Clue-Driven Reverse Engineering by LLM in Real-World Malware Analysis
Black Hat USA 2025 · Day 1 · Briefings
CyCraft's research team developed Celebi (also referred to as CelerBS), an LLM-driven automated malware reverse engineering system that detects hallucinations before they propagate by monitoring attention heads and token probability distributions. Applied to real APT41 malware with 800+ stripped functions and obfuscated Windows API calls, the system outperforms conventional bottom-up approaches on a per-token-cost basis — and also proves resilient against prompt injection attacks embedded in malware designed to fool AI-based analysts. ---
AI review
CyCraft actually did the engineering work instead of just wiring GPT-4 to IDA and calling it a product. Attention-head monitoring for hallucination detection is a legitimately novel contribution, and the prompt injection countermeasure angle gives it a second act most LLM-RE talks don't have.