
Verticals Targeted: None Specified
Regions Targeted: Ukraine
Related Families: FRUITSHELL, PROMPTFLUX, PROMPTLOCK, PROMPTSTEAL, QUIETVAULT
Executive Summary
Industry researchers have noted the emergence of AI-integrated malware that queries large language models during runtime to generate code, obfuscate payloads, and adapt behaviors. This evolution extends beyond productivity aids, enabling nation state actors and cybercriminals to enhance intrusion chains with dynamic capabilities. Associated malware includes FRUITSHELL, PROMPTFLUX, PROMPTLOCK, PROMPTSTEAL, and QUIETVAULT.
Key Takeaways
- Malware families including PROMPTFLUX and PROMPTSTEAL invoke Gemini or Hugging Face APIs mid-execution to rewrite source code or produce one-line Windows commands for reconnaissance and data collection.
- PROMPTFLUX, a VBScript dropper, uses hard-coded Gemini API keys to request obfuscation techniques, persisting via rewritten variants in the Startup folder and spreading to removable media.
- APT28 employed PROMPTSTEAL, a Python-based miner packaged with PyInstaller, against Ukrainian targets to exfiltrate system details and documents via LLM-generated commands.
- PROMPTLOCK, a Go-language ransomware, dynamically creates Lua scripts for cross-platform encryption on Windows and Linux systems.
AI-Enabled Malware Families Observed in 2025
Google Threat Intelligence Group (GTIG) has observed a pivotal advancement in adversarial tactics throughout 2025, where malware incorporates large language models (LLMs) to achieve runtime adaptability. This departs from prior reliance on AI for static tasks such as phishing lure generation or code assistance, introducing executable threats that modify themselves or generate functions on demand to counter defenses.
PROMPTFLUX
Central to these developments is PROMPTFLUX, an experimental VBScript dropper that embeds a decoy installer while leveraging the Gemini API for self-obfuscation. The malware sends targeted POST requests with prompts instructing the LLM to output pure VBScript evasion code, which it logs to %TEMP%\thinking_robot_log.txt. Although the core self-update routine remains commented out in analyzed samples, variants replace it with an hourly "Thinging" function that regenerates the entire script, preserving payload, API key, and regeneration logic for metamorphic persistence. PROMPTFLUX further propagates by copying to networked drives.
PROMPTSTEAL
In active campaigns, Russian state-backed APT28 deployed PROMPTSTEAL against Ukraine, as corroborated by CERT-UA, which reports it under the alias LAMEHUG. This Python data miner, compiled via PyInstaller, masquerades as image generation software but queries the Qwen2.5-Coder-32B-Instruct model on Hugging Face to produce concise commands. These include directory creation at C:\ProgramData\info, aggregation of hardware, process, network, and Active Directory details into info.txt, and recursive copying of Office documents and PDFs from user folders. The malware executes the generated commands locally without inspecting them and sends the results to actor-controlled servers; evolving samples introduce obfuscation and altered C2 methods.
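The PROMPTFLUX and PROMPTSTEAL behaviors described above translate into a handful of endpoint hunting rules. The following is an added example, not code from GTIG or PolySwarm: the event schema, the sample events and the process names are constructed, and the two API hostnames are the public endpoints of the services named in the report rather than values taken from it.

```python
import ntpath

# Assumption: public API hostnames for the services the report names.
LLM_API_HOSTS = ("generativelanguage.googleapis.com", "huggingface.co")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
STARTUP = "\\start menu\\programs\\startup\\"

def classify(event):
    """Return finding labels for one event (hypothetical schema: type, image, target)."""
    image = ntpath.basename(event["image"]).lower()
    target = event["target"].lower()
    findings = []
    if event["type"] == "net":
        if any(target == h or target.endswith("." + h) for h in LLM_API_HOSTS):
            if image in SCRIPT_HOSTS:
                findings.append("script-host-calls-llm-api")
            elif image not in BROWSERS:
                findings.append("non-browser-calls-llm-api")
    elif event["type"] == "file_write":
        if "\\temp\\" in target and target.endswith("\\thinking_robot_log.txt"):
            findings.append("promptflux-log-file")
        if target.startswith("c:\\programdata\\info\\"):
            findings.append("promptsteal-staging-dir")
        if STARTUP in target and target.endswith(".vbs"):
            findings.append("vbscript-in-startup")
    return findings

def triage(events):
    """Flatten findings to (process image name, label) pairs, in event order."""
    return [(ntpath.basename(e["image"]), f) for e in events for f in classify(e)]

# Constructed sample events; user, file and process names are invented.
WSCRIPT = r"C:\Windows\System32\wscript.exe"
FAKE_APP = r"C:\Users\alice\Downloads\image_tool.exe"
SAMPLE_EVENTS = [
    {"type": "net", "image": WSCRIPT, "target": "generativelanguage.googleapis.com"},
    {"type": "file_write", "image": WSCRIPT,
     "target": r"C:\Users\alice\AppData\Local\Temp\thinking_robot_log.txt"},
    {"type": "file_write", "image": WSCRIPT,
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\setup.vbs"},
    {"type": "net", "image": FAKE_APP, "target": "api-inference.huggingface.co"},
    {"type": "file_write", "image": FAKE_APP, "target": r"C:\ProgramData\info\info.txt"},
    {"type": "net", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": "huggingface.co"},
]

if __name__ == "__main__":
    for image, label in triage(SAMPLE_EVENTS):
        print(f"{image}: {label}")
```

The non-browser rule will also fire on legitimate developer tooling that calls these APIs, so it works best combined with an allow-list of known clients.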
PROMPTLOCK
Complementing these is PROMPTLOCK, a Go-compiled ransomware proof-of-concept that invokes LLMs to craft Lua scripts for filesystem traversal, exfiltration, and encryption across Windows and Linux environments. PolySwarm analysts reported on PROMPTLOCK back in September.
FRUITSHELL
FRUITSHELL is a PowerShell reverse shell with prompts to evade LLM-based analyzers.
QUIETVAULT
QUIETVAULT is a JavaScript stealer targeting GitHub and NPM tokens while using on-host AI tools for secret enumeration and exfiltration via public repositories. The script behaves like malware, more specifically an automated data‑exfiltration agent.
Its main actions are:
- Search the filesystem for text configuration and environment files (for example: *.env, *.conf, README, LICENSE, *.md, etc.).
- Read those files and encode their contents in Base64.
- Attempt to create a GitHub repository using a local gh token and upload the encoded results to it.
- Modify user shell startup files (~/.bashrc, ~/.zshrc) by appending the line sudo shutdown -h 0, which will shut down the machine when a new shell session starts.
- Try to leverage locally installed AI CLIs to discover files.
- Collect environment variables and other local identity information including hostname, OS release, npm identity, etc.
Figure 1: The image above shows an excerpt of the prompt used by QUIETVAULT
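The shell startup file tampering in the list above is easy to check for on a host. The following is an added example, not code from the report: it flags uncommented power-state commands in ~/.bashrc and ~/.zshrc, generalizing beyond the exact `sudo shutdown -h 0` line to `poweroff`, `halt` and `reboot`, and the sample file content is constructed.

```python
import re
from pathlib import Path

RC_FILES = (".bashrc", ".zshrc")  # the two startup files named in the report
# A power-state command at the start of a command, optionally behind sudo.
POWER_CMD = re.compile(
    r"(?:^|[;&|]\s*)(?:sudo\s+)?(?:shutdown|poweroff|halt|reboot)\b"
)

def suspicious_lines(text):
    """Return (line_number, line) pairs for uncommented power-state commands."""
    hits = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments cannot execute anything
        if POWER_CMD.search(line):
            hits.append((number, line))
    return hits

def scan_home(home):
    """Scan the rc files under one home directory; missing files are skipped."""
    results = {}
    for name in RC_FILES:
        path = Path(home) / name
        try:
            hits = suspicious_lines(path.read_text(errors="replace"))
        except OSError:
            continue
        if hits:
            results[name] = hits
    return results

# Constructed sample of a tampered ~/.bashrc.
SAMPLE_BASHRC = """\
# ~/.bashrc (constructed sample)
export PATH="$HOME/bin:$PATH"
alias ll='ls -l'
# shutdown -h now   (commented out, ignored)
sudo shutdown -h 0
"""

if __name__ == "__main__":
    print(suspicious_lines(SAMPLE_BASHRC))
    print(scan_home(Path.home()))
```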
IOCs
PolySwarm has multiple samples associated with this activity and continues to monitor the threat landscape for AI-enabled malware.
You can use the following CLI command to search for all related samples in our portal:
$ polyswarm link list -f MalwareFamily