<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Llm — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/llm/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 22 Apr 2026 16:34:10 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/llm/feed.xml" rel="self" type="application/rss+xml"/><item><title>Suspicious Processes Connecting to Large Language Model Endpoints</title><link>https://feed.craftedsignal.io/briefs/2024-01-30-llm-command-and-control/</link><pubDate>Wed, 22 Apr 2026 16:34:10 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-30-llm-command-and-control/</guid><description>This rule detects DNS queries to known Large Language Model (LLM) domains by unsigned binaries or common Windows scripting utilities, indicating potential command and control activity leveraging LLMs for dynamic actions on compromised systems.</description><content:encoded><![CDATA[<p>This detection identifies instances where suspicious processes are communicating with known Large Language Model (LLM) endpoints. The activity suggests potential command and control behavior, where malware or unauthorized scripts leverage LLMs to dynamically execute actions on compromised systems. This behavior emerged in late 2025 and continues to evolve. The rule focuses on detecting DNS queries originating from unsigned binaries or common scripting utilities like PowerShell, <code>mshta.exe</code>, and <code>wscript.exe</code>. The targeting scope includes both Windows and macOS systems. 
Defenders should be aware of this technique as attackers increasingly integrate LLMs to enhance malware capabilities and evade traditional detection methods.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A user inadvertently executes a malicious script or binary, potentially delivered through social engineering or drive-by download.</li>
<li>The malicious script, such as a PowerShell script or JavaScript within <code>mshta.exe</code>, is launched.</li>
<li>The script executes code to perform reconnaissance, gathering system information or user credentials.</li>
<li>The script constructs a query for a Large Language Model (LLM) endpoint, such as <code>api.openai.com</code>, using a common scripting utility.</li>
<li>The DNS query is resolved, and a network connection is established to the LLM API endpoint, bypassing standard network security controls.</li>
<li>The malicious script sends data to the LLM API, requesting instructions or performing tasks such as code generation or data exfiltration.</li>
<li>The LLM responds with instructions or processed data, which the script then executes on the compromised system.</li>
<li>The attacker gains control over the compromised system by leveraging the LLM to perform various malicious activities, like lateral movement or data theft.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Compromised systems could be remotely controlled via LLM APIs, allowing attackers to perform data exfiltration, lateral movement, or deploy ransomware. Successful exploitation can lead to significant data breaches, financial loss, and reputational damage. The number of victims is currently unknown, but the attack vector affects organizations across all sectors.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rules in this brief to your SIEM to identify suspicious processes querying LLM endpoints.</li>
<li>Enable DNS query logging on both Windows and macOS endpoints to provide the necessary data source for the detections.</li>
<li>Investigate any alerts generated by the Sigma rules, focusing on identifying the parent process and associated network activity.</li>
<li>Implement application control policies to restrict the execution of unsigned binaries and common scripting utilities from untrusted locations.</li>
<li>Review and update network firewall rules to restrict outbound connections to known malicious or suspicious domains.</li>
<li>Monitor process creation events for command-line arguments that indicate the use of scripting engines to perform DNS queries to LLM domains.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>command_and_control</category><category>malware</category><category>llm</category></item><item><title>LiteLLM Package Compromised with Credential-Stealing Code via Trivy</title><link>https://feed.craftedsignal.io/briefs/2026-03-litellm-credential-theft/</link><pubDate>Wed, 25 Mar 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-litellm-credential-theft/</guid><description>The LiteLLM package was compromised and infected with credential-stealing code through a supply chain attack leveraging the Trivy vulnerability scanner.</description><content:encoded><![CDATA[<p>On March 24, 2026, reports surfaced indicating that the LiteLLM package, a library designed to provide a unified interface for interacting with various large language models, was compromised and injected with malicious code. This compromise occurred through a vulnerability in Trivy, a widely-used open-source vulnerability scanner. The malicious code was designed to steal credentials, potentially including API keys and other sensitive information used to access and manage language models. The scope of the compromise is currently unknown, but given the popularity of both LiteLLM and Trivy, the potential impact could be significant across various sectors using LLMs. This incident highlights the risks associated with supply chain vulnerabilities and the importance of thorough security audits of third-party dependencies.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A vulnerability is exploited within Trivy, potentially during its build or update process.</li>
<li>The attacker leverages this vulnerability to inject malicious code into the LiteLLM package during its build or release process.</li>
<li>Users download and install the compromised LiteLLM package from the official repository (e.g., PyPI).</li>
<li>Upon execution of the infected LiteLLM package, the malicious code is triggered.</li>
<li>The malicious code collects credentials, such as API keys, environment variables, or configuration files, from the user&rsquo;s system or environment.</li>
<li>The stolen credentials are exfiltrated to a remote server controlled by the attacker using network protocols like HTTP/S.</li>
<li>The attacker uses the stolen credentials to access and control the victim&rsquo;s accounts, resources, and data related to language model services.</li>
<li>The attacker may further exploit the compromised systems for lateral movement, data exfiltration, or other malicious activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful compromise of the LiteLLM package can lead to significant damage, including unauthorized access to language model APIs, data breaches, and financial losses. The number of affected users and organizations is currently unknown. Sectors relying heavily on LLMs, such as AI development, research, and various industries integrating AI-powered applications, are particularly vulnerable. If successful, the attack can result in the exposure of sensitive data, disruption of services, and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Implement integrity checks on all downloaded packages to verify their authenticity and prevent the installation of compromised versions (reference: Overview).</li>
<li>Monitor network traffic for suspicious outbound connections originating from processes associated with the LiteLLM package, looking for connections to unknown or malicious IPs (reference: Attack Chain, step 6).</li>
<li>Deploy the Sigma rules provided below to detect potential credential theft and exfiltration attempts (reference: rules).</li>
<li>Implement strict access controls and least privilege principles to limit the impact of compromised credentials (reference: Impact).</li>
<li>Conduct regular security audits of all third-party dependencies and use software composition analysis tools to identify and remediate vulnerabilities (reference: Overview).</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>supply-chain</category><category>credential-theft</category><category>llm</category><category>trivy</category></item></channel></rss>