
PROMPTFLUX Gemini self-modifying VB Script malware

Malware Activity
Happening score: 16
1 unique source, 1 article

Summary


The PROMPTFLUX malware family uses the Gemini API to generate VB Script obfuscation and evasion code for just-in-time self-modification, weakening static signature-based detection. It also writes regenerated copies to the Windows Startup folder for persistence and tries to spread through removable drives and mapped network shares. The sample appears to be under development, but its design shows an emerging malware workflow that can adapt while running.

Related Happenings

PromptSpy backdoor for Android with Gemini API automation

Malware Activity
First: 11.05.2026 16:02 Last: 11.05.2026 16:02 Sources 1

About this happening: The **PromptSpy** backdoor for **Android** was highlighted for using **Gemini APIs** to automate device interaction, increasing the risk of unauthorized control on infected phones...

Quasar Linux (QLNX) Linux RAT targeting developer credentials

Malware Activity
First: 06.05.2026 12:48 Last: 06.05.2026 12:48 Sources 1

About this happening: The **Quasar Linux (QLNX)** RAT has been identified as a **Linux backdoor** that can steal **developer credentials** and compromise software-supply-chain publishing pipelines. It...

ABCDoor backdoor activity in Silver Fox attacks

Malware Activity
First: 04.05.2026 14:35 Last: 04.05.2026 14:35 Sources 1

About this happening: The newly identified **ABCDoor** backdoor is being used in **real-world attacks** by **Silver Fox**, expanding the group's malware set and increasing the risk of covert remote acc...

EtherRAT malicious MSI loader with Ethereum-based C2

Malware Activity
First: 30.04.2026 14:30 Last: 30.04.2026 14:30 Sources 1

About this happening: The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...

PromptSpy Android malware with Gemini-assisted persistence and spyware capabilities

Malware Activity
First: 20.02.2026 00:36 Last: 20.02.2026 00:36 Sources 1

About this happening: The **PromptSpy** Android malware family now stands out as the first known **Android malware** to use **Google Gemini** at runtime, letting it adapt app-pinning steps across devic...

Timeline

  1. 05.11.2025 17:33 2 articles · 6mo ago

    PROMPTFLUX Gemini self-modification analysis

    Technical Analysis Update

    Google Threat Intelligence Group discovered PROMPTFLUX, an experimental VBScript malware that uses the Gemini API to request VBScript obfuscation and evasion code for just-in-time self-modification. A hard-coded API key is used to send prompts to the Gemini API endpoint, and the AI responses are actively logged to %TEMP%\thinking_robot_log.txt. The malware also saves obfuscated copies to the Windows Startup folder for persistence and attempts propagation through removable drives and mapped network shares. The sample appears to be under development or testing and currently lacks a confirmed means to compromise a victim network or device.
