Generative AI is no longer confined to the development phase of malware; it is now also used during its operation.
Google echoes this and provides five examples, among them a VBScript dropper it named PROMPTFLUX.
A dropper rewrites its code thanks to Gemini
Identified in early June, the malware leverages the latest Gemini Flash 1.5 version (via the API, with the key hardcoded) to help obscure its code, and thus maximize its chances of evading antivirus detection.
Variants have been discovered. One, for instance, asks Gemini every hour to rewrite its entire source code, and saves each new version in the startup folder in order to establish persistence.
PROMPTFLUX also bears worm-like traits: it is capable of spreading across network shares and removable media. It does not, however, appear able to compromise a network or even a device. Some of its functions are commented out, including the one by which it modifies its code using the elements provided by Gemini. But the presence of this function, as well as the logging of AI responses, clearly illustrates its intent.
A data miner generates Windows commands via Qwen
Another example: PROMPTSTEAL. Also identified in June, it was used by APT28 (the Russia-aligned group) against Ukraine.
It is a Python data miner disguised as an image-creation program. It contains a compiled script that calls Qwen2.5-Coder-32B-Instruct via the Hugging Face API, probably using a stolen token. The objective is to generate Windows commands that collect system information and copy documents into a specific folder for exfiltration.
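Both PROMPTFLUX and PROMPTSTEAL call a hosted LLM API with a credential carried in the sample itself, which gives defenders something to look for in script text. The following is an added example, not code from Google's report or from the malware: a static triage heuristic that flags scripts combining an LLM API host, a hardcoded credential and a Startup-folder reference. The hostnames, credential patterns, scoring thresholds and sample strings are assumptions of this example and do not come from the article.

```python
import re

# API hosts of the two hosted LLM services named in the article.
LLM_ENDPOINTS = {
    "gemini": re.compile(r"generativelanguage\.googleapis\.com", re.I),
    "huggingface": re.compile(r"api-inference\.huggingface\.co", re.I),
}
# Well-known credential shapes: Google API keys ("AIza" + 35 chars), HF tokens ("hf_").
CREDENTIALS = {
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}"),
    "hf_token": re.compile(r"\bhf_[A-Za-z0-9]{30,}"),
}
# References to the Windows Startup folder (the persistence location the article mentions).
STARTUP = re.compile(r'SpecialFolders\(\s*"Startup"\s*\)|Start Menu\\Programs\\Startup', re.I)


def triage(text: str) -> dict:
    """Score one script's text; the thresholds are an assumption of this example."""
    endpoints = sorted(n for n, rx in LLM_ENDPOINTS.items() if rx.search(text))
    creds = sorted(n for n, rx in CREDENTIALS.items() if rx.search(text))
    startup = bool(STARTUP.search(text))
    if endpoints and creds:
        verdict = "high" if startup else "medium"
    elif endpoints or creds:
        verdict = "low"
    else:
        verdict = "none"
    return {"endpoints": endpoints, "credentials": creds, "startup": startup, "verdict": verdict}


# Constructed samples (not taken from any real malware).
FAKE_KEY = "AIza" + "X" * 35  # placeholder with the right shape, not a real key
SAMPLE_SUSPICIOUS = (
    'url = "https://generativelanguage.googleapis.com/PLACEHOLDER"\n'
    f'apiKey = "{FAKE_KEY}"\n'
    'dest = shell.SpecialFolders("Startup")\n'
)
SAMPLE_BENIGN = (
    'import os\n'
    'URL = "https://api-inference.huggingface.co/PLACEHOLDER"\n'
    'TOKEN = os.environ["HF_TOKEN"]\n'
)

if __name__ == "__main__":
    for name, body in [("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)]:
        print(name, triage(body))
```

A plain-text scan like this will not see strings inside a compiled or packed script, so a sample such as PROMPTSTEAL would need unpacking first.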
When the host’s AI tools are used to search for secrets
Google also mentions PROMPTLOCK, a ransomware written in Go. Considered experimental, it uses an (unspecified) LLM to generate Lua scripts. It includes capabilities for filesystem discovery, data exfiltration, and encryption on Windows as well as Linux.
FRUITSHELL and QUIETVAULT, on the other hand, have been observed in operations.
The former, publicly available, is a reverse shell written in PowerShell. It carries prompts intended to help it evade detection by security systems relying on LLMs.
The latter, coded in JavaScript, is supposed to exfiltrate GitHub and NPM tokens by pushing them to a public repository. To search for other secrets, it relies on the host's command-line AI tools.