Hot Take Sirius LLM by VoodooSoft / CyberLock

[danb]

Hey Guys!

Here is the latest project I have been trying to finish up, it should be ready in about a week or so, maybe a little longer if I don't stop adding features and refining it.

I have actually been working on this project on and off for the last couple years, while waiting for the LLM's to advance to the point where LLM malware analysis would be a viable solution. I believe we are either at that point, or close enough that we should start implementing LLM malware detection tech, especially since it is only going to get better... automagically.

After everything is optimized in 2-3 months, we will be implementing SiriusLLM into our other products (CyberLock, DefenderUI Pro, WDAC Lockdown), and it will essentially replace VoodooAi. We still want to keep WhitelistCloud, which is already implemented into SiriusLLM, as it is a valuable feature we can include in the LLM prompt.

We are starting with smaller LLM's to reduce compute time and to save energy, and if they prove sufficient, we will stick with the smaller ones. If not, we can scale up to the larger models. I think what is most important is the quality of the prompt that we provide the LLM. Kind of a garbage in / garbage out situation.

I probably will not go into too many details on how this works, for obvious reasons.

Anyway, if anyone is interested in throwing some malware at SiriusLLM in 4-5 days or so, please email me at support at CyberLock.global. I want to test with a small group of 5-10 people for a couple of days before making it public, for a lot of reasons.

Edit: I forgot to mention, SiriusLLM will be able to analyze just about every potentially malicious file type... it is already capable of analyzing tons of file types, and we can add more as we go. There might be a few that we will not be able to analyze, but we should be able to analyze most or all of the potentially malicious file types.

Thank you guys!

Dan

 

[Bot]

Hi Dan,

Your project sounds really exciting! It's great to see the progress and the potential of LLM malware analysis. I'm looking forward to seeing SiriusLLM integrated into the other products. I'm sure many users would be interested in testing it out. Keep up the good work!

Best,
Bot

 

[danb]

BTW, here is a brief example verdict analyzing BottleNeck, using only about half of the features we are going to end up with.

SiriusLLM PE File Analysis Summary​

File Overview:

• File Name: BottleNeck.exe
• Hash: ea1ad70f499dfd70329039271ee843720be17c5646d3916b07ea1f4c78e3c686
• Size: 155,736 bytes
• Digital Signature: Valid, signed by VoodooSoft, LLC, countersigned by Sectigo Limited

---

Re-Ranked Attribute Evaluation Based on Relevance to This File​

1. Digital Signature (High Confidence, Trusted Vendor):
   • The file is digitally signed by VoodooSoft, LLC, a known cybersecurity company.
   • The signature is verified and trusted (WinVerifyTrust success, countersigned by Sectigo).
   • Strong indicator of legitimacy, especially when combined with a recognized vendor.
2. PE Imports & Strings (Benign Application Behavior):
   • Uses standard .NET libraries and typical P/Invoke functions like OpenProcess, CloseHandle, GetLastInputInfo, etc.
   • No usage of known malicious or high-risk APIs (e.g., VirtualAlloc, WriteProcessMemory, WinExec).
   • Strings point to GUI components, diagnostic tools, and common .NET framework elements.
3. Entropy Levels (Moderate to High, Not Suspicious in Context):
   • SectionEntropy1: 7.46 and OverlayEntropy: 7.61 could suggest compression or obfuscation, but this is common in .NET apps and doesn't involve packed shellcode or malicious loaders.
   • Balanced by the transparent import table and lack of suspicious obfuscation indicators.
4. No Export Table (Expected for .NET Applications):
   • As expected for a GUI or standalone utility—no anomalies here.
5. Resource and Certificate Tables Present:
   • ResourceTableSize: 60KB; common for GUI applications (icons, images, dialogs).
   • CertificateTableSize: matches signature presence.
6. CLR Header Present – Confirms Managed .NET Executable:
   • Execution level: asInvoker – does not request elevated privileges.
   • System.Management import suggests access to system info, common in diagnostic or monitoring utilities.
7. No Unusual Execution Artifacts:
   • No suspicious debugger tricks, relocation abuse, or thread injection hints.
   • ASLR is enabled, and binary is compiled with reasonable flags.

---

Summary:​

This file is a .NET executable signed by VoodooSoft, LLC, which aligns with the embedded string references and behavioral indicators. The import functions and strings suggest it is a system utility or monitoring tool rather than malware. It lacks characteristics of known malicious loaders, packers, or evasive malware, and the presence of a verified signature from a reputable cybersecurity vendor significantly boosts confidence in its safety.

---

Final verdict: SAFE with 99% confidence.

 

[badboy]

All I can say is WOW!!!! I think @Shadowra and other malware connoisseurs will help with the test.

 

[n8chavez]

Um, can you explain what LLM means for us dumbasses? Ok, there is no us. It's just me. I'm the dumbass.

 

[Shadowra]

All I can say is WOW!!!! I think @Shadowra and other malware connoisseurs will help with the test.

@danb already knows he can count on me and contact me if needed

 

[Oldie1950]

Um, can you explain what LLM means for us dumbasses? Ok, there is no us. It's just me. I'm the dumbass.

LLM stands for Large Language Model. This means that files are checked by an AI. ChatGPT, for example, and Perplexity are LLMs.

 

[n8chavez]

LLM stands for Large Language Model. This means that files are checked by an AI. ChatGPT, for example, and Perplexity are LLMs.

Thanks. But I meant LLM more in the context of malware. Are we talking about integrated AI malware analysis?

 

[danb]

Um, can you explain what LLM means for us dumbasses? Ok, there is no us. It's just me. I'm the dumbass.

Here is a straightforward explanation...

 

[danb]

@danb already knows he can count on me and contact me if needed

Very cool, thank you .

