AI-in-the-Loop Malware: A Capability-Architecture Reference Map and Defender's Counter-Architecture

AI integration across the malware lifecycle (recon, payload generation, C2, persistence, post-exec) is an observable not hypothetical threat. We construct a five-stage reference architecture, document per-stage capability uplift with research citations, and provide a 100-host network simulation showing AI-augmented malware infects 3.9-6.5x more hosts than traditional. Multi-posture sweep (zero-day/LotL/adaptive x signature/behavioral/cross-stage detector) reveals defender-preference inversion by attacker posture: LotL is best-defended by signature, not behavioral. Cost-Pareto analysis shows 2-detector pairs dominate the 3-detector ensemble. This paper is part of the AIACW (AI-Autonomous Cyber Weapons) ResearchProgramme, Wave 2 (papers P10-P20). Wave 1 (P1-P9) was deposited atpeer-review venues 2026-Q2 (NDSS, ACM CCS, IEEE S&P, USENIX Security,Oxford J. of Cybersecurity, ACM Computing Surveys). Wave 2 establishesthe empirical interior. P19 (cross-paper integration test) and P20(methodology meta-paper) provide programme-level validation anddocumentation.