2026-05-07, IFEN room 2, Workshops and AI Security Village (Building D)
As AV/EDR systems evolve to detect behavioral anomalies, offensive tradecraft must adapt beyond static obfuscation. This talk explores the convergence of Artificial Intelligence and advanced Cryptography in the development of next-generation evasive malware. We will move past traditional packing techniques to examine how lightweight LLMs and cryptographic primitives can be integrated directly into the malware lifecycle.
You will gain insight into:
- AI-Driven Polymorphism: Utilizing embedded or cloud-based AI agents to dynamically rewrite logic and variable structures at runtime, rendering signature-based detection obsolete.
- Cryptographic Context-Awareness: Implementing environmental keying and mathematical "logic locking," where payloads remain cryptographically sealed until specific environmental conditions (verified by AI logic) are met.
- Entropy Reduction: Techniques to make encrypted payloads statistically indistinguishable from benign data or natural language using AI-generated steganography.
This talk bridges the gap between theoretical mathematics and practical weaponization, demonstrating how free, open-source AI models can be turned to stealth, and conversely, how defenders can prepare for the age of "thinking" malware.
Modern EDR and XDR solutions have moved the goalposts. Static signatures are a relic of the past; today’s fight is against behavioral telemetry and ML-driven heuristics. To survive on a target host, offensive tradecraft must evolve. This practice-oriented talk demonstrates how the convergence of Artificial Intelligence and non-standard Cryptography creates a "thinking" malware capable of adapting to Windows, Linux, and macOS environments.
We move beyond simple packing to explore a specialized Adversarial Dev Loop. By integrating lightweight LLMs and rare cryptographic primitives (Skipjack, Speck, Mars, Lucifer, Camellia), we demonstrate how to build malware that interviews its environment before revealing its true nature.
What you will learn through live demos and code analysis:
- The AI-Mutator Loop: How to use local AI agents to perform automated source-level polymorphism. I will demonstrate C/C++ code that rewrites its own logic, variable structures, and API resolution patterns for every new "build," making hash-based and static ML detection impossible.
- Cross-Platform Residency: A deep dive into modern persistence, from macOS Dylib hijacking and WatchPaths to Linux eBPF-based hooks and Windows service subversion, all protected by Environmental Keying. I will show how payloads remain cryptographically sealed until AI logic verifies the "DNA" of the target machine.
- Rare Crypto vs. Entropy Scanners: Why standard AES/ChaCha20 is a red flag. We will implement "forgotten" algorithms to bypass entropy-based detection and show how to use AI to generate "Natural Language Steganography": hiding exfiltrated data inside AI-generated text that passes through Deep Packet Inspection (DPI) unnoticed.
- Breaking the Sandbox: Real-world examples of AI-driven sandbox detection. We demonstrate implants that exhibit "benign mimicry" when a virtualization artifact is detected, effectively poisoning the training data of automated sandboxes.
This talk isn't about theoretical future threats; it's about the weaponization of free, open-source AI models available today. Whether you are a Red Teamer looking to bypass top-tier EDRs or a Blue Teamer trying to understand the next wave of "smart" malware, you will leave with the C/C++ PoCs and forensic insights needed to operate in the age of thinking malware.
Cybersecurity enthusiast, author, speaker and mathematician. Author of popular books:
- MD MZ Malware Development Book (Github, 2022, 2024)
- MALWILD: Malware in the Wild Book (Github, 2023)
- Malware Development for Ethical Hackers Book (Packt, 2024)
- AIYA Mobile Malware Development Book (Github, 2025)
- Malware Development for Ethical Hackers, 2nd edition (Packt, 2026, in progress)
Author and tech reviewer at Packt.
Co-founder of various cybersecurity research labs, author of many cybersecurity blogs and of HVCK magazine.
Malpedia contributor.
Speaker at BlackHat, DEFCON, Security BSides, Arab Security Conference, Hack.lu, Positive Hack Talks and other conferences.