Artificial Intelligence & Machine Learning
,
Next-Generation Technologies & Secure Development
Google Details How Attackers Could Use LLMs to Mutate Scripts
Malware authors are experimenting with a new breed of artificial intelligence-driven attacks, built around code that could rewrite itself as it runs. Large language models let hackers generate, modify and execute commands on demand instead of relying on static payloads.
AI malware is still largely experimental, with many of the documented samples lacking the reliability or persistence of traditional threats, said researchers at Google Threat Intelligence Group. But they show how generative models can be weaponized to shorten development cycles, automate obfuscation and introduce unpredictability into attack patterns.
One malware family, dubbed PromptFlux by Google, uses Gemini’s API to produce new versions of its own VBScript at regular intervals. The malware includes modules that issue prompts such as “Act as an expert VBScript obfuscator” and instruct the model to return only executable code. The intent of PromptFlux is to create a self-modifying system that continually changes its digital fingerprints to evade detection, Google researchers said.
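Google did not publish PromptFlux’s source, but the pattern the researchers describe boils down to an ordinary API call. The minimal Python sketch below, written against the public google-generativeai SDK, illustrates only that generic pattern: send a rewrite prompt, keep the returned code. The model name, the prompt wording beyond the quoted phrase and the harmless sample script are illustrative assumptions, and the sketch deliberately does not save, schedule or execute anything.

```python
# Illustrative only: the generic "ask a model to rewrite a script" API pattern
# described in the report, run against a harmless sample snippet. Nothing is
# saved, scheduled or executed.
import os

import google.generativeai as genai

genai.configure(api_key=os.environ["GEMINI_API_KEY"])
model = genai.GenerativeModel("gemini-1.5-flash")  # placeholder model name

SAMPLE_VBSCRIPT = 'MsgBox "Hello, world"'  # benign stand-in for a payload

prompt = (
    "Act as an expert VBScript obfuscator. "  # phrasing quoted in the report
    "Return only executable VBScript, with no commentary:\n\n"
    + SAMPLE_VBSCRIPT
)

response = model.generate_content(prompt)
print(response.text)  # PromptFlux reportedly writes output like this back to disk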
Another sample, dubbed PromptSteal, takes the concept further by blending AI automation with data theft. Disguised as an image generator, the tool queries a hosted model for one-line Windows commands that it runs locally to collect and exfiltrate information. The model’s output functions as a live command engine, giving the malware an adaptable control layer without hard-coded instructions.
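The researchers did not release that tool either; the sketch below, assuming a model hosted behind the Hugging Face Inference API, only illustrates the query-for-a-command loop they describe. The model ID and prompt are placeholders, and the sketch prints the model’s suggestion rather than running it.

```python
# Illustrative only: the "query a hosted model for a one-line command" pattern
# described above. The suggestion is printed, not executed.
from huggingface_hub import InferenceClient

client = InferenceClient(model="Qwen/Qwen2.5-Coder-32B-Instruct")  # placeholder model ID

prompt = (
    "Reply with a single one-line Windows cmd.exe command that prints basic "
    "system information. Output the command only, nothing else."
)

reply = client.chat_completion(
    messages=[{"role": "user", "content": prompt}],
    max_tokens=64,
)
suggestion = reply.choices[0].message.content.strip()
print("Model-suggested command:", suggestion)
# A PromptSteal-style tool would hand a line like this to the shell and forward
# the output to its operator; this sketch deliberately stops at printing it.
```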
Google also uncovered QuietVault, a JavaScript-based credential stealer that uses local AI command-line interfaces to search for access tokens and publish them to GitHub. A separate proof-of-concept, dubbed PromptLock, shows attackers testing ransomware that generates and runs model-written Lua scripts at runtime.
A common architecture ties these examples together: each keeps minimal code on the victim’s machine and depends on calls to a model. That design lowers the chance of signature-based detection while enabling attackers to update behavior remotely, as easily as revising a prompt.
Google researchers said that most of these experiments are unfinished or under testing. Some samples include commented code and limited API functionality, suggesting developers are still refining how to sustain model sessions and handle failures.
In the case of PromptFlux, the threat actor attempted to get Gemini to generate new logic for the malware to use later. It’s unlikely that this would have worked in an operational capacity, as those specific prompts would have triggered safety controls, said Steve Miller, a Google AI threats tech lead. Threat actors, too, are experimenting with AI tools “just like everyone else,” he told Information Security Media Group in an emailed response.
“We’re seeing actors leverage AI tools to fill in the gaps and assist in scaling out existing capabilities. While some of the latest threat activity makes novel use of AI, such as with malware like PromptSteal, we’re not seeing actors use LLMs to generate ‘breakthrough’ capabilities or seriously accelerate their ability to identify and operationalize exploits,” he said. “The majority of actor use falls in the realm of productivity gain.”
The shift introduces a new social engineering layer. Attackers are learning to manipulate model safeguards by crafting deceptive prompts. In several cases, operators posed as cybersecurity students or capture-the-flag participants to coax the model into providing restricted or potentially dangerous code.
Underground marketplaces are moving quickly to commercialize this kind of model integration. Listings on known cybercrime forums advertise generative AI modules for phishing, deepfake production and malware creation. Subscription-based services promise regular updates and API access, mirroring legitimate software business models but applied to attack tools.
Analysts tracking state-aligned activity have also observed early testing across multiple regions. Russian-linked groups have used model-assisted data-gathering utilities, Iranian operators are experimenting with language-to-SQL automation tools, and North Korean actors have incorporated deepfake profiles and AI-enhanced lures into cryptocurrency campaigns. In China, interest appears to center on reconnaissance and infrastructure targeting, with AI tools being trialed for tasks such as vulnerability discovery in Kubernetes environments.
Threat actors often try to blend in with their victim environments, and as organizations adopt AI tooling and services, capable threat actors may similarly embrace AI in their malware because it offers an additional degree of stealth, Miller said. “Given the speed of modern AI services, there is much capability to gain and little performance to lose by using AI models and services,” he said.
