Artificial intelligence is rapidly reshaping the cybersecurity battlefield. While defenders embrace AI-driven detection and automation, threat actors are equally quick to weaponize the technology. The latest example is PROMPTFLUX, an experimental malware discovered by Google’s Threat Intelligence Group that pushes the boundaries of polymorphism into the era of AI-assisted, continuous self-regeneration.

PROMPTFLUX is not a fully functional attack toolkit yet—but it demonstrates exactly where the cyber threat landscape is heading: malware capable of rewriting itself on demand using large language models (LLMs), evading traditional detection mechanisms and blurring the line between static malicious code and autonomous agents.

In this deep analysis, we examine how PROMPTFLUX works, its implications, and the broader rise of AI-powered attacker tooling.

What PROMPTFLUX Does: Polymorphism Meets LLM Automation

Traditional polymorphic malware has existed for decades. What makes PROMPTFLUX unique is how it integrates modern AI into its regeneration loop.

Key capabilities identified by Google:

• Written in VBScript and designed to run on Windows systems
• Communicates with Gemini 1.5 Flash or later
• Uses a hard-coded API key to contact Gemini and request new source code
• Asks the LLM specifically for:
  • Obfuscation
  • Evasion techniques
  • Code regeneration
• Saves the AI-generated script into the Windows Startup folder
• Attempts to propagate via removable media and network shares
• Maintains logs of the LLM’s responses for debugging and refinement

Although one core function, AttemptToUpdateSelf, is commented out, the intent is unmistakable: to create a self-modifying script that evolves in near real-time, bypassing static signatures and increasing the workload for defenders.

This is not traditional malware. It is malware with an API, pulling fresh code from an AI model whenever necessary.

The “Thinking Robot”: Just-in-Time Metamorphism

PROMPTFLUX contains a component called Thinking Robot. Its purpose:

1. Query the LLM periodically

2. Request specific evasion-focused VBScript

3. Replace its own code with the newly generated version

This is fundamentally different from classical polymorphism where obfuscation is predetermined and embedded in the malware. PROMPTFLUX externalizes the mutation process to a cloud AI model.

That means:

• Every regeneration is unpredictable
• Every copy may be unique
• Signature-based detection becomes almost irrelevant
• AI becomes part of the attacker’s operational infrastructure

This is early-stage, but it is the beginning of a major shift.

Important Reality Check: It Is Not (Yet) a Fully Functional Threat

Security researchers have noted several important limitations:

• No confirmed exploitation or delivery mechanism
• No confirmed capability to compromise or escalate access
• Regeneration function currently disabled
• The malware assumes the AI “knows” how to evade AV engines
• No guaranteed entropy in mutations
• No validation of the generated script’s correctness

This is important: PROMPTFLUX is under development, not yet dangerous in the wild.

But this prototype shows attackers are actively experimenting with LLM-powered malware design.

Similar AI-Driven Malware Experiments

PROMPTFLUX is not an isolated case. Google and other intelligence sources have observed several AI-assisted malicious tools:

FRUITSHELL

A PowerShell reverse shell that embeds prompts to bypass LLM-powered security filters.

PROMPTLOCK

A proof-of-concept ransomware in Go that uses AI to generate malicious Lua payloads at runtime.

PROMPTSTEAL / LAMEHUG

Used by APT28 (Russia). Queries LLMs for command sequences, exfiltration techniques, and execution strategies.

QUIETVAULT

A JavaScript stealer targeting GitHub/NPM developer credentials with automated script adjustments.

Gemini misuse examples

Major state-sponsored actors (China, Iran, North Korea) have already abused AI models for:

• reconnaissance
• phishing lure generation
• code obfuscation
• C2 development
• social engineering
• infrastructure design
• data exfiltration planning

Some used clever pretexts (e.g., “this is for a CTF challenge”) to bypass guardrails.

State-Sponsored Abuse: A Rapidly Escalating Threat

Google identified multiple espionage groups misusing Gemini for:

1. China-linked operations

• Reconnaissance on targets
• C2 infrastructure design
• Payload development
• Phishing kit optimization

2. Iran: APT41, APT42, and MuddyWater

• Obfuscation assistance
• Code for C2 frameworks
• Development of remote execution implants
• Advanced phishing scenarios using AI-written content

3. North Korea: UNC1069 / TraderTraitor

• Cryptocurrency theft mechanisms
• Social engineering lures
• Fake software updates
• Deepfake-enhanced video phishing
• Custom backdoors such as BIGMACHO

The shift is unmistakable: AI is now a standard tool in the attacker’s workflow.

Why PROMPTFLUX Matters Even if It Is Not Yet Dangerous

PROMPTFLUX represents a conceptual breakthrough:

✔ Malware no longer needs to embed its obfuscation

✔ Mutation can occur externally, via AI

✔ Regeneration can happen hourly

✔ Every sample may be unique

✔ Attackers can scale their tooling without coding skills

This is a preview of AI-driven, self-adapting cyber weapons.

The barrier to entry for creating advanced malware is collapsing.

What CISOs Must Do Now: Strategic Recommendations

1. Strengthen behavioral detection

Static signatures will fail against AI-driven polymorphism.
Focus on:

• process-level anomaly detection
• script execution monitoring
• LLM-behavior misuse analytics
• user-level behavior baselining

2. Implement AI-assisted threat detection

If attackers automate, defenders must automate too.
Adopt platforms that:

• cluster variants
• detect mutation patterns
• correlate anomalous script generation
• identify unusual API calls to AI endpoints

3. Monitor outbound AI API usage

Organizations should treat AI model traffic similar to:

• TOR connections
• unknown C2 channels
• unusual cloud API calls

4. Apply strong policy around AI usage

Define strict rules for:

• model access
• API key management
• prompt monitoring
• endpoint AI interactions

5. Adopt zero-trust for scripting environments

VBScript, PowerShell, and JavaScript remain preferred tools for AI-assisted malware.

Harden:

• script execution policies
• endpoint isolation
• code-signing requirements
• application control (allowlisting)

6. Prepare for “Prompt Injection Warfare”

Attackers increasingly manipulate:

• AI guardrails
• model behavior
• downstream automated systems

Defensive AI pipelines must include:

• prompt sanitization
• model input validation
• anomaly scoring for AI responses

The Bigger Picture: AI Malware Will Become the Norm

PROMPTFLUX shows that AI-enabled malware is not the future—it has already begun.
Even though this specific sample is incomplete, its design philosophy is the real warning sign.

Adversaries will transition from occasional AI use to full AI dependency.

Attacks will scale in speed, automation, and mutation.

The cybersecurity landscape will enter a period of rapid acceleration.

Defenders must adapt now.