Evading Detection with Dynamic AI Mimicry

Darren, Mosam

BSides Seattle 2026 · Day 2 · Track 1

What happens when you take polymorphic AI malware and teach it to blend into the victim's own cloud traffic? Darren and Mosam presented their research on a framework called **LL MALJ** that advances the offensive tradecraft of AI-driven malware by closing the evasion gap that got earlier AI malware families like **LameMug** detected. The framework uses cloud provider mimicry to evade network anomaly detection while leveraging LLM-powered polymorphism to defeat endpoint signatures.

AI review

Genuine offensive research that builds on real-world AI malware (LameMug/CERT-UA) and advances the tradecraft with cloud provider mimicry to defeat network anomaly detection. The LL MALJ framework demonstrates dual evasion of both EDR and NDR, backed by quantitative telemetry analysis showing near-zero Jaccard similarity between runs and distinctive timing signatures. The research methodology of instrumenting their own offensive tool for defensive telemetry is exactly how red team research should work.