Cybersecurity

Google Uncovers Promptflux Malware That Uses Gemini AI To Rewrite...

2025-11-05 0 views admin
Google Uncovers Promptflux Malware That Uses Gemini AI To Rewrite...

Google on Wednesday said it discovered an unknown threat actor using an experimental Visual Basic Script (VB Script) malware dubbed PROMPTFLUX that interacts with its Gemini artificial intelligence (AI) model API to write its own source code for improved obfuscation and evasion.

"PROMPTFLUX is written in VBScript and interacts with Gemini's API to request specific VBScript obfuscation and evasion techniques to facilitate 'just-in-time' self-modification, likely to evade static signature-based detection," Google Threat Intelligence Group (GTIG) said in a report shared with The Hacker News.

The novel feature is part of its "Thinking Robot" component, which periodically queries the large language model (LLM), Gemini 1.5 Flash or later in this case, to obtain new code so as to sidestep detection. This, in turn, is accomplished by using a hard-coded API key to send the query to the Gemini API endpoint.

The prompt sent to the model is both highly specific and machine-parsable, requesting VB Script code changes for antivirus evasion and instructing the model to output only the code itself.

The regeneration capability aside, the malware saves the new, obfuscated version to the Windows Startup folder to establish persistence and attempts to propagate by copying itself to removable drives and mapped network shares.

"Although the self-modification function (AttemptToUpdateSelf) is commented out, its presence, combined with the active logging of AI responses to '%TEMP%\thinking_robot_log.txt,' clearly indicates the author's goal of creating a metamorphic script that can evolve over time," Google added.

The tech giant also said it discovered multiple variations of PROMPTFLUX incorporating LLM-driven code regeneration, with one version using a prompt to rewrite the malware's entire source code every hour by instructing the LLM to act as an "expert VB Script obfuscator."

PROMPTFLUX is assessed to be under development or testing phase, with the malware currently lacking any means to compromise a victim network or device. It's currently not known who is behind the malware, but signs point to a financially motivated threat actor that has adopted a broad, geography- and industry-agnostic approach to target a wide range of users.

Google also noted that adversaries are going beyond utilizing AI for simple productivity gains to create tools that are capable of adjusting their behavior in the midst of execution, not to mention developing purpose-built tools that are then

Source: The Hacker News

🏷️ Tags

hackmalwarethreat

More from Cybersecurity

Lastpass 2022 Breach Led To Years-long Cryptocurrency Thefts, Trm...

Lastpass 2022 Breach Led To Years-long Cryptocurrency Thefts, Trm...

2025-12-25 0
Fortinet Warns Of Active Exploitation Of Fortios SSL VPN 2fa Bypass...

Fortinet Warns Of Active Exploitation Of Fortios SSL VPN 2fa Bypass...

2025-12-25 0
Cisa Flags Actively Exploited Digiever Nvr Vulnerability Allowing...

Cisa Flags Actively Exploited Digiever Nvr Vulnerability Allowing...

2025-12-25 0
Fake Mas Windows Activation Domain Used To Spread Powershell Malware

Fake Mas Windows Activation Domain Used To Spread Powershell Malware

2025-12-24 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views