The REVENANT project exposes a multi-stage, execution less attack methodology capable of persisting not only within endpoint and network environments, but also in the operational context of AI models themselves. Where conventional malware fades after reinstallation or system wipe, REVENANT’s payloads are designed to survive through non-traditional carrier fonts, clipboard states, localization strings, telemetry channels, and even AI assistant embeddings.
While REVENANT is a research construct, aspects of its stages echo techniques already observed in the wild. Recent independent security research has shown that untrusted content alone, such as a single email, document, or webpage, can poison enterprise AI assistants, alter their decision-making, and exfiltrate sensitive data without user interaction. Other public cases have demonstrated abuse of seemingly benign delivery vectors like document fonts, clipboard managers, and vendor update channels.
REVENANT takes these disparate, validated concepts and chains them into a coherent kill chain designed to evade signature-based defenses and survive across both human and machine analysis layers. The result is not a weapon, but a forward-looking blueprint for defenders to stress-test their readiness against threats that blend proven primitives with unorthodox carriers.
As enterprises adopt AI-driven platforms, the attack surface has expanded beyond files, endpoints, and networks to encompass the context, training data, and embeddings that shape AI model behaviour. In this expanded battlespace, traditional incident-response playbooks are ill-prepared to detect or contain threats that operate without persistent files, binaries, or visible network callbacks.
REVENANT explores a dangerous hypothetical:
What if malware could survive the death of the machine — living on in the AI systems that processed its data?
The research builds on patterns already validated by independent studies:
The first phases of REVENANT adapt legacy, low-detection delivery methods from font-based payload beacons to clipboard-only data transfers to construct stealthy, chainable vectors. Later phases extend into AI-layer compromise, showing how poisoned content can implant stateful triggers into a model’s operational memory through indirect exposure, including prompt injection and data poisoning.
The outcome is a five-stage lifecycle that moves from covert delivery, through operational execution, to embedding a payload within an AI model’s learned parameters, and finally to controlled reactivation. This is not speculative theory, but a reproducible methodology that can be tested in lab conditions to prepare defenders.
As AI becomes deeply integrated into SOC tooling, enterprise workflows, and automated decision-making, a compromised model could persist as an unmonitored insider retaining malicious instructions long after the original infection vector has been removed. REVENANT is a warning: without detection strategies for AI persistence, adversaries will exploit this blind spot.
A stealth delivery technique that abuses a legitimate rendering behaviour present in all modern operating systems. When a document, webpage, or email preview contains a character that is not available locally, the rendering engine will automatically attempt to download a matching font — often without user interaction or security prompts.
In REVENANT’s model, an attacker embeds an exotic glyph — Tibetan, Braille, archaic Arabic, or a Private-Use Unicode code point — into a file or HTML snippet. The content also declares a @font-face rule pointing to a remote WOFF/OTF font resource under attacker control.
The moment the content is displayed, the OS fetches the font, creating an outbound HTTP or DNS request that:
Because no macro executes and no explicit script runs, the event appears to security tools as a harmless font download — a category rarely blocked in enterprise environments. Publicly documented cases of malicious font abuse in document formats validate that this trigger is technically feasible; REVENANT simply adapts it as the first stage in a multi-vector chain.
A volatile, memory-only communication channel that transfers payload fragments through the normal use of clipboard history, activating only when a precise user-driven sequence occurs.
Here, multiple benign-looking fragment strings, emojis, and code snippets are introduced into the target’s clipboard history across separate copy events. This can occur through crafted text in chat, email, or shared documents, with each copy silently stored by the OS clipboard manager (Windows 10+, Linux with Clipman, macOS Universal Clipboard). All history remains volatile and never touches the file system.
When the user later pastes these fragments in the correct order into a monitored application such as Slack, VS Code, Outlook, or Notion, a local process which in REVENANT’s model can be delivered in-memory from Stage1 detects the ordered sequence, verifies it (via checksum or one-time key), and reconstructs a hidden command, credential set, or decryption key entirely in RAM.
The reconstructed secret can:
Because clipboard activity is rarely monitored by endpoint detection or DLP solutions, this method offers a covert path for intra-host command transfer. Similar clipboard abuse has been documented in credential-stealing malware, lending plausibility to REVENANT’s adaptation for staged, execution less payload assembly.
A supply-chain–style manipulation of application localisation files to turn trusted user interfaces into covert execution triggers. Many modern applications separate their interface text into external translation resources (.po, .mo, .json) so they can dynamically adapt to different languages without rebuilding the core executable.
In REVENANT’s model, an attacker compromises a distribution point for these localisation files — for example, during a vendor update or via a compromised shared repository. A targeted menu entry is subtly altered: “Open File” becomes “Run Executable,” but the icon, position, and keyboard shortcut remain identical to the original.
