{"id":227797,"date":"2026-03-18T14:48:01","date_gmt":"2026-03-18T21:48:01","guid":{"rendered":"https:\/\/www.mcafee.com\/blogs\/?p=227797"},"modified":"2026-03-24T16:33:06","modified_gmt":"2026-03-24T23:33:06","slug":"new-research-hackers-are-using-ai-written-code-to-spread-malware","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/internet-security\/new-research-hackers-are-using-ai-written-code-to-spread-malware\/","title":{"rendered":"New Research: Hackers Are Using AI-Written Code to Spread Malware"},"content":{"rendered":"

McAfee Labs has uncovered a widespread malware campaign hiding inside fake downloads for things like game mods, AI tools, drivers, and trading utilities.<\/span>\u00a0<\/span><\/p>\n

In January 2026, researchers\u00a0observed\u00a0443 malicious ZIP files\u00a0impersonating software people might actively search for online<\/a>.\u00a0Across those files, McAfee\u00a0identified\u00a048 malicious WinUpdateHelper.dll variants\u00a0used to infect devices. The campaign was spread through a mix of file-hosting and content delivery services, including\u00a0Discord, SourceForge,\u00a0FOSSHub, and\u00a0mydofiles[.]com.<\/span>\u00a0<\/span><\/p>\n

What makes this campaign especially notable is that some parts of it appear to have been built with help from\u00a0<\/span>large language models (LLMs)<\/span><\/b>. McAfee researchers found signs that certain scripts\u00a0likely used\u00a0AI-generated code, which may have helped the attackers create and scale the campaign faster.<\/span>\u00a0<\/span><\/p>\n

That\u00a0<\/span>does\u00a0<\/span><\/i>not\u00a0<\/span><\/i>mean AI created the whole operation on its own. But it does suggest AI may be helping cybercriminals lower the effort needed to build malware and launch attacks.<\/span>\u00a0<\/span><\/p>\n

Want the full research? Dive in here.<\/span>\u00a0<\/span><\/a><\/p>\n

We break down the top takeaways below.<\/span>\u00a0<\/span><\/p>\n

What McAfee Found<\/span>\u00a0<\/span><\/h2>\n\n\n\n\n\n\n\n\n\n\n
Finding<\/span><\/b>\u00a0<\/span><\/td>\nWhat it means<\/span><\/b>\u00a0<\/span><\/td>\n<\/tr>\n
443 malicious ZIP files<\/span>\u00a0<\/span><\/td>\nAttackers created many different fake downloads to reach more victims<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
48 malicious DLL variants<\/span>\u00a0<\/span><\/td>\nThe campaign used multiple versions of the malware, not just one file<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
1,700+ file names observed<\/span>\u00a0<\/span><\/td>\nThe same threat was repackaged under many different names to look convincing<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
17 distinct kill chains<\/span>\u00a0<\/span><\/td>\nResearchers found multiple attack flows, but they followed a similar overall pattern<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
Hosted on familiar platforms<\/span>\u00a0<\/span><\/td>\nThe malware was distributed through services users may recognize, including Discord and SourceForge<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
AI-assisted code suspected<\/span>\u00a0<\/span><\/td>\nSome scripts\u00a0contained\u00a0explanatory comments and patterns that strongly suggest LLM\u00a0assistance<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
Cryptomining\u00a0and\u00a0additional\u00a0malware observed<\/span>\u00a0<\/span><\/td>\nInfected devices could be used to mine cryptocurrency or receive more malicious payloads<\/span>\u00a0<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

What Is \u201cAI-Written Malware\u201d?<\/span>\u00a0<\/span><\/h2>\n

In this case, \u201cAI-written malware\u201d\u00a0<\/span>does\u00a0not\u00a0<\/span><\/i>mean<\/span>\u00a0<\/span>an AI system independently invented and launched the attack.<\/span>\u00a0<\/span><\/p>\n

Instead,\u00a0<\/span>McAfee Labs found evidence that the attackers\u00a0very\u00a0likely\u00a0used\u00a0AI tools to help generate some of the code<\/span><\/b>\u00a0used in the campaign, especially in certain PowerShell scripts.<\/span>\u00a0<\/span><\/p>\n

Put simply:<\/span>\u00a0<\/span><\/p>\n\n\n\n\n\n\n
Term<\/span><\/b>\u00a0<\/span><\/td>\nPlain-English meaning<\/span><\/b>\u00a0<\/span><\/td>\n<\/tr>\n
Large language model (LLM)<\/span>\u00a0<\/span><\/td>\nAn AI system that can generate text and code based on prompts<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
AI-assisted malware<\/span>\u00a0<\/span><\/td>\nMalware where attackers appear to have used AI tools to help write or structure parts of the code<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
Vibe coding<\/span>\u00a0<\/span><\/td>\nA style of coding where someone describes what they want and an AI does much of the writing<\/span>\u00a0<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

