Executive Summary
In early 2024, security researchers uncovered a Living-off-the-Land (LotL) attack that leveraged Windows' native AI stack to conceal and deploy malware within trusted AI data files. Attackers exploited the inherent trust that many Windows systems grant to files used by the native AI stack, allowing the threat to bypass traditional detection methods. The malicious payloads used fileless techniques, hiding in AI models and exploiting automated processing pipelines to achieve stealthy initial access and lateral movement. The campaign resulted in significant risks of unauthorized access, data theft, and potential disruption to business operations reliant on AI-driven processes.
This incident is a timely reminder of evolving threat tactics using fileless malware and trusted native components. As the adoption of AI and automation accelerates, attackers are adapting by targeting supply chains and leveraging trusted AI data flows to bypass security controls and compliance frameworks.
Why This Matters Now
With the rapid integration of AI into business workflows, attackers are increasingly exploiting trusted native stacks and file formats to deliver malware undetected. The use of LotL techniques with AI data files signals a critical need for organizations to reassess their security controls and compliance posture around emerging technologies.
Attack Path Analysis
Attackers leveraged malware embedded within Windows native AI data files to gain an initial foothold on target systems, bypassing traditional security validation. Following compromise, they escalated privileges by exploiting trusted AI execution stacks for broader access. Next, the adversaries moved laterally within the cloud environment through internal network pathways, aided by insufficient segmentation. They established covert command and control channels using encrypted or native protocols to maintain persistent access. Subsequently, sensitive data was stealthily exfiltrated, potentially over encrypted outbound connections. Finally, adversaries could impact the organization through further malware deployment or business disruption.
Kill Chain Progression
Initial Compromise
Description
Malware was delivered via trusted AI data files, exploiting the trust in Windows native AI stack to achieve execution within the environment.
Related CVEs
CVE-2025-23319
CVSS 8.1
An out-of-bounds write vulnerability in Nvidia's Triton Inference Server's Python backend allows remote attackers to execute arbitrary code.
Affected Products:
Nvidia Triton Inference Server – < 25.07
Exploit Status:
no public exploit
CVE-2025-23320
CVSS 7.5
A shared memory limit exceeding vulnerability in Nvidia's Triton Inference Server's Python backend could allow remote code execution.
Affected Products:
Nvidia Triton Inference Server – < 25.07
Exploit Status:
no public exploit
CVE-2025-23334
CVSS 5.9
An out-of-bounds vulnerability in Nvidia's Triton Inference Server's Python backend may lead to remote code execution.
Affected Products:
Nvidia Triton Inference Server – < 25.07
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
User Execution: Malicious File
Phishing: Spearphishing Attachment
Signed Binary Proxy Execution
Template Injection
Masquerading: Match Legitimate Name or Location
Deobfuscate/Decode Files or Information
Obfuscated Files or Information
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Malicious Software Prevention Mechanisms
Control ID: 5.2.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 9
CISA ZTMM 2.0 – Continuous Monitoring of Assets and Data
Control ID: Visibility and Analytics: 3.2
NIS2 Directive – Technical and Organizational Measures to Manage Cybersecurity Risks
Control ID: Article 21(2)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
AI-powered malware hiding in the Windows native AI stack poses critical threats to software development environments, requiring enhanced zero trust segmentation and threat detection capabilities.
Information Technology/IT
Living-off-the-land attacks exploiting trusted AI data files demand comprehensive multicloud visibility, inline IPS protection, and advanced anomaly detection for IT infrastructure security.
Financial Services
Malware concealed in AI files threatens financial data integrity, necessitating encrypted traffic protection, east-west traffic security, and strict compliance with regulatory frameworks.
Health Care / Life Sciences
Healthcare AI systems vulnerable to stealth malware attacks require robust egress security, threat detection capabilities, and HIPAA-compliant zero trust network segmentation implementations.
Sources
- LotL Attack Hides Malware in Windows Native AI Stack – https://www.darkreading.com/vulnerabilities-threats/lotl-attack-malware-windows-native-ai-stack
- Security flaws in key Nvidia enterprise tool could have let hackers run malware on Windows and Linux systems – https://www.techradar.com/pro/security/worrying-nvidia-triton-bugs-let-hackers-run-malware-on-windows-and-linux-systems
- HP Wolf Security Uncovers Evidence of Attackers Using AI to Generate Malware – https://www.hp.com/us-en/newsroom/press-releases/2024/ai-generate-malware.html
- Living off the Land (LOTL) – https://www.hhs.gov/sites/default/files/living-off-land-attacks-tlpclear.pdf
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, east-west traffic security, egress enforcement, and anomaly-based threat detection would have restricted attacker movement, detected suspicious AI file activity, and prevented covert outbound data flows. Distributed policy enforcement and microsegmentation reduce risk from trusted file types and limit access to sensitive assets within cloud workloads.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: File-based anomalies or unusual process activities could be detected in real time.
Control: Zero Trust Segmentation
Mitigation: Access to privileged roles and sensitive assets is tightly restricted by policy.
Control: East-West Traffic Security
Mitigation: Lateral traversal between workloads is blocked or continuously monitored.
Control: Egress Security & Policy Enforcement
Mitigation: Unauthorized outbound connections and C2 traffic are blocked or detected.
Control: Encrypted Traffic (HPE)
Mitigation: Data exfiltration attempts are monitored and prevented, even over encrypted links.
Rapid response to destructive actions and containment of affected workloads.
Impact at a Glance
Affected Business Functions
- AI Model Deployment
- Data Processing
- System Administration
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive AI models and associated data due to unauthorized access facilitated by exploited vulnerabilities.
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust Segmentation to ensure least-privilege access and minimize attacker movement.
- Implement continuous east-west traffic monitoring to detect and block lateral threat activity.
- Enable robust egress filtering and inline inspection to prevent data exfiltration and external C2 communications.
- Utilize anomaly detection and distributed policy enforcement to identify and contain suspicious behaviors within cloud workloads.
- Regularly review and restrict trust in file types, including AI data files, by incorporating real-time enforcement controls.