Head of Systems Security Analysis Department, GPM Digital Innovations LLC, Russia, Moscow
APPLICATION OF GENERATIVE AI MODELS IN THE MALWARE LIFECYCLE
ABSTRACT
The article examines the application of generative AI models across the lifecycle of malicious software (hereinafter referred to as malware). It analyzes the transformation of malware development, modification, and scaling stages under the influence of GANs, VAEs, and LLMs, as well as their role in generating synthetic samples and automating attack processes. Particular attention is given to the dual-use nature of GenAI, as AI technologies enhance both offensive scenarios and detection and response mechanisms. Based on an analysis of contemporary research, a risk-oriented protection methodology is developed and practical recommendations for threat mitigation are proposed.
Keywords: generative artificial intelligence, malware, malware lifecycle, GAN, LLM, synthetic data, zero-day threats, risk-oriented protection, defensive AI, cybersecurity.
Introduction. The exponential development of generative artificial intelligence models (hereinafter referred to as generative AI, or GenAI) over recent years (see Fig. 1) has driven the transformation of digital systems and has particularly affected the field of cybersecurity. According to the systematic review by K. Chlasta, since 2022 there has been a sharp increase in publication activity concerning the application of LLMs and generative methods in cyberspace, reflecting their rapid integration into practical attack and/or defense scenarios. This phenomenon is described by the author as the “dual-use dilemma,” whereby the same technologies simultaneously enhance the protection of information systems and expand the toolkit available to malicious actors [1].
Figure 1. Generative AI market size, USD billion (forecast; compiled by the author based on GMI6094 data)
Similarly, the study by M. Gupta et al. emphasizes that the emergence of publicly accessible LLMs (ChatGPT, DeepSeek, Gemini, etc.) has radically lowered the barrier to entry into cybercrime; in particular, key capabilities include the automation of social engineering, the availability of malicious code generation tools, the creation of phishing scenarios, and the circumvention of neural network ethical constraints through specialized prompts (queries). Consequently, GenAI becomes a catalyst for the scaling of malicious attacks [3]. In particular, the review study by Y. Yigit et al. notes that generative methods are being actively integrated into processes of synthetic malware sample creation, automated vulnerability analysis, and attack emulation, thereby contributing to the emergence of a new phase in the evolution of cyber threats. As a result, the primary focus shifts from traditional signature-based methods to dynamic and learning-based systems [14].
Taken together, the above circumstances determine the relevance and necessity of a systematic study of the role of generative AI models in the malware lifecycle, followed by the identification of potential adversarial application scenarios and the development of a risk-oriented response algorithm.
The objective of the study is the theoretical description of the methods for applying generative AI within the malware lifecycle.
Research Methodology. The present study is theoretical-analytical and methodological in nature and is aimed at systematizing existing scientific perspectives on the role of generative AI models in the malware lifecycle. The empirical basis of the study consists of contemporary scientific publications addressing the dual-use nature of generative AI in cybersecurity, the role of LLMs, GANs, and VAEs in malware generation and detection tasks, the application of GenAI in attack and/or defense scenarios, and the risks associated with LLM exploitation (prompt injection, jailbreaking, data leakage), etc. The research employed methods of theoretical analysis, synthesis, and structural-functional analysis.
Figure 2. Malware lifecycle, compiled by the author
Referring to the scientific literature, one of the fundamental directions in the application of AI within the malware lifecycle is the generation of synthetic malicious software based on variational autoencoders (hereinafter – VAE) and generative adversarial networks (hereinafter – GAN). For example, VAE and WGAN-GP enable the generation of synthetic opcode sequences that reproduce the statistical characteristics of real malware families. Although fully “deceiving” classifiers remains unattainable, WGAN-GP is distinguished by its ability to approximate the distribution of the original data, thereby expanding the potential use of such models at the stages of malware modification and polymorphic evolution [2].
In the context of limited datasets, particular interest is attributed to the embedding-driven approach, within which generation is performed not directly in the feature space but in an optimized embedding space. Study [5] proposes a combination of autoencoders with pre-trained NLP models (BERT, ELMo) and the application of Cluster-Tangent Diffusion (CT-Diff), a structurally oriented diffusion-based generation method, which preserves the geometry of malware sample distributions and enables the generation of more “structurally plausible” variants.
In addition to the above, it should be noted that LLMs are integrated into the malware lifecycle primarily at the stages of development, variant generation, and automation of auxiliary tasks. The study by N. Rollinson et al. demonstrates that LLMs are capable of generating structured tabular representations of Android malware features. When combined with fine-tuning and prompt engineering, synthetic records can be effectively used to augment detector training datasets. Although fully synthetic training cannot be considered stable, a combined approach (utilizing both real and synthetic data) proves to be sufficiently effective [11]. Thus, from the adversary’s perspective, this creates the opportunity for: first, accelerated generation of new variants of existing families; second, dataset balancing for testing the evasion of ML-based detectors; and third, imitation of behavioral patterns characteristic of various malware families.
Similarly, synthetic data and hybrid LLM models are actively applied at the level of network traffic and obfuscated attacks. The study by M. Naseer et al. rightly notes that the combination of LLMs and synthetic datasets improves model robustness under conditions of obfuscated malicious traffic. Accordingly, the application of generative approaches makes it possible to compensate for the shortage of representative network attack data and to enhance the generalization capability of detectors [7], which, in essence, corresponds to the phases of malware testing for detection, scaling across different network configurations, and adaptation to new signatures and IDS/IPS rules. Consequently, the following structure of AI application within the malware lifecycle is formed (see Fig. 3):
Figure 3. Features of AI application at different phases of the malware lifecycle, compiled by the author
Thus, generative AI transforms the malware lifecycle from a linear process into an iterative model characterized by accelerated variant evolution. Whereas polymorphism was previously achieved through manual code modification, modern GAN, VAE, and diffusion models enable variational generation within a latent feature space, which at minimum significantly reduces development costs and facilitates the scalability of attacks.
At the same time, in order to develop effective protection strategies, it is necessary to take into account the tasks in which the application of generative AI is most promising from the adversary’s perspective. In this context, the most viable scenarios appear to be the following: social engineering and phishing, automation of malware development and maintenance, vulnerability exploitation, attack scaling, and abuse of generative AI. Each of these scenarios will be considered separately.
Thus, in the case of social engineering and phishing, the application of AI is associated with the use of NLP models for generating personalized phishing messages [10]. In general, the functionality of generative AI makes it possible to:
- mass-produce contextually relevant messages tailored to the victim’s profile;
- imitate the communication style of specific organizations or individuals;
- automatically adapt texts to different languages;
- generate spear-phishing and whaling attack scenarios.
At the same time, a distinctive feature of modern LLMs is their ability to bypass basic protective filters through the variability of employed formulations, which qualitatively increases the success rate of social engineering attacks.
In addition, LLMs are actively employed in source code analysis, vulnerability discovery, and patch generation [13]; however, the same functionality may be leveraged in offensive scenarios for the automatic generation of exploit code, modification of payloads for specific architectures, optimization of shellcode and obfuscation methods, as well as the identification of vulnerable API calls. The scale and speed of source code analysis described in the study by Z. Sheng et al. imply the possibility of accelerated discovery of vulnerable software components by malicious actors. Furthermore, GenAI may be used to develop auxiliary infrastructure (delivery scripts, lateral movement tools, etc.) [13].
When working with generative AI, malicious actors gain the ability to automate the analysis of IoT device configurations and, based on this, model various attack scenarios with a focus on specific firmware data and configuration files; subsequently, upon identifying vulnerabilities, their exploitation can be scaled through the deployment of automated scripts. At the same time, analytical tools may be used both for security testing purposes and for real-world attacks [12].
According to the study by M.Q. Li et al., the most relevant threats in the context of AI utilization are those associated with prompt injection, data leakage, model extraction, and jailbreaking, as these techniques enable an adversary to:
- bypass built-in model restrictions;
- extract confidential data;
- leverage LLMs to generate malicious instructions;
- inject malicious prompts into the data processing pipeline.
Accordingly, GenAI becomes not only a tool for generating attacks but also an object of exploitation itself, thereby giving rise to new classes of threats, namely attacks on AI and attacks with AI.
Table 1.
Adversarial tasks in which the application of generative AI proves to be most effective, compiled by the author
| Adversary task | How GenAI is applied | Escalating threat | Countermeasures |
|---|---|---|---|
| Social engineering | Generation of personalized phishing messages (automated and large-scale) | Increased success rate of phishing attacks | AI-based content filters, behavioral analysis of email traffic, employee awareness training |
| Exploit development | Code analysis and generation of exploit patterns | Accelerated vulnerability discovery | Secure SDLC, LLM-based code auditing, automated patch management |
| IoT exploitation | Modeling attacks targeting firmware and configuration files | Large-scale IoT botnets | Network segmentation, firmware updates, anomaly and vulnerability detection |
| Prompt injection and misuse | Bypassing LLM restrictions, data extraction | AI-driven supply-chain attacks | Protection of system prompting mechanisms, data sanitization, LLM firewall, anomaly monitoring |
Thus, despite the pronounced offensive potential of generative models, their application in cybersecurity also gives rise to new protection mechanisms. In particular, in current practice GenAI serves as a tool for expanding training datasets, detecting previously unknown threats, implementing continuous learning, etc. At the same time, the deployment of AI-driven solutions is accompanied by the emergence of specific risks associated both with the quality of synthetic data and with the vulnerability of the models themselves.
For example, one of the principal challenges in malware detection remains the shortage of representative data, as new families and zero-day threats emerge more rapidly than comprehensive labeled datasets can be constructed. In the study by C. Joshi et al., it is demonstrated that the application of GANs for generating synthetic malware images based on the MaleVis dataset significantly improves the accuracy of a CNN classifier. The 4-Vanilla GAN model increased the diversity of the training dataset and enabled more effective classification compared to training exclusively on real data. According to the authors, generative augmentation is particularly effective under conditions of class imbalance, limited volumes of labeled data, and the need to model variations of polymorphic code. Thus, GenAI compensates for the statistical limitations of datasets and reduces dependence on storing large volumes of real malware samples [4].
At the same time, generative methods acquire particular significance in the detection of previously unknown threats. Synthetically augmented datasets enable models to more effectively recognize unseen malware [4]. However, an additional challenge is posed by catastrophic forgetting, i.e., the degradation of a model’s ability to recognize previously learned classes when trained on new ones. The scientific literature proposes the MalCL system, which employs GAN-based generative replay—a mechanism that reproduces synthetic representative samples of previously learned classes, thereby maintaining classifier stability under conditions of continuous updates to the threat database. This, in turn, enhances the model’s resilience to malware evolution and allows for the abandonment of extensive archival storage [8]. In the long term, this preserves the possibility of developing self-adaptive cybersecurity systems capable of operating in a continuous update mode without significant loss of accuracy.
In addition to the above, generative models are also employed directly within detection architectures. For example, in their study, R.A. Pillai and A. Dhamal describe a generative AI-based system for detecting malicious files and URLs capable of analyzing behavioral and semantic features. According to the authors, the integration of LLMs and generative architectures expands the capabilities for analyzing textual indicators of compromise, interpreting complex chains of actions, and identifying atypical correlations that are inherently inaccessible to signature-based methods [9].
However, the use of GenAI within defensive infrastructures is also associated with risks. Among the most significant are:
- data poisoning risks, whereby an adversary manipulates the training dataset;
- model inversion and extraction attacks aimed at retrieving model logic or underlying data;
- adversarial manipulation techniques that enable the evasion of detectors through specially crafted input data.
An additional threat arises from excessive reliance on synthetic data, as insufficient control may lead to distribution shift and a reduction in the model’s generalization capability. In the context of generative replay, particular importance is placed on preventing model instability and ensuring the quality of synthetic samples [8]. Thus, while GenAI enhances the defensive potential of cybersecurity systems, its deployment must be accompanied by a risk-oriented control framework governing its application. Accordingly, it is necessary to formulate a set of recommendations aimed at preventing contemporary malware threats.
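The control over synthetic data described above can be made concrete as an admission gate in front of the training set. The following is an added illustration, not code from the article or from the studies it cites: it assumes opcode-sequence features, uses Jensen-Shannon divergence as the drift metric, and the thresholds, function names, and sample sequences are all constructed for the example.

```python
import math
from collections import Counter

# Assumed thresholds for illustration; tune them against validation results.
MAX_JS_DIVERGENCE = 0.10    # bits: reject batches that drift further than this
MAX_SYNTHETIC_RATIO = 0.5   # largest synthetic share of the final training set


def opcode_distribution(samples, vocabulary):
    """Relative opcode frequencies over all sequences, with add-one smoothing."""
    counts = Counter(op for seq in samples for op in seq)
    total = sum(counts[op] for op in vocabulary) + len(vocabulary)
    return [(counts[op] + 1) / total for op in vocabulary]


def js_divergence(p, q):
    """Jensen-Shannon divergence in bits: 0 for identical, 1 for disjoint."""
    m = [(a + b) / 2 for a, b in zip(p, q)]

    def kl(x, y):
        return sum(a * math.log2(a / b) for a, b in zip(x, y) if a > 0)

    return (kl(p, m) + kl(q, m)) / 2


def admit_synthetic(real, synthetic,
                    max_js=MAX_JS_DIVERGENCE, max_ratio=MAX_SYNTHETIC_RATIO):
    """Return (admitted_samples, divergence, reason) for one synthetic batch."""
    if not 0 <= max_ratio < 1:
        raise ValueError("max_ratio must be in [0, 1)")
    vocabulary = sorted({op for seq in real + synthetic for op in seq})
    js = js_divergence(opcode_distribution(real, vocabulary),
                       opcode_distribution(synthetic, vocabulary))
    if js > max_js:
        # The generator no longer reproduces the family's statistics.
        return [], js, "rejected: distribution shift"
    # Enforce synthetic / (real + synthetic) <= max_ratio.
    cap = int(len(real) * max_ratio / (1 - max_ratio))
    return synthetic[:cap], js, "admitted"


# Constructed sample data: opcode sequences for one labeled family.
REAL = [
    ["push", "mov", "call", "mov", "pop", "ret"],
    ["push", "mov", "mov", "call", "pop", "ret"],
    ["mov", "push", "call", "mov", "pop", "ret"],
    ["push", "mov", "call", "pop", "mov", "ret"],
]
SYNTHETIC_OK = [
    ["push", "mov", "call", "mov", "ret", "pop"],
    ["mov", "mov", "push", "call", "pop", "ret"],
    ["push", "mov", "call", "mov", "pop", "ret"],
    ["push", "call", "mov", "mov", "pop", "ret"],
    ["mov", "push", "mov", "call", "pop", "ret"],
    ["push", "mov", "mov", "call", "pop", "ret"],
]
SYNTHETIC_DRIFTED = [
    ["nop", "nop", "jmp", "nop", "xor", "jmp"],
    ["nop", "jmp", "nop", "xor", "nop", "jmp"],
    ["mov", "nop", "jmp", "nop", "nop", "ret"],
]

if __name__ == "__main__":
    for name, batch in [("ok", SYNTHETIC_OK), ("drifted", SYNTHETIC_DRIFTED)]:
        admitted, js, reason = admit_synthetic(REAL, batch)
        print(f"{name}: JS={js:.4f} admitted={len(admitted)}/{len(batch)} ({reason})")
```

The ratio cap reflects the observation cited earlier that combined real and synthetic training is effective while fully synthetic training is not stable; the drift check runs per batch so that a degrading generator is caught before its output reaches the classifier.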
First, it is necessary to consider a set of principles of risk-oriented protection, which include:
- Asset-centric security, according to which protection is structured based on the assets being protected rather than on abstract threats.
- Threat modeling for GenAI, i.e., scenario modeling that takes into account the specifics of LLMs and their application contexts (prompt injection, data poisoning, autonomous behavior).
- Multi-layer defense, within which multiple levels of protection are distinguished — technical, organizational, and regulatory levels.
- Continuous improvement of protection strategies in response to evolving threats.
- Consideration, when applying AI in defense strategies, of its limitations and of the potential consequences of its impact on malware protection mechanisms.
Based on these principles, a risk-oriented protection methodology is proposed (see Fig. 4):
Figure 4. Risk-oriented protection methodology
Based on the proposed methodology and contemporary research, several core recommendations for malware protection can be identified:
- Transition from a reactive to a proactive protection model through the introduction of threat modeling at the system design stage, continuous threat analysis, and the implementation of standard protection measures.
- Risk-oriented security management with an emphasis on establishing and maintaining an asset register and managing those assets.
- Implementation of multi-layer defense with systematic maintenance.
- Access management and enforcement of the principle of least privilege.
Conclusion. Thus, the study of the role of generative AI models in the malware lifecycle makes it possible to emphasize that GenAI transforms both the offensive and defensive aspects of cybersecurity, lowers the overall barrier to entry into cybercrime, accelerates the development and scaling of attacks, and complicates threat detection. At the same time, generative methods enhance the effectiveness of fileless malware detection, enable the generation of synthetic data, and support the continuous learning of defensive systems. The developed risk-oriented response methodology, based on asset identification and threat scenario modeling, makes it possible to manage GenAI-related risks as a system. Accordingly, generative technologies serve not only as a factor in threat escalation but also as a driver in shaping next-generation cybersecurity architectures.
References:
1. Chlasta, K. The Dual Use Dilemma of Generative Artificial Intelligence in Cybersecurity: Navigating the Explosive Growth in Offensive and Defensive Applications // Security and Defence Quarterly. 2025. Vol. 52. No. 4.
2. Choi, A., Giang, A., Jumani, S., Luong, D., Di Troia, F. Synthetic Malware Using Deep Variational Autoencoders and Generative Adversarial Networks // EAI Endorsed Transactions on Internet of Things. 2024. Vol. 10. DOI: 10.4108/eetiot.6566.
3. Gupta, M., Akiri, C., Aryal, K., Parker, E., Praharaj, L. From ChatGPT to ThreatGPT: Impact of Generative AI in Cybersecurity and Privacy // IEEE Access. 2023. Vol. 11. P. 80218–80245. DOI: 10.1109/ACCESS.2023.3300381.
4. Joshi, C., Kumar, J., Kumawat, G. Detection of Unseen Malware Threats Using Generative Adversarial Networks and Deep Learning Models // Scientific Reports. 2025. Vol. 15. Article 34804. DOI: 10.1038/s41598-025-18811-3.
5. Kapoor, G., Nadipalli, S., Di Troia, F. Embedding Driven Synthetic Malware Generation with Autoencoders and Cluster Tangent Diffusion // Applied Sciences. 2025. Vol. 15. Article 11791. DOI: 10.3390/app152111791.
6. Li, M. Q., Fung, B. C. M. Security Concerns for Large Language Models: A Survey // Journal of Information Security and Applications. 2025. Vol. 95. Article 104284. DOI: 10.1016/j.jisa.2025.104284.
7. Naseer, M., Ullah, F., Ijaz, S., Naeem, H., Alsirhani, A., Alwakid, G. N., Alomari, A. Obfuscated Malware Detection and Classification in Network Traffic Leveraging Hybrid Large Language Models and Synthetic Data // Sensors. 2025. Vol. 25. Article 202. DOI: 10.3390/s25010202.
8. Park, J., Ji, A., Park, M., Rahman, M. S., Oh, S. E. MalCL: Leveraging GAN Based Generative Replay to Combat Catastrophic Forgetting in Malware Classification // Proceedings of the Thirty Ninth AAAI Conference on Artificial Intelligence. 2025. DOI: 10.48550/arXiv.2501.01110.
9. Pillai, R. A., Dhamal, A. Revolutionizing Cybersecurity: A Generative AI Powered Malicious File and URL Detection System // International Journal of Innovative Science and Research Technology. 2025. Vol. 10. No. 12. P. 2107–2117. DOI: 10.38124/ijisrt/25dec1341.
10. Popescul, D., Radu, L. D. AI in Phishing Detection: A Bibliometric Review // Frontiers in Artificial Intelligence. 2025. Vol. 8. DOI: 10.3389/frai.2025.1496580.
11. Rollinson, N., Polatidis, N. LLM Generated Samples for Android Malware Detection // Digital. 2026. Vol. 6. No. 5. DOI: 10.3390/digital6010005.
12. Sammangi, H., Jagatha, A., Liu, J. Harnessing Generative AI and Large Language Models for Revolutionizing Cybersecurity in the Internet of Things: Ethical and Privacy Implications // Engineering Open Access. 2025. Vol. 3. No. 6. P. 01–12.
13. Sheng, Z., Chen, Z., Gu, S., Huang, H., Gu, G., Huang, J. LLMs in Software Security: A Survey of Vulnerability Detection Techniques and Insights. 2025. 33 p. DOI: 10.1145/nnnnnnn.nnnnnnn.
14. Yigit, Y., Buchanan, W. J., Tehrani, M. G., Maglaras, L. Review of Generative AI Methods in Cybersecurity // arXiv. 2024. DOI: 10.48550/arXiv.2403.08701.