PROMPTFLUX: The Era of Self-Rewriting Malware and AI-Driven Cyber Evasion
By Ryan Wentzel
11 Min. Read#Malware#Cybersecurity#Incident Anatomy#Threat Intelligence
Table of Contents
- The Metastasis of Malware
- The Tactical Choice of VBScript
- Technical Architecture: Deconstructing the Metamorphic Engine
- PROMPTFLUX Technical Characteristics
- The Threat Actor Profile
- The New AI Threat Landscape
- LLM-Driven Malware Comparison
- Defensive Strategies Against Metamorphic Threats
- Conclusion and Forward Outlook
- Key Takeaways for Security Professionals
- References
The Metastasis of Malware
The history of offensive cybersecurity is marked by an ongoing arms race between static signature analysis and dynamic code generation. Malware evolution has progressed through stages: from simple, fixed payloads to polymorphic variants that alter their structure slightly, and further to metamorphic code that completely rewrites itself using internal randomization engines.
The discovery of PROMPTFLUX by the Google Threat Intelligence Group (GTIG) in November 2025 marks a profound shift—representing the next evolutionary jump: the integration of Generative AI as an Operational Evasion Component. This new methodology enables true, continuous, external-driven metamorphism, profoundly challenging traditional security paradigms.
PROMPTFLUX is an experimental Visual Basic Script (VBScript) malware that interacts directly with the Gemini AI model API to request continuous self-modification of its own source code for improved obfuscation and evasion. This groundbreaking capability—embedding an AI call mid-execution to dynamically alter the program's behavior—immediately flagged PROMPTFLUX as highly significant, indicating that threat actors are transitioning from using Large Language Models (LLMs) merely for technical assistance toward embedding AI functionality directly within the operational kill chain.
The Tactical Choice of VBScript
A significant observation regarding PROMPTFLUX is the tactical decision to write the malware in VBScript—a relatively old, frequently deprecated scripting language. However, this choice serves a specific strategic purpose: combining a legacy attack vector with advanced mutability.
Modern Endpoint Detection and Response (EDR) tools often prioritize high-risk process monitoring for executables or contemporary scripting environments like PowerShell and Python. VBScript can often avoid strict behavioral filters designed for newer threats. By marrying the low-profile presence of VBScript with hourly AI-driven obfuscation, the authors have engineered a threat that is simultaneously low-signature and highly adaptive.
This strategic pairing highlights a retro-modern adversarial approach—utilizing trusted, legacy system components that are often "allowlisted" by default, then arming them with next-generation evasion capabilities to maximize stealth and persistence.
Technical Architecture: Deconstructing the Metamorphic Engine
The Architecture of Evasion
The primary role of PROMPTFLUX is that of a dropper, designed to decode and execute an embedded decoy installer using lures like "crypted_ScreenRec_webinstall" to mask its true activity.
To ensure resilience across system restarts, the malware establishes persistence by writing newly generated, obfuscated variants to the Windows Startup folder. Furthermore, PROMPTFLUX incorporates basic propagation capabilities, attempting to spread laterally by copying itself to both removable drives and mapped network shares.
The "Thinking Robot" Component
The functional innovation defining PROMPTFLUX resides within its self-modification component, originally dubbed the "Thinking Robot". This function is responsible for periodic querying of the Google Gemini API, enabling the malware's "just-in-time" self-modification capability.
The mechanism operates by leveraging the gemini-1.5-flash-latest LLM model. The use of the -latest tag ensures maximum operational resilience by always calling the most current stable release, protecting against potential API deprecation. A hard-coded API key embedded within the VBScript authenticates and sends queries to the Gemini API endpoint.
The prompt sent to the LLM is highly engineered:
Act as an expert VBScript obfuscator. Generate new VBScript code
specifically tailored for antivirus evasion. Output ONLY the new
VBScript code itself, without any conversational elements or
markdown formatting.
