New malware uses AI to adapt during attacks, report finds
State-backed hackers are deploying a new class of malware that uses large language models (LLMs) during execution to dynamically generate malicious code and evade detection, according to fresh research from Google.
Researchers said they observed malware that “employed AI capabilities mid-execution to dynamically alter the malware’s behavior,” a development the report describes as a “significant step towards more autonomous and adaptive malware.” Unlike prior use of AI as an off-line tool for planning or scale, the new technique lets malware query an LLM while running and change its actions on the fly.
Two examples highlighted by Google illustrate the trend:
-
PROMPTFLUX: an experimental dropper that prompts an LLM to rewrite portions of its own source code to avoid detection. Google said it has taken steps to disrupt PROMPTFLUX; the sample appeared to be in testing and did not show evidence of widespread compromise of victim networks.
-
PROMPTSTEAL: observed in June and attributed to Russia-linked APT28 (also known as BlueDelta, Fancy Bear and FROZENLAKE) in attacks on Ukrainian targets. PROMPTSTEAL used LLMs to generate operational commands at runtime rather than relying on hard-coded instructions — marking, Google said, its first sighting of malware querying an LLM in live operations.
Although researchers characterize these techniques as experimental, they warn the incidents demonstrate how threat actors may integrate AI capabilities into future intrusions to increase stealth, adaptability, and reach. “Attackers are moving beyond ‘vibe coding’ and the baseline observed in 2024 of using AI tools for technical support,” the report states.
The report also flags a growing underground marketplace for AI tools tailored to criminal use. Low-skill criminals can now buy or rent AI-enabled services advertised in forums with marketing language mimicking legitimate AI products, enabling more complex, scalable attacks even from less sophisticated actors.
Defenders face several immediate challenges, researchers warned: traditional detection that looks for static indicators will struggle against code that mutates at runtime; provenance and trust controls for LLMs must be strengthened to prevent misuse; and monitoring must expand to detect AI-driven instruction flows.
The findings add to a wave of recent research showing how AI both empowers attackers and complicates defensive operations, underscoring calls for tighter controls on model access, improved telemetry from AI platforms, and greater information sharing between industry and governments.
