BlackMamba Research Whitepaper

While endpoint detection and response (EDR) and other automated security controls are essential components of a modern security stack, they are not foolproof. Threat actors can combine normally highly detected behaviors in an unusual combination to evade detections, especially when artificial intelligence is driving cyberattacks. With the emergence of sophisticated data intelligence systems like large language models (LLM), the risks become even more severe.

The BlackMamba proof-of-concept shows that LLMs can be exploited to synthesize polymorphic keylogger functionality on-the-fly, making it difficult for EDR to intervene. This PoC exploits a large language model to synthesize polymorphic keylogger functionality on-the-fly, dynamically modifying the benign code at runtime and all without any command-and-control infrastructure to deliver or verify the malicious keylogger functionality. This technique runs unimpeded by EDR intervention.

We call this PoC BlackMamba.