In a major new development that highlights the increasing complexity and multifaceted nature of the threat landscape, Google’s Threat Intelligence Group (GTIG) has discovered a new wave of malware that modifies its own code using artificial intelligence (AI) while running on an infected computer. This new class of malware represents a significant step forward in malicious software, capable of adapting on the fly and staying under the radar in real-time, serving as a whole new kind of threat to cyber defences.
The Rise of “Thinking” Malware
An experimental Visual Basic Script (VBScript) malware , named PROMPTFLUX, was discovered by GTIG in early 2025. Unlike other threats, PROMPTFLUX has direct integration with Google’s Gemini AI language model through its API, enabling the malware to request new obfuscation and evasion code on demand, “just in time,” during an attack. This method, referred to as “just-in-time self-modification,” enables the malware to reach out to Gemini for new code snippets that give it the ability to evade antivirus detection techniques.
The ability to adapt is rooted in a “Thinking Robot” module of the malware. It sends obscure, machine-readable requests for Gemini, small VBScript functions designed to bypass security software. An even more state-of-the-art version of PROMPTFLUX attempts to make Gemini rewrite its own source code from scratch every hour, a programmatic reality analogous to Star Trek’s changeling or the Odo character from Deep Space Nine—a script that constantly metamorphoses and changes shape in response to static, signature-based defences.
While a few self-deletion functionalities in PROMPTFLUX were disabled or in the process of being implemented, the existence of such functionalities indicates that attackers are constructing malware that can evolve to be persistent and mutate on the spot within infected systems. The malware also creates persistence by dropping new obfuscated code variants into the Windows startup directory. It attempts to spread by copying itself to USB drives or network shares.
Broader AI-Enhanced Malware Landscape
PROMPTFLUX is only one example among a growing family of AI-powered malware identified by Google. Other families include:
- FRUITSHELL: A PowerShell reverse shell that uses hard-coded prompts to get around AI-based security checks.
- PROMPTLOCK: A cross-platform ransomware that uses AI to make harmful scripts while they are running.
- PROMPTSTEAL (LAMEHUG): Russian state-sponsored hackers used a data miner to steal information by dynamically creating commands.
- QUIETVAULT: A JavaScript credential thief that goes after GitHub and NPM tokens and uses AI to make it better.
- This change indicates that attackers and defenders are engaged in an ongoing arms race that is constantly evolving. AI is no longer just a means to make things easier or automate phishing attacks; it is now a partner in cybercrime, allowing malware to evolve and grow while it is running.
State-Sponsored and Financially Motivated Threat Actors
Google’s study once again brings the focus to the table that both nation-state sponsored attackers from countries such as Iran, North Korea, China, etc, and financially motivated cybercriminals are resorting to using such AI-backed methods. Nation-state actors are weaponizing AI to create polymorphic malware that can bypass even the most sophisticated defences, while profit-driven attackers are testing wide-geography, geography-agnostic campaigns based on AI’s inherent flexibility.
Although it’s still in the testing phase, PROMPTFLUX’s actions, such as using filenames linked to social engineering lures, suggest that it has a financial goal. Google has taken steps to stop this malware from accessing Gemini’s API and has removed related assets to stop it from spreading.
Challenges for Cybersecurity
The advent of AI-based, self-evolving malware creates entirely new challenges in cybersecurity. Classic antivirus techniques utilize signatures as an indicator of compromise; however, this approach is ineffective for malware that continually changes its code and behaviour. The dynamic characteristics of these AI-enabled attacks have inspired security defenders to employ a class of “AI” for defence, allowing them to sense and adjust to evolving attack techniques.
The GTIG report from Google states that this new type of malware represents an early yet important step toward more self-sufficient and adaptable malicious software. Companies and security experts need to prepare for an increasing number of attacks that utilize generative AI, making them harder to detect, harder to stop, and easier to spread.
This discovery underscores the urgent need to rethink cybersecurity defense architectures amid the AI arms race, as malicious actors push the boundaries of what malware can do using AI—transforming malware from static code into ever-evolving threats.