<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Large Language Model Services - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/large-language-model-services/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 15:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/large-language-model-services/feed.xml" rel="self" type="application/rss+xml"/><item><title>Malware Leveraging Large Language Model Endpoints for Command and Control</title><link>https://feed.craftedsignal.io/briefs/2024-01-llm-command-control/</link><pubDate>Wed, 03 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-llm-command-control/</guid><description>This rule detects DNS queries to known Large Language Model (LLM) domains originating from unsigned binaries or common Windows scripting utilities, indicating potential malware command and control activity.</description><content:encoded><![CDATA[<p>This detection identifies suspicious network connections to known Large Language Model (LLM) APIs and chat portals. It focuses on detecting anomalous processes, such as scripting utilities or unsigned executables, making DNS requests to these LLM services. The assumption is that malware may be attempting to leverage LLMs to perform dynamic actions, such as receiving instructions or exfiltrating data via the LLM service. This behavior began appearing in threat intelligence reports in late 2025 and continues to evolve. The detection aims to catch malware abusing legitimate LLM services for command and control, blending in with normal network traffic. This detection helps identify command and control using LLMs, which can dynamically adapt malware behavior, making traditional signature-based detections less effective.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker compromises a system through an initial access vector, such as exploiting a vulnerability or using social engineering.</li>
<li>The attacker deploys a malicious script (e.g., PowerShell, JavaScript) or an unsigned executable onto the compromised host.</li>
<li>The malicious script or executable performs a DNS query to resolve a known LLM API endpoint (e.g., api.openai.com, api.anthropic.com).</li>
<li>The script or executable establishes a network connection to the resolved LLM API endpoint using HTTP/HTTPS.</li>
<li>The malicious actor sends a command to the compromised system through the LLM API, disguised as a normal user request.</li>
<li>The compromised system receives the command from the LLM API and executes it. This might involve actions such as data exfiltration, lateral movement, or deploying further payloads.</li>
<li>The system sends the results of the executed command back to the attacker through the LLM API.</li>
<li>This bidirectional communication repeats, allowing the attacker to maintain persistent command and control over the compromised system via the LLM service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to execute arbitrary commands on compromised systems, potentially leading to data theft, system disruption, or further propagation within the network. Given the increasing reliance on LLMs, this attack vector could affect a wide range of organizations and industries. The compromised system effectively becomes part of a botnet controlled via LLM infrastructure, making attribution and takedown more difficult. The use of LLMs can also make the attack more difficult to detect, as the network traffic blends in with legitimate LLM usage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Detect DNS Queries to Common LLM Endpoints by Scripting Utilities&quot; to your SIEM and tune for your environment, focusing on process names and command-line arguments.</li>
<li>Monitor DNS query logs for connections to the LLM domains listed in the IOC table originating from unusual or unsigned processes.</li>
<li>Investigate any alerts generated by the Sigma rules, paying close attention to the process execution chain and any associated network activity.</li>
<li>Implement network segmentation to limit the impact of compromised systems and restrict outbound connections to trusted LLM services.</li>
<li>Enable process-creation logging, including command-line arguments, to activate the rules above.</li>
<li>Block the C2 domains listed in the IOC table at the DNS resolver.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>command_and_control</category><category>llm</category><category>malware</category><category>windows</category><category>macos</category></item></channel></rss>