{"id":23272,"date":"2025-07-10T12:44:02","date_gmt":"2025-07-10T16:44:02","guid":{"rendered":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/?p=23272"},"modified":"2025-07-10T12:44:02","modified_gmt":"2025-07-10T16:44:02","slug":"ai-trained-malware-evades-microsoft-defender-8-of-the-time-researchers-warn","status":"publish","type":"post","link":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/security\/ai-trained-malware-evades-microsoft-defender-8-of-the-time-researchers-warn.html","title":{"rendered":"AI-Trained Malware Evades Microsoft Defender 8% of the Time, Researchers Warn"},"content":{"rendered":"\n<p><strong>Key Takeaways:<\/strong><\/p>\n\n\n\n<ul>\n<li>Researchers used reinforcement learning on the open-source Qwen 2.5 model to train AI-generated malware that successfully bypassed Microsoft Defender 8% of the time.<\/li>\n\n\n\n<li>The project took three months and about $1,500 in cloud compute to complete, highlighting accessibility.<\/li>\n\n\n\n<li>Other tested models, including those from Anthropic and DeepSeek, had significantly lower evasion success rates (under 1%).<\/li>\n\n\n\n<li>The technique involves a feedback loop where the LLM learns from Defender\u2019s detection responses and adapts its malware outputs accordingly.<\/li>\n\n\n\n<li>While not immediately weaponizable, the research raises concerns about how easily AI tools can be repurposed to undermine endpoint protection.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright size-full is-resized\"><a href=\"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-content\/uploads\/2025\/07\/image-36.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1559\" height=\"775\" src=\"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-content\/uploads\/2025\/07\/image-36.png\" alt=\"\" class=\"wp-image-23274\" style=\"width:749px;height:auto\" srcset=\"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-content\/uploads\/2025\/07\/image-36.png 1559w, https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-content\/uploads\/2025\/07\/image-36-768x382.png 768w, https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-content\/uploads\/2025\/07\/image-36-1536x764.png 1536w\" sizes=\"(max-width: 1559px) 100vw, 1559px\" \/><\/a><\/figure><\/div>\n\n\n<p>A team of security researchers has demonstrated how an open-source large language model, Qwen 2.5, can be trained to create malware capable of slipping past Microsoft Defender\u2019s antivirus protections in roughly 8% of test cases. The <a href=\"https:\/\/www.tomshardware.com\/tech-industry\/cyber-security\/ai-malware-can-now-evade-microsoft-defender-open-source-llm-outsmarts-tool-around-8-percent-of-the-time-after-three-months-of-training\">findings<\/a> add to a growing body of research suggesting that AI, while a powerful tool for defenders, may also be used to develop increasingly evasive threats.<\/p>\n\n\n\n<p>The project\u2014conducted by cybersecurity firm Outflank\u2014was completed over a span of three months using reinforcement learning, an approach that allowed the model to evolve its attack strategy in response to real-time feedback. By querying Microsoft Defender&#8217;s response to generated code samples, the system learned to produce executables that were more likely to avoid detection.<\/p>\n\n\n\n<p>The researchers built a sandboxed environment where the AI model iteratively created malware, tested it against Defender, and adjusted its outputs based on whether the software was flagged. When a piece of malware avoided detection, that result reinforced the model\u2019s training loop.<\/p>\n\n\n\n<p>After months of training and several iterations, the Qwen 2.5 model succeeded in generating evasive malware 8% of the time\u2014a rate that significantly outpaced other models included in the experiment. Models from Anthropic and DeepSeek achieved evasion rates below 1%, demonstrating the comparative effectiveness of an open-source, reinforcement-tuned approach.<\/p>\n\n\n\n<p>What makes this development particularly concerning is the relatively modest amount of resources used to pull it off. The team reportedly spent around $1,500 in cloud compute, putting the technique well within reach of determined adversaries with technical knowledge and modest funding.<\/p>\n\n\n\n<p>Though the researchers stressed that the current approach is far from plug-and-play, and not something that can be deployed immediately by non-experts, it illustrates a trend: AI is beginning to stress-test the limits of traditional cybersecurity defenses.<\/p>\n\n\n<div class=\"wp-block-image is-style-rounded\">\n<figure class=\"alignright size-large is-resized\"><a href=\"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-content\/uploads\/2025\/07\/image-37.png\"><img loading=\"lazy\" decoding=\"async\" width=\"924\" height=\"694\" src=\"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-content\/uploads\/2025\/07\/image-37-924x694.png\" alt=\"\" class=\"wp-image-23275\" style=\"width:311px;height:auto\"\/><\/a><\/figure><\/div>\n\n\n<p>Microsoft Defender is a widely used endpoint protection tool, embedded in enterprise and consumer systems across the globe. An 8% evasion rate doesn\u2019t imply system failure, but it does point to a gap that could be exploited, particularly in targeted attacks where even one successful infiltration can have significant consequences.