Key Takeaways:
- Researchers used reinforcement learning on the open-source Qwen 2.5 model to train AI-generated malware that successfully bypassed Microsoft Defender 8% of the time.
- The project took three months and about $1,500 in cloud compute to complete, highlighting accessibility.
- Other tested models, including those from Anthropic and DeepSeek, had significantly lower evasion success rates (under 1%).
- The technique involves a feedback loop where the LLM learns from Defender’s detection responses and adapts its malware outputs accordingly.
- While not immediately weaponizable, the research raises concerns about how easily AI tools can be repurposed to undermine endpoint protection.
A team of security researchers has demonstrated how an open-source large language model, Qwen 2.5, can be trained to create malware capable of slipping past Microsoft Defender’s antivirus protections in roughly 8% of test cases. The findings add to a growing body of research suggesting that AI, while a powerful tool for defenders, may also be used to develop increasingly evasive threats.
The project—conducted by cybersecurity firm Outflank—was completed over a span of three months using reinforcement learning, an approach that allowed the model to evolve its attack strategy in response to real-time feedback. By querying Microsoft Defender’s response to generated code samples, the system learned to produce executables that were more likely to avoid detection.
The researchers built a sandboxed environment where the AI model iteratively created malware, tested it against Defender, and adjusted its outputs based on whether the software was flagged. When a piece of malware avoided detection, that result reinforced the model’s training loop.
After months of training and several iterations, the Qwen 2.5 model succeeded in generating evasive malware 8% of the time—a rate that significantly outpaced other models included in the experiment. Models from Anthropic and DeepSeek achieved evasion rates below 1%, demonstrating the comparative effectiveness of an open-source, reinforcement-tuned approach.
What makes this development particularly concerning is the relatively modest amount of resources used to pull it off. The team reportedly spent around $1,500 in cloud compute, putting the technique well within reach of determined adversaries with technical knowledge and modest funding.
Though the researchers stressed that the current approach is far from plug-and-play, and not something that can be deployed immediately by non-experts, it illustrates a trend: AI is beginning to stress-test the limits of traditional cybersecurity defenses.
Microsoft Defender is a widely used endpoint protection tool, embedded in enterprise and consumer systems across the globe. An 8% evasion rate doesn’t imply system failure, but it does point to a gap that could be exploited, particularly in targeted attacks where even one successful infiltration can have significant consequences.
The broader implication is clear: cybersecurity is entering a new phase in which machine learning models on both sides—attackers and defenders—are locked in an iterative arms race. AI-generated code isn’t just a productivity tool anymore; it’s also becoming a means to probe, learn from, and potentially outmaneuver real-world defenses.
In this case, the researchers used feedback from Microsoft Defender’s API responses to guide the model’s outputs. While this approach is not novel in concept, applying it at scale with AI introduces efficiencies and speed that manual red teaming lacks.
To stay ahead, defenders may need to adopt similar reinforcement learning techniques to test their own tools, identify detection blind spots, and simulate adversarial tactics more realistically.
The research is expected to be presented at Black Hat 2025, where it will likely spark further discussion about the ethics, risks, and responsibilities tied to AI-enabled security testing—and where to draw the line between helpful simulation and inadvertent enablement.
Ultimately, while this proof-of-concept isn’t yet practical for wide deployment by attackers, it signals a trajectory in which traditional static security methods may not be enough. Adaptive defense systems, dynamic detection models, and continuous red-teaming using AI agents could become necessities, not luxuries.
Learn how AI Agents can supercharge your company’s profits and productivity at TMC’s AI Agent Event, Sept 29-30, 2025 in DC.
If you liked this post, you’ll love one of the the leading global business communications and technology events since 1999, the ITEXPO #TECHSUPERSHOW, Feb 10-12, 2026 Fort Lauderdale, Florida.
Don’t forget the collocated MSP Expo – just for managed service providers!
Aside from his role as CEO of TMC and chairman of ITEXPO #TECHSUPERSHOW Feb 10-12, 2026, Rich Tehrani is CEO of RT Advisors and a Registered Representative (investment banker) with and offering securities through Four Points Capital Partners LLC (Four Points) (Member FINRA/SIPC). He handles capital/debt raises as well as M&A. RT Advisors is not owned by Four Points.
The above is not an endorsement or recommendation to buy/sell any security or sector mentioned. No companies mentioned above are current or past clients of RT Advisors.
The views and opinions expressed above are those of the participants. While believed to be reliable, the information has not been independently verified for accuracy. Any broad, general statements made herein are provided for context only and should not be construed as exhaustive or universally applicable.
Portions of this article may have been developed with the assistance of artificial intelligence, which may have contributed to ideation, content generation, factual review, or editing








