This post draws on conversations with Marcus Hutchins, Principal Threat Researcher; and Aaron Walton, Senior Threat Intelligence Analyst at Expel, on April 14, 2026. You can watch the full interview here.
TL;DR
- AI-generated malware is real—but it’s detectable, constrained by the same technical realities as human-written malware, and still requires expertise to be effective. Low-skill attackers using AI get low-quality results.
- The most viral AI malware claims don’t hold up. AI polymorphic malware, autonomous attackers, and WannaCry being “AI-powered” are all either misunderstood, exaggerated, or factually wrong.
- The real shift is a lower floor, not a higher ceiling. More attackers can do more things more cheaply—but in environments with solid fundamentals, that’s a manageable problem, not an existential one.
Marcus Hutchins has spent more than 15 years writing, reversing, and thinking about malware. He stopped the WannaCry ransomware attack. He’s been on the cover of WIRED. He is not easily impressed by security headlines.
So when he describes the current state of AI malware discourse as something he finds “annoying”—his word—it’s worth paying attention to why.
“There are arguments that certain things are being done faster,” he told us during a recent conversation on the topic. “But with malware, volume has never been the issue. We’ve had attackers making botnets of hundreds of thousands, millions of machines. That was not a capability limitation prior to AI.”
AI-augmented attacks have generated enough noise. Separating what’s actually happening from what’s being predicted, feared, or sold has become its own kind of work. Here’s our attempt to do that clearly.
| The claim | The reality |
|---|---|
|
AI polymorphic malware will defeat antivirus |
Behavioral detection already solves this. Code appearance is irrelevant to how modern EDRs work. |
|
AI gives script kiddies nation-state capabilities |
Low-skill actors get non-working malware. Mid-skill actors get common, detectable techniques. |
|
WannaCry was AI-powered |
WannaCry was 2017. Generative AI launched in 2022. This claim was fraud |
| Worm GPT is a serious offensive tool | It’s an open-source LLM with a scary name. Experts who’ve used it are not impressed. |
| AI malware is undetectable | Current AI-generated malware has tells—emoji comments, common techniques, loud behavior. |
| Fully autonomous AI malware is imminent | LLMs can’t reason or plan. End-to-end autonomous attacks still require human-built pipelines and human direction. |
| AI isn’t changing anything for attackers | AI is lowering the floor for who can execute attacks and how fast. That’s real—just less dramatic than claimed. |
Claim: AI polymorphic malware is going to render antivirus useless
The reality: This one bothers Hutchins more than most, and the reason is instructive.
Polymorphic malware—malware that rewrites its own code to evade detection—is not new. It’s been around for decades. And the security industry already solved for it. “We got rid of static signature-based antiviruses for that reason,” Hutchins said. “We moved on to behavioral-based detections, because looking at how the code looks isn’t very useful if someone can just change a couple of bytes.”
The argument that AI makes polymorphic malware newly dangerous assumes the industry is still relying on the detection method it abandoned years ago. It isn’t. Whether malware rewrites itself a thousand times or a billion times per second, behavioral detections are looking at what the malware actually does—what files it accesses, what processes it interferes with—not what it looks like. That’s the foundation of modern AI threat detection—behavior over appearance, regardless of how many times the code rewrites itself.
“Threat actors have been doing this since before AI,” Hutchins added. “Building self-rewriting code is not a technique that requires AI, and it’s not even really made easier by AI. Those technologies already exist. They work very, very well. They’re for sale on underground markets. So there isn’t really a reason for threat actors to implement a worse version of an existing technology just because it uses AI.”
Claim: AI will turn script kiddies into nation-state-level attackers
The reality: Hutchins tested this directly. He approached it from two angles: as an experienced malware developer using AI as a tool, and as a low-skill actor trying to get working malware out of an AI model with no prior knowledge.
The low-skill result: “You tend to get malware that just doesn’t work. It’s very hard to get working malware out of an AI if you don’t know what you’re doing.”
The mid-skill result is more nuanced—and more revealing. LLMs are statistical models. They gravitate toward the most common answer. In malware development, that’s a problem. “You don’t want the most common method of doing something malicious, because that is going to be the most detected method,” Hutchins said. “I found that in the middle-of-the-road threat actor use cases, you’d get a lot of malware that used very common malicious techniques—very likely to just run headlong into the antivirus.”
For an expert, AI is a productivity tool that speeds up the tedious parts of work they could already do. “I found that it could enable me to maybe do what I already do a little bit faster,” Hutchins said. “I didn’t find anything revolutionary—no new technique, no bypass I couldn’t have found myself.”
