Chapter 6 — Malware Development and Wireless Attacks

Malware — software designed to damage, disrupt, or gain unauthorised access to systems — has been the persistent threat throughout the history of cybersecurity. Wireless attacks target the increasingly ubiquitous wireless networks that connect modern devices to broader networks. Generative AI affects both areas as both attack capability and defensive capability. This chapter examines AI in malware creation focusing on obfuscation, polymorphism, and evasion; AI in wireless attacks including credential cracking and spoofing; and the defensive responses through secure Wi-Fi configuration, intrusion detection, and endpoint protection. The discussion is educational, focused on understanding the threat landscape and the defensive measures the MSc graduate needs to operate effectively.

6.1 AI in malware creation — obfuscation, polymorphic malware, evasion

Malware overview

Malware (malicious software) is any software designed to cause harm to systems, steal information, disrupt operations, or otherwise act against the interests of the legitimate user or owner of affected systems, ranging from simple scripts to sophisticated multi-component frameworks, with categories including viruses, worms, trojans, ransomware, spyware, rootkits, and others.

The malware landscape:

Commodity malware. Widely available; targets many victims; relatively unsophisticated. Examples: most ransomware-as-a-service, banking trojans, info-stealers.

Targeted malware. Custom-developed for specific operations; harder to detect and analyse. Examples: APT toolkits.

Living-off-the-land. Uses legitimate system tools for malicious purposes; minimises footprint.

Fileless malware. Operates in memory without persistent files; harder to detect.

Defensive perspective

The MSc graduate's relationship with malware is fundamentally defensive — understanding malware to defend against it. The discussion here covers concepts and categories at a level appropriate for defensive understanding without providing operational uplift for malicious development.

Traditional malware development

Without AI, malware development required:

Programming skills (typically C/C++, increasingly Go and Rust).
Knowledge of target OS internals.
Reverse engineering capability.
Understanding of detection mechanisms.
Persistent testing and refinement.

This skill barrier limited the supply of new malware. Skilled malware developers were valuable commodities in criminal ecosystems.

AI assistance in malware development

AI lowers the skill barrier in several ways:

Code generation. LLMs generate functional code for many tasks malware needs to perform.

Translation between languages. AI translates malware concepts across programming languages.

Concept explanation. AI explains attack techniques making them accessible.

Code review. AI identifies issues in malware code.

Documentation. AI produces documentation supporting development.

What AI can do (varying capability)

Frontier LLMs as of 2026 can:

Generate boilerplate. Standard programming patterns easily produced.

Suggest evasion approaches. Discuss conceptual evasion techniques.

Explain attack techniques. Educational discussion of how various malware works.

Help analyse malware. Reverse-engineering assistance.

Translate between languages. Port malware concepts.

What they generally do not do (with appropriate safety measures):

Generate functional novel malware on request. Frontier models refuse such direct requests.

Bypass safety measures consistently. Though prompt-injection and jailbreak research continues.

Match expert human capability. For sophisticated malware development.

AI obfuscation

Code obfuscation is the transformation of code into a form that is functionally equivalent but harder for humans (and detection systems) to analyse, used legitimately for intellectual property protection and illegitimately to hide malicious functionality from security tools and analysts.

Traditional obfuscation:

Variable and function renaming to meaningless identifiers.
Control flow obfuscation (rearranging logic).
String encoding/encryption.
Dead code insertion.
Anti-debugging techniques.

AI-enhanced obfuscation:

AI-generated semantically equivalent but textually different variants.
LLM-driven control flow transformations.
Dynamic obfuscation that varies with each generation.
Polymorphism through AI variation.

Polymorphic malware

Polymorphic malware is malware that changes its code from generation to generation while maintaining the same functionality, evading signature-based detection by ensuring each sample has a different hash and different byte patterns, with the changes typically achieved through encryption with varying keys, code-mutation engines, or in modern variants AI-driven variation.

Polymorphism is not new — concept dates from 1990s. AI extends the capability:

More diverse variation. Beyond mechanical mutation, semantic-level variation.

Functionality preservation. AI verifies variants still work.

Detection-aware variation. AI generates variants that evade specific known detections.

Variant-on-demand. Each victim gets a different variant.

Metamorphic malware

Beyond polymorphism, metamorphic malware changes its actual structure rather than just encrypted appearance:

Code reordering.
Equivalent instruction substitution.
Register usage variation.
Loop transformations.

AI substantially enhances metamorphic capability.

Evasion techniques

Various evasion techniques malware employs:

Anti-analysis.

Detecting analysis environments (VMs, sandboxes, debuggers).
Behaving differently when analysed.
Delaying malicious behaviour.
Encrypting payloads.

Anti-detection.

