Tag: Gen Digital

  • The Infinite Variant: How “Promptmorphism” Uses AI to Shatter Traditional Malware Detection

    Attackers are increasingly using large language models to rapidly rewrite malicious code. This technique, dubbed “promptmorphism,” allows a practically unlimited supply of new first-stage loaders to be generated. It seriously complicates the detection of malicious campaigns, because conventional defenses largely rely on recurring signatures and structural similarity between files.

    The basic mechanics of the attack are unchanged. The first component of the kill chain runs on the host, performs a series of environment checks, and then downloads the main malicious payload. The loader itself, however, is now treated as a throwaway component. At the operator's direction, the large language model keeps producing new versions of the same underlying code. Each version differs slightly in structure, in the names of its functions, in the order of its API calls, and in its execution logic, while the end goal stays exactly the same.

    Gen Digital's Threat Research Team describes its observations of a “Loader-as-a-Service” ecosystem in which a single delivery layer is continuously mutated and used by several different criminal groups. Malware families such as Wincir and Stealc have been distributed at scale through this channel. Analysis shows that while the logic of the first stage stays the same, its packaging changes literally every few days.

    Across variants, the payload was stored inside the executable in encrypted form; a later iteration used hexadecimal encoding, and another split the payload into many fragments that were reassembled only just before execution. In yet another iteration, the data was moved into an additional section of the Portable Executable (PE) file or embedded directly in the x64 code. In one sample, the authors even swapped the encryption algorithm, using ChaCha instead of AES.

    This differs sharply from classic polymorphism. Historically, attackers mostly changed the outward appearance of the code, wrapping it in packers, encryption, or layers of obfuscation. Promptmorphism instead involves a thorough restructuring of the code itself. The language model can produce identical functionality through an entirely different implementation, which drastically reduces byte-level similarity and makes automated clustering of malicious samples much harder.

    Nevertheless, the technique does not make these loaders untouchable. The rapid rewriting frequently introduces bugs, degrades stability, and adds unnecessary functionality. The researchers therefore recommend shifting focus away from the appearance of the loader and toward the behavior of the campaign as a whole: its network infrastructure, the sequence of external calls, the way the second stage is fetched, and the way it spreads.

    The report's authors see promptmorphism as a clear sign of the continued industrialization of malicious operations. Automated generation of an unlimited number of first-stage variants lets attackers buy time, while defenders struggle to link the scattered artifacts together and build robust detection rules.

  • Midnight Ransomware: Critical Flaw Found, Files Can Be Decrypted for Free

    The Norton team, part of Gen Digital, has discovered a critical vulnerability in a new ransomware strain known as Midnight. This malicious program was built upon the leaked source code of Babuk, which surfaced online in 2021. The developers of Midnight sought to enhance its encryption mechanism but inadvertently weakened it—enabling researchers to create a free decryption tool capable of restoring encrypted files.

    The original intent behind Midnight’s development was to improve the speed and reliability of encryption. However, alterations in the implementation introduced flaws in the handling of RSA keys, ultimately allowing for partial data recovery—an insight that formed the foundation of Norton’s solution. The publicly available utility enables victims to recover their files without paying a ransom, thereby mitigating financial and operational damage.

    Midnight inherits Babuk’s architectural framework and employs hybrid encryption, combining the ChaCha20 and RSA algorithms. Notably, it selectively encrypts file fragments based on size to accelerate processing while preserving its destructive impact. The latest variants target virtually all file types except for executables with the extensions .exe, .dll, and .msi.

    On infected systems, encrypted files typically bear the extensions .Midnight or .endpoint, which may also appear within the file contents themselves. Alongside them, ransom instructions are dropped in text documents titled How To Restore Your Files.txt. In some cases, auxiliary log files—such as Report.Midnight or debug.endpoint—are also created.

    Norton has released a decryptor compatible with both 32-bit and 64-bit versions of Windows. The tool automatically locates encrypted files, recommends creating backups, and then initiates the recovery process. The company advises users not to disable the backup option, as it helps prevent data loss in case of unexpected errors.

    Midnight serves as yet another example of how reusing leaked source code from notorious malware can spawn not only new threats but also critical design flaws that render them vulnerable. Norton’s free decryptor represents a rare instance where victims have the opportunity to regain access to their data without financial loss.

  • The End of FunkSec: Free Decryptor Released for Ransomware Victims After AI-Assisted Group Goes Dormant

    In late 2024, a new ransomware strain named FunkSec emerged on the cybercrime scene. It quickly drew attention due to its aggressive tactics and unconventional implementation. Within a short span, dozens of organizations across the United States, India, and Brazil fell victim—spanning sectors such as technology, government administration, and education. What set this ransomware apart was its construction in the Rust programming language and its apparent use of artificial intelligence tools during development.

    However, the activity of the group claiming responsibility—alleging 172 victims—proved to be short-lived. According to data from FunkSec’s data leak site, the last post referencing a new victim was dated March 18, 2025—over five months ago—indicating that the group has effectively ceased operations.

    What makes the conclusion of the FunkSec saga all the more remarkable is its unexpectedly benign ending: victims can now regain access to their encrypted data entirely free of charge. According to Gen Digital researcher Ladislav Jezula, after the group’s disappearance, security experts decided to publicly release a decryption tool that had originally been developed for the company’s internal clients. The utility is now available through the No More Ransom platform, which helps ransomware victims recover their files without succumbing to ransom demands.

    Experts at Check Point believe that FunkSec was orchestrated by low-skilled actors who sought notoriety and public attention more than actual financial gain. Supporting this assessment is the group’s penchant for publishing stolen data in a fashion reminiscent of past hacktivist campaigns, as well as technical analysis of the malware itself—revealing the fingerprints of AI-assisted development.

    FunkSec was coded in Rust—a language increasingly favored by modern malware authors for its high performance and ability to evade traditional antivirus signatures. For encryption, it employed the orion-rs library (version 0.17.7), utilizing the ChaCha20 and Poly1305 algorithms. Each file was segmented into 128-byte blocks, each appended with 48 bytes of metadata, resulting in an overall file size increase of approximately 37%. This method ensured robust encryption while maintaining the integrity of essential parameters such as keys, nonces, and block sizes.

    Gen Digital has not disclosed the precise method by which the decryption tool was developed. It remains unclear whether a flaw in the cryptographic implementation was uncovered or whether the keys were obtained through alternative means. However, users are advised to confirm that their files were indeed encrypted by FunkSec—hallmarks of infection include the “.funksec” extension and the presence of distinctive metadata blocks.

    Before deploying the decryption tool, experts recommend backing up all encrypted files. This precaution is crucial in the event that the decryption process corrupts data or fails to complete properly. While the tool is intended for broad use, it does not guarantee full recovery—particularly in cases where infections involved additional file alterations.

    The FunkSec story serves as a vivid illustration that even relatively unskilled attackers can inflict considerable damage when they blend trending technologies with bold rhetoric. Yet it is often this very inexperience—and the craving for infamy—that becomes their Achilles’ heel, leaving digital footprints that eventually lead to the development of countermeasures, and in some cases, even their apprehension.