With the explosive popularity of generative AI platforms over the last few years, security researchers keep coming back to the same question: how will large language models (LLMs) change the behavior and overall level of sophistication we see during malware attacks?

Initially, threat actors appeared to be experimenting with ways to use AI to improve productivity, such as using AI applications to craft phishing messages and landing pages, or to automate reconnaissance and the harvesting of victims’ credentials. Research published this week, however, shows threat actors now calling LLMs from within malware at execution time, as a way to alter the malware’s behavior, evade detection and more.

A Wednesday report from Google's Threat Intelligence Group examined malware families that use AI at runtime for various purposes, including generating malicious scripts and obfuscating their own code. The capabilities of the two tools, which researchers track as Promptflux and Promptsteal, are still nascent; however, they stressed that this “represents a significant step towards more autonomous and adaptive malware.”

“Attackers are moving beyond ‘vibe coding’ and the baseline observed in 2024 of using AI tools for technical support,” according to Google’s report. “We are only now starting to see this type of activity, but expect it to increase in the future.” 

Malware in Development

Promptflux, first seen in June, is an experimental dropper written in VBScript that calls the Google Gemini API to rewrite its own source code. The freshly obfuscated copy is then written to the Windows Startup folder, so that it runs at each logon, as a way to establish persistence. 

“The most novel component of PROMPTFLUX is its ‘Thinking Robot’ module, designed to periodically query Gemini to obtain new code for evading antivirus software,” said researchers. “This is accomplished using a hard-coded API key to send a POST request to the Gemini API endpoint.”

Together with the self-modification function described above, this shows the malware author’s goal of creating a metamorphic script that can evolve over time, said researchers. The malware hasn’t been attributed to a specific threat actor, but filenames linked to it, such as the lure “crypted_ScreenRec_WebInstall”, are consistent with the behavior of financially motivated actors.

Still, the malware is in a development phase and, as it stands, is not able to compromise a victim device; Google has further hampered it by disabling the specific assets linked to the actor’s activity.

Malware With Hugging Face API In Attacks

Promptsteal, on the other hand, is being actively used in operations. Researchers found APT28 using Promptsteal in campaigns against Ukraine in June. The tool, a Python-based data miner, includes a compiled script that uses the Hugging Face API to generate Windows commands with the intent of collecting system information and documents from specific folders, which it then sends to an adversary-controlled server.

“[APT28’s] use of PROMPTSTEAL constitutes our first observation of malware querying a LLM deployed in live operations,” said researchers. “PROMPTSTEAL novelly uses LLMs to generate commands for the malware to execute rather than hard coding the commands directly in the malware itself. It masquerades as an ‘image generation’ program that guides the user through a series of prompts to generate images while querying the Hugging Face API to generate commands for execution in the background.”

Researchers said that the malware appears to be under continual development with new samples recently adding obfuscation and tweaking the command-and-control (C2) method.

AI Use Cases In The Wild: SesameOp Backdoor

Overall, researchers are uncovering more ways threat actors are abusing LLM services at various stages of their attacks. Microsoft researchers this week disclosed another: in July they found a new backdoor called “SesameOp” in use during an incident. Rather than asking a model to generate code or commands, the malware used an OpenAI API as its C2 channel, fetching instructions through it to orchestrate malicious activity in the compromised environment. 

“To do this, a component of the backdoor uses the OpenAI Assistants API as a storage or relay mechanism to fetch commands, which the malware then runs,” said researchers. The Assistants API is scheduled to be deprecated in August 2026. A joint review by Microsoft and OpenAI led to the API key used in the attack being disabled; the investigation also found that the associated account had not interacted with any OpenAI models or services beyond limited API calls.
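All three families share one observable trait: a script or unsigned binary on an endpoint talks to a public LLM API, in Promptflux’s case with a hard-coded API key in the VBScript, in Promptsteal’s case from a Python tool reaching Hugging Face, and in SesameOp’s case from a backdoor using OpenAI as a C2 relay. The following Python hunting script is an added example, not code from Google, Microsoft or any of the malware described above. It scans a script for API-key-shaped strings and flags LLM-API connections made by processes that have no business making them. The key formats (vendor prefix plus typical length), the log layout, the process allowlist and the hostnames assumed for each provider are this example’s own assumptions and should be tuned to your environment; the sample script and log lines are constructed.

```python
"""Hunting heuristics for malware that talks to a hosted LLM API.

Added example, not code from Google, Microsoft or the malware families
described above. Two checks: a script carrying a hard-coded API key, and a
non-browser process connecting to a hosted LLM endpoint. Key formats, log
layout, allowlist and hostnames are assumptions for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed hostnames of the public inference APIs the report names.
LLM_API_HOSTS = {
    "generativelanguage.googleapis.com",  # Google Gemini API
    "api-inference.huggingface.co",       # Hugging Face Inference API
    "api.openai.com",                     # OpenAI API (incl. Assistants)
}

# Processes that legitimately reach these hosts in this (assumed) environment.
ALLOWED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Rough shapes of vendor API keys (prefix plus typical length); tune locally.
KEY_PATTERNS = {
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "huggingface_token": re.compile(r"\bhf_[A-Za-z0-9]{30,}\b"),
    "openai_api_key": re.compile(r"\bsk-[A-Za-z0-9_\-]{20,}\b"),
}


def mask(secret: str) -> str:
    """Keep enough of a key to correlate it without logging it in full."""
    return secret[:6] + "..." + secret[-4:]


def find_hardcoded_keys(script_text: str) -> list[tuple[str, str]]:
    """Return (label, masked_key) for every API-key-shaped string in a script."""
    hits = []
    for label, pattern in KEY_PATTERNS.items():
        for m in pattern.finditer(script_text):
            hits.append((label, mask(m.group(0))))
    return hits


@dataclass(frozen=True)
class EgressHit:
    timestamp: str
    host: str
    process: str
    destination: str


def flag_llm_egress(log_lines, allowed=ALLOWED_PROCESSES) -> list[EgressHit]:
    """Flag LLM-API connections from processes that should not need them.

    Assumed log layout (one record per line, whitespace separated):
    <timestamp> <host> <process> <destination_host> <port> <method>
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or truncated records
        ts, host, process, dst = parts[:4]
        if dst.lower() in LLM_API_HOSTS and process.lower() not in allowed:
            hits.append(EgressHit(ts, host, process, dst))
    return hits


# Constructed sample inputs (not real samples, not real keys).
SAMPLE_SCRIPT = r"""
' Constructed VBScript fragment in the style the report describes
apiKey = "AIzaSyA0b1C2d3E4f5G6h7I8j9K0l1M2n3O4p5Q"
url = "https://generativelanguage.googleapis.com/v1beta/models/" & model & ":generateContent?key=" & apiKey
Set http = CreateObject("MSXML2.XMLHTTP")
http.Open "POST", url, False
"""

SAMPLE_LOG = """\
2025-06-12T10:14:03Z host01 wscript.exe generativelanguage.googleapis.com 443 POST
2025-06-12T10:15:07Z host02 chrome.exe api.openai.com 443 POST
2025-06-12T10:16:11Z host03 python.exe api-inference.huggingface.co 443 POST
2025-06-12T10:17:45Z host04 outlook.exe login.microsoftonline.com 443 POST
"""

if __name__ == "__main__":
    for label, key in find_hardcoded_keys(SAMPLE_SCRIPT):
        print(f"hard-coded {label}: {key}")
    for hit in flag_llm_egress(SAMPLE_LOG.splitlines()):
        print(f"{hit.timestamp} {hit.host}: {hit.process} -> {hit.destination}")
```

Run against the constructed inputs, the script reports the Google-style key in the VBScript and flags the wscript.exe and python.exe connections while ignoring the browser and the non-LLM destination. The egress check is the more durable of the two: an allowlist by process is cheap to maintain, and a hard-coded key found in a script is also a lead for the provider to revoke, which is what both Google and OpenAI did in the cases above.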