Avoiding known signatures.
Avoiding behavioural patterns flagged by EDR.
Using legitimate tools (living-off-the-land).
Operating in memory only (fileless).

Anti-removal.

Multiple persistence mechanisms.
System file modifications.
Rootkit techniques.
Repair mechanisms (reinstalling if removed).

LLM-aided malware analysis (defensive)

The same capabilities help defenders:

Reverse engineering assistance. LLMs help analysts understand obfuscated code.

Signature generation. From samples, generate detection rules.

Behaviour explanation. Describe what malware does.

Variant identification. Recognise variants of known families.

Triage acceleration. Prioritise samples for deeper analysis.

Tools like CAPA (FLARE), various malware-analysis-as-a-service, and AI-augmented sandboxes incorporate LLM capability.

Endpoint Detection and Response (EDR)

Endpoint Detection and Response is a category of security solution that combines continuous monitoring of endpoint activity with detection of suspicious behaviour, response capabilities, and forensic data collection, providing the modern equivalent of antivirus with substantially expanded capabilities for advanced threat detection.

Major EDR products:

CrowdStrike Falcon.
Microsoft Defender for Endpoint.
SentinelOne.
Carbon Black (VMware).
Trellix.
Sophos Intercept X.
Trend Micro Apex One.

EDR capabilities:

Behavioural detection (not just signatures).
Process tree analysis.
Memory analysis.
Network activity correlation.
Forensic data collection.
Automated response.
Threat hunting support.

XDR — Extended Detection and Response

Beyond endpoint:

Integration of endpoint, network, identity, cloud signals.
Cross-domain correlation.
Unified detection and response.

Major XDR offerings extend the EDR vendors' capabilities.

Defence against AI-augmented malware

The defensive response to more capable malware:

Behavioural detection over signatures. Behaviour harder to obfuscate than code.

Memory analysis. Catches fileless malware.

Application allowlisting. Only approved applications run.

Privileged access management. Limits damage from compromise.

Network segmentation. Contains lateral movement.

Continuous monitoring. Detection at multiple stages of attack.

Threat hunting. Proactive search for sophisticated threats.

Rapid response. Containment before damage spreads.

Ransomware specific concerns

Ransomware deserves specific attention:

Modern ransomware:

Targets large organisations for higher payouts.
Often combined with data exfiltration (double extortion).
May include triple extortion (DDoS, customer notification).
Increasingly targets cloud and backup infrastructure.
Sophisticated negotiation and payment systems.

AI-aided ransomware development. All the AI capabilities above apply to ransomware specifically.

Defensive measures for ransomware:

Immutable backups.
Segmentation limiting spread.
EDR catching encryption activity.
Network monitoring catching data exfiltration.
Incident response plans for ransomware specifically.
Decisions about ransom payment policy (typically: no).

For Nepali context, ransomware incidents at Nepali organisations occur regularly though many are not publicly disclosed. Several Nepali banks and enterprises have invested substantially in ransomware-specific defences.

Malware analysis in Nepal

Capabilities relevant to Nepal:

npCERT has malware analysis capability.
Cyber Bureau under Nepal Police investigates malware cases.
Major Nepali banks have internal capability or external partnerships.
Local security firms offer analysis services.
Academic research at IOE Pulchowk and other institutions on malware analysis topics.

The MSc graduate with malware-analysis skills has substantial opportunity in Nepali enterprise security teams or specialised firms.

6.2 Generative AI in wireless attacks — WPA cracking, spoofing

Wireless security context

Wireless networks (Wi-Fi, Bluetooth, NFC, cellular) face specific security challenges:

Radio waves propagate beyond physical perimeters.
Authentication often weaker than wired equivalents.
Many devices with varied security maturity.
IoT proliferation introducing weak devices.
User behaviour around public Wi-Fi.

Wi-Fi security overview

Wi-Fi security has evolved:

WEP. Wired Equivalent Privacy. Broken in early 2000s; should never be used.

WPA. Wi-Fi Protected Access. Improvement over WEP; eventually deprecated.

WPA2. Dominant standard from mid-2000s through 2010s. Reasonably secure when properly configured.

WPA3. Current standard. Improvements particularly for individual users (SAE protocol).

Enterprise variants (WPA2-Enterprise, WPA3-Enterprise). Use 802.1X for individual authentication.

Common Wi-Fi attacks

Cracking WPA2-Personal. Capture handshake; offline crack password.

Evil twin. Rogue AP imitating legitimate network.

Deauthentication attacks. Disconnecting clients from legitimate network.

KRACK (Key Reinstallation Attack). Specific vulnerability in WPA2 protocol; widely patched.

Dragonblood. Vulnerabilities in WPA3 (largely addressed).

Captive portal attacks. Malicious captive portals capturing credentials.

WPS attacks. Wi-Fi Protected Setup PIN brute force.

