Fortinet Inc.

07/10/2025 | Press release | Distributed by Public on 07/10/2025 07:13

Catching Smarter Mice with Even Smarter Cats

From the beginning, the antivirus world has been a cat-and-mouse game, where malware authors and antivirus engineers constantly adapt their code to bypass or catch each other. Artificial Intelligence is bringing the game to the next level, with malware authors using AI to improve their malware[1] and anti-virus engineers using AI to assist them with reverse engineering[2].

(Un)Packing and (De)Obfuscating with AI assistance

Nowadays, nearly all malware is packed and/or obfuscated. AI does not (yet) help with packers: we tried it on a Linux/Prometei botnet sample from February 2025, and the AI would have wasted its effort reversing the internal logic of the packer if we had not stepped in to help.

Figure 1: We asked the AI (via Radare2's r2ai plugin) to locate the main function of the malware. It instead located the main function of the packer. While it correctly identified a decompression routine, an expected component of a packer, it was unable to unpack the binary automatically or to locate the actual malicious payload.

To be fair, unpacking is a difficult task that static tools such as IDA Pro or Ghidra do not perform either. It is something the analyst has to do beforehand, and then supply the unpacked binary for further analysis.

As for obfuscation, the news is far better. While AI will probably fail and require human assistance on complicated obfuscation, it works reasonably well on standard string obfuscation and junk code. This is a significant advancement for the antivirus industry. In the example below, the AI analyzed the obfuscation algorithm of Linux/Ladvix.E and implemented a working de-obfuscator [3].

Figure 2: Radare2 disassembler communicates with Claude 3.7 Sonnet, produces a de-obfuscator, and de-obfuscates the malware string to "/etc/cron.hourly/0".

Dealing with New Frameworks and Languages with AI

Another technique that has been trending in the malware scene for a few years is the use of specific frameworks (e.g., Flutter [4]) or high-level languages (Go, Rust). Currently, AI struggles with Flutter and Rust malware, which is not surprising because the field is still new. Human researchers struggle to find solutions, too! We tried AI assistance directly on the "Flutter assembly" of Android/SpyLoan: it was of no help at all and did not recover function names, strings, or any other structure. However, when we proceeded in a smarter way and first produced the Blutter [5] output for the malware, the AI was able to reconstruct very readable Dart code from it.

Figure 3: This is a reconstructed main function of the SpyLoan malware, based on the commented assembly generated by Blutter. The Dart code is easy to understand for an antivirus engineer.

AI is quite successful with the older Delphi language. We assume the reason is that LLMs were trained on plenty of Delphi and Pascal material. Despite its age, Delphi is still, somewhat surprisingly, used to implement the Linux/Filecoder.BR!tr (aka Trigona) ransomware (sample from April 2025).

For example, Ghidra faithfully decompiles the main function of the ransomware. We can immediately identify Delphi function names (e.g., SYSTEM_RANDOM), followed by their argument types (LONGINT, LONGINT), and internal memory management helpers (FPC_ANSISTR_DECR_REF).

Figure 4: Part of the main function of Linux/Filecoder, as decompiled by Ghidra.

Calls such as SYSTEM_RANDOM are interesting because they correspond to code that the malware author explicitly wrote. Helpers such as FPC_ANSISTR_DECR_REF are not interesting for malware analysis: they are inserted by the compiler (the Free Pascal Compiler, in this case) to manage the reference counts of Ansi strings, and they only clutter the listing.

When asked to decompile the same function, the AI strips those runtime helper calls and produces source code that is far easier to read than what Ghidra gave. The trade-off is fidelity: the helper calls are real code, so the AI output should be treated as a readable summary, and the disassembly should be checked wherever string lifetimes or exact control flow matter.

Figure 5: Same part of Linux/Filecoder, decompiled with r2 + r2ai plugin
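The filtering the AI performs here can also be done deterministically. The following script is an added example, not code from the article or from r2ai: it takes Ghidra-style pseudo-C and drops statements that consist solely of a call to an FPC_* runtime helper (FPC_ANSISTR_DECR_REF appears on the page; FPC_ANSISTR_INCR_REF, FPC_INITIALIZEUNITS and FPC_DO_EXIT are other real Free Pascal RTL exports used here as assumed examples), while listing the remaining author-level calls. The input is a constructed stand-in that imitates the shape of Figure 4; it is not the real decompilation of Linux/Filecoder, and USER_ENCRYPT_FILE is a hypothetical name.

```python
import re

# Constructed sample of Ghidra pseudo-C. It mimics the pattern described in the
# article (a Delphi-level call surrounded by compiler-inserted FPC_* string
# housekeeping). It is NOT the actual decompilation of Linux/Filecoder, and
# USER_ENCRYPT_FILE is a hypothetical author-level procedure name.
SAMPLE_DECOMPILED = """\
void main(void)
{
  LONGINT lVar1;
  char *pcVar2;

  FPC_INITIALIZEUNITS();
  lVar1 = SYSTEM_RANDOM(0x10);
  pcVar2 = (char *)0x0;
  FPC_ANSISTR_INCR_REF(pcVar2);
  USER_ENCRYPT_FILE(pcVar2, lVar1);
  FPC_ANSISTR_DECR_REF(&pcVar2);
  FPC_DO_EXIT();
  return;
}
"""

# A statement that is nothing but a call to a Free Pascal RTL helper, e.g.
# "FPC_ANSISTR_DECR_REF(&pcVar2);". Helpers whose return value is assigned or
# used in an expression deliberately do not match (see is_runtime_helper_stmt).
HELPER_STMT_RE = re.compile(r"FPC_[A-Z0-9_]+\s*\(.*\)\s*;")

# Any "identifier(" occurrence; '$' is allowed because FPC-mangled names use it.
CALL_RE = re.compile(r"\b([A-Za-z_][A-Za-z0-9_$]*)\s*\(")

# Tokens that precede '(' in C but are not calls.
NOT_CALLS = {"if", "while", "for", "return", "switch", "sizeof", "main"}


def is_runtime_helper_stmt(line: str) -> bool:
    """True if the whole statement is a bare FPC_* helper call.

    A line like "lVar1 = FPC_ANSISTR_COMPARE(a, b);" is kept, because
    removing it would change the visible data flow of the function.
    """
    return HELPER_STMT_RE.fullmatch(line.strip()) is not None


def strip_runtime_helpers(pseudo_c: str) -> str:
    """Return the pseudo-C without compiler-inserted FPC_* helper statements."""
    kept = [ln for ln in pseudo_c.splitlines() if not is_runtime_helper_stmt(ln)]
    return "\n".join(kept) + "\n"


def author_calls(pseudo_c: str) -> list:
    """Distinct called names that are neither FPC_* helpers nor C keywords,
    in order of first appearance. These are the calls worth a closer look."""
    names = []
    for match in CALL_RE.finditer(pseudo_c):
        name = match.group(1)
        if name.startswith("FPC_") or name in NOT_CALLS or name in names:
            continue
        names.append(name)
    return names


if __name__ == "__main__":
    print(strip_runtime_helpers(SAMPLE_DECOMPILED))
    print("author-level calls:", author_calls(SAMPLE_DECOMPILED))
```

On the constructed sample the script removes the four FPC_* statements and reports SYSTEM_RANDOM and USER_ENCRYPT_FILE as the calls the author actually wrote. Unlike an LLM, it cannot rename variables or infer intent, but its output is reproducible and it never drops a call whose result the code depends on.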

Conclusion

The antivirus world has always been a cat-and-mouse game. While AI is close to defeating standard string and code obfuscation, malware authors are likely to adapt by using more complex obfuscation. Similarly, malware authors can make reverse engineering harder by using recent frameworks and languages. So where is the progress, you might ask?

The main difference is that, for once, the antivirus industry has a new tool that helps it more than it helps the adversary. We are forcing malware authors to move to more complex obfuscation and to newer frameworks and languages. Is Rust more secure than C? Sure! But they have to make the effort to learn Rust, adopt new libraries, cope with bugs, and so on. And while they do that, our LLMs can be updated and trained on those novelties even faster. Yes, it is the first time in 20 years that time and tools are in our favor.

Fortinet Protections

Fortinet customers are already protected from all malware mentioned in this article through our AntiVirus service. FortiGuard Labs detects the samples with the following AV signatures:

Linux/Ladvix.E, Linux/Prometei.B, Adware/SpyLoan!Android, Linux/Filecoder.BR!tr

The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Fortinet EPP customers running current AntiVirus updates are also protected.

IOCs

943e1539d07eaffa4799661812c54bb67ea3f97c5609067688d70c87ab2f0ba4 - Linux/Ladvix.E
cc7ab872ed9c25d4346b4c58c5ef8ea48c2d7b256f20fe2f0912572208df5c1a - Linux/Prometei.B
c65298b6cd5a1769c747a0c7fb589ffa12fdf832b64787283953eaa57b65bc1c - Adware/SpyLoan!Android
c08a752138a6f0b332dfec981f20ec414ad367b7384389e0c59466b8e10655ec - Linux/Filecoder.BR!tr

References

[1] https://www.hp.com/us-en/newsroom/press-releases/2024/ai-generate-malware.html

[2] https://arxiv.org/html/2504.07574

[3] https://asciinema.org/a/724126 Asciinema video of Linux/Ladvix deobfuscation

[4] https://www.fortiguard.com/events/5552/virus-bulletin-2024-android-flutter-malware

[5] https://github.com/worawit/blutter

Fortinet Inc. published this content on July 10, 2025, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on July 10, 2025 at 13:13 UTC.