PROMPTFLUX Gemini self-modifying VB Script malware
Malware Activity
Summary
Hide ▲
Show ▼
The PROMPTFLUX malware family uses the Gemini API to generate VB Script obfuscation and evasion code for just-in-time self-modification, weakening static signature-based detection. It also writes regenerated copies to the Windows Startup folder for persistence and tries to spread through removable drives and mapped network shares. The sample appears to be under development, but its design shows an emerging malware workflow that can adapt while running.
Related Happenings
AI-driven worm reasons at runtime and self-replicates across a 33-host test network
Technical Analysis
H score40
First: 09.06.2026 14:59
Last: 09.06.2026 14:59
Sources 1
About this happening:
Researchers demonstrated a **proof-of-concept AI-driven worm** that reasons at runtime and self-replicates, showing adaptive host-to-host spread across a **33-host** vulnerable te...
AI-driven worm reasons at runtime and self-replicates across a 33-host test network
Technical AnalysisAbout this happening: Researchers demonstrated a **proof-of-concept AI-driven worm** that reasons at runtime and self-replicates, showing adaptive host-to-host spread across a **33-host** vulnerable te...
PromptSpy backdoor for Android with Gemini API automation
Malware Activity
H score22
First: 11.05.2026 16:02
Last: 11.05.2026 16:02
Sources 1
About this happening:
The **PromptSpy** backdoor for **Android** was highlighted for using **Gemini APIs** to automate device interaction, increasing the risk of unauthorized control on infected phones...
PromptSpy backdoor for Android with Gemini API automation
Malware ActivityAbout this happening: The **PromptSpy** backdoor for **Android** was highlighted for using **Gemini APIs** to automate device interaction, increasing the risk of unauthorized control on infected phones...
Quasar Linux (QLNX) Linux RAT targeting developer credentials
Malware Activity
H score28
First: 06.05.2026 12:48
Last: 06.05.2026 12:48
Sources 1
About this happening:
The **Quasar Linux (QLNX)** RAT has been identified as a **Linux backdoor** that can steal **developer credentials** and compromise software-supply-chain publishing pipelines. It...
Quasar Linux (QLNX) Linux RAT targeting developer credentials
Malware ActivityAbout this happening: The **Quasar Linux (QLNX)** RAT has been identified as a **Linux backdoor** that can steal **developer credentials** and compromise software-supply-chain publishing pipelines. It...
ABCDoor backdoor activity in Silver Fox attacks
Malware Activity
H score23
First: 04.05.2026 14:35
Last: 04.05.2026 14:35
Sources 1
About this happening:
The newly identified **ABCDoor** backdoor is being used in **real-world attacks** by **Silver Fox**, expanding the group's malware set and increasing the risk of covert remote acc...
ABCDoor backdoor activity in Silver Fox attacks
Malware ActivityAbout this happening: The newly identified **ABCDoor** backdoor is being used in **real-world attacks** by **Silver Fox**, expanding the group's malware set and increasing the risk of covert remote acc...
EtherRAT malicious MSI loader with Ethereum-based C2
Malware Activity
H score23
First: 30.04.2026 14:30
Last: 30.04.2026 14:30
Sources 1
About this happening:
The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...
EtherRAT malicious MSI loader with Ethereum-based C2
Malware ActivityAbout this happening: The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...
Timeline
-
05.11.2025 17:33 2 articles · 8mo ago
PROMPTFLUX Gemini self-modification analysis
Technical Analysis UpdateGoogle Threat Intelligence Group discovered PROMPTFLUX, an experimental VB Script malware that uses the Gemini API to request VBScript obfuscation and evasion code for just-in-time self-modification, with a hard-coded API key sending prompts to the Gemini API endpoint and active logging of AI responses to %TEMP%\thinking_robot_log.txt; the malware also saves obfuscated copies to the Windows Startup folder for persistence and attempts propagation through removable drives and mapped network shares, while the sample appears to be under development or testing and currently lacks a confirmed means to compromise a victim network or device.
Show sources
- Google Uncovers PROMPTFLUX Malware That Uses Gemini AI to Rewrite Its Code Hourly — thehackernews.com — 05.11.2025 17:33
- Google Uncovers PROMPTFLUX Malware That Uses Gemini AI to Rewrite Its Code Hourly — thehackernews.com — 05.11.2025 17:33