
"Promptflux, for example, is a dropper written in VBScript that decodes and executes an embedded decoy installer to mask its activity. Its main capability is regeneration, which it achieves by using the Google Gemini API. It prompts the LLM to rewrite its own source code, saving the new, obfuscated version to the Startup folder to establish persistence. Promptflux also attempts to spread by copying itself to removable drives and mapped network shares."
"Promptsteal, meanwhile, is a data miner written in Python and packaged with PyInstaller, that's been observed in operation. It contains a compiled script that uses the Hugging Face API to query the LLM Qwen2.5-Coder-32B-Instruct to generate one-line Windows commands, said the team. Prompts used to generate the commands indicate that it aims to collect system information and documents in specific folders. Promptsteal then executes the commands and sends the collected data to an adversary-controlled server."
Several malware families have been observed using large language models (LLMs) during execution to dynamically generate and obfuscate malicious code and create functions on demand. Promptflux is a VBScript dropper that decodes and runs a decoy installer, uses the Google Gemini API to prompt an LLM to rewrite and obfuscate its source, saves regenerated code to the Startup folder for persistence, and attempts lateral spread via removable drives and mapped shares. Promptsteal is a Python-based data miner that uses the Hugging Face API and Qwen2.5-Coder-32B-Instruct to generate one-line Windows commands to collect system information and documents and exfiltrate results. These techniques are experimental but likely to improve.
Read at IT Pro
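A defender-side sketch of how the behaviours summarised above could be correlated in endpoint telemetry. This is an added example, not code from the article or the research it cites. The event schema (`type`, `image`, `host`, `path`, `signed`, `drive_type`) is hypothetical, and the two hostnames are the services' public API endpoints as an assumption, not indicators taken from the page.

```python
import ntpath

# Assumption: public API hostnames for the two services named in the article.
LLM_API_HOSTS = {"generativelanguage.googleapis.com", "api-inference.huggingface.co"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
STARTUP_DIR = "\\start menu\\programs\\startup\\"

def classify(ev):
    """Return behaviour tags for one event (hypothetical EDR-style schema)."""
    tags = set()
    image = ntpath.basename(ev["image"]).lower()
    if ev["type"] == "net" and ev["host"].lower() in LLM_API_HOSTS:
        if image in SCRIPT_HOSTS:
            tags.add("script_host_calls_llm")
        elif not ev.get("signed", False):
            tags.add("unsigned_binary_calls_llm")
    elif ev["type"] == "file_write" and ev["path"].lower().endswith((".vbs", ".vbe")):
        if STARTUP_DIR in ev["path"].lower():
            tags.add("script_written_to_startup")
        if ev.get("drive_type") in {"removable", "network"}:
            tags.add("script_copied_off_host")
    return tags

def triage(events):
    """Correlate tags per (computer, pid) and grade the result."""
    per_proc = {}
    for ev in events:
        per_proc.setdefault((ev["computer"], ev["pid"]), set()).update(classify(ev))
    verdicts = {}
    for proc, tags in per_proc.items():
        follow_on = tags & {"script_written_to_startup", "script_copied_off_host"}
        if "script_host_calls_llm" in tags and follow_on:
            verdicts[proc] = "high"    # LLM call plus persistence or spreading
        elif tags & {"script_host_calls_llm", "unsigned_binary_calls_llm"}:
            verdicts[proc] = "review"  # LLM call alone: needs analyst context
    return verdicts

# Constructed sample telemetry, not taken from the article.
WSCRIPT = r"C:\Windows\System32\wscript.exe"
SAMPLE = [
    {"computer": "WS-01", "pid": 4120, "type": "net", "image": WSCRIPT,
     "host": "generativelanguage.googleapis.com"},
    {"computer": "WS-01", "pid": 4120, "type": "file_write", "image": WSCRIPT, "drive_type": "fixed",
     "path": r"C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"},
    {"computer": "WS-02", "pid": 988, "type": "net", "signed": False,
     "image": r"C:\Users\b\Downloads\tool.exe", "host": "api-inference.huggingface.co"},
    {"computer": "WS-03", "pid": 77, "type": "net", "signed": True,
     "image": r"C:\Program Files\IDE\ide.exe", "host": "generativelanguage.googleapis.com"},
]
```

Legitimate developer tools call the same APIs, so the LLM call on its own is graded only `review`; the `high` verdict requires the follow-on write by the same process.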