Malware analysis assisted by AI with R2AI
Axelle Apvrille, Daniel Nakov
TL;DR
The paper evaluates AI-assisted malware analysis using r2ai, a Radare2 plugin, on Linux and IoT malware samples from 2024–2025. It compares multiple LLMs, finding Claude 3.5/3.7 Sonnet to deliver the best decompilation quality and explanatory output, while human analysts are still essential to guide and verify AI results. AI assistance accelerates analysis and often matches or surpasses human-only analyses, but introduces challenges such as hallucinations, omissions, and context-length limits that require vigilant oversight. Costs depend on the chosen mode and model, with auto mode offering faster results at higher expense, yet overall often remaining cheaper than hiring dedicated analysts when properly managed. The work demonstrates practical AI-assisted reverse engineering workflows, highlighting both the speedups and safety considerations necessary for deployment in malware analysis practice.
Abstract
This research studies the quality, speed and cost of malware analysis assisted by artificial intelligence. It focuses on Linux and IoT malware of 2024-2025, and uses r2ai, the AI extension of Radare2's disassembler. Not all malware and not all LLMs are equivalent, but the study shows excellent results with Claude 3.5 and 3.7 Sonnet. Despite a few errors, the quality of analysis is overall equal to or better than without AI assistance. For good results, the AI cannot operate alone and must constantly be guided by an experienced analyst. The gain in speed is clearly visible with AI assistance, even when taking into account the time needed to detect and understand the AI's hallucinations, exaggerations and omissions. The cost is usually noticeably lower than the salary of a malware analyst, but attention and guidance are needed to keep it under control in cases where the AI would otherwise loop without showing progress.