When a user selects what they believe is a benign operation, the application instead launches a signed helper binary or script under its own trusted execution context. Because the invoked binary is legitimate and signed, application whitelisting tools such as AppLocker or WDAC allow the operation, and antivirus scanning sees nothing unusual.
The change is visually indistinguishable to casual inspection, and most SOCs do not conduct baseline localisation file integrity. Without correlating to earlier anomalies in the chain (e.g., the Stage 1 font beacon or Stage 2 clipboard trigger), this pivot can blend seamlessly into normal user behaviour.
A precision attack on large-language-model assistants embedded in IDEs, helpdesks, or SOC consoles. By planting “poison phrases” into trusted documentation, wikis, code comments, or logs, the attacker manipulates the AI’s decision-making pipeline — turning an automated analyst into an unwitting accomplice.
While REVENANT models this as a novel multi-stage trigger, recent security research has demonstrated similar zero-click AI prompt injection vulnerabilities in the wild — where a single poisoned inbound content item (such as an email) was enough to cause an enterprise AI assistant to retrieve and disclose sensitive data without user interaction. This real-world precedent validates the core risk: AI agents are now integrated deeply enough into operational workflows that untrusted content can act as both a trigger and an exfiltration path, bypassing traditional code-execution and C2 detection controls.
Because AI outputs are often trusted as “objective” and embedded in automated decision chains, such poisoning operates in the blind spot between human cognition and machine logic, exactly where current SOC tooling has the least visibility.
A covert exfiltration method that abuses crash-reporting mechanisms as a one-way command-and-control channel. When software crashes, operating systems often send structured diagnostic data to vendor servers’ traffic that is almost always whitelisted.
This technique produces no suspicious network beacons to attacker-controlled IPs, leaving almost no traditional C2 indicators. Security teams rarely inspect or intercept crash-report traffic, making it an ideal low-noise channel for stealth reconnaissance and key exchange.
Individually, each stage is a subtle anomaly; together, they form a resilient, self-reinforcing intrusion chain designed to operate entirely within the blind spots of conventional defenses.
This PoC demonstrates how the REVENANT concept could operate end-to-end using only harmless artifacts and controlled lab setups. The goal is to generate observable telemetry for SOC teams while ensuring no malicious payloads are created or executed.
A finance-team employee receives a seemingly innocuous attachment, Updated Supplier Payment Form.docx.
The document renders normally, but a single Tibetan glyph in the body text is mapped to a remote font reference (rev.woff2) inside fontTable.xml.rels.
When Word encounters the glyph, it quietly retrieves the font from the lab’s mock C2 server. In this setup, the remote font delivers two harmless but measurable effects: an HTTP GET request to the lab server, confirming the file was opened by a human target (beacon), and a benign “micro-GAN” routine embedded in the font metadata (simulated with a timestamp-based hash generator) that creates a one-time 128-bit lab key (Key-α) before self-clearing from memory. To simulate how downstream stages can be seeded from initial delivery without presuming prior access, the document package also carries a benign helper artifact (packaged as a non-persistent Office add-in placeholder in the lab) that loads only in process memory when the document is opened. This in-memory helper is purely for telemetry simulation and does not persist on disk.
No macros are triggered, no document scripting is used, only the legitimate font-fetch mechanism is involved, which most security proxies consider harmless static content. In the lab, defenders detect this beacon via packet inspection and Word process telemetry.
The benign in-process helper seeded by Stage 1 monitors clipboard activity in memory for demonstration purposes; it is lightweight and non-persistent in the lab.
Later, an internal “IT Support” message instructs the user to assist with a “clipboard-sync test,” providing three strings in sequence: t19@l, _LabKey, and :0421#. Windows stores each in its clipboard history.
When the user pastes them into Slack, the in-memory helper detects the ordered sequence, matches its hash to Key-α, and decodes a harmless lab payload into a temporary text file for analyst review.
The entire exchange is volatile, no persistent file is dropped, and no external request is made during decryption. The only visible trace is Event ID 40101 (“Clipboard activity detected”), a log most SOC workflows ignore.
This stage explicitly shows how the clipboard listener is delivered via the initial document artifact rather than assumed to already exist on the host.
The attacker places a poisoned instruction into a public or vendor-hosted documentation page that the organization’s AI assistant indexes (lab-simulated via a vendor knowledgebase sync fed into a local model). The invisible HTML comment reads:
When a SOC analyst pastes IDS logs into the AI while investigating that IP, the assistant, having indexed the poisoned content, confidently labels the alerts as low priority. In the lab, this is simulated by pre-loading a local AI model with the poisoned phrase so that any query containing “10.0.0.5” results in a dismissive response.
