PromptLock queries a locally hosted gpt-oss:20b model through the Ollama API using hard-coded prompts, then executes the Lua scripts the model returns. Those scripts enumerate the local filesystem, inspect target files, exfiltrate selected data, and encrypt files. The malware itself is written in Golang and encrypts files with SPECK, a 128-bit block cipher developed by the NSA. The generated Lua scripts are cross-platform, running on Windows, Linux, and macOS. Samples matching Windows and Linux variants were uploaded to VirusTotal. The payment address referenced in the sample appears to be one associated with Bitcoin creator Satoshi Nakamoto. The samples appear to be a proof-of-concept or work in progress: destructive functionality is referenced but not yet implemented.
"PromptLock leverages Lua scripts generated from hard-coded prompts to enumerate the local filesystem, inspect target files, exfiltrate selected data, and perform encryption," said researchers Anton Cherepanov and Peter Strycek in posts on several social media sites. "These Lua scripts are cross-platform compatible, functioning on Windows, Linux, and macOS. Based on the detected user files, the malware may exfiltrate data, encrypt it, or potentially destroy it."
"PromptLock is written in Golang and uses the SPECK 128-bit encryption algorithm, developed by the US National Security Agency (NSA), to encrypt files. It sends its requests through Ollama, an open source API for interfacing with large language models."
"Although multiple indicators suggest the sample is a proof-of-concept (PoC) or work-in-progress rather than fully operational malware deployed in the wild, we believe it is our responsibility to inform the cybersecurity community about such developments," Cherepanov and Strycek said.
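For analysts who want to recognise the cipher in a sample or verify their own reimplementation while writing a decryptor, the following is an added example, not code from the PromptLock samples or from ESET. It implements Speck128/128 (64-bit words, 128-bit key, 32 rounds) as specified in the NSA's Speck paper, in Go because the malware is written in Go. The 128-bit key size is an assumption: the page says only "SPECK 128-bit", and the samples' key length, block mode, and key handling are not described here. The known-answer test uses the test vector published with the Speck specification.

```go
package main

import (
	"fmt"
	"math/bits"
)

// Speck128/128 parameters: 64-bit words, a two-word (128-bit) key, 32 rounds,
// rotation amounts alpha=8 and beta=3 (from the NSA Speck specification).
// The 128-bit key variant is an assumption; the page does not name the variant.
const (
	speckRounds = 32
	alpha       = 8
	beta        = 3
)

// expandKey derives the round keys. k0 is the low key word and l0 the high
// word, matching the word order used in the specification's test vectors.
func expandKey(k0, l0 uint64) [speckRounds]uint64 {
	var rk [speckRounds]uint64
	k, l := k0, l0
	for i := 0; i < speckRounds; i++ {
		rk[i] = k
		// The key schedule reuses the round function with the round index as the "key".
		l = (k + bits.RotateLeft64(l, -alpha)) ^ uint64(i)
		k = bits.RotateLeft64(k, beta) ^ l
	}
	return rk
}

// encryptBlock applies the Speck round function 32 times to the block (x, y):
// x = (ROR(x, 8) + y) ^ k_i ; y = ROL(y, 3) ^ x. The add-rotate-xor pattern
// with these rotation amounts is what to look for in a disassembled sample.
func encryptBlock(rk *[speckRounds]uint64, x, y uint64) (uint64, uint64) {
	for i := 0; i < speckRounds; i++ {
		x = (bits.RotateLeft64(x, -alpha) + y) ^ rk[i]
		y = bits.RotateLeft64(y, beta) ^ x
	}
	return x, y
}

// decryptBlock undoes the rounds in reverse order; this is the primitive a
// decryptor needs once the key has been recovered.
func decryptBlock(rk *[speckRounds]uint64, x, y uint64) (uint64, uint64) {
	for i := speckRounds - 1; i >= 0; i-- {
		y = bits.RotateLeft64(y^x, -beta)
		x = bits.RotateLeft64((x^rk[i])-y, alpha)
	}
	return x, y
}

// knownAnswerTestPasses checks the implementation against the Speck128/128
// test vector published with the Speck specification and confirms that
// decryption inverts encryption.
func knownAnswerTestPasses() bool {
	rk := expandKey(0x0706050403020100, 0x0f0e0d0c0b0a0908)
	const px, py = 0x6c61766975716520, 0x7469206564616d20
	cx, cy := encryptBlock(&rk, px, py)
	if cx != 0xa65d985179783265 || cy != 0x7860fedf5c570d18 {
		return false
	}
	dx, dy := decryptBlock(&rk, cx, cy)
	return dx == px && dy == py
}

func main() {
	rk := expandKey(0x0706050403020100, 0x0f0e0d0c0b0a0908)
	cx, cy := encryptBlock(&rk, 0x6c61766975716520, 0x7469206564616d20)
	fmt.Printf("ciphertext: %016x %016x\n", cx, cy)
	fmt.Println("known-answer test passes:", knownAnswerTestPasses())
}
```

A block cipher alone does not encrypt a file; a ransomware would wrap it in a mode of operation and derive a per-victim key, neither of which the page describes, so this example stops at the primitive.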