AI in Wi-Fi attacks

Password cracking enhancement. AI-generated password candidates targeted for specific contexts (geographic, linguistic, demographic). More likely to crack specific passwords than generic wordlists.

Personalised wordlists. Given reconnaissance information about a target, AI generates likely password candidates incorporating personal details, dates, common patterns.

Adaptive attacks. AI adapts attack strategy based on observed responses.

Evil twin enhancement. AI-generated convincing portal pages for specific contexts.

Voice and language matching. For attacks involving social engineering over wireless channels.

Password cracking with AI

Traditional password cracking:

Brute force (try all combinations).
Dictionary attacks (try common passwords).
Hybrid attacks (dictionary + modifications).
Rainbow tables (precomputed hashes).

AI additions:

ML models trained on leaked password sets generate likely candidates.
Personalised wordlists based on target information.
Adaptive strategies prioritising likely candidates.
Pattern-aware generation reflecting how humans actually create passwords.

Tools incorporating AI:

PassGAN. Generative adversarial network for password generation.
Hashcat with AI-generated wordlists.
Various research projects.

Spoofing attacks

MAC address spoofing. Trivial; AI not needed.

SSID spoofing. Pretending to be legitimate network; AI helps select convincing SSIDs.

Beacon flooding. Generating many fake beacon frames; mostly volumetric.

Authentication spoofing. Impersonating authentication exchanges; technical attack.

Captive portal spoofing. AI-generated convincing portal pages.

Voice spoofing in wireless contexts. AI-generated voices for vishing over wireless calls.

Bluetooth attacks

Bluetooth has its own attack categories:

Bluejacking. Sending unwanted messages.
Bluesnarfing. Stealing information from Bluetooth devices.
BlueBorne. Vulnerability class.
KNOB attack. Key Negotiation Of Bluetooth.

AI assists in similar ways — automated reconnaissance, payload generation, social engineering for pairing approval.

Cellular and 5G concerns

Cellular networks:

IMSI catchers / Stingrays. Surveillance equipment intercepting cellular traffic.
SS7 attacks. Exploiting signaling protocol weaknesses.
5G-specific concerns. New attack surfaces in 5G features.

These attacks generally require specialised equipment and skill; AI augments but doesn't fundamentally change.

IoT and wireless

IoT devices proliferate; many have weak wireless security:

Default credentials.
Outdated firmware.
Limited update mechanisms.
Weak protocols.

AI scans for vulnerable IoT devices, automates exploitation, manages botnet of compromised devices.

Defensive considerations

The defensive response to AI-enhanced wireless attacks combines technical and operational measures.

6.3 Defense strategies — secure Wi-Fi configurations, IDS, endpoint protection

Secure Wi-Fi configuration

For enterprise:

WPA3-Enterprise with 802.1X authentication preferred. Individual credentials per user; no shared secrets.

Certificate-based authentication stronger than password-based.

Strong RADIUS configuration with proper TLS.

Network segmentation. Wi-Fi separated from sensitive networks; access through appropriate controls.

Guest networks isolated. Visitors on separate network with limited access.

Wireless intrusion detection monitoring for attacks.

Rogue AP detection. Identifying unauthorised APs.

Regular security review. Wi-Fi configurations audited.

For SMB/home:

WPA3-Personal where supported; WPA2-Personal otherwise.

Strong unique passwords. Not common patterns; long.

Network name (SSID) considerations. Don't reveal organisation or vendor unnecessarily.

Guest network separation. Visitors on different network.

Firmware updates. Router firmware kept current.

Disable WPS. Vulnerabilities; not needed for typical use.

Disable remote administration. Unless specifically needed.

Default credentials changed. Router admin password.

Wireless intrusion detection systems

A Wireless Intrusion Detection System (WIDS) is a security system that monitors wireless network traffic and configurations to detect unauthorised access points, malicious activities, attacks against the wireless infrastructure, and policy violations, providing visibility analogous to wired network intrusion detection.

Capabilities:

Detection of rogue APs.
Detection of attacks (deauth floods, evil twins).
Policy enforcement (which devices can connect where).
Anomaly detection on wireless traffic.

Products:

Built-in to enterprise Wi-Fi controllers (Cisco, Aruba, Ruckus).
Standalone (AirMagnet, others).

Endpoint protection

Discussed throughout, but for wireless context:

Personal firewalls on endpoints.

VPN when on untrusted networks (public Wi-Fi).

Certificate validation. Don't accept invalid certificates on public networks.

Browser security. HTTPS everywhere; warning on weak connections.

EDR. Endpoint detection as discussed.

Captive portal awareness

User behaviour matters:

Awareness of evil twin / fake portal risks.
Verification of legitimate networks.
Caution about credential entry on public networks.
VPN usage on public networks.

