Linux/Ladvix deobfuscation

[4] https://www.fortiguard.com/events/5552/virus-bulletin-2024-android-flutter-malware

[5] https://github.com/worawit/blutter


Source: https://feeds.fortinet.com/~/921465485/0/fortinet/blog/threat-research~Catching-Smarter-Mice-with-Even-Smarter-Cats