This stringent requirement ensures that the LLM response is directly executable by the VBScript host process, minimizing parsing errors and maximizing mutation efficiency.
The Self-Regeneration Loop
The core objective is the execution of a recursive cycle of mutation, wherein the LLM is instructed to rewrite the entire source code hourly. For this loop to succeed, the newly generated variant must recursively embed three crucial elements:
- The original decoy payload
- The hard-coded API key for subsequent LLM calls
- The complete self-regeneration logic
Although the primary self-modification function, AttemptToUpdateSelf, was found to be commented out in certain samples, its presence—coupled with active logging to %TEMP%\thinking_robot_log.txt—unambiguously confirms the author's developmental goal: creation of fully metamorphic, continuously evolving malware.
Development Status and API Dependency
GTIG assessed the observed samples as being in a development or testing phase. While current samples were not judged to possess the ability to successfully compromise a victim network, they serve as a crucial early indicator of how malicious operations will augment future campaigns using AI.
The externalization of complex code generation to a cloud LLM API introduces an inherent defensive vulnerability. The core attack vector shifts from being an internal file signature problem to a highly consistent network signature problem: the VBScript process initiating encrypted HTTPS traffic to a specific, known LLM API endpoint using a hard-coded, high-entropy token.
PROMPTFLUX Technical Characteristics
| Feature | Technical Detail | Implication for Defenders |
|---|---|---|
| Core Language | Visual Basic Script (VBScript) | Utilizes legacy scripting for low-signature, LOLBin-style operation |
| Primary Mechanism | LLM-Driven Metamorphism/Self-Obfuscation | Evades static signature detection; requires behavioral analysis (IOAs) |
| Target LLM | Gemini 1.5 Flash (or later) via API | Relies on external, centralized service; creates high-fidelity network IoA |
| Operational Intent | Hourly Code Rewrite | Establishes recursive mutation cycle, maximizing operational dwell time |
| Artifacts/Logging | %TEMP%\thinking_robot_log.txt | Provides forensic evidence of LLM interaction and tested evasion strategies |
| Current Status | Experimental/Development Phase | Capabilities may rapidly evolve; defense must be proactive |
The Threat Actor Profile
Attribution and Motive Assessment
As of initial reporting, PROMPTFLUX remains officially unattributed to a specific named threat actor. However, analysis of operational characteristics provides strong indications.
Lures such as "crypted_ScreenRec_webinstall" suggest a broad, geography- and industry-agnostic approach designed to maximize volume. This behavior is highly characteristic of financially motivated actors and organized cybercrime groups, contrasting with the highly targeted approaches of state-sponsored APTs.
The Democratization of Advanced Malware
The assessment that PROMPTFLUX is likely employed by a financially motivated group is more significant than specific attribution. This development signals a dangerous collapse in the barrier to entry for highly adaptive malware capabilities.
Historically, truly metamorphic malware required complex internal code generation, knowledge of compiler design, and sophisticated anti-analysis techniques—restricted to elite developers or state-backed groups. PROMPTFLUX subverts this complexity by externalizing the entire function of obfuscation and mutation to a readily available commercial LLM API.
If financially motivated actors can reliably generate novel, highly evasive code using simple API calls, then metamorphic capabilities are effectively democratized. Sophisticated, adaptive threats are no longer the exclusive domain of APTs but are now manufactured and deployed by organized cybercrime groups.
The New AI Threat Landscape
PROMPTFLUX is not an isolated incident but the clearest technical evidence yet of a paradigm shift in how threat actors leverage generative AI, moving beyond simple code assistance toward deeply embedding LLMs into core operational mechanics.
The Strategic Shift: LLM-as-a-Component
The discovery confirmed that threat actors moved past the 2024 baseline use of AI tools for technical support ("vibe coding"). PROMPTFLUX demonstrates a code family that employs AI capabilities mid-execution to dynamically alter behavior. The LLM is now treated as a core software component, providing computing resources for critical malicious functions like evasion and command generation.
