We discuss a novel AI-augmented attack method where malicious webpages use LLM services to generate dynamic code in real-time within a browser.

Unit42 is a cybersecurity research team known for its  analysis of cyber threats, malware, and cyber attack trends. Through research reports, threat intelligence briefings, and data analysis, Unit42 offers insights into emerging cyber threats and adversary tactics. Readers can learn about threat detection methodologies, vulnerability trends, and cyber attack attribution to enhance their cybersecurity posture and protect their organizations from advanced cyber threats.

Unit 42

Security researchers demonstrate a novel attack technique where malicious webpages use LLM APIs to dynamically generate phishing JavaScript at runtime. Attackers craft prompts that bypass AI safety guardrails, causing LLMs to return malicious code snippets that are assembled and executed in the victim's browser. This creates polymorphic, unique variants for each visit while delivering payloads from trusted LLM domains to evade network detection. The attack builds on existing runtime assembly behaviors but adds AI-generated code diversity. Effective defense requires runtime behavioral analysis within browsers rather than traditional network-based detection.

The Next Frontier of Runtime Assembly Attacks: Leveraging LLMs to Generate Phishing JavaScript in Real Time

LLM-Augmented Runtime Assembly Attack Model

Generalizing the Threat and Expanding the Attack Surface