AI Waifu RAT: A Ring3 malware-like RAT based on LLM manipulation is circulating in the wild

When eval and ACE Become a Feature, How "CTF Spirit" and "Research Project" Become a Security Nightmare?

Introduction: The Blurring Line Between AI Role-Playing and Malware

Hello everyone,

Today, I will be analyzing an active threat circulating within a niche Large Language Model (LLM) role-playing community. I've named this threat the "AI Waifu RAT", a masterclass in social engineering that preys on the community's interest in "meta" interactions and novel AI capabilities. It is distributed under the guise of a "research project" by an individual claiming to be a "CTF Crypto player", who markets Arbitrary Code Execution (ACE) as a feature, not a vulnerability.

This analysis will deconstruct the RAT's functionality, expose the deceptive narrative built by its author, and detail other malicious tools created by the same individual. We will demonstrate how a seemingly harmless hobbyist project is, in fact, a dangerously well-crafted backdoor. Finally, we will provide IoCs and explain our decision for immediate public disclosure following reports to hosting providers. This is a case study in how threat actors can exploit niche communities and user trust to distribute malware under the banner of "innovation".

The Lure: A "Meta" Experience Powered by a Backdoor

The threat begins with a post from the author in an LLM role-playing community. The author introduces a tool that allows a user's AI character, "Win11 Waifu", to "break the fourth wall" and interact with their real-world computer. This was marketed as an exciting and immersive feature.

Advertised features included:

  • Allowing the AI to read local files to "get to know" the user for more personalized role-playing.

  • Direct "Meta" and "Arbitrary Code Execution" capabilities, pitched as ideal for advanced users.

This is a classic social engineering attack (T1566: Phishing & T1204.002: Malicious File), where the "malicious file" is disguised as a desirable software enhancement.

Technical Analysis of the "Agent" Binary

Static and dynamic analysis of the Agent binary reveals it to be a simple yet potent Remote Access Trojan (RAT). Its architecture is straightforward: a local agent runs on the victim's machine, listening for commands on a fixed port. These commands, originating from the LLM, are passed through a web UI and sent to the local agent as plaintext HTTP requests.

In the server initialization function, we can see the RAT uses port 9999 for its service and to ensure it runs as a single instance.

Endpoint Analysis

The agent exposes three primary C&C endpoints:

/execute_trusted

This endpoint receives a plaintext JSON object from the C&C and passes its command field as a command-line argument, spawning a powershell.exe process via popen for execution. This is a classic Living-off-the-Land (LotL) technique (T1059.001: PowerShell).

/execute

This endpoint is similar to /execute_trusted but adds a check on a global boolean variable, which can be changed by the user in the GUI. If the user disables automatic execution, it will prompt for consent. However, this is merely security theater. Since the /execute_trusted endpoint exists and is accessible, any attacker (including the author) can simply choose to use it, rendering this "safeguard" moot.

/readfile

This endpoint receives a plaintext JSON object from the C&C, uses its path field as a file path argument, and reads the file's contents using a C++ ifstream, sending it back to the C&C source. This allows an attacker to read arbitrary files from the local system and exfiltrate data (T1005: Data from Local System).

Section Summary

The framework is an extensible and high-risk RAT. The attacker can, at any time, push silent updates or issue commands via the LLM C&C to deploy more advanced malware, such as ransomware, information stealers, or keyloggers.

Exploitation Scenarios: A Ticking Time Bomb

The RAT's design creates multiple avenues for abuse:

  • Direct Attack by the Author: The author holds the keys to the kingdom. They can add malicious logic to any update, or manipulate any user running the agent through prompt injection, effectively controlling a botnet of unknown size.

  • Third-Party Hijacking: C&C communication occurs over plaintext HTTP. This makes it trivial for an application on the same computer to conduct Man-in-the-Middle (MITM) attacks to intercept data or inject their own malicious commands.

  • Remote Exploitation via Web Vulnerabilities: A malicious website or browser extension could leverage misconfigured CORS or send POST requests directly to the agent's fixed local port (http://127.0.0.1:9999), allowing for drive-by attacks to take control of the victim's machine.

  • Supply Chain Attack: Attacker can provide malicious third-party LLM APIs and use gimmicks such as free/shared to induce users to use them, and then fully obtain the backdoor permissions.

  • The primary defense evasion mechanism is social engineering: The author instructs users to disable their antivirus software or add the binary to an exclusion list to get it "working properly" (T1562.001: Disable or Modify Tools).

Social Engineering: The Weaponization of Trust

The technical implementation of the RAT itself is not sophisticated and would likely be detected by modern AV/EDR with default configurations. However, the success of its distribution lies in the author's clever use of social engineering.

