Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
Malware

LONGSTREAM

LONGSTREAM is a malware family linked to Russia-nexus threat actors targeting Ukrainian organizations. Reported samples use LLM-generated decoy logic to camouflage malicious functionality by padding source files with large amounts of plausible-looking but functionally inert code, complicating static analysis and signature-based detection. A specifically noted characteristic is the presence of 32 separate instances of code querying the system's daylight saving status with no operational purpose beyond appearing benign. LONGSTREAM is repeatedly referenced alongside CANFAIL as part of the same Russia-linked activity cluster focused on Ukrainian targets. The provided content does not describe a specific infection vector, platform, or industry targeting beyond Ukrainian organizations, and does not provide concrete IOCs.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
MITRE ATT&CK

Techniques & procedures

6 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1587.001MalwareEvidence1

threat actors are using large language models to write polymorphic loaders... Public reporting now names specific actor clusters in the wild... APT27... used Gemini to accelerate development of fleet management tooling... APT45... sending thousands of repetitive prompts that recursively analyze CVEs and validate proof-of-concept exploits

Stealth

5 techniques
T1027Obfuscated Files or InformationEvidence5

Meanwhile, Russia-associated threat actors were reportedly using AI-generated decoy code to conceal malware strains such as CANFAIL and LONGSTREAM.

T1027.001Binary PaddingEvidence1

CANFAIL and LONGSTREAM... ask an LLM to generate large blocks of plausible-looking but functionally inert code, woven through the malicious logic as camouflage. One LONGSTREAM sample reportedly contained 32 separate instances of code querying the system’s daylight saving status

T1027.002Software PackingEvidence1

...two newly disclosed malware families that leverage AI for evasive techniques such as polymorphism...

T1036MasqueradingEvidence2

CANFAIL and LONGSTREAM... ask an LLM to generate large blocks of plausible-looking but functionally inert code, woven through the malicious logic as camouflage... making the malware look like legitimate administrative software to a casual reviewer.

T1497Virtualization/Sandbox EvasionEvidence3

In LongStream, researchers found 32 separate instances of the code checking the system's daylight saving status - repetitive queries with no functional purpose, inserted to make the malicious code harder to identify amid the noise.

Discovery

1 technique
T1497Virtualization/Sandbox EvasionEvidence3

In LongStream, researchers found 32 separate instances of the code checking the system's daylight saving status - repetitive queries with no functional purpose, inserted to make the malicious code harder to identify amid the noise.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app
malware newsNews
May 29, 2026
The AI-Embedded SOC: An Operating Model for the Asymmetry Era - Malware News - Malware Analysis, News and Indicators

Malware linked to Russia-nexus operations that embeds large amounts of plausible but functionally inert LLM-generated code to disguise malicious logic.

Read more
detectNews
May 29, 2026
The AI-Embedded SOC: An Operating Model for the Asymmetry Era | by Omar Tarek Zayed | May, 2026 | Detect FYI

Malware linked to Russia-nexus operations that embeds large amounts of plausible but functionally useless LLM-generated code to camouflage malicious behavior and resemble legitimate software.

Read more
cysecurity newsNews
May 25, 2026
Google Detects AI-Generated Zero-Day Exploit Targeting Web Admin Tool - CySecurity News - Latest Information Security and Hacking Incidents

A malware strain mentioned as being concealed with AI-generated decoy code by Russia-associated threat actors.

Read more
scworldNews
May 12, 2026
Google reports first known AI-assisted zero-day exploit in the wild | news | SC Media

AI-enabled malware family that uses LLMs to generate large volumes of decoy logic to obfuscate malicious intent.

Read more
+4 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping6

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.