
AI Malware Evolves: Google Exposes New Wave of Self-Modifying, LLM-Powered Attacks

Google’s Threat Intelligence Group (GTIG) is warning that artificial intelligence is no longer just a tool for defenders — it’s becoming an active accomplice in cybercrime. In its latest report, the company outlines a new class of malware that uses large language models (LLMs) not just to assist development, but to rewrite itself dynamically during execution.


From Static Code to “Thinking” Malware


GTIG calls this technique “just-in-time self-modification.” It enables malicious code to evolve mid-execution — adapting in real time to evade antivirus detection or sandbox environments. The standout example, PromptFlux, is an experimental VBScript dropper that queries Google’s Gemini model for new code fragments while running.


“The most novel component of PROMPTFLUX is its ‘Thinking Robot’ module, designed to periodically query Gemini to obtain new code for evading antivirus software,” said Google’s researchers. The malware spreads via removable drives and network shares, suggesting early experiments in self-propagating AI logic.


Although Google has not linked PromptFlux to a specific threat actor, its behavior suggests a financially motivated group. The company has already disabled its Gemini API access and removed associated assets before the prototype could mature into a fully operational threat.


AI-Infused Malware Families Multiply


PromptFlux is only one of several AI-enhanced tools identified this year. FruitShell is a PowerShell reverse shell using hard-coded prompts to sidestep AI-driven malware analysis. QuietVault hunts GitHub tokens and API keys, leveraging local AI command-line interfaces to find and exfiltrate secrets. Meanwhile, PromptLock, an experimental ransomware written in Lua, can target Windows, macOS, and Linux — an unusually broad cross-platform design for a proof-of-concept.


These aren’t theoretical curiosities anymore. “Google has observed AI in use at every step of the chain,” said Max Gannon, Cyber Intelligence Team Manager at Cofense. “This includes using AI to generate convincing phishing emails, develop malware modules, modify code mid-execution to avoid detection, and even bypass LLM-based analysis.”


Adversaries Go Hands-On with Gemini


Beyond bespoke malware, GTIG uncovered direct misuse of Gemini by state-linked groups from China, Iran, and North Korea. These threat actors used the model to assist in crafting phishing lures, debugging code, and developing exploit chains.


A China-nexus actor disguised themselves as a capture-the-flag participant to extract exploit data. Iran’s MuddyCoast (UNC3313) impersonated a student to generate malware, inadvertently exposing its own command-and-control infrastructure. Another Iranian group, APT42, built a natural-language-to-SQL data mining agent. Meanwhile, China’s APT41 used Gemini to improve its C2 obfuscation framework, and North Korea’s Masan (UNC1069) applied it for crypto theft and multilingual deepfake campaigns.


Google has since revoked all known abusive accounts and reinforced Gemini’s safety guardrails to detect such manipulative prompts.


A Black Market for Synthetic Intelligence


In parallel, underground forums are now advertising AI-powered attack kits that read like legitimate SaaS product launches. Listings promise “workflow efficiency” and “automated campaign generation,” offering plug-and-play malware builders, reconnaissance modules, and deepfake generators. Some even integrate Discord bots or API tiers for premium customers.


According to Google, “many underground forum advertisements mirrored language comparable to traditional marketing of legitimate AI models,” a sign that AI-as-a-service has gone fully rogue.


Evan Powell, CEO of Deep Tempo, warned that this wave of adaptive malware “circumvents today’s static, rules-based defenses.” Since these systems depend on recognizing previously seen attack signatures, “an attack that has never been seen before is very unlikely to be detected,” he said. Powell added that while dozens of startups are racing to build LLM-powered SOC tools, “none solve the fundamental problem of detecting novel, AI-generated attacks.”


SaaS Becomes the New Battleground


For Cory Michal, CSO at AppOmni, the implications stretch deep into the enterprise SaaS ecosystem. “We’ve observed attackers using AI to automatically generate data extraction code, reconnaissance scripts, and adversary-in-the-middle toolkits that adapt to defense,” he said. “They’re essentially ‘vibe-hacking’ — using generative AI to mimic authentic behavior and refine social engineering lures.”


Michal argues that static detection is now obsolete. “AI-enabled malware mutates its code, making traditional signature-based detection ineffective. Defenders need behavioral EDR that focuses on what malware does, not what it looks like.”


By monitoring unusual process creation, scripting activity, or unexpected outbound traffic — especially to AI APIs like Gemini or OpenAI — organizations can identify these adaptive threats before data exfiltration occurs.
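The monitoring described above can be written as a rule over endpoint network-connection telemetry: flag script interpreters and unsanctioned binaries that contact LLM API endpoints. The Python below is an added example, not code from Google's report or from any vendor quoted here; the log format, the API hostnames, the interpreter list and the allowlisted path are assumptions, and the sample events are constructed.

```python
import csv
import io
from collections import Counter

# Assumptions (not from the article): API hostnames and interpreter names.
LLM_API_HOSTS = ("generativelanguage.googleapis.com", "api.openai.com")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
# Hypothetical allowlist: binaries this organisation expects to call LLM APIs.
SANCTIONED = {r"c:\program files\acme\assistant.exe"}

# Constructed sample: simplified network-connection events.
SAMPLE_LOG = r"""host,image,cmdline,dest_host
WS-014,C:\Windows\System32\wscript.exe,wscript.exe E:\invoice.vbs,generativelanguage.googleapis.com
WS-014,C:\Windows\System32\wscript.exe,wscript.exe E:\invoice.vbs,generativelanguage.googleapis.com
WS-022,C:\Program Files\Acme\assistant.exe,assistant.exe,api.openai.com
WS-031,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,powershell.exe -File update.ps1,update.example.com
WS-040,C:\Users\kim\AppData\Local\Temp\svc.exe,svc.exe,api.openai.com
"""

def is_llm_api(dest):
    """Match the API host itself or any subdomain of it."""
    dest = dest.lower().rstrip(".")
    return any(dest == h or dest.endswith("." + h) for h in LLM_API_HOSTS)

def classify(event):
    """Return 'high', 'medium' or None for one connection event."""
    if not is_llm_api(event["dest_host"]):
        return None
    image = event["image"].lower()
    if image in SANCTIONED:
        return None
    name = image.rsplit("\\", 1)[-1]
    # A script interpreter calling an LLM API is the PromptFlux-style pattern;
    # any other unsanctioned binary doing so is still worth a look.
    return "high" if name in SCRIPT_HOSTS else "medium"

def detect(log_text):
    """Aggregate alerts as {(host, image_name, dest_host, severity): count}."""
    alerts = Counter()
    for event in csv.DictReader(io.StringIO(log_text)):
        severity = classify(event)
        if severity:
            name = event["image"].rsplit("\\", 1)[-1].lower()
            alerts[(event["host"], name, event["dest_host"], severity)] += 1
    return dict(alerts)

if __name__ == "__main__":
    for key, count in detect(SAMPLE_LOG).items():
        print(count, *key)
```

The rule keys on which process makes the connection and where it goes, so it keeps firing when the script body is rewritten between runs.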


The Next Security Arms Race


The rise of “thinking” malware represents a turning point in the cybersecurity arms race. Attackers are now deploying the same models that defenders use — and using them faster, cheaper, and more creatively. Each AI model update becomes a potential dual-use tool, capable of fueling both innovation and exploitation.


As Google’s report emphasizes, responsible AI design and active abuse detection are no longer optional. They’re the new frontline in an escalating battle where algorithms fight back — and learn as they go.