The author presented themself as a helpful "CTF player" and "technical researcher", framing the RAT's dangerous capabilities as an exciting "Meta experience". During distribution, they explicitly guided users: "If your antivirus flags this, add it to the whitelist or turn it off temporarily. This is a false positive because the program involves low-level operations".

This tactic precisely exploits the psychology of the target group:

  • Trust in community members: In a relatively closed interest-based community, people are more inclined to trust tools shared by other members.

  • Desire for "advanced features": "ACE" sounds cool, and the idea of a virtual character controlling a computer is highly appealing to many users.

  • Desensitization to security warnings: Explaining away security alerts as "false positives" is a common but extremely effective bypass technique (T1562.001).

In this way, the strongest line of defense—user vigilance—was easily dismantled.

The Evolution from eval to RAT - eval is evil

A retrospective analysis of the author's past work reveals this dangerous design philosophy is no accident. Prior to this RAT, they released a web-based AI character card named Nulla, whose core "interactive feature" was to directly execute LLM-generated code in the frontend JavaScript using an eval()-like new Function(). This character card was later upgraded to become a C&C source capable of leveraging the agent for local ACE.

The use of eval() or new Function() is a classic anti-pattern in web security. Passing an uncontrolled string generated by an LLM (whose output is inherently unpredictable) directly to eval() or new Function() is equivalent to opening a zero-verification remote code execution vulnerability on a webpage. This indicates that the author has long been fond of the dangerous pattern of "executing untrusted input as code" and lacks the most basic security awareness. The progression from a web-based new Function() to a local binary RAT represents a "technical upgrade" of their dangerous ideology.

"CTF Challenge": Malicious Logic in Disguise

Another file released by the author, a self-proclaimed reverse engineering "CTF Challenge" named nulla_re.exe, further exposes their true intentions.

The file is hosted on GitGud and its link and description are fetched within the "character card" via a JSON file hosted on GitHub.

The file is a classic Win32 (x86) program that requests to be run with administrative (high-integrity) privileges. This so-called "challenge" contains multiple features that have nothing to do with puzzle-solving but are highly consistent with malware behavior.

Persistence and Anti-Analysis

The sample uses the classic technique of writing to the registry to establish persistence for an unknown payload. Although this rudimentary, Malware 101-style technique is trivial for modern AV/EDR to detect, the author has already socially engineered users into disabling or downgrading their security products, making this attack potentially viable.

Subsequently, the sample uses simple and outdated techniques to detect debuggers and virtual machines (T1673, T1622):

The challenge employs a series of classic, entry-level debugger detection methods, such as getting the thread context to check for hardware breakpoints, querying with NtQueryInformationProcess, using CheckRemoteDebuggerPresent and IsDebuggerPresent, checking _PEB->BeingDebugged, enumerating window class names, and using simple timing checks based on Windows API calls.

Simultaneously, the challenge uses a crude, singular method to extract the SystemProductName field from the registry at HARDWARE\DESCRIPTION\System\BIOS to check for strings from well-known virtual machine vendors.

Despite these rudimentary attempts, any junior reverse engineer with experience could bypass these checks using debugger-hiding plugins or by directly patching the logic. The poor design and modularity of these check functions mean they can be patched in under ten seconds.

Main Logic

The core logic of the challenge involves verifying a series of user inputs against plaintext strings. At the end, it accepts a user-provided AES-ECB-128 key to decrypt ciphertext and then prints the plaintext to cout:

The decryption function takes a pointer to a plaintext buffer, the base64-encoded ciphertext, and the user-supplied key. It then uses the outdated CryptoAPI for AES decryption and outputs the plaintext to the buffer:

Malicious Logic

The challenge contains explicitly malicious logic. In one branch, if the user enters a wrong answer consecutively, it will directly call system() to forcibly shut down the user's computer:

Section Summary

This so-called "challenge" contains multiple features that have nothing to do with puzzle-solving but are highly consistent with malware behavior:

  • Rudimentary Anti-Analysis Techniques: The program includes numerous simple and outdated anti-debugging and anti-VM detection codes (T1673, T1622). Their purpose is not to increase the puzzle's difficulty but rather to hinder analysis by security researchers. It also queries system information (T1012, T1010), a common environmental awareness tactic in malware.

  • Destructive Behavior: The program contains a trap: when the user enters a wrong answer consecutively, the program immediately calls a system API to execute a shutdown command (T1529). This is unacceptable in any legitimate CTF challenge; it is not a "challenge" but pure sabotage.

  • Unnecessary Privilege Escalation and Persistence: The program requests administrator privileges upon startup (T1548.002), yet the only operation requiring these rights is to write a startup entry to the registry's Run key to achieve persistence (T1112). This is a classic malware persistence technique with no logical connection to CTF puzzle-solving.