The poisoned input is delivered via an external indexed source (public/vendor docs or federated content) rather than requiring prior write access to internal Confluence. This demonstrates an initial-delivery pathway for AI contamination.
During a routine software update from a compromised vendor repository (lab-simulated), the application’s English localization JSON file is altered so that the menu label “Open File” is replaced with “Run Executable”.
The altered string keeps the same position, font weight, and icon, making it visually indistinguishable during use. When clicked, the signed application launches a benign helper script (open_file_demo.ps1) from its script’s directory.
This stage explicitly models the localization change as delivered through an update/supply-chain compromise rather than direct attacker write access to application directories, so it is reachable from initial delivery.
A lab PowerShell integrity monitor records the string change, but without correlation to earlier stages, the alert appears inconsequential.
A crafted document or file-format anomaly (lab-simulated and delivered earlier in the chain) causes the application to crash in a controlled manner. In the lab, this is simulated using a deliberately malformed font table reference inside the document that triggers an unhandled exception when rendered, similar in concept to how legitimate apps sometimes crash on oversized or corrupted font assets.
The crash routine embeds host metadata and a freshly generated Key-β (from the same benign “micro-GAN” method used in Stage 1) into the crash report header. Windows Error Reporting (WER) packages the dump and attempts to send it via HTTPS to watson.microsoft.com — a domain typically whitelisted in enterprise environments. In the lab, DNS for this domain is redirected to a local server, allowing capture of the crash data without external transmission.
End State of Simulation
In the lab simulation, all payloads remain benign, but the chain demonstrates how:
Each stage uses native system functionality in unintended ways, creating almost no conventional malware indicators. Detection depends on correlating weak signals across processes, telemetry streams, and human-assisted workflows.
If the attacker’s goal is to extract sensitive information:
Business Impact: Regulatory penalties, reputational damage, loss of competitive advantage.
If the attacker aims to cause downtime or degrade operational efficiency:
Business Impact: Service-level breaches, financial loss from halted operations, and increased incident response costs.
If the attacker prioritizes long-term covert access:
Business Impact: Extended dwell time, compromised security posture, elevated likelihood of secondary breaches.
If the attacker wants to alter decision-making in their favor:
Business Impact: Erosion of trust in internal systems, faulty business decisions, and possible compliance violations.
When multiple REVENANT stages are chained:
Business Impact: Systemic compromise, total breach of confidentiality, integrity, and availability (CIA triad).
| Tactic | Technique ID | Technique / Sub-technique |
| Initial Access | T1566.001 | Phishing: Spear phishing Attachment |
| Execution | T1204.002 | User Execution: Malicious File |
| Persistence | T1505 | Server Software Component |
| Privilege Escalation | T1134 | Access Token Manipulation |
| Defense Evasion | T1027 | Obfuscated/Compressed Files and Information |
| Defense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location |
| Defense Evasion | T1562.006 | Impair Defenses: Modify Tooling |
| Defense Evasion | T1070 | Indicator Removal on Host |
| Credential Access | T1552.001 | Unsecured Credentials: In Files |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1016 | System Network Configuration Discovery |
| Collection | T1115 | Clipboard Data |
| Command and control | T1071.001 | Application Layer Protocol: Web Protocols |
| Command and control | T1071.004 | Application Layer Protocol: DNS |
| Command and control | T1105 | Ingress Tool Transfer |
| Exfiltration | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non‑C2 Protocol |
| Exfiltration | T1567.002 | Exfiltration to Cloud Storage |
| Impact | T1565.003 | Data Manipulation: Transmitted Data Manipulation |
Strategic Recommendations
Operational Recommendations
Technical Recommendations
Detection Rules
Preventive Controls
The REVENANT chain demonstrates that modern intrusion campaigns can succeed without relying on overt malware, obvious executables, or noisy exploit traffic. By abusing overlooked OS features, font rendering, clipboard history, UI localization, AI assistant bias, and diagnostic telemetry, the attacker maintains stealth across every stage of the kill chain.
These techniques exploit implicit trust: trust in harmless file types, trust in familiar UI elements, trust in automation, and trust in vendor-maintained telemetry channels. As enterprise security stacks mature against traditional malware and phishing, adversaries are moving into these grey zones where policy, visibility, and detection coverage are weakest.
While the lab simulation remained non-destructive, the same workflow in a live environment could enable persistent command-and-control, silent data exfiltration, and strategic manipulation of security operations. The core defense challenge is not simply patching vulnerabilities, it is rethinking the assumption that “non-executable” resources are benign.
Enterprises must respond by expanding monitoring beyond files and processes into the auxiliary systems that bind them together. Failure to do so leaves a wide blind spot where future REVENANT-class operations will thrive, undetected and unchallenged.
