First per-app firewall that catches AI-powered worms
AI-augmented malware now queries ChatGPT, Claude, and Gemini during live attacks to generate reconnaissance commands and evade detection. NetInsightPro identifies non-browser processes making LLM API calls, flags autonomous lateral movement in the 60-second window after an LLM response, and escalates when the same threat pattern appears across 3 or more hosts in your network.
Available on Pro and Enterprise tiers. Phase 2 MVP — detection and telemetry. Admin UI tab in Phase 3 (roadmap).
From lab to confirmed deployment
AI-augmented malware crossed from theoretical research into confirmed state-sponsored use in 2025. CrowdStrike documented an 89% surge in AI-enabled adversary operations in their 2026 Global Threat Report.[5]
First demonstrated self-replicating worm targeting GenAI ecosystems. Exploited RAG database poisoning and adversarial prompt embedding to propagate across ChatGPT-4, Gemini Pro, and LLaVA.[1]
LAMEHUG / PROMPTSTEAL: first confirmed in-the-wild malware that queries a live LLM (Hugging Face, Qwen2.5) during active attacks to generate Windows reconnaissance commands, then exfiltrates documents via SSH to attacker C2.[2][3]
SesameOp: backdoor using the OpenAI Assistants API as its C2 channel. A .NET DLL polls an attacker-controlled OpenAI account for encrypted commands — traffic is standard HTTPS to api.openai.com, indistinguishable from legitimate developer use by TLS inspection.[4]
Phase 2 MVP: three detection heuristics
NetInsightPro's existing per-app egress telemetry creates a unique detection surface. Phase 2 ships three heuristics with the best signal-to-noise ratio — chosen for low false-positive rates after allowlist calibration.
LLM API egress from non-browser processes
Alerts when any process not in the tenant allowlist establishes connections to known LLM API endpoints (api.openai.com, api.anthropic.com, generativelanguage.googleapis.com, Hugging Face, Mistral, Cohere). A non-developer process calling these endpoints is the foundational indicator for both LLM-as-C2 (SesameOp pattern) and LLM-assisted reconnaissance (PROMPTSTEAL pattern).
Post-LLM lateral move detection
Flags when the same process (or a child it spawns) initiates an SSH, SMB, or Kubernetes API connection to a host outside the device baseline within 60 seconds of receiving an LLM API response. This is the signal of LLM-orchestrated reconnaissance — the LAMEHUG/PROMPTSTEAL pattern where malware receives LLM-generated commands and immediately attempts lateral movement.
Cross-host process hash replication
Escalates when the same process binary hash appears making LLM API calls on 3 or more distinct devices within a tenant in a 5-minute window, and that hash was not previously in the tenant baseline. This is the clearest worm propagation signal — novel binary spreading to multiple hosts and calling out to AI APIs.
Full heuristic specifications including H3 (byte asymmetry), H4 (process lineage), H5 (post-LLM lateral move), and H6 (local LLM port access) are in the Phase 3–5 roadmap. False-positive estimates are pre-calibration; allowlist tuning reduces rates significantly within 14 days per tenant.
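The three Phase 2 heuristics as an added example written for this page, not NetInsightPro's own agent or backend code: H1, H5 and H7 run over constructed per-app egress metadata events (the event schema, the `ev` helper, the device names and the hashes are assumptions; the 60 s, 5-minute and 3-device thresholds are the ones stated above).

```python
# Added example (not NetInsightPro code): H1/H5/H7 as described above, over constructed events.
from collections import defaultdict

LLM_ENDPOINTS = {"api.openai.com", "api.anthropic.com", "generativelanguage.googleapis.com"}
LATERAL_PROTOS = {"ssh", "smb", "k8s"}

def detect(events, allowlist, baseline_hosts, baseline_hashes,
           lateral_window=60, worm_window=300, worm_min_devices=3):
    alerts, last_reply, parent, fired = [], {}, {}, set()
    sightings = defaultdict(list)                  # hash -> [(ts, device)] of LLM API calls
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["device"], e["pid"])
        if "ppid" in e:
            parent[key] = (e["device"], e["ppid"])
        if e["kind"] == "llm_response":            # metadata only: no prompt/response text
            last_reply[key] = e["ts"]
        elif e["dst"] in LLM_ENDPOINTS:            # H1, plus H7 bookkeeping
            if e["proc"] not in allowlist:
                alerts.append(("H1", e["device"], e["proc"], e["ts"]))
            sightings[e["hash"]].append((e["ts"], e["device"]))
            recent = {d for t, d in sightings[e["hash"]] if e["ts"] - t <= worm_window}
            if e["hash"] not in baseline_hashes | fired and len(recent) >= worm_min_devices:
                fired.add(e["hash"])
                alerts.append(("H7", sorted(recent), e["hash"], e["ts"]))
        elif e["proto"] in LATERAL_PROTOS and e["dst"] not in baseline_hosts:
            k = key                                # H5: walk lineage for a recent LLM reply
            while k is not None:
                if e["ts"] - last_reply.get(k, float("-inf")) <= lateral_window:
                    alerts.append(("H5", e["device"], e["proc"], e["ts"]))
                    break
                k = parent.get(k)
    return alerts

def ev(ts, device, pid, proc, kind, dst, proto="https", h="sha256:AAA", **extra):
    return {"ts": ts, "device": device, "pid": pid, "proc": proc, "kind": kind,
            "dst": dst, "proto": proto, "hash": h, **extra}

# Constructed telemetry: an unknown binary calls the OpenAI API from three devices and,
# on device A, its child opens SSH to a non-baseline host 18 s after the LLM reply.
EVENTS = [
    ev(0, "A", 100, "updater.exe", "connect", "api.openai.com"),
    ev(2, "A", 100, "updater.exe", "llm_response", "api.openai.com"),
    ev(20, "A", 101, "cmd.exe", "connect", "10.0.0.9", proto="ssh", ppid=100),
    ev(40, "B", 200, "updater.exe", "connect", "api.openai.com"),
    ev(90, "C", 300, "updater.exe", "connect", "api.openai.com"),
    ev(100, "A", 500, "code.exe", "connect", "api.anthropic.com", h="sha256:IDE"),
    ev(150, "A", 100, "updater.exe", "connect", "10.0.0.5", proto="ssh"),   # baseline host
    ev(400, "A", 100, "updater.exe", "connect", "10.0.0.7", proto="ssh"),   # reply too old
]
ALLOWLIST, BASELINE_HOSTS, BASELINE_HASHES = {"code.exe"}, {"10.0.0.5"}, {"sha256:IDE"}
```

The two trailing SSH events show the calibration levers at work: a baseline host and a stale LLM reply both stay silent, while the allowlisted IDE process never raises H1.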
Detection without reading your prompts.
AI threat detection works at the network metadata layer. NetInsightPro never sees prompt text or LLM response content. Detection is based entirely on behavioral signals: which process is connecting, to which endpoint, at what interval, and at what byte volume.
Payload entropy capture (Heuristic H3) is opt-in per-tenant and off by default. Every tenant can opt out entirely from AI threat telemetry via a single AppConfig key.
- No raw prompt text or LLM response content is ever stored, logged, or transmitted — only network metadata (endpoint hostnames, byte counts, timing intervals)
- Process metadata is limited to process name and a one-way lineage hash — full command-line arguments are explicitly excluded
- Payload entropy capture (Heuristic H3) is opt-in per-tenant, default off
- Per-tenant opt-out: AppConfig key ai_threat_telemetry_enabled (default on) — when set to false, no AI threat heuristic events are collected or stored
- No cross-tenant aggregation of threat data — correlation runs within the tenant stack only
- GDPR Art. 5 data minimisation and storage limitation: AI threat anomaly rows retained 90 days (same as existing TenantAnomalies)
Included on Pro and Enterprise.
Pro
Early Access
- H1: LLM API egress alerting on your device
- H5: Post-LLM lateral move detection (60s window)
- H7: Worm hash-replication signal (5-min window)
- Per-tenant opt-out available
- AI threat telemetry in your device flow history
Enterprise
Early Access
- Everything in Pro
- Cross-host H7 worm signal across your fleet
- AI threat anomaly rows in admin DDB (Phase 2)
- Admin UI AI Threats tab (Phase 3 — roadmap)
- ai_worm_guard block policy template (Phase 4 — roadmap)
- SIEM forwarding of ai_category threat values (OCSF)
Phase 2 is live. Phases 3–5 are coming.
Phase 2 MVP shipped detection telemetry and backend visibility. We are being explicit about what is live versus what is in the roadmap so you can plan deployments accurately.
Live now (Phase 2):
- H1: LLM API egress from non-allowlisted processes
- H5: Post-LLM lateral move detection (60s window)
- H7: Cross-host binary replication (worm signal, 5-min window)
- New ai_category telemetry values emitted by agent
- Backend DynamoDB visibility for detected events
Roadmap (Phases 3–5):
- Admin console AI Threats tab (/admin/tenants/{id}/ai-threats)
- Tenant-facing anomaly detail view with heuristic breakdown
- SIEM integration guide for new ai_category values
- H2 polling-anomaly + H4 process-lineage heuristics
- Mobile AI Threats screen
- Enterprise ai_worm_guard policy template (block mode, explicit opt-in)
- Developer allowlist self-service UI
- Community IOC feed integration (URLhaus AI category, MISP AI-worm tags)
- Known C2 domain matching for LLM-abusing malware families
- Automated IOC-to-block-rule propagation for Enterprise
References
- Cohen, S., Bitton, R., Nassi, B. "Here Comes the AI Worm: Unleashing Zero-click Worms that Target GenAI-Powered Applications." arXiv:2403.02817, March 2024 (revised January 2025). Cornell Tech.
- CERT-UA / Splunk Threat Research. "LAMEHUG's LLM-Driven Cyber Intrusion." Splunk Security Blog, July 2025.
- Google Threat Intelligence Group (GTIG). "GTIG AI Threat Tracker: Advances in Threat Actor Usage of AI Tools." Google Cloud Blog, 2025. Covers PROMPTSTEAL, PROMPTFLUX, APT28 attribution.
- Microsoft Security Blog. "SesameOp: Novel backdoor uses OpenAI Assistants API for command and control." November 3, 2025.
- CrowdStrike. "2026 CrowdStrike Global Threat Report: AI Accelerates Adversaries and Reshapes the Attack Surface." February 2026.
Talk to us about AI-worm detection.
Tell us your fleet size, SIEM, and IdP. We will walk you through the Phase 2 heuristics, the allowlist calibration process, and the Phase 3 admin UI timeline. No spam. One business day turnaround.
Pro and Enterprise tiers · Early access · Phase 2 MVP shipped