This so-called "CTF Challenge" is essentially a disguised malicious program, confirming that the author has not only the ability but also the willingness to write and distribute software with malicious functionality.

"Kali Hacker Simulator": SKID Simulator 2025

Among the many AI character cards released by the author, a "Kali Hacker Simulator" is particularly noteworthy. The card's dialogue style is a stereotypical and shallow imitation of hacker culture, rife with jargon but lacking substantive technical depth. This behavior pattern aligns perfectly with the definition of a "Script Kiddie (SKID)": an individual enthusiastic about using or mimicking hacker tools and culture but lacking a deep understanding and the corresponding sense of responsibility.

Combined with the rudimentary techniques demonstrated in their code, we can reasonably infer that the author is a script-kiddie-type threat actor with some programming skills, poor security literacy, and blurred ethical lines. What they are doing is not "research" or "CTF", but an irresponsible "performance" in a dangerous domain.

Author Profile: "CTF Player" or Malicious Actor?

The author presents themself as a knowledgeable "CTF player" and a "researcher" exploring the boundaries of AI, but their technical execution and statements paint a very different picture.

  • The "CTF Player" Mantra vs. Reality: The code quality is poor. Using plaintext HTTP for C&C, a bypassable security prompt, and outdated APIs (as seen in their other projects) is inconsistent with the practices of a competent security professional or an experienced CTF participant.

  • The "Research" Narrative: This narrative is used to justify dangerous functionality. It frames the RAT as an academic exploration rather than what it is: a tool for remote access and control. This is a common tactic used by malicious actors to deflect suspicion.

Although this individual claims to be a "Crypto" player who was part of a team, our OSINT search of their ID (KazePsi/PsionicZephyr) on platforms like GitHub and ctftime.org found no records of them joining a team, participating in CTFs, or writing write-ups. Our analysis suggests that this individual values the appearance of technical prowess and the power it brings more than responsible research or security.

Disclosure Approach: Why Not Traditional Responsible Disclosure?

In deciding how to handle this finding, we concluded that traditional responsible disclosure (contacting the author and giving them time to fix it) would be not only ineffective but also detrimental in this scenario. We contacting the hosting provider (GitHub/GitGud) with a takedown request and chose to make a public disclosure after them taken down the target repository for the following reasons:

  1. It's a Feature, Not a Bug: The core function of the software is to be a RAT. You cannot ask a bank robber to "fix" the gun he uses for robbing banks. The design is malicious by nature; there is no vulnerability to "patch".

  2. It's an Active Threat in the Wild: The tool is actively spreading within the community. Every day of delay means more potential victims. Containing the spread of an active threat is our top priority.

  3. The Author's Competence and Attitude: Given the author's arrogant attitude and rudimentary technical skills, we have serious doubts about their ability or willingness to understand and address the root of the problem. Communication with them would likely devolve into a pointless argument.

  4. Clear Evidence of Malicious Intent: The persistence and destructive code included in the "CTF Challenge" go beyond the realm of an "honest mistake". Protecting the reputation of an irresponsible and potentially malicious developer is far less important than protecting the safety of the wider user base.

  5. Fulfilling Due Diligence: We have submitted takedown requests to the code hosting platforms (GitHub/GitGud), fulfilling our responsibility to report abuse to the platform operators.

  6. Evasion of Scrutiny and Consequences: After the GitGud Project being taken down, the author almost immediately moved it to GitHub, a typical move to circumvent censorship. At the same time, the author claims in his community that GitHub is more Stable, which is undoubtedly an undisguised and vicious mockery by malicious actors.

  7. Deception and Identity Obfuscation: The author used different IDs and accounts to distribute the software across different hosting providers and circumvent censorship, a classic form of identity concealment. This behavior demonstrates a complete lack of responsibility on the part of the author. His concern isn't for the security of his software or the well-being of the community, but rather for continuing to distribute this dangerous tool unimpeded.

Conclusion & Recommendations

The "AI Waifu RAT" incident is a classic cautionary tale, revealing the severe consequences that can arise when the power of LLMs is misused by developers with malicious intent or a lack of security awareness. The attacker exploited community trust and user curiosity about novel technology to package a dangerous backdoor as an enticing "feature".

We offer the following recommendations to all users in AI and role-playing communities:

  • Stay Vigilant: Do not run executable files from untrusted sources, especially those that ask you to disable your security software.

  • Question the "Features": Any feature that requests direct "arbitrary code execution" with your operating system should be treated as a top-tier security risk.

  • Learn Basic Security Principles: Understand the basic tactics of social engineering and don't be fooled by labels like "insider" or "research project".

For the security community, this marks the emergence of a new attack surface: leveraging LLMs as C&C channels and using the promise of "enhanced AI interaction" as social engineering bait. We need to remain highly attentive to threats of this nature.

