Google has discovered a new breed of AI-powered malware that uses large language models (LLMs) during execution to dynamically generate malicious scripts and evade detection.
A Google Threat Intelligence Group (GTIG) report yesterday highlighted two families it said use “just-in-time AI” in this way – PromptFlux and PromptSteal.
“These tools dynamically generate malicious scripts, obfuscate their own code to evade detection, and leverage AI models to create malicious functions on demand, rather than hard-coding them into the malware,” the report explained.
“While still nascent, this represents a significant step toward more autonomous and adaptive malware.”
Read more on LLM abuse: New “LameHug” Malware Deploys AI-Generated Commands
PromptFlux is a dropper written in VBScript which “regenerates” by using the Google Gemini API. It prompts the LLM to rewrite its own source code on the fly, and then save the obfuscated version to the Startup folder for persistence. The malware also tries to spread by copying itself to removable drives and mapped network shares, GTIG said.
PromptSteal is a data miner written in Python that queries the LLM Qwen2.5-Coder-32B-Instruct to generate one-line Windows commands to collect information and documents in specific folders and send the data to a command-and-control (C2) server.
GTIG said it had observed PromptSteal being used by Russian actor APT28 in Ukraine, while PromptFlux is still being developed.
Among the other AI-enabled malware families the report highlighted are:
- FruitShell: a reverse shell written in PowerShell which establishes remote C2 connections and enables the execution of commands on a targeted system. It uses hard-coded prompts to evade detection by LLM-based security
- PromptLock: ransomware written in Go which uses an LLM to dynamically generate malicious Lua scripts at runtime for reconnaissance, data encryption and exfiltration
- QuietVault: a JavaScript credential stealer which uses an AI prompt and on-host installed AI CLI tools to search for and exfiltrate secrets
The AI Malware Market Matures
Google warned that the cybercrime market for AI tools is developing at a rapid pace. It cited “multiple offerings of multifunctional tools designed to support phishing, malware development, and vulnerability research,” which could democratize cybercrime further.
It also noted continued efforts to bypass guardrails in Gemini by using “social engineering-like pretexts” in prompts. Additionally, GTIG warned that nation state actors are misusing the chatbot to assist in all stages of their attacks – from reconnaissance and creation of phishing lures to C2 development and data exfiltration.
Cory Michal, CSO at AppOmni, said the GTIG report echoes what his firm is seeing in the SaaS threat landscape.
“AI-enabled malware mutates its code, making traditional signature-based detection ineffective. Defenders need behavioral EDR that focuses on what malware does, not what it looks like,” he added.
“Detection should key in on unusual process creation, scripting activity or unexpected outbound traffic especially to AI APIs like Gemini, Hugging Face or OpenAI. By correlating behavioral signals across endpoint, SaaS and identity telemetry, organizations can spot when attackers are abusing AI and stop them before data is exfiltrated.”
Max Gannon, cyber intelligence team manager at Cofense, argued that the use of AI at every step of the kill chain should be a concern to network defenders.
“This is a significant change from last year when AI was used minimally with a focus on phishing emails and kits,” he added.
“I expect that in the near future enterprising threat actors will be selling all-inclusive AI-based kits that generate every part of the attack chain and require zero knowledge – making the only barrier to entry the subscription fee.”