Automatically Attacking Software Reverse Engineering AI Agents

Researchers demonstrate a novel adversarial attack using genetic algorithm-based prompt injection that can deceive LLM-powered reverse engineering tools like GhidraMCP into misinterpreting binary executables. This vulnerability exploits how large language models process decompiled code through surreptitious string variable assignments, potentially allowing malware to bypass automated detection systems that rely on AI-driven analysis.

This research reveals a critical vulnerability at the intersection of AI and cybersecurity tooling. As organizations increasingly integrate large language models into their malware analysis and reverse engineering workflows, attackers can now exploit these systems through adversarial prompting techniques. The attack works by injecting hidden instructions into binary code via string variables that don't affect executable functionality but corrupt the LLM's interpretation, effectively blinding automated security analysis. This represents an escalation in the malware-detection arms race, where defenders' new tools become vectors for attackers.

The technique builds on established adversarial attack methodologies like AutoDAN but applies them to a previously unexploited domain. Software reverse engineering tools have long been critical infrastructure for cybersecurity professionals, and their automation through AI promised significant productivity gains. However, this paper demonstrates that LLMs inherit fundamental vulnerabilities when processing code, making them susceptible to sophisticated adversarial inputs.

For the security industry, this creates immediate concerns about reliance on AI-assisted analysis pipelines without proper safeguards. Organizations deploying GhidraMCP or similar systems need to implement verification mechanisms alongside automated analysis rather than treating AI output as definitive. The research also highlights broader lessons for enterprises integrating LLMs into any security-critical workflows—adversarial robustness cannot be assumed and requires deliberate architectural choices.

Looking forward, defenders must develop techniques to detect and neutralize prompt injection attacks in code analysis contexts, while researchers should explore adversarial training methods specifically for decompiled code interpretation.

• →Adversarial prompt injection can corrupt LLM-powered binary analysis without modifying executable functionality or triggering traditional security alerts.
• →Automated malware detection systems relying on AI-driven analysis pipelines face new vulnerability vectors from sophisticated prompt-based attacks.
• →Organizations using tools like GhidraMCP must implement additional verification layers rather than trusting AI output as authoritative.
• →This attack demonstrates that LLMs inherit fundamental adversarial vulnerabilities when processing technical code, requiring defensive strategies during integration.
• →The research underscores the importance of adversarial robustness testing before deploying AI systems in security-critical applications.