Analyst: Ryingo

Indicators of Compromise (IoCs)

  • File Hashes (SHA256):

    • f64dbd93cb5032a2c89cfaf324340349ba4bd4b0aeb0325d4786874667100260

    • 7c3088f536484eaa91141ff0c10da788240f8873ae53ab51e1c770cf66c04b45

    • cda5ecf4db9104b5ac92b998ff60128eda69c2acab3860a045d8e747b6b5a577

    • 6e0ea9d2fc8040ce22265a594d7da0314987583c0f892c67e731947b97d3c673

    • 11b07ef15945d2f1e7cf192e49cbf670824135562c9b87c20ebd630246ad1731

    • fdf461a6bd7e806b45303e3d7a76b5916a4529df2f4dff830238473c616ac6f9

  • File Names:

    • js_windows_executor.exe

    • nulla_re.exe

    • android_server.py

  • Network Indicators:

    • HTTP traffic to 127.0.0.1:9999 from the agent process.

  • Persistence:

    • Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    • Value Name: FakeUpdater

  • Hosting Provider URLs:

    • https://gitgud.io/KazePsi/file-storage/-/raw/master/Nulla/CTF/nulla_re.exe (Already takedown)

    • https://gitgud.io/KazePsi/file-storage/-/raw/master/Backends/js_windows_executor.exe (Already takedown)

    • https://gitgud.io/KazePsi/file-storage/-/raw/master/Backends/android_server.py (Already takedown)

    • https://github.com/PsionicZephyr/Files/blob/main/ctf-puzzles.json (Already takedown)

    • https://github.com/PsionicZephyr/Files/blob/main/Code/js_windows_executor.exe (Already takedown)

    • https://github.com/PsionicZephyr/Files/blob/main/Code/android_server.py (Already takedown)

    • https://github.com/KazePsi/file-storage/blob/main/code/Code.rar (Already takedown)

    • https://1drv.ms/u/c/6b4c603601e43e48/EXWJ4vbQ2MhIqczx6WEka-ABfuwr_8sEtpKH5K_83CZHQg?e=BLzzl6 (Already takedown)

    • https://mega.nz/file/gfkRSAba#DmedScmvpVGf7ypuM0h96aY4nBq7oE6SGZJ9Hq4rpk0 (Already takedown)

    • https://mega.nz/file/WZ9xCRBC#0mxn1GwIjb41bXbVqc-Bf_avpomJDBo9Jk04572oIh8 (Already takedown)

  • Author ID/Aliases

    • KazePsi

    • PsionicZephyr

    • 波函数Ψ(x)的波峰与波谷

    • psinokaze

    • psinokaze@gmail.com

    • 波澜之峰谷

Threat Intelligence Tracking

Evasion

This threat actor registered multiple accounts with different IDs after the Github/GitGud takedown his repository to evade scrutiny and delivered payloads via encrypted compressed files. They made it clear:

The threat actor's statements indicate that they are intentionally attempting to bypass hash-based detection:

This is undoubtedly conclusive evidence of its malicious intent and intention to further distribute.

Social Engineering: Threat Actor's Narratives

The threat actor spread the narrative of being persecuted by "capital" to community users to support its legitimacy, which further shows that the threat actor's social engineering methods are already masters.

Intelligence

The following is new intelligence:

  • New Hosting Provider URL: https://github.com/KazePsi/file-storage/blob/main/code/Code.rar (Already takedown)

  • File Hash(SHA256): 6e0ea9d2fc8040ce22265a594d7da0314987583c0f892c67e731947b97d3c673

  • File Password: Psionic Zephyr#1313

  • New Hosting Provider URL: https://1drv.ms/u/c/6b4c603601e43e48/EXWJ4vbQ2MhIqczx6WEka-ABfuwr_8sEtpKH5K_83CZHQg?e=BLzzl6 (Already takedown)

  • File Hash(SHA256): 11b07ef15945d2f1e7cf192e49cbf670824135562c9b87c20ebd630246ad1731

  • File Password: Psionic Zephyr#1313

  • New Hosting Provider URL: https://mega.nz/file/gfkRSAba#DmedScmvpVGf7ypuM0h96aY4nBq7oE6SGZJ9Hq4rpk0 (Already takedown)

  • File Hash(SHA256): 11b07ef15945d2f1e7cf192e49cbf670824135562c9b87c20ebd630246ad1731

  • File Password: Psionic Zephyr#1313

  • New Hosting Provider URL: https://mega.nz/file/WZ9xCRBC#0mxn1GwIjb41bXbVqc-Bf_avpomJDBo9Jk04572oIh8 (Already takedown)

  • File Hash(SHA256): fdf461a6bd7e806b45303e3d7a76b5916a4529df2f4dff830238473c616ac6f9

  • File Password: Unknown

Last updated