<\/p>\n\n\n\n<p>The broader implication is clear: cybersecurity is entering a new phase in which machine learning models on both sides\u2014attackers and defenders\u2014are locked in an iterative arms race. AI-generated code isn\u2019t just a productivity tool anymore; it\u2019s also becoming a means to probe, learn from, and potentially outmaneuver real-world defenses.<\/p>\n\n\n\n<p>In this case, the researchers used feedback from Microsoft Defender&#8217;s API responses to guide the model\u2019s outputs. While this approach is not novel in concept, applying it at scale with AI introduces efficiencies and speed that manual red teaming lacks.<\/p>\n\n\n\n<p>To stay ahead, defenders may need to adopt similar reinforcement learning techniques to test their own tools, identify detection blind spots, and simulate adversarial tactics more realistically.<\/p>\n\n\n\n<p>The research is expected to be presented at Black Hat 2025, where it will likely spark further discussion about the ethics, risks, and responsibilities tied to AI-enabled security testing\u2014and where to draw the line between helpful simulation and inadvertent enablement.<\/p>\n\n\n\n<p>Ultimately, while this proof-of-concept isn\u2019t yet practical for wide deployment by attackers, it signals a trajectory in which traditional static security methods may not be enough. Adaptive defense systems, dynamic detection models, and continuous red-teaming using AI agents could become necessities, not luxuries.<\/p>\n\n\n\n<p><strong><mark>Le<em>arn how AI Agents can supercharge your company\u2019s profits and productivity at&nbsp;<a href=\"http:\/\/www.tmcnet.com\/\">TMC\u2019s&nbsp;<\/a><a href=\"https:\/\/www.aiagentevent.com\/\">AI Agent Event<\/a>, Sept 29-30, 2025 in DC.<\/em><\/mark><\/strong><\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignleft\"><a href=\"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-content\/uploads\/2025\/05\/image-10.png\"><img loading=\"lazy\" decoding=\"async\" width=\"299\" height=\"136\" src=\"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-content\/uploads\/2025\/05\/image-10.png\" alt=\"\" class=\"wp-image-20657\"\/><\/a><\/figure><\/div>\n\n\n<p>If you liked this post, you\u2019ll love one of the the leading global business communications and technology events since 1999, the&nbsp;<a href=\"http:\/\/www.itexpo.com\/\">ITEXPO #TECHSUPERSHOW<\/a>, Feb 10-12, 2026 Fort Lauderdale, Florida.<\/p>\n\n\n\n<p>Don\u2019t forget the collocated&nbsp;<a href=\"http:\/\/www.mspexpo.com\/\">MSP Expo<\/a>&nbsp;\u2013 just for managed service providers!<\/p>\n\n\n\n<p><em>Aside from his role as CEO of&nbsp;<a href=\"http:\/\/www.tmcnet.com\/\">TMC<\/a>&nbsp;and chairman of&nbsp;<a href=\"http:\/\/www.itexpo.com\/\">ITEXPO<\/a>&nbsp;#TECHSUPERSHOW Feb 10-12, 2026,&nbsp;Rich Tehrani is CEO of&nbsp;<a href=\"https:\/\/www.rt-advisors.com\/\">RT Advisors<\/a>&nbsp;and a Registered Representative (investment banker) with and offering securities through&nbsp;<a href=\"https:\/\/www.4pointscapital.com\/\">Four Points Capital Partners LLC&nbsp;<\/a>(Four Points) (Member FINRA\/SIPC). He handles capital\/debt raises as well as M&amp;A. RT Advisors is not owned by Four Points.<\/em><\/p>\n\n\n\n<p>The above is not an endorsement or recommendation to buy\/sell any security or sector mentioned. No companies mentioned above are current or past clients of RT Advisors.<\/p>\n\n\n\n<p>The views and opinions expressed above are those of the participants. While believed to be reliable, the information has not been independently verified for accuracy. Any broad, general statements made herein are provided for context only and should not be construed as exhaustive or universally applicable.<\/p>\n\n\n\n<p><em>Portions of this article may have been developed with the assistance of artificial intelligence, which may have contributed to ideation, content generation, factual review, or editing<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Key Takeaways: A team of security researchers has demonstrated how an open-source large language model, Qwen 2.5, can be trained to create malware capable of slipping past Microsoft Defender\u2019s antivirus protections in roughly 8% of test cases. The findings add to a growing body of research suggesting that AI, while a powerful tool for defenders,<\/p>\n","protected":false},"author":44,"featured_media":23273,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[156],"tags":[],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts\/23272"}],"collection":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/users\/44"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/comments?post=23272"}],"version-history":[{"count":1,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts\/23272\/revisions"}],"predecessor-version":[{"id":23276,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts\/23272\/revisions\/23276"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/media\/23273"}],"wp:attachment":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/media?parent=23272"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/categories?post=23272"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/tags?post=23272"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}