Google Uncovers PROMPTFLUX Malware That Uses Gemini AI to Rewrite Its Code Hourly
Briefly
"The novel feature is part of its 'Thinking Robot' component, which periodically queries the large language model (LLM), Gemini 1.5 Flash or later in this case, to obtain new code so as to sidestep detection. This, in turn, is accomplished by using a hard-coded API key to send the query to the Gemini API endpoint. The prompt sent to the model is both highly specific and machine-parsable, requesting VB Script code changes for antivirus evasion and instructing the model to output only the code itself."
"The regeneration capability aside, the malware saves the new, obfuscated version to the Windows Startup folder to establish persistence and attempts to propagate by copying itself to removable drives and mapped network shares. 'Although the self-modification function (AttemptToUpdateSelf) is commented out, its presence, combined with the active logging of AI responses to %TEMP%\thinking_robot_log.txt, clearly indicates the author's goal of creating a metamorphic script that can evolve over time,' Google added."
An unknown threat actor developed PROMPTFLUX, a VBScript malware that queries the Gemini LLM API to obtain obfuscated VBScript code for evasion and self-modification. Its "Thinking Robot" component periodically sends highly specific, machine-parsable prompts to Gemini 1.5 Flash or later using a hard-coded API key, asking for VBScript changes that evade antivirus detection and instructing the model to return only code. Regenerated, obfuscated copies are saved to the Windows Startup folder for persistence, and the malware attempts to propagate by copying itself to removable drives and mapped network shares. The script logs AI responses to %TEMP%\thinking_robot_log.txt and contains a commented-out AttemptToUpdateSelf routine, which Google reads as the author's intent to build a metamorphic script that evolves over time. Multiple variants implement hourly full rewrites of the script.
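The behaviours in the summary above (a Windows script host talking to the Gemini API, the %TEMP%\thinking_robot_log.txt log file, a regenerated .vbs written to the Startup folder, a hard-coded API key next to a commented-out AttemptToUpdateSelf) can be turned into simple hunting rules. The following is an added example, not code from Google's report or The Hacker News: it runs those rules over constructed Sysmon-style JSON events and a constructed VBScript fragment. The Gemini endpoint hostname and the "AIza" API-key prefix are taken from public Google API documentation rather than from the article, and the event field names assume one common Sysmon JSON export.

```python
"""Hunt for PROMPTFLUX-style indicators in endpoint telemetry and in script files.

Added example; not Google's or The Hacker News' code. The rules encode the
behaviours the article describes. Endpoint host, API-key shape and event field
names are assumptions noted inline.
"""
import json
import re
from typing import Iterable

GEMINI_HOST = "generativelanguage.googleapis.com"   # assumption: public Gemini API host
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}       # Windows script hosts that run .vbs
LOG_NAME = "thinking_robot_log.txt"                 # log file name from the article
STARTUP_RE = re.compile(r"\\microsoft\\windows\\start menu\\programs\\startup\\", re.I)
# Assumption: Google API keys are "AIza" followed by 35 URL-safe characters.
API_KEY_RE = re.compile(r"AIza[0-9A-Za-z_-]{35}")


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list[str]:
    """Return the indicator names one Sysmon-style event matches (EventID 3 = network, 11 = file create)."""
    hits = []
    image = basename(ev.get("Image", ""))
    eid = ev.get("EventID")
    if eid == 3 and image in SCRIPT_HOSTS and ev.get("DestinationHostname", "").lower() == GEMINI_HOST:
        hits.append("script_host_to_gemini_api")      # a .vbs host should not be calling an LLM API
    if eid == 11:
        target = ev.get("TargetFilename", "")
        if basename(target) == LOG_NAME:
            hits.append("thinking_robot_log_written")
        if image in SCRIPT_HOSTS and STARTUP_RE.search(target) and target.lower().endswith(".vbs"):
            hits.append("vbs_dropped_to_startup")     # regenerated copy placed for persistence
    return hits


def hunt(lines: Iterable[str]) -> dict[str, list[str]]:
    """Group indicator hits by ProcessGuid so the behaviours of one process line up together."""
    findings: dict[str, list[str]] = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for hit in check_event(ev):
            findings.setdefault(ev.get("ProcessGuid", "?"), []).append(hit)
    return findings


def scan_script(text: str) -> list[str]:
    """Static triage of a VBScript: hard-coded key next to the Gemini host, and a commented-out self-update call."""
    hits = []
    if GEMINI_HOST in text and API_KEY_RE.search(text):
        hits.append("hardcoded_gemini_api_key")
    # VBScript comments start with an apostrophe; flag the routine name only when it is commented out.
    if re.search(r"^\s*'.*\bAttemptToUpdateSelf\b", text, re.M):
        hits.append("commented_out_self_update")
    return hits


# Constructed sample telemetry: three events from one script-host process, one benign browser event.
SAMPLE_LINES = [json.dumps(e) for e in [
    {"EventID": 3, "ProcessGuid": "{proc-a}", "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationHostname": GEMINI_HOST, "DestinationPort": 443},
    {"EventID": 11, "ProcessGuid": "{proc-a}", "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\thinking_robot_log.txt"},
    {"EventID": 11, "ProcessGuid": "{proc-a}", "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"},
    {"EventID": 3, "ProcessGuid": "{proc-b}", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": GEMINI_HOST, "DestinationPort": 443},
]]

# Constructed VBScript fragment; the key is a fake value shaped like a Google API key.
SAMPLE_SCRIPT = r"""
apiKey = "AIzaSyD-EXAMPLEEXAMPLEEXAMPLEEXAMPLE000"
url = "https://generativelanguage.googleapis.com/v1beta/models/gemini-1.5-flash:generateContent?key=" & apiKey
' Call AttemptToUpdateSelf()
"""

if __name__ == "__main__":
    print(hunt(SAMPLE_LINES))
    print(scan_script(SAMPLE_SCRIPT))
```

The browser event is deliberately included: plenty of legitimate software talks to the Gemini API, so the network rule keys on the script-host image, not on the destination alone, and the per-process grouping is what makes the three weak signals from one wscript.exe instance worth an analyst's time.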
Read at The Hacker News