A newly identified Visual Basic Script (VBScript) malware, dubbed PROMPTFLUX, has emerged that uses Google’s Gemini artificial intelligence (AI) model API to generate its own source code. Identified by Google Threat Intelligence Group (GTIG), this experimental malware represents a significant development in the ongoing battle against sophisticated cyber threats that leverage cutting-edge technology for malicious purposes.
PROMPTFLUX: AI-Powered Malware Exploits Gemini for Obfuscation
PROMPTFLUX is malware written in VBScript that interacts directly with Google’s Gemini API. The malware’s core functionality involves requesting specific VBScript obfuscation and evasion techniques from Gemini. This allows PROMPTFLUX to achieve “just-in-time” self-modification, a technique designed to bypass traditional, signature-based detection methods employed by antivirus software.
This novel capability is integrated into what GTIG refers to as the malware’s “Thinking Robot” component. This component periodically queries a large language model (LLM), specifically Gemini 1.5 Flash or later versions, to obtain new code. By feeding the AI API endpoint with a hard-coded API key and highly specific, machine-parsable prompts, PROMPTFLUX solicits code changes aimed at evading antivirus measures. Intriguingly, the prompts instruct the AI to output only the code itself, streamlining the malware’s evolution process.
Beyond its self-modifying code generation, PROMPTFLUX establishes persistence by saving updated, obfuscated versions to the Windows Startup folder. It also attempts to propagate by copying itself to removable drives and mapped network shares. While the self-update function, labeled “AttemptToUpdateSelf,” was found to be commented out, its presence, along with active logging of AI responses to a file named ‘%TEMP%\thinking_robot_log.txt’, strongly suggests the author’s intent to create a metamorphic script capable of evolving over time.
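Because the code itself is meant to keep changing, the behaviours described above are a more stable detection surface than file signatures. The following is an added example, not taken from GTIG's report or from the malware: it correlates three of those behaviours per script-host process. The telemetry lines and their field names are constructed, and the Gemini API hostname is an assumption not stated in the article.

```python
import json
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Public Gemini API hostname (assumption: not given in the article; extend per environment).
LLM_API_HOSTS = {"generativelanguage.googleapis.com"}
STARTUP_SCRIPT = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.(vbs|vbe|wsf|js)$", re.I)
AI_LOG_NAME = "thinking_robot_log.txt"  # log file name reported in the article

# Constructed telemetry, one JSON event per line; field names are hypothetical.
SAMPLE_EVENTS = r"""
{"host":"ws01","pid":4120,"image":"C:\\Windows\\System32\\wscript.exe","type":"net","dest":"generativelanguage.googleapis.com"}
{"host":"ws01","pid":4120,"image":"C:\\Windows\\System32\\wscript.exe","type":"file","path":"C:\\Users\\alice\\AppData\\Local\\Temp\\thinking_robot_log.txt"}
{"host":"ws01","pid":4120,"image":"C:\\Windows\\System32\\wscript.exe","type":"file","path":"C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.vbs"}
{"host":"ws02","pid":900,"image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","type":"net","dest":"generativelanguage.googleapis.com"}
{"host":"ws03","pid":77,"image":"C:\\Windows\\System32\\cscript.exe","type":"file","path":"C:\\Scripts\\inventory.log"}
{"host":"ws04","pid":512,"image":"C:\\Windows\\System32\\cscript.exe","type":"net","dest":"generativelanguage.googleapis.com"}
"""

def signals(event):
    """Return the behaviour labels a single event contributes."""
    found = set()
    path = event.get("path", "")
    if event["type"] == "net" and event.get("dest", "").lower() in LLM_API_HOSTS:
        found.add("llm_api_call")
    if event["type"] == "file" and STARTUP_SCRIPT.search(path):
        found.add("startup_script_write")
    if event["type"] == "file" and path.lower().endswith("\\" + AI_LOG_NAME):
        found.add("ai_response_log")
    return found

def correlate(raw):
    """Group signals by (host, pid), counting only Windows script-host processes."""
    per_proc = defaultdict(set)
    for line in raw.strip().splitlines():
        ev = json.loads(line)
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image in SCRIPT_HOSTS:
            per_proc[(ev["host"], ev["pid"])] |= signals(ev)
    return {proc: sorted(sigs) for proc, sigs in per_proc.items() if sigs}

def alerts(findings, threshold=2):
    """A single signal is weak on its own; two or more from one process merits triage."""
    return {proc: sigs for proc, sigs in findings.items() if len(sigs) >= threshold}

if __name__ == "__main__":
    for proc, sigs in alerts(correlate(SAMPLE_EVENTS)).items():
        print(proc, sigs)
```

On the constructed data only the ws01 process is flagged; the browser on ws02 is ignored because it is not a script host, and the lone API call on ws04 stays below the threshold.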
Google’s analysis revealed multiple variations of PROMPTFLUX, some of which incorporate LLM-driven code regeneration. One version was observed using a prompt to rewrite the malware’s entire source code hourly, explicitly instructing the LLM to act as an “expert VB Script obfuscator.” Despite these advanced features, PROMPTFLUX is currently assessed to be in a development or testing phase, lacking the capability to infiltrate a victim network or compromise devices.
Broader Trends: LLMs in the Hands of Threat Actors
The emergence of PROMPTFLUX underscores a growing trend where adversaries are moving beyond utilizing AI for simple productivity gains. Instead, they are actively developing tools that can modify their behavior during execution and creating purpose-built malware for financial gain. Google has documented several other instances of LLM-powered malware, including:
- FRUITSHELL: A reverse shell written in PowerShell designed to bypass detection or analysis by LLM-powered security systems through hard-coded prompts.
- PROMPTLOCK: A cross-platform ransomware in Go that leverages an LLM to dynamically generate and execute malicious Lua scripts at runtime, noted as a proof-of-concept.
- PROMPTSTEAL (aka LAMEHUG): A data miner employed by the Russian state-sponsored actor APT28; it queries Qwen2.5-Coder-32B-Instruct via the Hugging Face API to generate commands for execution.
- QUIETVAULT: A JavaScript-based credential stealer targeting GitHub and NPM tokens.
Google also observed a China-nexus threat actor misusing Gemini for various malicious activities. This included crafting convincing lure content for social engineering, building technical infrastructure, and designing tools for data exfiltration. In one notable instance, the actor successfully bypassed guardrails by framing their prompts as part of a capture-the-flag (CTF) exercise, tricking the AI into providing exploitable information.
The actor reportedly learned from this interaction, repeatedly using the CTF pretext to solicit advice on exploiting specific software and email services, thereby gaining insights into phishing, exploitation, and web shell development under the guise of a gaming scenario. This adaptability highlights the potential for AI models to be manipulated by sophisticated actors.
Additionally, state-sponsored actors from China, Iran, and North Korea have been observed misusing Gemini to streamline their operations. This encompasses reconnaissance, phishing lure creation, command-and-control (C2) framework development, and data exfiltration. Specifically, Iranian nation-state actors like APT41 and MuddyWater have used Gemini for code obfuscation and developing custom malware, while APT42 has leveraged it for phishing campaign materials and data extraction tools. North Korean actor UNC1069 has also been noted for generating social engineering lures and code for cryptocurrency theft.
The development of AI-powered malware like PROMPTFLUX indicates that threat actors are likely to shift from using AI as an exception to making it a standard practice. This transition is expected to accelerate the speed, scope, and effectiveness of their operations, enabling attacks at a much larger scale. The increasing accessibility of powerful AI models, coupled with their integration into daily business operations, creates fertile ground for prompt injection attacks. The low cost and high potential reward associated with these attacks make them an increasingly attractive option for malicious actors seeking to refine their techniques and execute sophisticated cyber campaigns.

