
There's a part I didn't understand. How did the model know which companies are vulnerable to attack? I get the part where the LLM was used to analyze documents and create "malicious" software, but the biggest missing step seems to be the first one. Someone please correct me if I'm wrong, but usually that's either targeted at a specific company or you do a port scan on IP ranges to find any target and proceed from there.


Often you will obtain a vulnerability in some software and then search for companies using it. You can often use Google or Shodan to do the searching, but perhaps ingested LLM data could also work.

In the simplest case, if you get remote code execution in SuperServer9000 (made up product) and that has a banner on error / status pages that reads "Powered with pride by SuperServer9000 version 2.1", then you could just search for that string (or part of it) and use your remote code execution bug against any sites that come up.

It can get behavior-based or more complicated than that though, or rely on information that an LLM has ingested about a company from public sources.

Then either grab data and sell it or sell your access to a broker or whatever else.
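
From the defender's side, the banner search described in the reply above is something you can check for on your own servers. The following is an added example, not part of the original comments: it flags product and version strings in response headers and error-page bodies. The function name, header list, regexes and sample responses are assumptions constructed for illustration, using the made-up SuperServer9000 banner from the thread.

```python
import re

# Response headers that commonly carry product/version strings.
DISCLOSING_HEADERS = ("server", "x-powered-by", "via")

# Product followed by a dotted version, e.g. "SuperServer9000/2.1".
HEADER_RE = re.compile(r"([A-Za-z][\w-]*)[/ ]v?(\d+(?:\.\d+)+)")

# "Powered by X 1.2" or "Powered with pride by X version 1.2".
BODY_RE = re.compile(
    r"powered\s+(?:with\s+\w+\s+)?by\s+([A-Za-z][\w-]*)"
    r"(?:\s+version|\s+v|/)?\s*(\d+(?:\.\d+)+)",
    re.IGNORECASE,
)


def find_banner_leaks(headers, body, products=()):
    """Return (location, product, version) for each disclosing banner."""
    findings = []
    for name, value in headers.items():
        if name.lower() in DISCLOSING_HEADERS:
            findings += [(f"header:{name}", m.group(1), m.group(2))
                         for m in HEADER_RE.finditer(value)]
    findings += [("body", m.group(1), m.group(2))
                 for m in BODY_RE.finditer(body)]
    # A bare product name is searchable too ("or part of it"); report it with
    # version None unless a versioned finding already covers that location.
    seen = {(loc, prod.lower()) for loc, prod, _ in findings}
    texts = [(f"header:{n}", v) for n, v in headers.items()] + [("body", body)]
    for loc, text in texts:
        for prod in products:
            if prod.lower() in text.lower() and (loc, prod.lower()) not in seen:
                findings.append((loc, prod, None))
    return findings


# Constructed sample responses, not captured from any real system.
ERROR_PAGE = "<h1>500 Internal Server Error</h1>"
LEAKY = ({"Server": "SuperServer9000/2.1", "Content-Type": "text/html"},
         ERROR_PAGE + "<p>Powered with pride by SuperServer9000 version 2.1</p>")
NAME_ONLY = ({"Server": "SuperServer9000"}, ERROR_PAGE)
HARDENED = ({"Content-Type": "text/html"}, ERROR_PAGE)

if __name__ == "__main__":
    for label, (hdrs, body) in (("leaky", LEAKY), ("name-only", NAME_ONLY),
                                ("hardened", HARDENED)):
        print(label, find_banner_leaks(hdrs, body, products=["SuperServer9000"]))
```

Pass `products` the names of the software you actually run, so that a response which drops the version but keeps the product name is still reported.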



