PromptRiskDBThreat intelligence atlas

User Execution - AI Security Technique

AI Security Technique

An adversary may rely upon specific actions by a user in order to gain execution. Users may inadvertently execute unsafe code introduced via AI Supply Chain Compromise. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link.

Overview

A source-backed snapshot of this AI security technique.

Tactics1Attacker goals connected to this method.
Mitigations5Defenses that may help against this attack.
AI risks1Research-backed risks connected to this topic.

Technique details

Identifiers, maturity, and source taxonomy for this technique.

ATLAS ID
AML.T0011
Maturity
realized
ATT&CK external ID
T1204
Priority score
70
ATLAS tactics
Execution

Attack flow

How to read the public records connected to this technique.

1. TechniqueRead the ATLAS description and evidence level.
2. TacticsSee which attacker goals this method supports.
3. ExamplesCheck whether public case studies mention it.
4. DefensesReview safeguards mapped by ATLAS.
5. SourcesOpen the original public records and references.

Impact

Why this technique may deserve attention in the current dataset.

  • Evidence levelrealized
  • Mapped defenses5 ATLAS mitigation records
  • Public examples2 linked case study records
  • Research risks1 related MIT AI Risk records above the confidence threshold
  • Vulnerabilities0 linked CVE records

Mitigations

Defenses that may help against this attack.

AML.M0023 - AI Bill of Materials

An AI BOM can help users identify untrustworthy binaries.

LifecycleBusiness and Data Understanding + 2 moreCategoryPolicy
B&D UnderstandingData Preparation+1 more

AML.M0011 - Restrict Library Loading

Restricting binaries from loading external libraries can limit their ability to execute malicious code.

LifecycleDeploymentCategoryTechnical - Cyber
Deployment

AML.M0018 - User Training

Training users to be able to identify attempts at manipulation will make them less susceptible to performing techniques that cause the execution of malicious code.

LifecycleBusiness and Data Understanding + 5 moreCategoryPolicy
B&D UnderstandingData Preparation+4 more

AML.M0014 - Verify AI Artifacts

Introduce proper checking of signatures to ensure that unsafe AI artifacts will not be executed in the system.

LifecycleBusiness and Data Understanding + 2 moreCategoryTechnical - Cyber
B&D UnderstandingData Preparation+1 more

Showing 4 of 5

Case studies

Examples from public reports and exercises.

LAMEHUG: Malware Leveraging Dynamic AI-Generated Commands

In July 2025, Ukrainian authorities reported the emergence of LAMEHUG, a new AI-powered malware attributed to the Russian state-backed threat actor APT28 (also tracked as Forest Blizzard or UAC-0001). LAMEHUG uses a large language model (LLM) to dynamically generate commands on the infected hosts.

The campaign began with a phishing attack leveraging a compromised government email account to deliver a malicious ZIP archive disguised as Appendix.pdf.zip. The archive contained the LAMEHUG malware, a Python-based executable, packed with PyInstaller. When executed, the malware, makes calls to an LLM endpoint to generate malicious from natural language prompts. Dynamically generated commands may make the malware harder to detect. LAMEHUG was configured to collect files from the local system and exfiltrate them.

Date2025-06-03
incident

Arbitrary Code Execution with Google Colab

Google Colab is a Jupyter Notebook service that executes on virtual machines. Jupyter Notebooks are often used for ML and data science research and experimentation, containing executable snippets of Python code and common Unix command-line functionality. In addition to data manipulation and visualization, this code execution functionality can allow users to download arbitrary files from the internet, manipulate files on the virtual machine, and so on.

Users can also share Jupyter Notebooks with other users via links. In the case of notebooks with malicious code, users may unknowingly execute the offending code, which may be obfuscated or hidden in a downloaded script, for example.

When a user opens a shared Jupyter Notebook in Colab, they are asked whether they'd like to allow the notebook to access their Google Drive. While there can be legitimate reasons for allowing Google Drive access, such as to allow a user to substitute their own files, there can also be malicious effects such as data exfiltration or opening a server to the victim's Google Drive.

This exercise raises awareness of the effects of arbitrary code execution and Colab's Google Drive integration. Practice secure evaluations of shared Colab notebook links and examine code prior to execution.

Date2022-07-01
exercise

Source evidence

Original public records and references for this page.