Google Alerts Users to New PROMPTFLUX Malware Leveraging Gemini API for Self-Modifying Code

PROMPTFLUX Malware Uses AI for Self-Modifying Code

The Google Threat Intelligence Group (GTIG) has discovered a new wave of malicious activity integrating artificial intelligence directly into malware. A notable example is the PROMPTFLUX dropper, which demonstrates the first known use of “just-in-time” AI, enabling malware to dynamically modify its own code during execution.

How PROMPTFLUX Operates

Unlike traditional obfuscation techniques, PROMPTFLUX interacts with the Gemini API to rewrite and regenerate its VBScript source code. This dynamic code alteration allows the malware to avoid signature-based detection by continuously changing its structure and content.

Use of Gemini AI Model

Researchers found PROMPTFLUX leverages Gemini’s “gemini-1.5-flash-latest” model to obtain updated obfuscation logic and executables. The malware sends specific prompts to Gemini through hard-coded API keys, requesting new VBScript variants targeted solely at evading antivirus systems.

"Thinking Robot" Module

This module automates the code regeneration process by regularly polling the Gemini API and saving new VBScript files into the Windows Startup folder, ensuring persistent infection.

“Unlike traditional obfuscation methods, PROMPTFLUX interacts with the Gemini API to rewrite and regenerate its VBScript source code, allowing it to evade signature-based detection by constantly altering structure and content.”
“Its module, known as ‘Thinking Robot,’ further automates this cycle by periodically polling the API and saving new regenerated files into the Windows Startup folder to maintain persistence.”
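As an added defender-side example (not code from the GTIG report or from this article), the script below triages VBScript files in a Startup folder for the traits described above: a Gemini API endpoint, the gemini-1.5-flash-latest model name, an embedded API key, an HTTP client object and a write into a Startup folder. The hostname generativelanguage.googleapis.com and the "AIza" key prefix are assumptions based on the public Gemini API rather than indicators given on the page, and both sample files are constructed.

```python
from __future__ import annotations
import os
import re
import tempfile

# Assumed heuristics: public Gemini endpoint host, the model name quoted in the
# report, and the usual shape of a Google API key (prefix "AIza", 39 chars).
GEMINI_HOST = "generativelanguage.googleapis.com"
GEMINI_MODEL = "gemini-1.5-flash-latest"
API_KEY_RE = re.compile(r"AIza[0-9A-Za-z_\-]{35}")

def score_vbscript(text: str) -> list[str]:
    """Return the suspicious traits found in one VBScript body."""
    low = text.lower()
    hits = []
    if GEMINI_HOST in low:
        hits.append("contacts Gemini API endpoint")
    if GEMINI_MODEL in low:
        hits.append("names gemini-1.5-flash-latest model")
    if API_KEY_RE.search(text):
        hits.append("embeds Google-style API key")
    if "msxml2.xmlhttp" in low or "winhttp.winhttprequest" in low:
        hits.append("makes HTTP requests from VBScript")
    if "startup" in low and ("createtextfile" in low or "writeline" in low):
        hits.append("writes files into a Startup folder")
    return hits

def scan_startup_folder(folder: str, min_hits: int = 2) -> dict[str, list[str]]:
    """Flag .vbs files in `folder` showing at least `min_hits` traits."""
    flagged = {}
    for name in os.listdir(folder):
        if not name.lower().endswith(".vbs"):
            continue
        path = os.path.join(folder, name)
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = score_vbscript(fh.read())
        if len(hits) >= min_hits:
            flagged[name] = hits
    return flagged

def demo() -> dict[str, list[str]]:
    """Constructed stand-in for a Startup folder: one benign, one suspect file."""
    benign = 'Set sh = CreateObject("WScript.Shell")\nsh.Run "notepad.exe"\n'
    suspect = ('Set http = CreateObject("MSXML2.XMLHTTP")\n'
               'url = "https://generativelanguage.googleapis.com/v1beta/models/'
               'gemini-1.5-flash-latest:generateContent?key=AIza' + "X" * 35 + '"\n'
               'Set fso = CreateObject("Scripting.FileSystemObject")\n'
               'Set f = fso.CreateTextFile(startupPath & "\\update.vbs")\n')
    with tempfile.TemporaryDirectory() as d:
        for name, body in (("launcher.vbs", benign), ("update.vbs", suspect)):
            with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_startup_folder(d)
```

On a real host, point scan_startup_folder at the per-user and all-users Startup folders and treat any flagged file as a triage lead, not a verdict.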

Significance

This development marks a significant advancement toward autonomous, adaptive malware ecosystems driven by large language models (LLMs).

Author's summary: PROMPTFLUX signifies a new era in malware where AI-driven self-modification challenges detection by continuously evolving code via the Gemini API.


Cyber Press — 2025-11-06