Next-Gen Stealth: Malware Hides C2 Traffic as Fake LLM API Requests on Tencent Cloud
Ddos 
The Akamai Hunt team has uncovered a new malware strain that hides its command-and-control (C2) traffic behind what appears to be legitimate large language model (LLM) API requests, signaling a disturbing evolution in attacker tradecraft as organizations increasingly integrate AI technologies.
This approach allows malicious communication to blend in with the growing volume of LLM-related API calls—making detection dramatically more challenging for defenders.
Traditional malware often uses suspicious protocols or endpoints that security tools are trained to detect. But as AI chat interfaces and automation agents explode in popularity across enterprises, attackers are now camouflaging malicious traffic amid that noise.
Instead of relying on typical C2 schemas, the newly discovered malware sends a Base64-like encoded string to a fake LLM chat-completions API, bypassing the usual Authorization, model, or messages fields that legitimate LLM requests require.
This unconventional payload is then decoded and XOR-decrypted server-side, enabling the attacker to deliver instructions without resembling traditional malware traffic.
The malware attempts a direct socket connection to 39.97.57[.]244, and when that fails, it switches to an HTTP C2 endpoint designed to appear like an OpenAI-compatible API:
Akamai notes the significance of this: “the attackers chose to expose this specific endpoint to look more legitimate for defenders and network administrators, as the use of this API endpoint is becoming increasingly common with the rise of AI agents, integrations, and automation tools.”
The endpoint is hosted on Tencent Cloud Serverless Cloud Functions, giving the attacker:
- elastic scaling,
- geographic distribution,
- and the appearance of standard cloud automation traffic.
This makes attribution and detection far more difficult.
Although the malware mimics LLM traffic, it is not using the cloud function to generate AI responses. Instead, the fake chat-completions API serves as a RAT command gateway.
Once decoded, the C2 response contains instructions that grant full control over the victim’s machine. Akamai writes: “The malware supports several instructions, categorizing this malware as a remote access trojan (RAT) with full remote control over the victim.”
One example is the $HunterInfo instruction, which scans for configuration files of remote access tools such as ToDesk and exfiltrates them using the same XOR/Base64 pipeline.
Akamai’s researchers found three embedded .NET payloads encoded inside the malware. These components form a SOCKS5/HTTP proxy toolkit used to forward attacker traffic through the victim’s network, making the infected device an ideal pivot point.
The Hunt team also tied the malware to a suspicious RAR archive found on VirusTotal. The archive contains:
- a malicious LNK file disguised as “个人简历.lnk” (“Résumé”),
- nested directories containing .doc files with binary payloads instead of documents,
- and a multi-stage loader that eventually abuses a signed binary from Sangfor Technologies.
The report explains: “svchost.exe is actually ‘SangforPromote.exe’, a verified, signed file… When given the argument -InstallLsp and a DLL, the legitimate file loads the DLL.”
This DLL, named “360”, decrypts the next stage (sc) and communicates with—the same two C2 addresses used by the RAT—confirming all toolsets are part of a single malware ecosystem.
This malware is not the first to abuse LLM APIs, but its technique is more subtle than previous cases such as LameHug, PromptLock, or the SesameOp backdoor.
Akamai highlights the wider trend: “This is yet another example of how attackers are evolving their attack methodologies quickly, which reinforces the need for organizations to prepare for these modern threats.”
By hiding C2 behind API patterns used by OpenAI, OpenRouter, or Hugging Face—services now deeply integrated into business workflows—attackers are exploiting a new blind spot in modern network security.
Related Posts:
- Tencent Cloud’s Misconfiguration Exposed Internal Source Code and Credentials
- Hacker Leaks 1.4 Billion Tencent Records: Mobile, Email, and QQ IDs Exposed
- BMW models have been exposed to security flaws that can be remotely attacked by hackers
- AI’s Dark Side: Hackers Harnessing ChatGPT and LLMs for Malicious Attacks
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