The capability ceiling hasn’t moved. What’s changed is that AI makes mediocre malware faster to produce—and mediocre malware is still mediocre.
Claim: WannaCry was AI-powered
The reality: This one isn’t a prediction or an exaggeration. It’s a factual error that circulated in a research paper—one with a prominent enough institutional name attached that it got picked up widely before anyone checked.
Hutchins was among the researchers who did check. “Not a single claim in this report is factual,” he said. The WannaCry claim was the most obviously wrong: the attack happened in 2017. The first generative AI model launched in November 2022. “That’s some interesting time science,” as Hutchins put it.
The paper was eventually pulled. But it had already been cited, amplified, and used to justify security spending decisions by executives who read the headline and assumed the source was credible. It’s a useful case study in how the AI malware hype cycle works—and why treating any research paper as authoritative without reading the substance is a liability.
Claim: Worm GPT is a serious AI-powered cybercrime tool
The reality: Worm GPT is an open-source LLM with a prompt telling it to help people do malicious things. Hutchins’s assessment is direct: “Have you used it? It is like trying to paint your house with a toothbrush. It is like the most useless thing that I’ve ever seen.”
The media attention it received was almost entirely about the name and the concept, not the capability. Cybercriminals don’t have the funding or the researchers to build a genuinely capable specialized model for offensive purposes. Nation-states do—and they probably already have something. But Worm GPT is not that, and conflating the two misrepresents where the actual risk lives.
Claim: AI-generated malware is undetectable
The reality: If anything, it’s more detectable than you might expect—at least for now.
Aaron Walton, a threat intelligence analyst at Expel who has been tracking AI-assisted malware in the wild, has a reliable tell: “We’ll unpack the malware and find a script that has all these comments in Russian—or just a lot of these emojis in the comments.”
Hutchins found the same thing while analyzing a nation-state APT’s code. “One of the biggest telltale signs was the honestly egregious use of emojis. AI models love to just put emojis in code, which is something no sane developer does. I was able to pinpoint the exact AI model they used just from the code.”
There’s a practical reason for this beyond the quirk: AI-generated malware tends toward common techniques, common structure, and common patterns. “It just tends to be fast and maybe gets the job done in an environment that doesn’t have detections in place,” Walton noted. “It tends not to be stuff that’s highly evasive.” Sophisticated evasion still requires sophisticated intent and expertise—things an LLM can’t supply on its own.
Claim: Fully autonomous AI malware is coming and will operate without human involvement
The reality: The LLMs driving current AI capabilities have fundamental limitations that matter here. “These LLMs, specifically, are very limited in their capabilities. They don’t have world models. They can’t truly think or reason. They’re only doing simulated thinking and reasoning, and that caps out at a certain level,” Hutchins said.
Building a system capable of autonomous, end-to-end malicious operation—from initial access through exfiltration, without human direction—requires more than a capable LLM. It requires pipelines, integrations, and infrastructure that someone has to build and maintain. “For something like that to exist for malware, someone would actually have to go out there and make it and then make it available to people,” Hutchins noted. “And that’s kind of where the facts and fiction sort of diverge.”
The more realistic version of the threat—AI used as an operational assistant for a human attacker, handling specific tasks within a larger campaign—is already happening. But it still requires a human in the loop.
What’s actually happening
Set aside the fiction and the picture that emerges is less cinematic but more actionable.
AI is being used to write malware faster. It’s being used to generate phishing content at scale. It’s being used operationally—Walton has tracked attackers using Claude to coordinate operations across a victim environment, handling tasks that would previously have required a larger team. “There are some novel attacks, such as attackers installing OpenClaw, where you have this tool that’s installed, operated by Claude, and you’re able to execute commands on a victim system,” he noted. These campaigns frequently combine AI-assisted tooling with living off the land (LOTL) techniques—using legitimate system tools to avoid detection.
The malware these actors produce is detectable, often loud, and constrained by the same technical realities that have always governed how attacks work. “When I typically hear about people being afraid of AI, it’s really that ‘new new’ thing—as if AI is going to break the laws of how computers work,” Walton said. “But the reality is that malware, whether written by a human or by AI, is constrained as to how it needs to function.”
The genuine concern isn’t a magic weapon. It’s a gradual lowering of the floor—more actors able to do more things, more cheaply, in environments that haven’t kept their defenses current. That’s a real problem. It’s just a much less interesting one than the headlines suggest.
As Hutchins put it: “We need to stop focusing on whether some magic new AI attack is going to happen and start focusing on what’s happening now—which is that even before AI, threat actors were breaking into networks very easily.”
That hasn’t changed. The urgency to address it has.
