Google Threat Intelligence Group (GTIG) reports that adversaries have progressed from using AI for productivity to deploying novel AI-enabled malware that dynamically alters behavior during execution, exemplified by families like PROMPTFLUX and PROMPTSTEAL. The report documents state-backed and criminal actors misusing Gemini and other LLMs across the attack lifecycle and details mitigations Google has taken, including disabling assets and strengthening model and classifier safeguards.
Key points
- GTIG identified “just-in-time” AI use in malware, where LLMs generate or rewrite malicious code during execution (examples: PROMPTFLUX, PROMPTSTEAL).
- Multiple malware families with AI capabilities were observed or analyzed: PROMPTFLUX (VBScript dropper), PROMPTSTEAL (Python data miner), PROMPTLOCK (Go ransomware), FRUITSHELL (PowerShell reverse shell), and QUIETVAULT (JavaScript credential stealer).
- Threat actors use social-engineering pretexts in prompts (e.g., CTF participant, student, researcher) to bypass LLM safety guardrails and obtain actionable guidance.
- State-backed groups (North Korea, Iran, PRC) and financially motivated actors are misusing Gemini and other LLMs across reconnaissance, phishing, C2 development, and exfiltration.
- An underground marketplace for AI tooling matured in 2025, offering services for deepfakes, malware generation, phishing kits, reconnaissance, and vulnerability exploitation.
- GTIG and Google took mitigations including disabling assets/accounts, applying intelligence to strengthen classifiers and models (Gemini), and sharing defensive best practices and frameworks (SAIF).
- Some AI-enabled malware observed is experimental or in development (e.g., PROMPTFLUX, PROMPTLOCK) while others were used in live operations (e.g., PROMPTSTEAL, QUIETVAULT, FRUITSHELL).
MITRE Techniques
- [T1059] Command and Scripting Interpreter – Malware used LLMs to generate and execute one-line commands and scripts on hosts, as shown by prompts requesting commands to collect system info and copy documents (“…Make a list of commands to create folder C:\Programdata\info and to gather computer information… Return only commands…”).
- [T1027] Obfuscated Files or Information – PROMPTFLUX used Gemini to rewrite and obfuscate its VBScript source to evade detection (“…requesting VBScript code for antivirus evasion and instructing the LLM to output only the code itself…”).
- [T1105] Ingress Tool Transfer – PROMPTFLUX decodes and executes an embedded decoy installer and saves regenerated obfuscated code to persistence locations like Startup to enable further payload execution (“…decodes and executes an embedded decoy installer… saving the new, obfuscated version to the Startup folder…”).
- [T1566] Phishing – Threat actors used LLMs to craft lure content and phishing messages, including multilingual social engineering for cryptocurrency theft and impersonation lures (“…generated lure material and other messaging related to cryptocurrency…”).
- [T1041] Exfiltration Over C2 Channel – PROMPTSTEAL and QUIETVAULT exfiltrated collected data and credentials to adversary-controlled servers or public repositories (e.g., GitHub) after LLM-generated collection commands executed (“…sends the collected data to an adversary-controlled server” and “exfiltrated via creation of a publicly accessible GitHub repository”).
- [T1609] Container and Resource Discovery – Actors misused Gemini to enumerate cloud and container environments (vSphere, Kubernetes) and generate commands to enumerate containers and pods (“…to generate commands for enumerating containers and pods…”).
- [T1490] Inhibit System Recovery – PROMPTLOCK’s proof-of-concept ransomware leverages LLMs to generate and execute encryption scripts across Windows and Linux (“…capabilities include filesystem reconnaissance, data exfiltration, and file encryption on both Windows and Linux systems.”).
Indicators of Compromise
- [File Names] example malware filenames and lures – “crypted_ScreenRec_webinstall” (used as social engineering decoy), decoy installer names in PROMPTFLUX samples.
- [APIs / Models] LLM models and endpoints used – “gemini-1.5-flash-latest” (Gemini API model referenced by PROMPTFLUX), “Qwen2.5-Coder-32B-Instruct” (model queried by PROMPTSTEAL via Hugging Face API).
- [File Paths] local artifacts and logs – “%TEMP%\thinking_robot_log.txt” (PROMPTFLUX logs AI responses), “C:\Programdata\info\info.txt” (target path used by PROMPTSTEAL to aggregate collected data).
- [Programming Languages / Packaging] contexts indicating build/packaging – PROMPTSTEAL packaged with PyInstaller (Python executable), PROMPTLOCK written in Go (cross-platform), PROMPTFLUX in VBScript, FRUITSHELL in PowerShell, QUIETVAULT in JavaScript.
- [Exfiltration Destinations] repository and C2 contexts – Public GitHub repository used to exfiltrate tokens (QUIETVAULT), adversary-controlled server for collected data (PROMPTSTEAL), and varied C2 methods referenced with evolving samples.
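A small hunt over endpoint telemetry for the file-path and model-name indicators above, plus the Startup-folder write described under T1105, as an added example (not code from GTIG or the report). The JSON event schema, rule names, script-host list and sample records are assumptions constructed for illustration.

```python
import json
import re

# Indicators from this page's IoC list, matched against lower-cased paths.
FILE_ARTIFACTS = [
    r"\\thinking_robot_log\.txt$",          # PROMPTFLUX log of AI responses in %TEMP%
    r"^c:\\programdata\\info\\info\.txt$",  # PROMPTSTEAL aggregation file
]
MODEL_STRINGS = ["gemini-1.5-flash-latest", "qwen2.5-coder-32b-instruct"]
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # assumption: VBScript hosts
STARTUP_DIR = "\\start menu\\programs\\startup\\"

def match_event(ev):
    """Return the names of the rules that one event record triggers."""
    hits = []
    path = ev.get("path", "").lower()
    text = (ev.get("cmdline", "") + " " + ev.get("content", "")).lower()
    image = ev.get("image", "").lower().rsplit("\\", 1)[-1]
    if ev.get("type") == "file_write":
        if any(re.search(p, path) for p in FILE_ARTIFACTS):
            hits.append("ioc_file_path")
        if image in SCRIPT_HOSTS and STARTUP_DIR in path and path.endswith(".vbs"):
            hits.append("script_host_writes_startup_vbs")
    if any(m in text for m in MODEL_STRINGS):  # weak alone: also legitimate dev use
        hits.append("llm_model_string")
    return hits

def scan(lines):
    """Scan JSON-lines telemetry; return (line_no, host, rules) for each hit."""
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records rather than abort the hunt
        if isinstance(ev, dict) and (rules := match_event(ev)):
            findings.append((n, ev.get("host", "?"), rules))
    return findings

# Constructed sample telemetry (hypothetical schema, not data from the report).
SAMPLE = [json.dumps(e) for e in [
    {"type": "file_write", "host": "ws01", "image": r"C:\Windows\System32\wscript.exe",
     "path": r"C:\Users\a\AppData\Local\Temp\thinking_robot_log.txt"},
    {"type": "file_write", "host": "ws01", "image": r"C:\Windows\System32\wscript.exe",
     "path": r"C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.vbs"},
    {"type": "process", "host": "ws02", "image": r"C:\Users\b\tool.exe",
     "cmdline": "tool.exe", "content": '{"model": "Qwen2.5-Coder-32B-Instruct"}'},
    {"type": "file_write", "host": "ws03", "image": "explorer.exe", "path": r"C:\Users\c\info.txt"},
]] + ["not json"]
```

Two hits on the same host (here `ws01`) are worth more than either alone; the model-name rule on its own mostly surfaces legitimate development activity.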
Read more: https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools/