By Alfaiz Nova, Cybersecurity Expert

Home
AI malware

AI‑Generated Malware: “Funklocker” and “SparkCat” Hit the Wild

Researchers cite Funklocker and SparkCat as early real-world AI-generated malware families, signaling a dangerous pivot to automated.
A conceptual image of AI-generated malware. A glowing core labeled "AI-generated" branches out into a network of nodes labeled "Funklocker" and "SparkCat.


 Security research highlights a pivotal shift—operators are now using GenAI to build and iterate malware, with “Funklocker” and “SparkCat” cited as early, real-world proof points that AI-authored code is no longer theoretical, marking a new class of automated cybercrime that complicates detection and response.

What’s actually new

  • Early named exemplars: Industry coverage of Black Hat/CrowdStrike’s 2025 threat hunting findings calls out “Funklocker” and “SparkCat” as emblematic, early-stage families showing GenAI-built malware is appearing “in the wild,” not just in lab PoCs. CrowdStrike frames this as adversaries automating malware generation and iteration at scale.crowdstrike+1

  • Related confirmation trend: In parallel, ESET disclosed PromptLock, an AI-powered ransomware that uses a local LLM to generate variable Lua payloads at runtime—evidence that AI-driven code paths can dynamically change IOCs and frustrate static detection. While PromptLock is a PoC/early-stage strain, it validates the technical pathway.thehackernews+1

Funklocker snapshot

  • Ransomware lineage with AI assists: Public research ties “FunkSec/Funklocker” operations to rapid, AI-assisted development cycles, Rust-based encryptors, and low initial AV detections, with claims of an AI chatbot supporting operator tasks. Analysts note code redundancy and inexperience offset by AI-enabled iteration speed.research.checkpoint+1

  • Why it matters: Frequent version bumps plus AI-augmented coding reduce dwell time between feature adds and AV signatures, boosting initial success rates before defenses adapt.research.checkpoint

SparkCat snapshot

  • Emerging actor/tooling: Security community and academic references cite SparkCat as an AI-influenced malware family used to automate intrusion steps; public, detailed family writeups are still sparse, reflecting the nascency of the strain and limited artifact availability. Coverage groups it with Funklocker as early AI-built proof points.westoahu.hawaii+1

Why AI-built malware is harder to catch

  • Variable code paths: LLM-generated components can alter strings, control flow, and loaders between builds or even at runtime (e.g., PromptLock’s Lua), reducing hash-based and simple heuristic matches.eset+1

  • Faster iteration: Adversaries use AI to prototype features, solve errors, and port across languages (Golang/Rust/Python), compressing dev cycles and widening platform reach.wired+1

  • Lower skill barrier: Less-experienced actors can produce working encryptors and loaders, expanding the pool of viable threat actors and increasing noise and volume.wired+1

Detection and defense implications

  • Behavior over signatures: Emphasize behavior-based EDR (encryption patterns, mass file ops, shadow copy deletes, LOLBin abuse) and cloud analytics that spot anomalous process trees regardless of binary novelty.crowdstrike

  • Memory and script telemetry: Monitor in-memory loaders, interpreter spawns (e.g., Lua/Python), and on-host model/runtime calls used to generate code on the fly—PromptLock-style approaches will propagate.thehackernews

  • Rapid intel loops: Expect more frequent minor variants; tighten threat intel ingestion and automated blocking for emerging families and infrastructure to keep pace.computerweekly+1

What to watch next

  • From PoC to monetization: Track if SparkCat/Funklocker affiliates shift from demos/low ransom asks to mainstream RaaS offerings with AI “builders.”research.checkpoint+1

  • Agentic malware: Reports forecast attackers co-opting AI agents to orchestrate multi-step operations; defenders should harden AI pipelines and watch for model/tool invocation from compromised hosts.computerweekly+1

Sources

  • Computer Weekly summary of CrowdStrike/Black Hat briefing: AI-built malware “Funklocker” and “SparkCat” cited as early proof that GenAI malware is in the wild.computerweekly

  • CrowdStrike 2025 Threat Hunting Report: adversaries automate with GenAI; identity and AI-agent targeting trends.crowdstrike+1

  • ESET and The Hacker News: PromptLock, an AI-powered ransomware using local LLM to generate variable Lua scripts at runtime, complicating detection.eset+1

  • WIRED analysis: broader trend of criminals using GenAI to develop ransomware and lower barriers to entry.wired

Hey there! I’m Alfaiz, a 21-year-old tech enthusiast from Mumbai. With a BCA in Cybersecurity, CEH, and OSCP certifications, I’m passionate about SEO, digital marketing, and coding (mastered four languages!). When I’m not diving into Data Science or AI, you’ll find me gaming on GTA 5 or BGMI. Follow me on Instagram (@alfaiznova, 12k followers, blue-tick!) for more. I also run https://www.alfaiznova.in for gadgets comparision and latest information about the gadgets. Let’s explore tech together!"
NextGen Digital... Welcome to WhatsApp chat
Howdy! How can we help you today?
Type here...