Answers to Your Questions After the Malware Packer Article

July 1, 2025

Thank You for the Positive Response!

I didn’t expect such a high level of interest in my inaugural blog post. It was a short research experiment — an idea to deliberately overfit an LSTM or Transformer model in order to “pack” it with code that could later be retrieved. The concept came to me about a month ago, but I only recently found the time to write it down and publish it.

It might not be something revolutionary, but it clearly hit a niche — no one had previously proposed using overfitting for a practical purpose, especially in the context of malware. And that’s exactly what turned out to be the most intriguing for the community.

My article gained unexpected popularity. After posting it on Reddit, it made it to the front page of r/MachineLearning. As of July 1:

Thank you for every comment, question, and critique. I’m glad the topic resonated with so many people.

Responses to Reddit Comments

I’d like to now respond collectively to a few of the most common comments and criticisms:

  1. “The PoC doesn’t execute the payload”

    Correct. My proof-of-concept was solely meant to demonstrate the mechanism — how an ML model can act as an archive/packer and how deliberate overfitting can encode weights to “store” a source file.

    That’s why you won’t find any real malware or dynamic in-memory code loading on GitHub. This was a conscious decision — I wanted to stay within the bounds of a clean prototype, not build a ready-made tool for malicious purposes.

    The repository includes a basic example using classic bubble sort, nothing more.

  2. “It’s just fancy code obfuscation”

    Agreed — in a sense, it is. It’s an unconventional form of code obfuscation. But this “fancy” approach opens up new attack vectors:

    • No binary file — the code resides in the model, so there’s nothing to analyze statically.
    • No traditional deployment — the payload can only be “extracted” using a specific model and architecture.
    • Inference as environment detection — sandboxes often shut down during idle time. Inference looks like… a benchmark to them.

Moreover, if you combine this with native system APIs for model execution (e.g., Windows ML API, CoreML, DirectML), add weight permutation and other tricks — you can create malware that is:

What’s Next?

I’m already working on a few more projects, which I hope the community will also find interesting. The latest one is a custom client library for the Model Context Protocol (MCP), designed to be lightweight, functional, and fast. It aims to address the shortcomings of current solutions, which lack those qualities. More details will be shared soon in the next article.

Thanks again to everyone for your comments, inspiration, and constructive criticism. If you enjoyed my previous post, let me know — every bit of feedback motivates me to keep exploring.