TY - GEN
T1 - Obfusc8
T2 - 2025 IEEE Secure Development Conference, SecDev 2025
AU - Keum, Kwangyun
AU - Kumar, Dheeraj
AU - Barchuk, Bogdan
AU - Boyapati, Sai Chand
AU - Deopura, Rohit
AU - Rahmati, Amir
N1 - Publisher Copyright:
©2025 IEEE.
PY - 2025
Y1 - 2025
N2 - Cyber-attacks have evolved dramatically over the past decade, becoming more targeted and sophisticated. Attackers now employ various techniques, including phishing, ransomware, and Remote Command Execution (RCE), to exploit vulnerabilities in systems and compromise user accounts. PowerShell scripts have become a popular tool among attackers for compromising systems due to their ability to execute commands directly from memory, enabling fileless malware attacks that are challenging to detect with traditional antivirus solutions. These scripts are especially dangerous as they exploit a trusted and powerful tool to execute commands, evade detection, and gain extensive access to system resources, making them highly effective for fileless attacks, remote code execution, and lateral movement across networks. To defend against these scripts, both enterprises and individuals are increasingly relying on defensive mechanisms, such as Endpoint Detection and Response (EDR) and built-in antivirus solutions like Windows Defender. Circumventing such defenses often involves sophisticated obfuscation techniques requiring extensive domain knowledge. In this paper, we introduce Obfusc8, a framework for obfuscating PowerShell scripts using Large Language Models (LLMs). Obfusc8 utilizes a carefully crafted iterative process to obfuscate PowerShell, employing a diverse set of traditional techniques, including object insertion, case alternation, fragmentation, and noise injection, as well as LLM-based code rewriting. We evaluated the effectiveness of Obfusc8 by obfuscating 25 widely recognized PowerShell scripts. Our results show that Obfusc8 can successfully obfuscate malicious payloads to evade signature-based, heuristic, and ML-based detection mechanisms in widely used antivirus software, demonstrating the susceptibility of built-in antivirus solutions to bypass by LLM-powered techniques.
The Obfusc8 framework leverages iterative obfuscation and functionality verification, allowing even users with minimal expertise to transform basic payloads into fully functional malware capable of bypassing detection. Obfusc8 highlights the limitations of current antivirus solutions and underscores the urgent need for stronger defenses. Our findings serve not only as a warning for individual users but also as a call to the security community to improve detection mechanisms in the face of rapidly evolving AI-driven threats.
UR - https://www.scopus.com/pages/publications/105025202479
U2 - 10.1109/SECDEV66745.2025.00027
DO - 10.1109/SECDEV66745.2025.00027
M3 - Conference contribution
AN - SCOPUS:105025202479
T3 - Proceedings - 2025 IEEE Secure Development Conference, SecDev 2025
SP - 156
EP - 168
BT - Proceedings - 2025 IEEE Secure Development Conference, SecDev 2025
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 14 October 2025 through 16 October 2025
ER -