Comparative Analysis: Other LLM-Enabled Threats
PROMPTSTEAL: Linked to Russian state-sponsored actor APT28 (Fancy Bear), this malware uses the Hugging Face API to query the Qwen2.5-Coder-32B-Instruct model. While PROMPTFLUX uses AI for dynamic packaging (obfuscation), PROMPTSTEAL uses AI for dynamic payload generation (generating Windows commands to collect specific data).
QUIETVAULT: A credential stealer focused on GitHub and NPM tokens, relying on AI prompts combined with on-host installed AI CLI tools to search for and exfiltrate secrets. This demonstrates "Living Off The Land" by leveraging AI tools locally installed on the victim's machine.
FRUITSHELL: A reverse shell containing hard-coded prompts designed to bypass detection by security systems that themselves use LLMs for analysis.
PROMPTLOCK: Ransomware that uses an LLM to dynamically generate and execute malicious Lua scripts at runtime.
LLM-Driven Malware Comparison
| Malware Family | Primary Function | LLM Misuse Mechanism | Target LLM/API | Attribution |
|---|---|---|---|---|
| PROMPTFLUX | Dropper/Obfuscator (Metamorphic) | Queries API for VBScript code rewriting (Real-time Evasion) | Google Gemini API (1.5 Flash) | Financially Motivated (Suggested) |
| PROMPTSTEAL | Data Miner/Exfiltrator | Queries API to generate Windows commands (Dynamic Payload) | Hugging Face API (Qwen2.5-Coder-32B-Instruct) | APT28 (Fancy Bear), State-Sponsored |
| QUIETVAULT | Credential Stealer | Uses on-host AI CLI tools and prompts to locate secrets | On-host/Local AI CLI Tools | Unknown; focuses on GitHub/NPM tokens |
| FRUITSHELL | Reverse Shell | Contains hard-coded prompts for security system bypass | N/A (Targets LLM-based defense) | Observed in Operations |
Weaponization of API Consumption
The central theme connecting these threats is the weaponization of legitimate, commercial API consumption. Instead of proprietary C2 infrastructure, these threats outsource their most demanding cognitive functions—code generation and command structure—to commercial LLM cloud services.
This externalization means the core offensive capability is maintained and hosted by a major technology company, creating an unusual defensive paradox where the LLM provider's security and policy enforcement become a critical defense layer for the enterprise.
Defensive Strategies Against Metamorphic Threats
The threat posed by PROMPTFLUX necessitates an immediate transition away from outdated, signature-based security models. Traditional Indicators of Compromise (IoCs), such as file hashes, are instantly rendered useless by malware that dynamically rewrites its entire source code hourly.
Shifting to Behavioral Indicators of Attack (IOAs)
Effective defense must prioritize detection of Indicators of Attack (IOAs)—the consistent, observable steps in a malicious sequence, irrespective of continually changing underlying code. The IOA chain for PROMPTFLUX is highly distinctive:
- Execution of a VBScript file (
wscript.exeorcscript.exe) - The VBScript process initiates unusual, encrypted outbound HTTPS connection
- The connection targets a known LLM API domain (e.g.,
api.gemini.google.com) - The VBScript process writes a new, obfuscated version to a critical system directory (Startup folder) and attempts to re-execute or copy to network shares
This sequence of behavior is static and reliable, even if file content is polymorphic, offering a reliable detection point.
Endpoint Detection and Response (EDR) Measures
Security teams must tune their EDR and XDR platforms to identify anomalous behavioral chains:
Scripting Engine Monitoring: Implement high-fidelity monitoring for wscript.exe and cscript.exe when they attempt unusual network connections or execute secondary system commands.
Decoy File Artifacts: Actively monitor for creation of %TEMP%\thinking_robot_log.txt, which serves as a unique and highly reliable IoC.
LOLBin Defense: Strengthen detection rules for malicious misuse of legitimate system tools (LOLBins), as this category is frequently exploited for low-signature evasion.
