[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"branding":3,"analytics":7,"article-two-decompilers-beat-one-for-ai-malware-detection":10,"sections":34},{"siteName":4,"siteTagline":5,"publisherName":4,"contactEmail":6},"The Revision","Tech news, decoded.","editor@therevision.news",{"gaMeasurementId":8,"adsenseClientId":9},"G-ZW2MV82GYR","ca-pub-8533917693782264",{"article":11},{"id":12,"slug":13,"title":14,"dek":15,"body_md":16,"tags_json":17,"published_at":18,"created_at":19,"updated_at":20,"status":21,"review_note":22,"review_notes":23,"image_url":22,"persona_id":22,"persona_name":22,"section":24,"tags":25,"sources":29,"feedback":33,"feedback_at":22,"cost_usd":33,"total_tokens":33},1765,"two-decompilers-beat-one-for-ai-malware-detection","Two Decompilers Beat One for AI Malware Detection","A new study finds that feeding LLMs output from both Ghidra and RetDec catches more malware than relying on either tool alone.","Giving an AI model two decompiled views of the same binary improves its ability to flag malware — no extra training required.\n\nResearchers built a benchmark of benign utilities and malicious programs, compiled each sample, then ran it through both Ghidra and RetDec — two widely used decompilers — to generate matched pseudo-C output. They tested the resulting paired prompts across multiple LLMs from major model families. The dual-view approach raised F1 scores on the malicious class, mostly by recovering malware samples the single-view setup missed. Error analysis showed that Ghidra and RetDec fail on different samples, which is exactly what you want from a two-source approach.\n\nThe finding matters because most LLM-based malware triage pipelines assume one decompiler is enough. Decompilers are lossy heuristic tools — they reconstruct plausible code from machine instructions, not source truth — so a single view can bury or mangle the artifacts that make malicious intent legible to a model. 
Stacking two views is a cheap, training-free patch for that blind spot.\n\nThe irony is that the fix is almost embarrassingly simple: prompt the model with output from two different decompilers and let the disagreement between them do the work. Security tooling rarely gets easier to improve than this, which should prompt some skepticism about why single-decompiler pipelines shipped in the first place. The gain reported here is in F1 on the malicious class, so a team adopting the approach should still measure the false-positive rate on its own benign samples.","[\"malware\",\"ai\",\"security\",\"decompilation\"]","2026-06-19T04:00:00.000Z","2026-06-19T11:29:03.057Z","2026-06-19T14:22:18.772Z","published",null,[],"security",[26,27,24,28],"malware","ai","decompilation",[30],{"name":31,"url":32},"arXiv cs.AI","https:\u002F\u002Farxiv.org\u002Fabs\u002F2606.20436",0,{"sections":35},[36,40,43,48,53,58,63,67,71,76,81,86,91,96],{"name":37,"slug":27,"count":38,"latest_published_at":39},"AI",491,"2026-06-19T14:59:11.000Z",{"name":41,"slug":24,"count":42,"latest_published_at":18},"Security",132,{"name":44,"slug":45,"count":46,"latest_published_at":47},"Policy","policy",88,"2026-06-16T09:26:09.000Z",{"name":49,"slug":50,"count":51,"latest_published_at":52},"Consumer Tech","consumer-tech",78,"2026-06-16T17:58:24.000Z",{"name":54,"slug":55,"count":56,"latest_published_at":57},"Hardware","hardware",62,"2026-06-18T15:24:16.000Z",{"name":59,"slug":60,"count":61,"latest_published_at":62},"Deals","deals",58,"2026-06-19T14:43:50.000Z",{"name":64,"slug":65,"count":61,"latest_published_at":66},"Software","software","2026-06-16T20:00:00.000Z",{"name":68,"slug":69,"count":70,"latest_published_at":18},"Dev 
Tools","dev-tools",50,{"name":72,"slug":73,"count":74,"latest_published_at":75},"Science","science",38,"2026-06-18T04:00:00.000Z",{"name":77,"slug":78,"count":79,"latest_published_at":80},"Gaming","gaming",31,"2026-06-16T15:25:13.000Z",{"name":82,"slug":83,"count":84,"latest_published_at":85},"General","general",26,"2026-06-13T18:35:15.000Z",{"name":87,"slug":88,"count":89,"latest_published_at":90},"Startups","startups",23,"2026-06-16T15:00:00.000Z",{"name":92,"slug":93,"count":94,"latest_published_at":95},"Reviews","reviews",19,"2026-06-14T08:00:00.000Z",{"name":97,"slug":98,"count":99,"latest_published_at":100},"How-To","how-to",6,"2026-06-16T09:00:00.000Z"]