Benchmarking Large Language Models for IoC Recovery under Adversarial Code Obfuscation and Encryption

Computer Science > Cryptography and Security [Submitted on 7 May 2026] Benchmarking Large Language Models for IoC Recovery under Adversarial Code Obfuscation and Encryption Jaime Morales, Sergio Pastrana, Juan Tapiador Software obfuscation and encryption present persistent challenges for program comprehension and security analysis, particularly when adversaries conceal Indicators of Compromise (IoCs) such as IP addresses within source code. While Large Language Models (LLMs) have recently demonstrated remarkable progress in code reasoning and transformation, their resilience against adversarial concealment techniques remains largely uncharted. This paper introduces a systematic benchmark for secret detection under adversarial code transformations, designed to evaluate the capacity of LLMs to recover IoCs embedded in obfuscated and encrypted JavaScript programs. We construct a dataset of 336 programs, progressively transformed through 12 levels of obfuscation and cryptographic concealment (including XOR and AES-256), to emulate realistic threat scenarios. An automated evaluation framework standardizes LLM queries and responses, enabling reproducible, large-scale testing across diverse models. Our results reveal a dichotomy: while LLMs exhibit high success against lightweight transformations such as variable renaming and Base64 encoding, encryption-based concealment severely degrades detection performance. These findings establish encryption as a critical frontier for LLM-driven code analysis and highlight both current limitations and avenues for advancing automated threat intelligence. Comments: 11 pages, 2 figures, 8 tables Subjects: Cryptography and Security (cs.CR) ACM classes: K.6.5; I.2.7 Cite as: arXiv:2605.06910 [cs.CR]   (or arXiv:2605.06910v1 [cs.CR] for this version)   https://doi.org/10.48550/arXiv.2605.06910 Focus to learn more Submission history From: Jaime Morales [view email] [v1] Thu, 7 May 2026 20:18:17 UTC (372 KB) Access Paper: HTML (experimental) view license Current browse context: cs.CR < prev   |   next > new | recent | 2026-05 Change to browse by: cs References & Citations NASA ADS Google Scholar Semantic Scholar Export BibTeX Citation Bookmark Bibliographic Tools Bibliographic and Citation Tools Bibliographic Explorer Toggle Bibliographic Explorer (What is the Explorer?) Connected Papers Toggle Connected Papers (What is Connected Papers?) Litmaps Toggle Litmaps (What is Litmaps?) scite.ai Toggle scite Smart Citations (What are Smart Citations?) Code, Data, Media Demos Related Papers About arXivLabs Which authors of this paper are endorsers? | Disable MathJax (What is MathJax?)