Network Defense and API Governance
Because the malware's power derives from an external cloud dependency, network defense strategies focusing on API consumption governance are highly effective:
API Domain Control: Deploy network security controls to monitor, alert on, or potentially block all programmatic access attempts to major LLM API domains when initiated by non-authorized or atypical internal processes.
API Key Monitoring: Organizations must actively monitor threat intelligence sources and dark web repositories for evidence of leaked or stolen API keys associated with LLM services, as disruption of these keys can immediately cripple operational campaigns.
Outbound Traffic Analysis: Implement deep packet inspection or flow monitoring to identify recurring, high-volume (e.g., hourly), encrypted network requests to known LLM endpoints from processes not legitimately associated with software development workflows.
Hardening the LLM Ecosystem
Defense requires a dual approach involving both the LLM provider and the end-user organization:
Provider Interdiction: LLM providers play a vital role by disabling associated assets and strengthening internal safety classifiers to refuse assistance with requests involving malicious code development.
Defense-as-Policy (Zero Trust): Organizations must implement robust Zero Trust application and process control. Application whitelisting should strictly limit legacy scripting engines to execute only in highly controlled environments. Policy enforcement should apply least-privilege access, particularly for processes that attempt to modify critical system files or save executable content to system directories.
Conclusion and Forward Outlook
The PROMPTFLUX malware is a watershed event in cyber conflict. Its analysis confirms the tactical shift from LLMs being used as development tools to their integration as real-time, operational components of metamorphic malware.
While initial samples were categorized as experimental and potentially driven by financially motivated actors, the underlying technical capability—AI-driven, recursive code regeneration—is mature, highly effective for evasion, and easily adapted for more nefarious state-sponsored goals.
The Immediate Challenge
The urgent challenge for the security community is adaptation of EDR and XDR platforms. Reliance on static file analysis is obsolete. Future defenses must identify complex behavioral chains (IOAs) that specifically link scripting engine execution with suspicious, repetitive, programmatically generated network traffic destined for commercial cloud AI services.
Future Evolution
Security analysts project rapid evolution of this threat. Future variants will likely:
- Move beyond VBScript to leverage less-monitored environments
- Integrate LLM-driven code generation into complex, multi-stage attacks
- Utilize on-device AI CLI tools to bypass network detection entirely
The intelligence community must proactively track this evolution, focusing on API consumption patterns and the resilience of LLM safety controls.
Key Takeaways for Security Professionals
- Signature-based detection is dead against AI-driven metamorphic malware
- Behavioral monitoring is critical: Focus on IOAs, not IoCs
- API governance is paramount: Treat LLM API usage with the same scrutiny as C2 traffic
- Network monitoring must evolve: Watch for scripting processes making programmatic calls to LLM endpoints
- Zero Trust is essential: Limit legacy scripting engines through strict application whitelisting
- The barrier to entry has collapsed: Sophisticated malware is now democratized through LLM APIs
The era of AI-driven cyber evasion has arrived. Organizations that fail to adapt their defensive posture from signature-based to behavior-based detection will find themselves defenseless against this new generation of threats.
References
- Google Threat Intelligence Group (GTIG) AI Threat Tracker
- Google Cloud Blog: Advances in Threat Actor Usage of AI Tools
- The Hacker News: PROMPTFLUX Discovery Report
- arXiv: Living Off the LLM: How LLMs Will Change Adversary Tactics
- Palo Alto Networks: Complete Guide to Understanding Indicators of Compromise
- CrowdStrike: Endpoint Detection & Response Defined
- Google AI for Developers: Gemini API Safety Guidance
About Ryan Wentzel
Ryan previously served as a PCI Professional Forensic Investigator (PFI) of record for 3 of the top 10 largest data breaches in history. With over two decades of experience in cybersecurity, digital forensics, and executive leadership, he has served Fortune 500 companies and government agencies worldwide.
