PROMPTFLUX and LLM-Aware Malware mark a key shift in cybersecurity threats, requiring security teams in 2026 to understand the significant changes they bring. Google’s Threat Intelligence Group identified PROMPTFLUX as the first malware family confirmed to use a large language model while running, allowing it to dynamically rewrite its own code to evade detection. This differs from earlier AI-assisted threats, which only used AI for coding before deployment, not during an attack. Key takeaway: Security teams must recognize this shift from static to dynamic AI-driven threats.
How PROMPTFLUX and LLM-Aware Malware Operate Once Deployed
PROMPTFLUX is written in VBScript and functions as a dropper, meaning its primary job is to establish persistence and prepare a system for further compromise. Its most notable feature, called the Thinking Robot function, periodically queries Google’s Gemini API using a hard-coded key to request fresh obfuscation and evasion techniques. One identified variant goes further, instructing the model to rewrite the malware’s entire source code hourly, creating what researchers describe as a recursive cycle of mutation. Upon its discovery, PROMPTFLUX remained in an experimental stage and had not demonstrated the ability to compromise a victim network directly, though its design intent was unmistakable to researchers who analyzed it closely.
Why This Category of Malware Breaks Traditional Detection
Traditional antivirus and endpoint detection tools rely heavily on signature-based detection, which identifies malware by recognizing known code patterns. This broader category of LLM-Aware Malware undermines that approach because the malicious code is no longer static. If the source code is rewritten automatically every hour, a signature captured today may be useless tomorrow. This shifts the burden toward behavioral detection methods that focus on what a program does rather than what it looks like on disk. Security vendors are responding by emphasizing anomaly detection for unusual outbound API calls, particularly traffic directed toward AI service endpoints like Gemini, OpenAI, or Hugging Face, which can serve as an early warning signal of this threat category emerging on a network.
The Broader Family of PROMPTFLUX and LLM-Aware Malware
PROMPTFLUX did not emerge in isolation. Google’s research also identified related families, including PROMPTSTEAL, a data mining tool linked to the Russian state-sponsored group APT28, which uses a different large language model to generate exfiltration commands on the fly (Google Threat Intelligence Group, 2025). Other identified families include FruitShell, a PowerShell reverse shell containing hard-coded prompts designed specifically to bypass LLM-powered security analysis tools, and PromptLock, an experimental cross-platform ransomware that uses an LLM to generate malicious scripts dynamically. Together, these families paint a picture of attackers experimenting broadly with AI integration across very different stages of the attack lifecycle, from initial access through data exfiltration and encryption of compromised systems.
How Security Teams Should Respond Today
Security leaders should not panic over PROMPTFLUX specifically, since Google disabled its associated API access shortly after discovery, but the underlying trend deserves serious attention going forward. Begin by reviewing your detection stack for behavioral and anomaly-based capabilities rather than relying solely on signature matching. Monitor for unusual API traffic to known AI model endpoints from unexpected processes or systems within your environment. Additionally, brief your incident response teams on this threat category so they recognize the indicators if they encounter a similar variant in the wild. Vendor coordination matters here, too, since AI providers like Google have shown a willingness to disable accounts used for abuse quickly once identified, which means establishing timely reporting channels is worth doing now rather than waiting for an incident to force the issue.
Preparing for the Next Generation of AI-Enabled Threats
Looking ahead, PROMPTFLUX and LLM-Aware Malware are early indicators rather than mature threats, and that is exactly why the response window matters so much right now. As these techniques mature, the gap between experimental and operationally dangerous will likely shrink considerably. Investing in behavioral detection, threat intelligence sharing, and staff training today builds the institutional muscle needed before these techniques become commonplace rather than novel curiosities discussed mainly in research papers. Security teams that treat this as a distant future problem risk being caught unprepared when LLM-aware techniques move from research curiosities to widespread criminal tooling, which most researchers expect to happen gradually but steadily over the coming few years.
References
Google Threat Intelligence Group. (2025). GTIG AI threat tracker, advances in threat actor usage of AI tools. Google Cloud Blog. https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools
Mandiant. (2025). M-Trends 2025, special report. Google Cloud Security. https://www.mandiant.com/m-trends
The Hacker News. (2025). Google uncovers PROMPTFLUX malware that uses Gemini AI to rewrite its code hourly. https://thehackernews.com/2025/11/google-uncovers-promptflux-malware-that.html
