Earlier this month, the Karnataka government announced that of the 20,092 cases of cybercrime it registered in 2024, only 1,284 had been solved. One of the challenges that the state is facing, according to officials, is polymorphic malware.
It is infecting devices like never before, and it is far worse than ordinary malware. Simply put, malware is software designed for malicious purposes. The term covers everything from an information-stealing virus that silently exfiltrates sensitive data from your phone to ransomware that encrypts all your data and holds it to ransom.
Earlier, hackers used basic techniques to change the signature of their malware, such as inserting random bits of code or renaming files inside the malware to disguise its true purpose. As these methods became known, defences were adapted to spot and neutralize them. In 2017, for example, the WannaCry ransomware attack crippled hundreds of thousands of computers worldwide, locking users out of their own systems and demanding ransom payments in cryptocurrency.
This attack exploited a weakness in Windows, but its behavior was predictable because it ran the same code on every device it infected, which eventually allowed a security researcher to stop it by finding a “kill switch”, a way to disable its damage. Polymorphic malware, instead of relying on fixed code, rewrites itself every time it infects a new system, making it almost impossible for traditional signature-based security tools to recognize it.
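To make the point about “traditional security tools” concrete, here is an added illustration (not from the article or from any vendor) of why exact-signature detection breaks as soon as a file is rewritten, while detection keyed on what the code does survives. The two “variants” are constructed, harmless pseudo-scripts that differ only in comments and variable names; the function names inside them (`derive_key`, `encrypt_file`, `send_ransom_note`) are invented stand-ins, not real APIs.

```python
import hashlib
import re

# Constructed, benign stand-ins for two variants of the same malicious script.
# They differ only in a junk comment and renamed variables, the kind of surface
# change that defeats a hash-based signature; the behaviour is identical.
VARIANT_A = b"""
# build 1
key = derive_key()
for f in list_files('/home'):
    encrypt_file(f, key)
send_ransom_note('pay in bitcoin')
"""

VARIANT_B = b"""
# 9f3a random junk comment inserted by the mutation step
k = derive_key()
for item in list_files('/home'):
    encrypt_file(item, k)
send_ransom_note('pay in bitcoin')
"""

# A classic blocklist: SHA-256 of samples already seen in the wild (here, variant A only).
KNOWN_BAD_HASHES = {hashlib.sha256(VARIANT_A).hexdigest()}


def signature_match(sample: bytes) -> bool:
    """Traditional detection: the whole file must hash to a known-bad value."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_HASHES


def normalized_hash(sample: bytes) -> str:
    """Hash after stripping comments and whitespace.

    This defeats padding and comment insertion, but NOT identifier renaming,
    so it is still a fragile signature.
    """
    no_comments = re.sub(rb"#[^\n]*", b"", sample)
    collapsed = re.sub(rb"\s+", b"", no_comments)
    return hashlib.sha256(collapsed).hexdigest()


# Behavioural indicators: the capabilities a ransomware payload needs regardless
# of how its source is shuffled around. A rule fires when enough of them co-occur.
BEHAVIOUR_INDICATORS = [
    re.compile(rb"derive_key\("),
    re.compile(rb"encrypt_file\("),
    re.compile(rb"send_ransom_note\("),
]


def behaviour_match(sample: bytes, min_hits: int = 3) -> bool:
    """Detection keyed on what the code does, not on its exact bytes."""
    hits = sum(1 for pattern in BEHAVIOUR_INDICATORS if pattern.search(sample))
    return hits >= min_hits


if __name__ == "__main__":
    for name, sample in (("A", VARIANT_A), ("B", VARIANT_B)):
        print(f"variant {name}: signature={signature_match(sample)} "
              f"behaviour={behaviour_match(sample)}")
```

Running it shows variant A caught by both methods and variant B caught only by the behavioural rule; even the normalised hash differs between the two because the variable names changed. This is the gap the article describes: a defender who relies on hashes alone must re-learn every rewrite, whereas indicators tied to behaviour (or, in a real product, runtime monitoring of file encryption and network activity) hold across variants.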
Think of it as a spy who is also a master of disguise, blending in with the population of the country they infiltrate and detected only long after they have bombed their target. An early example of polymorphic malware was seen in March 2023 in the form of an updated version of NullMixer, a known malware that targeted organizations in North America, Italy, and France. It installed multiple harmful programs, such as banking Trojans and spyware, all at once, and the new version was even more dangerous because it could change to fit the specific systems it infected.
Researchers found that attackers tricked IT staff into installing the malware through fake search results and video tutorials. In one month, the malware infected over 8,000 systems, stealing data to sell on the dark web. Polymorphic malware is scary not only because of its shape-shifting capabilities, but also because of the technology that powers it.
Polymorphic malware is written using AI, the same AI that powers Large Language Models like ChatGPT. A research paper published in 2023 by cybersecurity firm CyberArk, written by its researchers Eran Shimony and Omer Tsarfati, detailed how they had used ChatGPT to write polymorphic malware.
“The concept of creating polymorphic malware using ChatGPT may seem daunting, but in reality, its implementation is relatively straightforward,” they wrote in their report titled Chatting Our Way Into Creating A Polymorphic Malware. Last year, cybersecurity researchers discovered GhostGPT, the bad cousin of ChatGPT that writes phishing emails and malware codes with equal ease. Then came DeepSeek, the Chinese AI model that took the world by storm.
Within a month of its release, a team of cybersecurity researchers ran an experiment on it. They entered 50 prompts seeking its assistance for a wide range of unethical and illegal activities, from planning misinformation campaigns to creating malware – and achieved a 100 percent success rate. In other words, the more advanced AI gets, the more dangerous polymorphic malware becomes.
While security companies like Microsoft, Intel, and Google are constantly updating their malware detection tools, individuals need to take proactive measures to stay safe. Its capabilities aside, polymorphic malware still relies on “user interaction” to enter a device. This means it can only infect your device if you click a link, open a file or download an attachment that the malware is hiding in. If that discount offer or free gift sounds too good to be true, it is!
The writer is Assistant Vice President and Security Awareness Strategist at CyberFrat, an organization that centers on Risk Management, Cybersecurity, and Emerging Technologies