For Nepali context, public Wi-Fi is widely available at cafes, hotels, airports. Awareness of risks is variable; defensive use of VPN is increasingly common among professionals.

Network segmentation

Beyond Wi-Fi:

Sensitive systems isolated from general network.
Guest networks completely separated.
IoT devices on separate network.
Building automation systems isolated.
Lab/test environments separated.

Each network connection then explicitly controlled.

Continuous monitoring

For wireless specifically:

Wireless traffic patterns monitored.
Anomalies investigated.
Coverage assessed (no gaps, no overlap with neighbours that creates issues).
Performance monitoring identifies degradation.
Configuration drift detected.

Defensive AI for wireless

The defensive side:

Behavioural analytics on wireless connections. Identifying unusual patterns.

Automated rogue AP detection with ML.

Threat intelligence on wireless attacks. Specific to wireless environment.

Configuration analysis identifying weak configurations.

User behaviour analytics for wireless usage.

Wireless security in Nepali enterprises

Banks. Generally have segregated wireless networks for guests, employees, and operations. WPA3 or WPA2-Enterprise. Wireless IDS deployed.

Telecoms. Their own product but internal corporate Wi-Fi managed separately.

Enterprises. Variable maturity; major enterprises follow good practices; smaller ones often weak.

Universities. Often substantial wireless deployments with mixed security; eduroam federation common at IOE and TU.

Public spaces. Cafes, hotels, transport hubs — variable security; users responsible for own protection.

The MSc graduate working in network security in Nepal will encounter Wi-Fi as part of broader network architecture work; understanding wireless-specific concerns is part of the foundation.

IoT security

The category demands specific attention:

Inventory. Know what IoT devices are deployed.

Network isolation. IoT on separate networks.

Authentication. Strong unique credentials.

Update mechanisms. Firmware updates applied.

Decommissioning. Devices removed properly at end of life.

Monitoring. Behavioural detection of compromise.

Procurement controls. Security requirements in IoT purchases.

Defence-in-depth synthesis

For wireless and endpoint security:

User awareness
       ↓
Strong authentication
       ↓
Network segmentation
       ↓
Wireless intrusion detection
       ↓
Endpoint protection
       ↓
Continuous monitoring
       ↓
Incident response

Each layer catches some threats; combined they catch most. The endpoint and wireless attack vectors will continue evolving; defensive practice must adapt continuously.

The malware-wireless connection

Many malware infections begin with wireless vectors:

Compromised endpoint connected to corporate network.
IoT compromise providing pivot point.
Public Wi-Fi exploitation.
Mobile devices bringing infections.

Defensive measures span malware and wireless concerns.

Practical capability building

The MSc graduate building skills in these areas:

Hands-on labs. Setting up wireless infrastructure; testing attacks and defences.

CTF participation. Practical security challenges.

Industry certifications. OSCP, CWNA, CEH where relevant.

Vendor training. Cisco, Aruba, others.

Open-source tools. Aircrack-ng, Kismet, others for understanding wireless attacks.

Defensive tools experience. EDR, wireless IDS, SIEM.

For Nepali context, hands-on capability is what makes graduates immediately employable. Theoretical knowledge alone is insufficient; demonstrable practical capability matters.

The next chapter addresses the operational disciplines that bring everything together — advanced security operations leveraging AI throughout, building resilient AI systems against adversarial attacks, AI in incident response and forensics, and the frameworks for managing AI-related risks themselves.

· min read

6.1 AI in malware creation — obfuscation, polymorphic malware, evasion​

Malware overview​

Defensive perspective​

Traditional malware development​

AI assistance in malware development​

What AI can do (varying capability)​

AI obfuscation​

Polymorphic malware​

Metamorphic malware​

Evasion techniques​

LLM-aided malware analysis (defensive)​

Endpoint Detection and Response (EDR)​

XDR — Extended Detection and Response​

Defence against AI-augmented malware​

Ransomware specific concerns​

Malware analysis in Nepal​

6.2 Generative AI in wireless attacks — WPA cracking, spoofing​

Wireless security context​

Wi-Fi security overview​

Common Wi-Fi attacks​

AI in Wi-Fi attacks​

Password cracking with AI​

Spoofing attacks​

Bluetooth attacks​

Cellular and 5G concerns​

IoT and wireless​

Defensive considerations​

6.3 Defense strategies — secure Wi-Fi configurations, IDS, endpoint protection​

Secure Wi-Fi configuration​

Wireless intrusion detection systems​

Endpoint protection​

Captive portal awareness​

Network segmentation​

Continuous monitoring​

Defensive AI for wireless​

Wireless security in Nepali enterprises​

IoT security​

Defence-in-depth synthesis​

The malware-wireless connection​

Practical capability building​