PromptSteal and PromptFlux AI-enabled malware activity
Malware Activity
Summary
PromptSteal and PromptFlux now show how malware can use LLMs during execution to generate malicious code on demand, raising the risk of more adaptive evasion and theft. PromptSteal was observed in Ukraine with APT28, while PromptFlux uses self-regeneration and persistence tricks to spread and survive. The two families matter because they move beyond hard-coded payloads and can create commands, obfuscation, and exfiltration logic dynamically.
Related Happenings
PromptSpy backdoor for Android with Gemini API automation
Malware Activity
First: 11.05.2026 16:02
Last: 11.05.2026 16:02
Sources 1
About this happening:
The **PromptSpy** backdoor for **Android** was highlighted for using **Gemini APIs** to automate device interaction, increasing the risk of unauthorized control on infected phones...
ServiceNow Now Assist second-order prompt injection via agent discovery
Technical Analysis
First: 19.11.2025 11:59
Last: 19.11.2025 11:59
Sources 1
About this happening:
AppOmni showed that **ServiceNow Now Assist** can be abused through **second-order prompt injection**, letting attackers drive **unauthorized actions** across agent teams and expo...
PROMPTFLUX Gemini self-modifying VB Script malware
Malware Activity
First: 05.11.2025 17:33
Last: 05.11.2025 17:33
Sources 1
About this happening:
The **PROMPTFLUX** malware family uses the **Gemini API** to generate **VB Script** obfuscation and evasion code for just-in-time self-modification, weakening static signature-bas...
AI-powered malware families integrating LLMs during execution
Malware Activity
First: 05.11.2025 16:59
Last: 05.11.2025 16:59
Sources 1
About this happening:
Google's GTIG identified **multiple AI-powered malware families** that use **LLMs during execution**, signaling a shift toward malware that can adapt while running. The set includ...
WebSocket RAT and cptch Windows payload activity
Malware Activity
First: 22.10.2025 16:37
Last: 22.10.2025 16:37
Sources 1
About this happening:
A **cptch** download chain delivered a **WebSocket RAT** that enabled **remote command execution** and **data exfiltration** on **Windows** systems. The malware activity mattered...
Timeline
- 06.11.2025 11:45 · 2 articles · 6mo ago
Google reports PromptFlux and PromptSteal AI-powered malware activity
Initial Disclosure: Google Threat Intelligence Group reported that PromptFlux and PromptSteal use large language models during execution to dynamically generate malicious scripts and evade detection. PromptFlux uses the Google Gemini API to regenerate obfuscated VBScript for persistence and spreading, while PromptSteal uses Qwen2.5-Coder-32B-Instruct to create one-line Windows commands for collecting files and sending them to a command-and-control (C2) server. GTIG also said PromptSteal was observed being used by Russian actor APT28 in Ukraine, while PromptFlux is still being developed, and warned that AI-enabled malware is becoming more autonomous and adaptive.
Sources
- AI-Enabled Malware Now Actively Deployed, Says Google — www.infosecurity-magazine.com — 06.11.2025 11:45