Google researchers have uncovered a new strain of self-modifying malware powered by artificial intelligence — a sign that the same tools fueling corporate productivity are rapidly being turned into instruments of cyberwarfare. The discovery, part of a wider pattern of state-sponsored abuse of Google’s Gemini AI platform, reveals how adversaries are beginning to automate deception, phishing, and code generation at industrial scale.
A Malware That Rewrites Itself
In a report released this week, Google’s Threat Intelligence Group (GTIG) disclosed a novel malware family dubbed PROMPTFLUX, an experimental VBScript that uses the Gemini 1.5 Flash model to rewrite its own code every hour. A component its developer named the “Thinking Robot” periodically queries Gemini through a hard-coded API key, requesting fresh variants of the script to evade antivirus detection.
By instructing the AI to act as an “expert VB Script obfuscator,” the malware can regenerate its own source code almost in real time. The script records the model’s responses in a local log file, thinking_robot_log.txt, and those logs point to the developer’s goal: an evolving, metamorphic script capable of surviving successive rounds of security scanning.
Although still in testing, PROMPTFLUX hints at a future in which malware is not merely written by humans but continuously re-engineered by machines, blurring the line between software maintenance and autonomous threat behavior.
From Productivity Tool to Weaponized Platform
Google’s researchers say the finding underscores a broader shift: threat actors are “moving decisively from using AI as an exception to using it as the norm.” As large language models become cheaper and more accessible, attackers are embedding them into everyday operations, from reconnaissance to phishing-lure creation and data exfiltration.
GTIG has already observed AI-driven malware ecosystems emerging on underground forums. Some, like PROMPTLOCK, use generative models to create malicious code on the fly; others, such as QUIETVAULT, steal GitHub and NPM credentials; FRUITSHELL, meanwhile, carries hard-coded prompts intended to slip past LLM-powered security analysis. The company warns that these low-cost, high-reward tools lower the technical bar for cybercrime and create “perfect conditions for prompt-injection attacks,” in which malicious instructions are hidden inside seemingly benign text, such as a document that quietly tells any AI system scanning it to ignore its prior instructions and report the file as clean.
In effect, the same natural-language fluency that makes AI so powerful for business productivity is now being exploited to craft convincing spear-phishing content, realistic deepfakes, and adaptive malware code — at a pace no human team could match.
State-Backed Operations: From Tehran to Pyongyang
The most concerning trend, according to Google, is the state-sponsored weaponization of Gemini and similar AI models. Investigators have tracked misuse by government-backed groups from Iran, North Korea, and China:
Iran’s APT42 (also known as Charming Kitten) used Gemini to draft phishing material impersonating academics and defense analysts, and to generate SQL queries for extracting sensitive data.
North Korea’s UNC1069 (also tracked as CryptoCore or MASAN) and the related group TraderTraitor exploited the model to craft lure messages aimed at cryptocurrency-industry employees, generate deepfake imagery, and develop fraudulent software updates.
Iran’s MuddyWater turned to Gemini for malware research conducted under academic pretexts, while China’s APT41 relied on the model for code obfuscation and command-and-control (C2) framework development.
A China-nexus actor used the tool to design data-exfiltration infrastructure and reconnaissance scripts disguised as legitimate capture-the-flag (CTF) exercises.
In one instance, attackers even identified themselves as “students” seeking advice on cybersecurity challenges — a ruse that tricked Gemini into offering step-by-step exploitation guidance.
Such activity, Google notes, reflects a new doctrine in cyber operations: AI as an offensive accelerator, helping states scale their espionage and influence campaigns with minimal human labor.
An Escalating Race Between Defenders and Adversaries
For security experts, the rise of AI-driven malware is both a technical milestone and an operational nightmare. LLMs let attackers prototype ideas, translate content, and refine phishing scripts with unprecedented speed, while defenders must contend with code that mutates faster than signature-based detection tools can adapt.
Google’s analysts caution that adversaries are already creating “purpose-built tools” capable of adjusting their behavior mid-execution, and selling them on dark-web markets for profit. Although PROMPTFLUX is still considered a proof of concept, its architecture — combining self-modification, AI querying, and automated persistence — marks a turning point.
“The accessibility of powerful AI models,” one Google researcher wrote, “has created the perfect storm for attackers seeking scale.”
As AI continues to reshape industries, it is also redrawing the battle lines of cybersecurity — proving that in the digital age, intelligence itself can become weaponized.