This matters because it can make malware development faster, easier, and more scalable for attackers.<\/span>\u00a0<\/span><\/p>\n

\"Figure
Figure 1: Attack Vector<\/em><\/figcaption><\/figure>\n

 <\/p>\n

How The Fake Download Attack Works<\/span>\u00a0<\/span><\/h2>\n

The attack begins when someone searches for software online and downloads what looks like the tool they wanted.<\/span>\u00a0<\/span><\/p>\n

That tool might appear to be a game mod, AI voice changer, emulator, trading utility, VPN, or driver. But behind the scenes, the ZIP archive includes malicious components that start the infection.<\/span>\u00a0<\/span><\/p>\n\n\n\n\n\n\n\n\n\n\n
Step<\/span><\/b>\u00a0<\/span><\/td>\nWhat happens<\/span><\/b>\u00a0<\/span><\/td>\n<\/tr>\n
1. A user downloads a fake file<\/span>\u00a0<\/span><\/td>\nThe ZIP archive is disguised as something useful or desirable, such as a mod menu, AI tool, or driver<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
2. The file appears normal at first<\/span>\u00a0<\/span><\/td>\nIn some cases, the package includes a legitimate\u00a0executable\u00a0so it feels more convincing<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
3. A malicious DLL is loaded<\/span>\u00a0<\/span><\/td>\nA hidden malicious file, often WinUpdateHelper.dll, starts the real attack<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
4. The user is distracted<\/span>\u00a0<\/span><\/td>\nThe malware may display a fake \u201cmissing dependency\u201d message and redirect the user to install unrelated software<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
5. A PowerShell script is pulled from a remote server<\/span>\u00a0<\/span><\/td>\nWhile the user is distracted, the malware contacts a command-and-control server and runs\u00a0additional\u00a0code<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
6. More malware is installed<\/span>\u00a0<\/span><\/td>\nDepending on the sample, the device may receive coin miners, infostealers, or remote access tools<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
7. The infected device is abused for profit<\/span>\u00a0<\/span><\/td>\nIn many cases, attackers use the victim\u2019s system resources to mine cryptocurrency in the background<\/span>\u00a0<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

What Kinds of Files Were Used as Bait<\/span>\u00a0<\/span><\/h2>\n

McAfee found that the attackers cast a very wide net. The malicious ZIP files impersonated many types of software, including:<\/span>\u00a0<\/span><\/p>\n\n\n\n\n\n\n\n\n
Bait category<\/span><\/b>\u00a0<\/span><\/td>\nExamples<\/span><\/b>\u00a0<\/span><\/td>\n<\/tr>\n
Gaming tools<\/span>\u00a0<\/span><\/td>\ngame mods, cheats, executors, Roblox-related tools<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
AI-themed tools<\/span>\u00a0<\/span><\/td>\nAI image generators, AI voice changers, AI-branded downloads<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
System utilities<\/span>\u00a0<\/span><\/td>\ngraphics drivers, USB drivers, emulators, VPNs<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
Trading or finance tools<\/span>\u00a0<\/span><\/td>\nstock-market utilities and related downloads<\/span>\u00a0<\/span><\/td>\n<\/tr>\n
Fake security or malware tools<\/span>\u00a0<\/span><\/td>\nfake stealers,\u00a0decryptors, and other risky-looking utilities<\/span>\u00a0<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

That broad range is part of what made the campaign effective. It was designed to catch people already looking for shortcuts, unofficial tools, or hard-to-find software.<\/span>\u00a0<\/span><\/p>\n

Why\u00a0McAfee\u00a0Researchers Believe AI Was Used<\/span>\u00a0<\/span><\/h2>\n

One of the strongest clues came from the comments inside some of the attack scripts.<\/span>\u00a0<\/span><\/p>\n

McAfee researchers found explanatory comments that looked more like AI-generated instructions than the kind of shorthand attackers usually leave for themselves. In one example, a comment referred to downloading a file from\u00a0<\/span>\u201cyour GitHub URL,\u201d<\/span><\/b>\u00a0which suggests the code may have come from a generated template and was not fully cleaned up before use.<\/span>\u00a0<\/span><\/p>\n

These details do not prove every part of the campaign was AI-made. But they do support McAfee\u2019s assessment that\u00a0<\/span>certain components were\u00a0likely generated\u00a0with help from large language models<\/span><\/b>.<\/span>\u00a0<\/span><\/p>\n

What Happens on an Infected Device<\/span>\u00a0<\/span><\/h2>\n

In many cases, the malware was used to turn victims\u2019 computers into quiet crypto-mining machines.<\/span>\u00a0<\/span><\/p>\n

McAfee\u00a0observed\u00a0mining activity involving several cryptocurrencies, including:<\/span>\u00a0<\/span><\/p>\n