PROMPTFLUX Malware Rewrites Its Own Code Every Hour Using Google's Gemini API

Bottom Line

PROMPTFLUX rewrites its own VBScript payload every hour using Google’s Gemini API. Each regeneration produces a structurally unique sample — no static signatures survive across cycles. Traditional signature-based detection is architecturally insufficient for this class of AI-assisted malware.

Google's Threat Intelligence Group published findings on PROMPTFLUX, a dropper malware that uses the Google Gemini API to rewrite its own VBScript code on an hourly schedule. The malware does not carry a fixed payload. Each hour it queries Gemini for new obfuscation techniques, receives modified code back, logs the response, and regenerates itself. The result is a sample that looks different on every analysis pass.

PROMPTFLUX was observed in what GTIG assessed as a testing or development state, suggesting it is not yet deployed at scale. That assessment matters less than the capability it demonstrates: the self-modification loop works, the API integration is functional, and the fundamental evasion objective, defeating signature-based detection through continuous code regeneration, is achieved.

How the Self-Modification Loop Works

PROMPTFLUX establishes persistence via the Windows Startup folder on initial execution. Once resident, it runs on a scheduled cycle. At each interval the malware constructs a prompt to the Gemini API requesting new obfuscation patterns for its current VBScript implementation. The prompt includes the existing code structure and instructs the model to produce a functionally equivalent but syntactically varied version using different variable names, string encoding schemes, comment injection, and control flow modifications.

The API response is logged locally before application, providing the malware developer with a record of every generated variant. The new code overwrites the existing VBScript file in the Startup directory. The next execution instance runs the freshly generated version. No two consecutive executions share the same code structure.

Detection Gap

Traditional AV and EDR signature databases work by matching static patterns in file content. PROMPTFLUX produces no static patterns. Every sample is functionally identical but syntactically unique. By the time a signature is written against a captured sample, the malware on the target system has already regenerated past it.

Why VBScript and Why Gemini

VBScript is a deliberate choice. It is an interpreted language, meaning the execution environment processes source text at runtime rather than a compiled binary. This makes code-level obfuscation directly effective: varied syntax produces varied byte sequences without requiring a recompile step. VBScript also has a long history of malware use, meaning it is monitored heavily and well understood by defenders, which makes the evasion requirement more acute and the value of continuous regeneration higher.

The Gemini API integration is notable for a different reason. PROMPTFLUX is using a commercial, publicly available AI API for its core capability. There is no custom model, no local inference, no specialized tooling. The capability is available to anyone with a Google account and a few dollars of API credit. GTIG's finding is not that someone built sophisticated custom AI infrastructure for malware. It is that commodity AI infrastructure is sufficient for this class of evasion.

The outbound API call to Gemini is itself a potential detection point: periodic HTTPS requests to generativelanguage.googleapis.com from a process associated with VBScript execution in the Startup directory are an anomalous pattern. Defenders monitoring egress behavior should flag this combination regardless of whether the traffic itself looks benign.

PROMPTFLUX Self-Modification Cycle

1. Initial infection and persistence: Dropper installs VBScript payload to Windows Startup folder; establishes scheduled execution
2. Hourly Gemini API query: Malware sends current code to Gemini API with prompt requesting new obfuscation; response logged locally
3. Code regeneration: Returned VBScript overwrites Startup folder payload; new version uses different variable names, string encoding, control flow
4. Signature obsolescence: Any static detection signature written against a captured sample is already invalid before it can be deployed

What This Means for Detection Strategy

PROMPTFLUX is a proof of concept for a class of malware that makes signature-based detection structurally ineffective. The response for defenders is not to write better signatures. It is to move detection logic to layers that are not affected by code-level variation.

Behavioral detection that keys on runtime activity remains effective against PROMPTFLUX. The malware's behavior, what it does once running, is not obfuscated by the self-modification loop. Process execution patterns, network connections, file write activity to sensitive locations, and registry interactions are consistent regardless of the underlying script syntax. EDR platforms with strong behavioral telemetry are substantially better positioned against this threat class than AV products relying on file signatures.

Network-layer detection of outbound LLM API calls from endpoint processes is a specific control worth implementing. Legitimate enterprise software does not typically generate periodic HTTPS calls to Gemini, OpenAI, or Anthropic APIs from system processes or script interpreters. Flagging this pattern is low-noise and high-signal for this threat category.
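As an added example (not code from GTIG's report or from RedEye), the following Python detector correlates the three behavioral signals discussed above: a script interpreter launched from a Startup folder (the egress point noted under "Why VBScript and Why Gemini"), an outbound connection from that process to an LLM API host, and repeated rewrites of the same Startup script under new hashes on an hourly cadence (the cycle in the list above). The telemetry it runs over is constructed in a Sysmon-like shape; the timestamps, hashes, process IDs and the API hosts other than generativelanguage.googleapis.com are assumptions, as are the hourly cadence and tolerance values.

```python
"""Behavioral detection for PROMPTFLUX-style self-rewriting Startup scripts.

Correlates signals that survive code-level regeneration:
  1. wscript.exe / cscript.exe running a script from a Startup folder,
  2. an outbound connection from that process to a commodity LLM API host,
  3. the same Startup script rewritten repeatedly with a new hash, roughly hourly.
All events below are constructed sample telemetry, not real logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# generativelanguage.googleapis.com is the Gemini endpoint named in the report;
# the other two hosts are assumed additions a defender would watch alongside it.
LLM_API_HOSTS = {"generativelanguage.googleapis.com", "api.openai.com", "api.anthropic.com"}
SCRIPT_INTERPRETERS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".wsf")
STARTUP_MARKER = "\\start menu\\programs\\startup\\"   # matched case-insensitively
ARG_RE = re.compile(r'"([^"]+)"|(\S+)')                 # quoted or bare command-line arguments

STARTUP = "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
SCRIPT = STARTUP + "update.vbs"   # constructed file name

def _cycle(ts_prefix, pid, sha256):
    """One constructed hourly cycle: launch from Startup, API call, rewrite of the script."""
    return [
        {"ts": ts_prefix + ":00:02", "type": "process_create", "pid": pid,
         "image": "C:\\Windows\\System32\\wscript.exe", "cmdline": f'wscript.exe "{SCRIPT}"'},
        {"ts": ts_prefix + ":00:05", "type": "network_connect", "pid": pid,
         "dest_host": "generativelanguage.googleapis.com", "dest_port": 443},
        {"ts": ts_prefix + ":00:06", "type": "file_write", "pid": pid,
         "target": SCRIPT, "sha256": sha256},
    ]

# Constructed telemetry: three hourly cycles with a new hash each time, plus two benign events
# (a browser talking to the same API host, and an interpreter running a script outside Startup).
SAMPLE_EVENTS = (
    _cycle("2025-11-05T09", 4120, "11" * 32)
    + _cycle("2025-11-05T10", 4388, "22" * 32)
    + _cycle("2025-11-05T11", 4502, "33" * 32)
    + [
        {"ts": "2025-11-05T09:30:00", "type": "network_connect", "pid": 2200,
         "dest_host": "generativelanguage.googleapis.com", "dest_port": 443},
        {"ts": "2025-11-05T09:45:00", "type": "process_create", "pid": 2310,
         "image": "C:\\Windows\\System32\\cscript.exe", "cmdline": 'cscript.exe "C:\\Tools\\inventory.vbs"'},
    ]
)

def startup_script_from_cmdline(cmdline):
    """Return the script path if the command line runs a script from a Startup folder, else None."""
    for quoted, bare in ARG_RE.findall(cmdline):
        arg = quoted or bare
        low = arg.lower()
        if STARTUP_MARKER in low and low.endswith(SCRIPT_EXTENSIONS):
            return arg
    return None

def detect(events, min_rewrites=3, cadence=timedelta(hours=1), tolerance=timedelta(minutes=5)):
    """Return a list of alert dicts; severity reflects how many of the signals coincide."""
    alerts = []
    interpreter_pids = {}          # pid -> Startup script path it was launched with
    writes = defaultdict(list)     # lowercased Startup path -> [(timestamp, sha256), ...]
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO-8601 strings sort chronologically
        if ev["type"] == "process_create":
            image_name = ev["image"].rsplit("\\", 1)[-1].lower()
            script = startup_script_from_cmdline(ev["cmdline"])
            if image_name in SCRIPT_INTERPRETERS and script:
                interpreter_pids[ev["pid"]] = script
                alerts.append({"severity": "medium", "rule": "startup_script_interpreter",
                               "pid": ev["pid"], "script": script})
        elif ev["type"] == "network_connect":
            if ev["dest_host"].lower() in LLM_API_HOSTS and ev["pid"] in interpreter_pids:
                alerts.append({"severity": "high", "rule": "llm_api_from_startup_script",
                               "pid": ev["pid"], "dest_host": ev["dest_host"]})
        elif ev["type"] == "file_write":
            path = ev["target"].lower()
            if STARTUP_MARKER in path:
                writes[path].append((datetime.fromisoformat(ev["ts"]), ev["sha256"]))
    # Hash churn: one Startup script, several distinct hashes, and a near-constant rewrite interval.
    for path, hist in writes.items():
        distinct = len({h for _, h in hist})
        if distinct >= min_rewrites:
            gaps = [hist[i + 1][0] - hist[i][0] for i in range(len(hist) - 1)]
            periodic = all(abs(g - cadence) <= tolerance for g in gaps)
            alerts.append({"severity": "high" if periodic else "medium",
                           "rule": "startup_script_hash_churn", "path": path,
                           "distinct_hashes": distinct, "periodic": periodic})
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

The browser connection to the same API host never alerts because its PID was not seen launching a Startup script, and the interpreter running a script outside Startup never alerts either; the hash-churn rule fires only once per script path, after enough distinct rewrites, so a single legitimate update to a Startup script stays quiet.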

Signature-based detection is losing ground to AI-regenerated malware.

RedEye Security assesses your behavioral detection coverage and identifies gaps that leave environments exposed to evasion techniques traditional AV cannot catch.
