Malware is nothing new. For decades, attackers have used it to disrupt businesses, steal data, and take control of systems. What has changed is the way it’s built and delivered. With the rise of generative AI, malware has been supercharged. No longer is it limited to static code or crude phishing lures. Malicious AI now enables attackers to create malware that adapts, learns, and blends seamlessly into the environments we trust most.

Unfortunately, the danger doesn’t stop at email. Modern business relies on third-party cloud tools—such as Slack, Zoom, ServiceNow, and Google Workspace—platforms that employees use daily and instinctively trust. Cybercriminals know this, and with AI on their side, they can exploit that trust to infiltrate these applications quickly and quietly.

Malware has always evolved alongside technology. Early variants were crude—file-based viruses that spread through infected disks or email attachments. As defenses adapted, attackers turned to worms and trojans that spread rapidly across networks. Ransomware soon followed, locking down entire organizations until payments were made.

Then came fileless malware. Instead of dropping files to disk, these attacks lived in memory and leveraged legitimate system tools, leaving almost no trace behind. Campaigns like XFiles, which used a phishing email and a repurposed Cloudflare Turnstile widget to deliver a fileless payload, proved that attackers could bypass signature-based defenses by removing the “file” from malware altogether.

Now, generative AI has ushered in a new chapter.

AI has broken out of a single threat vector, fueling every facet of malware creation faster than ever before.

Threat groups are already taking advantage, using AI to power sophisticated ransomware attacks. One group, GTG-5004, used Anthropic’s Claude to build modular ransomware with advanced encryption and stealth features, while another, GTG-2002, automated the entire extortion process—from targeting victims to generating ransom notes—impacting at least 17 organizations in critical sectors. Academic research has shown how inexpensive this process can be for cybercriminals. NYU’s PromptLocker prototype demonstrated that large language models could run a full ransomware attack for as little as $0.70 per attempt using commercial APIs.

Beyond ransomware, attackers are finding other creative new ways to exploit AI tools. Trend Micro has described a practice called “vibe-coding”, where criminals use AI to interpret threat intelligence and rebuild malware techniques without needing advanced expertise. Additionally, CloudSEK’s ClickFix goes a step further, showing how malicious instructions could be hidden in documents and activated by AI-powered summarization tools.

Cybercriminals are also experimenting with stealthier attack methods. A new Koske cryptomining malware was discovered hidden in panda-themed images, targeting misconfigured servers and using rootkits to persist across cloud environments.

AI-driven malware isn’t just more sophisticated, it’s more accessible. Tasks that once required advanced coding skills are now within reach for less-skilled attackers using open-source or commercial AI tools. This democratization of cybercrime means we’ll see more attacks, launched by more actors, with higher levels of polish and effectiveness.

The cost of entry has never been lower, and the payoff for attackers has never been higher. Polymorphic malware that rewrites itself, phishing campaigns written in flawless business language, and stealthy loaders embedded in everyday file formats are no longer hypothetical—they’re here.

Stopping AI-powered malware requires equally intelligent defenses. Traditional security tools that chase known threats aren’t enough in a world where attacks constantly adapt and disguise themselves. What’s needed instead is a behavior-based approach—one that builds a baseline of normal activity across people, vendors, and applications, and uses deviations from that baseline to uncover hidden threats.

By analyzing identity and context at scale, these defenses can detect anomalies that would otherwise slip past—whether that’s a suspicious Dropbox link, an unusual Zoom invite, or a phishing email carrying a fileless payload. API-based integrations further extend protection across the cloud, ensuring that threats are stopped consistently, from email to SaaS platforms to collaboration tools.

Malware will continue to grow smarter, stealthier, and more scalable with AI. We can expect new tactics that exploit AI-powered summarization tools, embed malicious code in everyday documents, or even automate full attack chains without human input.

Organizations cannot afford to rely on outdated defenses. They need security that evolves as quickly as the threats they face. Abnormal provides that capability—leveraging behavior-based detection to protect against the most advanced malware in the age of AI.

In a world where malicious AI writes its own attacks, the only way forward is to detect what looks normal—and stop what isn’t.

Interested in learning more about Abnormal's behavioral AI detection? Schedule a demo today!