Loading Models, Launching Shells: Abusing AI File Formats for Code Execution

Presented at DEF CON 33 (2025), Aug. 10, 2025, 2 p.m. (20 minutes).

Everyone knows not to trust pickle files, but what about .onnx, .h5, or .npz? This talk explores how trusted file formats used in AI and large language model workflows can be weaponized to deliver reverse shells and stealth payloads. These attacks rely solely on the default behavior of widely used machine learning libraries and do not require exploits or unsafe configuration. The presentation focuses on formats that are not typically seen as dangerous: ONNX, HDF5, Feather, YAML, JSON, and NPZ. These formats are commonly used across model sharing, training pipelines, and inference systems, and are automatically loaded by tools such as onnx, h5py, pyarrow, and numpy. A live demo will show a healthcare chatbot executing code silently when these formats are deserialized, with no user interaction and no alerts. This is a demonstration of how trusted data containers can become malware carriers in AI systems. Attendees will leave with a clear understanding of the risks introduced by modern ML workflows, and practical techniques for payload delivery, threat detection, and hardening against this type of tradecraft.

References:

- Parzian, Cyrus. Turning a Healthcare Chatbot into a Reverse Shell – A Deep Dive into Pickle Exploitation. iRedTeam.ai. [link](https://iredteam.ai/turning-a-healthcare-chatbot-into-a-reverse-shell-a-deep-dive-into-pickle-exploitation-part-2-5e4c0def8be1)
- Trail of Bits. Fickling: A Pickle Inspection and Manipulation Tool. [link](https://github.com/trailofbits/fickling)
- TensorFlow Developers. SavedModel Format Overview. [link](https://www.tensorflow.org/guide/saved_model)
- ONNX Project. ONNX Model Format Documentation. [link](https://onnx.ai)
- Apache Arrow Project. Feather and Parquet Format Specification. [link](https://arrow.apache.org)
- Hugging Face. Transformers File Formats and Model Loading. [link](https://huggingface.co/docs/transformers/index)
- NumPy Developers. NumPy NPZ and NPY Format Documentation. [link](https://numpy.org/doc/stable/reference/generated/numpy.savez.html)
- PyYAML Documentation. YAML Deserialization and UnsafeLoader. [link](https://pyyaml.org/wiki/PyYAMLDocumentation)
- OWASP. Deserialization Cheat Sheet. [link](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html)
- DEF CON and Black Hat Archives. Past Talks on Serialization, Supply Chain, and Model Abuse. [link](https://defcon.org) / [link](https://blackhat.com)
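As an added example (not part of the talk or the author's material), the following is one concrete hardening step for one of the formats named above, NPZ. An .npz archive is a zip of .npy blobs, and each .npy blob carries a small header stating its dtype; arrays of object dtype (descr containing `O`) are serialized with pickle, which is the path a loader called with `allow_pickle=True` would execute. The scanner below parses only those headers with the standard library and never deserializes array data, so it can triage model artifacts before any numpy loader sees them. The function names, the `MAX_HEADER_READ` bound, and the sample archive are all constructed for this example; the object member's payload is an opaque placeholder, not a real pickle stream.

```python
"""Pre-load triage of .npz archives for pickle-backed (object-dtype) arrays.

Standard library only; reads .npy headers and nothing else.
"""
import ast
import io
import struct
import zipfile

NPY_MAGIC = b"\x93NUMPY"
MAX_HEADER_READ = 1 << 20  # assumption: 1 MiB bounds memory per member; real headers are tiny


def parse_npy_header(data: bytes) -> dict:
    """Parse the .npy header dict ({'descr', 'fortran_order', 'shape'}) from a blob prefix."""
    if len(data) < 12 or data[:6] != NPY_MAGIC:
        raise ValueError("not a .npy blob")
    major = data[6]
    if major == 1:
        (hlen,) = struct.unpack("<H", data[8:10])   # format 1.0: uint16 header length
        start = 10
    elif major in (2, 3):
        (hlen,) = struct.unpack("<I", data[8:12])   # formats 2.0/3.0: uint32 header length
        start = 12
    else:
        raise ValueError(f"unsupported .npy format version {major}")
    if len(data) < start + hlen:
        raise ValueError("truncated or oversized .npy header")
    header_text = data[start:start + hlen].decode("latin1")
    # The header is a Python dict literal; literal_eval parses it without executing code.
    return ast.literal_eval(header_text)


def descr_uses_pickle(descr) -> bool:
    """True if the dtype description contains an object ('O') field anywhere."""
    if isinstance(descr, str):
        return "O" in descr
    # Structured dtype: list of (name, dtype[, shape]) tuples, possibly nested.
    return any(descr_uses_pickle(field[1]) for field in descr)


def scan_npz(blob: bytes) -> list:
    """Return [(member_name, descr_or_None, needs_pickle)] for every archive member."""
    report = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            with zf.open(name) as fh:
                prefix = fh.read(MAX_HEADER_READ)
            try:
                descr = parse_npy_header(prefix)["descr"]
                report.append((name, descr, descr_uses_pickle(descr)))
            except (ValueError, SyntaxError, KeyError, IndexError, struct.error):
                # Fail closed: a member whose header cannot be parsed is treated as unsafe.
                report.append((name, None, True))
    return report


def flagged_members(blob: bytes) -> list:
    """Names of members that would require pickle to load (or could not be parsed)."""
    return [name for name, _descr, flagged in scan_npz(blob) if flagged]


# --- constructed sample archive (not a real model file) ----------------------

def make_npy(descr: str, shape: tuple, payload: bytes) -> bytes:
    """Build a version 1.0 .npy blob by hand; payload is the raw array bytes."""
    header = repr({"descr": descr, "fortran_order": False, "shape": shape}).encode("latin1")
    # NumPy pads the header with spaces so the data offset is 64-byte aligned.
    pad = (64 - (10 + len(header) + 1) % 64) % 64
    header += b" " * pad + b"\n"
    return NPY_MAGIC + bytes([1, 0]) + struct.pack("<H", len(header)) + header + payload


def build_sample_npz() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Benign float64 member: three little-endian doubles.
        zf.writestr("weights.npy", make_npy("<f8", (3,), struct.pack("<3d", 0.1, 0.2, 0.3)))
        # Object-dtype member: the payload is a constructed placeholder standing in for the
        # pickle stream numpy would write; the scanner never reads it.
        zf.writestr("meta.npy", make_npy("|O", (1,), b"<opaque-object-payload>"))
    return buf.getvalue()


SAMPLE_NPZ = build_sample_npz()

if __name__ == "__main__":
    for name, descr, flagged in scan_npz(SAMPLE_NPZ):
        print(f"{name:12s} descr={descr!r:6} {'NEEDS PICKLE' if flagged else 'ok'}")
```

Running the block reports `weights.npy` as safe and `meta.npy` as requiring pickle. NumPy's own `np.load` already defaults to `allow_pickle=False` and refuses object arrays at load time; the value of a header-only scan is that it runs in ingestion or CI before an artifact reaches any code path that may have overridden that default, and it fails closed on members it cannot parse.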

Presenters:

  • Cyrus Parzian
    Cyrus Parzian is an AI Red Team Lead with over a decade of experience in offensive security, red teaming, and AI risk testing. He has led AI red team assessments targeting model serialization abuse, data leakage prevention, prompt injection, and LLM jailbreak resistance. Cyrus has created standardized reporting frameworks, built payload testing infrastructure, and designed internal training focused on exploitation of AI-powered systems. He has conducted over 100 offensive operations across internal networks, cloud environments, and LLM-integrated applications. His work includes large-scale phishing campaigns, persistent C2 infrastructure, and exploitation of automation platforms like Power Automate. Cyrus shares his research on iRedTeam.ai, where he focuses on weaponizing trusted model formats and exposing blind spots in AI-driven systems. He has spoken at ArcticCon and served as organizer of Fiestacon.
