Insights, news, education and announcements from PolySwarm

Rise of the AI-Enabled Malware

Written by The Hivemind | Nov 10, 2025 6:41:22 PM

Verticals Targeted: None Specified
Regions Targeted: Ukraine
Related Families: FRUITSHELL, PROMPTFLUX, PROMPTLOCK, PROMPTSTEAL, QUIETVAULT

Executive Summary

Industry researchers have noted the emergence of AI-integrated malware that queries large language models during runtime to generate code, obfuscate payloads, and adapt behaviors. This evolution extends beyond productivity aids, enabling nation state actors and cybercriminals to enhance intrusion chains with dynamic capabilities. Associated malware includes FRUITSHELL, PROMPTFLUX, PROMPTLOCK, PROMPTSTEAL, and QUIETVAULT.

Key Takeaways

  • Malware families including PROMPTFLUX and PROMPTSTEAL invoke Gemini or Hugging Face APIs mid-execution to rewrite source code or produce one-line Windows commands for reconnaissance and data collection.  
  • PROMPTFLUX, a VBScript dropper, uses hard-coded Gemini API keys to request obfuscation techniques, persisting via rewritten variants in the Startup folder and spreading to removable media.  
  • APT28 employed PROMPTSTEAL, a Python-based miner packaged with PyInstaller, against Ukrainian targets to exfiltrate system details and documents via LLM-generated commands.  
  • PROMPTLOCK, a Go-language ransomware, dynamically creates Lua scripts for cross-platform encryption on Windows and Linux systems.  

AI-Enabled Malware Families Observed in 2025

Google Threat Intelligence Group (GTIG) has observed a pivotal advancement in adversarial tactics throughout 2025, where malware incorporates large language models (LLMs) to achieve runtime adaptability. This departs from prior reliance on AI for static tasks such as phishing lure generation or code assistance, introducing executable threats that modify themselves or generate functions on demand to counter defenses.

 

PROMPTFLUX

Central to these developments is PROMPTFLUX, an experimental VBScript dropper that embeds a decoy installer while leveraging the Gemini API for self-obfuscation. The malware sends targeted POST requests with prompts instructing the LLM to output pure VBScript evasion code, which it logs to %TEMP%\thinking_robot_log.txt. Although the core self-update routine remains commented out in analyzed samples, variants replace it with an hourly "Thinging" function that regenerates the entire script, preserving payload, API key, and regeneration logic for metamorphic persistence. PROMPTFLUX further propagates by copying to networked drives.

 

PROMPTSTEAL

In active campaigns, Russian state-backed APT28 deployed PROMPTSTEAL against Ukraine, as corroborated by CERT-UA, under the alias LAMEHUG. This Python data miner, compiled via PyInstaller, masquerades as image generation software but queries the Qwen2.5-Coder-32B-Instruct model on Hugging Face to produce concise commands. These include directory creation at C:\ProgramData\info, aggregation of hardware, process, network, and Active Directory details into info.txt, and recursive copying of Office documents and PDFs from user folders. Executed blindly locally, results route to actor-controlled servers, with evolving samples introducing obfuscation and altered C2 methods.

 

PROMPTLOCK

Complementing these is PROMPTLOCK, a Go-compiled ransomware proof-of-concept that invokes LLMs to craft Lua scripts for filesystem traversal, exfiltration, and encryption across Windows and Linux environments. PolySwarm analysts reported on PROMPTLOCK back in September. 

 

FRUITSHELL

FRUITSHELL is a PowerShell reverse shell with prompts to evade LLM-based analyzers.

 

QUIETVAULT

QUIETVAULT is a JavaScript stealer targeting GitHub and NPM tokens while using on-host AI tools for secret enumeration and exfiltration via public repositories. The script behaves like malware, more specifically an automated data‑exfiltration agent. 

 

Its main actions are:

  • Search the filesystem for text configuration and environment files (for example: *.env, *.conf, README, LICENSE, *.md, etc.).
  • Read those files and encode their contents in Base64.
  • Attempt to create a GitHub repository using a local gh token and upload the encoded results to it.
  • Modify user shell startup files (~/.bashrc, ~/.zshrc) by appending the line sudo shutdown -h 0, which will shut down the machine when a new shell session starts.
  • Try to leverage locally installed AI CLIs to discover files.
  • Collect environment variables and other local identity information including hostname, OS release, npm identity, etc.

Figure 1: The image above shows an excerpt of the prompt used by QUIETVAULT

IOCs

PolySwarm has multiple samples associated with this activity and continues to monitor the threat landscape for AI-enabled malware. 

 

PromptLock

e24fe0dd0bf8d3943d9c4282f172746af6b0787539b371e6626bdb86605ccd70

1458b6dc98a878f237bfb3c3f354ea6e12d76e340cefe55d6a1c9c7eb64c9aee

2755e1ec1e4c3c0cd94ebe43bd66391f05282b6020b2177ee3b939fdd33216f6

7bbb06479a2e554e450beb2875ea19237068aa1055a4d56215f4e9a2317f8ce6

1612ab799df51a7f1169d3f47ea129356b42c8ad81286d05b0256f80c17d4089

09bf891b7b35b2081d3ebca8de715da07a70151227ab55aec1da26eb769c006f

b43e7d481c4fdc9217e17908f3a4efa351a1dab867ca902883205fe7d1aab5e7

 

QuietVault

8eea1f65e468b515020e3e2854805f1ef5c611342fa23c4b31d8ed3374286a90

 

You can use the following CLI command to search for all related samples in our portal:

$ polyswarm link list -f MalwareFamily

 

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.

 
View full post