LLM-assisted Generation of Pseudo-C2 Servers for IoT Malware Dynamic Analysis
Pith reviewed 2026-06-26 14:03 UTC · model grok-4.3
The pith
An LLM plus decompiler extracts full C2 protocols from malware binaries to build working pseudo servers.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The system extracts all 20 core protocol elements from the Mirai binary with 100 percent agreement to the ground truth and produces a pseudo-C2 server that fully reproduces seven of ten DDoS attack vectors with matching behavior; the identical end-to-end process succeeds on a source-modified Mirai variant, showing the LLM infers specifications from binary structures without pre-trained knowledge of the malware.
What carries the argument
LLM semantic interpretation of decompiled binary control structures to recover protocol elements, followed by automated generation of a pseudo-C2 server that implements those elements.
If this is right
- Dormant malware samples without live C2 infrastructure become amenable to full dynamic analysis.
- Protocol extraction reaches complete coverage of the 20 core elements on the tested family.
- A majority of attack vectors can be reproduced consistently by the generated server.
- The method operates on source-altered variants, confirming reliance on observable binary structures.
Where Pith is reading between the lines
- The same extraction-plus-generation steps could be tried on other common IoT botnet families to test breadth.
- Pseudo servers built this way could serve as controlled environments for testing new detection signatures.
- If the accuracy holds across families, large-scale automated analysis of collected samples becomes feasible without waiting for real C2 hosts.
Load-bearing premise
The LLM can correctly map the meaning of binary control structures onto protocol commands even for customized malware variants whose source differs from any training data.
What would settle it
Apply the pipeline to a new customized variant and observe whether the generated pseudo-C2 elicits the malware's expected attack commands or produces mismatched protocol behavior.
Figures
Original abstract
Most IoT malware operates as botnets dependent on Command and Control (C2) servers, but the short-lived nature of attack infrastructure often leaves samples dormant without C2 communication, hindering dynamic analysis. This paper proposes a system that combines Ghidra with a Large Language Model (LLM) to extract communication specifications from a malware binary and automatically generate a pseudo-C2 server. Experiments using Mirai demonstrate that the proposed system semantically interprets binary control structures and extracts all 20 core protocol elements in agreement with the ground truth (100% specification extraction accuracy). The generated pseudo-C2 server fully reproduces seven of ten DDoS attack vectors with attack behavior consistent with the original C2. When applied to a customized variant created by modifying the publicly available Mirai source code, the method succeeds end-to-end, from specification extraction through pseudo-C2 generation to attack reproduction, demonstrating that the LLM infers specifications from binary structures without relying on pre-trained knowledge. This approach extends the applicability of LLMs from analysis assistance to the automated construction of dynamic analysis environments.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper proposes a system combining Ghidra with an LLM to extract communication protocol specifications from IoT malware binaries and automatically generate pseudo-C2 servers for dynamic analysis of dormant samples. Experiments on Mirai report 100% accuracy extracting all 20 core protocol elements matching ground truth and full reproduction of 7/10 DDoS attack vectors with consistent behavior. End-to-end success on a customized Mirai variant (source modified then recompiled) is presented as evidence that the LLM infers specifications from binary control structures without relying on pre-trained knowledge.
Significance. If the central empirical claims are substantiated with detailed methodology and controls, the work could meaningfully extend LLM applications in malware analysis from assistance to automated construction of dynamic analysis environments, addressing the challenge of short-lived C2 infrastructure in IoT botnets.
major comments (2)
- [Abstract] The 100% specification extraction accuracy and 7/10 attack reproduction are presented without any information on how ground truth was established, the number of samples tested, error rates on non-Mirai families, or controls for LLM hallucination.
- [Abstract] The claim that success on the customized Mirai variant demonstrates inference without pre-trained knowledge is load-bearing for the novelty argument, yet no details are supplied on the scope of source modifications (e.g., protocol fields, control flows, or strings altered) or control experiments with unrelated IoT malware families.
Simulated Author's Rebuttal
We thank the referee for the thoughtful comments on the abstract. We agree that additional methodological context is needed to substantiate the claims and will revise the abstract and related sections accordingly.
Point-by-point responses
- Referee: [Abstract] The 100% specification extraction accuracy and 7/10 attack reproduction are presented without any information on how ground truth was established, the number of samples tested, error rates on non-Mirai families, or controls for LLM hallucination.
  Authors: We agree that the abstract lacks sufficient detail on these points. We will revise the abstract to briefly state that ground truth was established via manual comparison to the publicly available Mirai source code and protocol documentation, that experiments used multiple Mirai samples, that the evaluation was limited to the Mirai family (hence no non-Mirai error rates), and that hallucination was addressed through cross-verification with Ghidra decompilation outputs and repeated LLM queries with consistency checks.
  Revision: yes
- Referee: [Abstract] The claim that success on the customized Mirai variant demonstrates inference without pre-trained knowledge is load-bearing for the novelty argument, yet no details are supplied on the scope of source modifications (e.g., protocol fields, control flows, or strings altered) or control experiments with unrelated IoT malware families.
  Authors: We acknowledge that more detail is required to support this claim. We will revise the manuscript to describe the specific source modifications made to the public Mirai code (e.g., alterations to protocol fields, control flow changes, and string modifications). We did not conduct experiments on unrelated families because the customized variant was designed to isolate whether the LLM infers from binary structures rather than relying on prior Mirai knowledge; we will add an explicit discussion of this experimental design choice.
  Revision: yes
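The hallucination control the authors describe, repeated LLM queries reconciled by a consistency check before scoring against ground truth, written out as an added illustration (not code from the paper or from the system it describes); the element names, values and agreement threshold are hypothetical and constructed here, not the paper's 20 Mirai elements:

```python
from collections import Counter

# Constructed sample: three repeated LLM extraction runs over the same
# decompiled binary. Each run maps a protocol-element name to the value the
# model reported. Names and values are hypothetical placeholders.
RUNS = [
    {"c2_port": 7777, "heartbeat_interval_s": 60, "attack_udp_vector_id": 0,
     "attack_syn_vector_id": 2, "command_length_field_bytes": 2},
    {"c2_port": 7777, "heartbeat_interval_s": 60, "attack_udp_vector_id": 0,
     "attack_syn_vector_id": 3, "command_length_field_bytes": 1},
    {"c2_port": 7777, "heartbeat_interval_s": 60, "attack_udp_vector_id": 0,
     "attack_syn_vector_id": 2, "command_length_field_bytes": 4},
]

# Constructed ground truth, standing in for values read from the source code.
GROUND_TRUTH = {"c2_port": 7777, "heartbeat_interval_s": 60,
                "attack_udp_vector_id": 0, "attack_syn_vector_id": 2,
                "command_length_field_bytes": 2}


def consensus(runs, min_agreement=2 / 3):
    """Majority-vote each element across runs.

    Elements whose winning value falls below the agreement threshold are
    returned separately as unstable, so a likely hallucination is flagged for
    manual cross-checking against the decompiler output instead of being
    silently written into the generated pseudo-C2 specification.
    """
    elements = set().union(*(r.keys() for r in runs))
    spec, unstable = {}, {}
    for name in sorted(elements):
        votes = Counter(r[name] for r in runs if name in r)
        value, count = votes.most_common(1)[0]
        if count / len(runs) >= min_agreement:
            spec[name] = value
        else:
            unstable[name] = dict(votes)
    return spec, unstable


def extraction_accuracy(spec, truth):
    """Fraction of ground-truth elements the spec reproduces exactly.
    Missing or unstable elements count as errors."""
    matched = sum(1 for name, value in truth.items() if spec.get(name) == value)
    return matched / len(truth)


if __name__ == "__main__":
    spec, unstable = consensus(RUNS)
    print("needs manual check:", unstable)                       # command_length_field_bytes
    print("accuracy:", extraction_accuracy(spec, GROUND_TRUTH))  # 0.8
```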
Circularity Check
No circularity: empirical claims rest on direct measurements against ground truth.
Full rationale
The paper describes an LLM-assisted system for extracting protocol specs from binaries and generating pseudo-C2 servers, evaluated via direct experiments on Mirai (100% extraction of 20 elements, 7/10 attack vectors reproduced) and a source-modified variant. No equations, fitted parameters, or predictions appear; results are reported as empirical agreement with ground truth. The central claim that success on the variant shows inference 'without relying on pre-trained knowledge' is an interpretive conclusion from the experiment, not a self-definitional reduction or load-bearing self-citation. No patterns from the enumerated circularity kinds are present, and the derivation chain is self-contained as a system description plus measurements.
Axiom & Free-Parameter Ledger
axioms (1)
- Domain assumption: the LLM can semantically interpret binary control structures to extract protocol elements.