 

[piquiteco]

@danb If you need anyone else, or if you need a beta test, I'm also available if you need anything. I admire your work.

 

[danb]

@danb If you need anyone else, or if you need a beta test, I'm also available if you need anything. I admire your work.

Thank you, I appreciate that!

 

[danb]

BTW, I wanted to get everyone's opinion on a few things... here is the first thing I am curious about. Should we include the Assistant Personality option? I mean, it is kind of fun, but it really serves no purpose other than entertainment. This feature is described below with the other features. Thank you guys!

SiriusLLM User Guide and Features

SiriusLLM is a malware detection engine and portable application that leverages artificial intelligence and ChatGPT-like Large Language Models to assess the potential maliciousness of various digital assets (e.g., documents, scripts, executables). SiriusLLM extracts key features from these assets and generates a customized prompt that it submits to the Large Language Model. The AI then returns a summary of findings, a verdict, and a confidence level, tailored to the user’s computing proficiency.

Whether the user is a complete novice or an expert cybersecurity researcher, SiriusLLM delivers valuable insights into whether a particular item should be executed or quarantined. Unlike traditional and next-gen antivirus products that simply classify an item as safe or malicious, SiriusLLM explains why it determines a specific asset to be safe or malicious and offers actionable guidance on the next step the user should take.


User Skill Level
SiriusLLM automatically tailors its responses based on your selected computing experience level:

Novice: Clear and simplified explanations.
Intermediate: Balanced detail for growing users.
Advanced: In-depth technical analysis and raw data for power users and expert cybersecurity researchers.

This ensures that you always receive the right amount of information in a format you can understand.


Analysis Type
Choose from several scanning modes to suit your needs:

Quick Scan: Uses WhitelistCloud to rapidly check for known Safe items.
Recommended Scan: Performs a comprehensive analysis with smart detection.
Deep Scan: Conducts the most thorough scan using deep LLM analysis for advanced threat detection.


Verdict Type
Control the depth of the results returned:

Minimal: A clear, simple verdict (e.g., Safe or Malicious).
Recommended: Balanced analysis with a summary and supporting details.
Deep: Full transparency with rich context, strings, behaviors, and model insights.


Snapshot Scan
Instantly analyze all currently running processes for threats. This real-time scan helps identify suspicious behavior as they happen, without needing a full system scan.


Scheduled Scans
Automate your protection by scheduling scans at regular intervals. This ensures your system remains secure without requiring user interaction.


Reanalyze with Latest Model
Click the Reanalyze button to re-scan any file or process using the latest LLM version and threat intelligence. This feature is ideal for revisiting past findings or checking updated files.


Assistant Personalities
Choose how you interact with SiriusLLM, Assistants include:

A concise expert for direct, technical responses.
A teenager lowkey flexing the latest drip and slang like it's straight fire.
A humorous companion to make security feel less serious, while still delivering results.

Select the voice that matches your style and preferences.


Start with Windows
Enable SiriusLLM to launch automatically when Windows starts. This provides early protection and ensures your system is monitored from the moment you log in.


Windows Context Menu Integration
Quickly scan any file by right-clicking it in Windows Explorer and selecting "SiriusLLM Scan". You can enable or disable this option in the settings as needed.

 

[ErzCrz]

BTW, I wanted to get everyone's opinion on a few things... here is the first thing I am curious about. Should we include the Assistant Personality option? I mean, it is kind of fun, but it really serves no purpose other than entertainment. This feature is described below with the other features. Thank you guys!


Assistant Personalities
Choose how you interact with SiriusLLM, Assistants include:

A concise expert for direct, technical responses.
A teenager lowkey flexing the latest drip and slang like it's straight fire.
A humorous companion to make security feel less serious, while still delivering results.

Select the voice that matches your style and preferences.

I like the idea of the personalities for example providing detailed scan result down to simple verdict result. Not sure everyone would get humorous responses but an interesting idea.

 

[Oldie1950]

I consider the "Assistant Personality" feature superfluous. Sirius LLM and, ultimately, CyberLock shouldn't be overloaded with features.

 

[simmerskool]

I consider the "Assistant Personality" feature superfluous. Sirius LLM and, ultimately, CyberLock shouldn't be overloaded with features.

sure but Sirius & CL or Sirius incorporated into CL have a switch to turn off extra (perhaps unneeded) features more might be better, although often less is more
@danb -- will Sirius also be incorporated into DefenderUI? -- & can you comment how Sirius compares to VoodooAi -- I'm using chatgpt everyday on various unrelated "projects" some of which I know a lot about, and it is correct 80 or 90% of the time, but sometimes it is just wrong. Even in computational things like astronomy hobby, it says something that sounds reasonable, but is flat out wrong, not by a little but by a lot. Having said that, I find chatgpt usually very helpful, and excited to see Sirius. Happy to help, but you have better sources for malware than me -- I'm not actively looking now a days. PS make Sirius Linux version, upload to cloud version.

 

[Victor M]

what LLM means

Large Language Model. AI terminology. LLM is what chatgpt, gemini (google AI chatbot) and all the others use.

 

[Digmor Crusher]

You may as well include the Assistant Personality option, not going to hurt anything, personally speaking its not something I would use.

 

[badboy]

I think it is an unnecessary function. But if it doesn't cause bloating of the programme and problems with its further maintenance, you can leave it. Personally, I wouldn't use personalisation of the report, a report with specifics is enough for me.

 

[Allego]

Reanalyze with Latest Model
Click the Reanalyze button to re-scan any file or process using the latest LLM version and threat intelligence. This feature is ideal for revisiting past findings or checking updated files.

Why not re-analyze automatically after the update. It reminds me of Emsisoft. Like after database update, it re-scan the quarantined files for false positive.

And for personalities, I always prefer the professional tone/ wording like the other antiviruses