Telephone: 1-844-NETIZEN
Tel: 1-844-NETIZEN
Email: team (at) Netizen.net
slider

Netizen: Monday Security Brief (9/29/2024)

Posted on 29 Sep 2025 at https://www.Netizen.net/news Source Link: https://blog.netizen.net

Today’s Topics:

  • Microsoft Warns of AI-Crafted Phishing Campaign Using Malicious SVG Files
  • Researchers Identify MalTerminal, Earliest Known GPT-4-Enabled Malware
  • How can Netizen help?

Microsoft Warns of AI-Crafted Phishing Campaign Using Malicious SVG Files

Microsoft has raised the alarm about a phishing campaign targeting U.S. organizations that appears to use large language model (LLM)-generated code to conceal its payloads. The activity, detected on August 28, 2025, demonstrates how attackers are increasingly incorporating artificial intelligence into phishing and obfuscation tactics.

According to Microsoft Threat Intelligence, the campaign uses compromised business email accounts to distribute phishing messages disguised as file-sharing notifications. The lure leads recipients to believe they are opening a PDF document, when in reality the attachment is a Scalable Vector Graphics (SVG) file.

SVG files are appealing to attackers because they are scriptable and text-based, allowing JavaScript or other dynamic content to be embedded directly. This makes them capable of bypassing common email security filters. Features such as hidden elements, encoded attributes, and delayed execution further complicate detection.

In this campaign, once the SVG is opened, the victim is redirected to a fake CAPTCHA page and eventually to a spoofed login portal designed to harvest credentials. The code within the file was structured to resemble a legitimate business analytics dashboard and heavily used business terminology, such as “operations,” “growth,” and “risk”, to disguise malicious functionality. Microsoft noted that the complexity and verbosity of the code strongly suggested LLM involvement.

The phishing emails also employed a self-addressing tactic, where the sender and recipient fields matched and true targets were hidden in the BCC line, a method to sidestep basic heuristics.

Though Microsoft successfully blocked the attack chain, it cautioned that the methods on display are likely to reappear. “Similar techniques are increasingly being leveraged by a range of threat actors,” the company said, pointing to a trend of AI being used to make phishing lures more convincing and malware code more difficult to analyze.

The disclosure arrives as other researchers are reporting more advanced phishing campaigns. Forcepoint recently detailed an attack sequence that used malicious .XLAM attachments to deploy XWorm RAT, employing reflective DLL injection and heavy obfuscation. Cofense also observed phishing lures tied to copyright infringement notices and spoofed Social Security Administration messages, which delivered information stealers via Telegram and obfuscated Python payloads.

For security teams, the lesson is clear: AI is accelerating phishing innovation. Traditional detection methods, especially those that rely on static analysis, may no longer be sufficient against campaigns where attackers deliberately mimic legitimate business code structures.

Researchers Identify MalTerminal, Earliest Known GPT-4-Enabled Malware

Cybersecurity researchers at SentinelOne have uncovered what may be the earliest known example of malware embedding large language model (LLM) functionality. The malware, codenamed MalTerminal, was first presented at LABScon 2025 and represents a shift in how adversaries are experimenting with AI inside malicious tools.

According to SentinelLabs, MalTerminal uses OpenAI’s GPT-4 to dynamically generate either ransomware code or a reverse shell at runtime. Although there is no evidence the malware has been deployed in real-world attacks, researchers note that its existence marks an important milestone in the development of LLM-enabled malware.

The sample included a Windows executable as well as several Python scripts, some of which prompted users to choose between “ransomware” and “reverse shell” payloads. It also contained a defensive tool called FalconShield designed to analyze Python files by asking GPT to identify and explain malicious code. Researchers believe the presence of OpenAI’s now-deprecated chat completions API, retired in November 2023, indicates MalTerminal was created before that date—making it the earliest identified LLM-enabled malware to date.

SentinelOne warned that embedding LLMs directly into malware introduces a qualitative shift in tradecraft. Rather than relying solely on pre-written payloads, future LLM-enabled malware could dynamically generate malicious logic, complicating detection and response efforts for defenders.

The findings add to growing concerns about adversaries using AI to refine phishing operations. StrongestLayer researchers recently documented a campaign that embedded hidden prompts inside phishing emails to bypass AI-driven security scanners.

The emails, which posed as billing discrepancy notifications, used concealed HTML prompts with styling set to remain invisible. These instructions effectively tricked AI-based filters into marking the messages as safe business communication. When victims opened the HTML attachment, the chain exploited the Follina vulnerability (CVE-2022-30190) to execute additional payloads, disable Microsoft Defender Antivirus, and establish persistence.

The attack also leveraged “LLM poisoning” by embedding misleading comments in the source code, further evading automated analysis. StrongestLayer’s CTO described the tactic as “turning our own defenses into unwitting accomplices.”

Separately, Trend Micro researchers have observed increased use of AI-powered site builders such as Lovable, Netlify, and Vercel to host phishing content. Since January 2025, attackers have used these platforms to deploy fake CAPTCHA pages, tricking users into completing a challenge before being redirected to credential-harvesting sites. Automated scanners, meanwhile, typically only detect the CAPTCHA page and miss the malicious redirection.

Researchers described this abuse of legitimate AI-powered services as a “double-edged sword,” noting that attackers can now host convincing phishing campaigns at speed and minimal cost while benefiting from the credibility of well-known platforms.

How Can Netizen Help?

Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

News and Updates

Sign up to get the latest news and threat briefs:

Get in Touch

Telephone: 1-844-NETIZEN
Email: Team (at) Netizen.net
Office Locations:
Allentown, PA (Headquarters)
 Arlington, VA (DC Region)
 Charleston, SC (Southeast Region)

Connect With Us

    Facebook
    Twitter
    LinkedIn
    Instagram
    GitHub

Copyright © Netizen Corporation. All Rights Reserved.