Google Uncovers PROMPTFLUX Malware That Uses Gemini AI to Rewrite Its Code Hourly

Google Uncovers PROMPTFLUX Malware Using Gemini AI

Google revealed a new malware called PROMPTFLUX that leverages its Gemini artificial intelligence (AI) to rewrite its own code hourly, enhancing its ability to evade detection.

How PROMPTFLUX Operates

PROMPTFLUX is a Visual Basic Script (VBScript) malware developed by an unknown threat actor. It calls the Gemini AI model API to generate and modify its own source code. This interaction lets the malware apply advanced obfuscation and evasion techniques, making static signature-based detection more difficult.

"PROMPTFLUX is written in VB Script and interacts with Gemini's API to request specific VBScript obfuscation and evasion techniques to facilitate 'just-in-time' self-modification, likely to evade static signature-based detection," said the Google Threat Intelligence Group (GTIG).

"Thinking Robot" Component

The malware includes a "Thinking Robot" feature that regularly queries Gemini (version 1.5 Flash or later) to obtain updated code snippets. Using a hard-coded API key, it sends precise, machine-readable prompts requesting VBScript modifications focused on antivirus evasion and instructs the model to return only code in its response.

Persistence and Propagation

This discovery highlights how attackers are increasingly integrating AI models to create adaptive and resilient malware capable of dynamic self-modification.

Author's summary: PROMPTFLUX malware exploits Gemini AI to continuously rewrite its code, boosting evasion and persistence through automated, real-time self-modifications.


The Hacker News — 2025-11-06