Cybersecurity

Google Warns Of New Promptflux Malware Using Gemini API To Rewrite...

2025-11-06 0 views admin
Google Warns Of New Promptflux Malware Using Gemini API To Rewrite...

Google Threat Intelligence Group (GTIG) has unveiled details of an experimental malware family called PROMPTFLUX, which leverages the Gemini AI API to rewrite its own code dynamically.

This development, detailed in GTIG’s latest AI Threat Tracker report released on November 4, 2025, highlights how adversaries are shifting from mere productivity tools to embedding large language models (LLMs) directly into malware for real-time adaptation and evasion.

While still in testing phases and not yet capable of widespread compromise, PROMPTFLUX represents the first observed instance of “just-in-time” AI integration in malicious software, potentially paving the way for more autonomous attacks.​

PROMPTFLUX operates as a VBScript-based dropper, initially masquerading as innocuous installers like “crypted_ScreenRec_webinstall” to trick users across various industries and regions.

Its core innovation lies in the “Thinking Robot” module, which uses a hard-coded Gemini API key to query the “gemini-1.5-flash-latest” model for obfuscated VBScript code designed to bypass antivirus detection.

The malware prompts the LLM to generate self-contained evasion scripts, outputting only the code without extraneous text, and logs responses in a temporary file for refinement.

In advanced variants, it rewrites its entire source code hourly, embedding the original payload, API key, and regeneration logic to create a recursive mutation cycle that ensures persistence via the Windows Startup folder.

GTIG notes that while features like the self-update function remain commented out, indicating early development, the malware also attempts lateral spread to removable drives and network shares.

This approach exploits AI’s generative power not just for creation, but for ongoing survival, differing from static malware that relies on fixed signatures easily detected by defenders.​

The emergence of PROMPTFLUX aligns with a maturing cybercrime marketplace where AI tools flood underground forums, offering capabilities from deepfake generation to vulnerability exploitation at subscription prices.

Source: Cybersecurity News

🏷️ Tags

vulnerabilitymalwareattackthreatexploit

More from Cybersecurity

Malicious Npm Package Steals Whatsapp Accounts And Messages 2025

Malicious Npm Package Steals Whatsapp Accounts And Messages 2025

2025-12-22 0
Romanian Water Authority Hit By Ransomware Attack Over Weekend

Romanian Water Authority Hit By Ransomware Attack Over Weekend

2025-12-22 0
University Of Phoenix Data Breach Impacts Nearly 3.5 Million...

University Of Phoenix Data Breach Impacts Nearly 3.5 Million...

2025-12-22 0
Coupang Breach Affecting 33.7 Million Users Raises Data Protection...

Coupang Breach Affecting 33.7 Million Users Raises Data Protection...

2025-12-22 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views