⚠️ MEDIUM | intel

PROMPTFLUX Malware - AI-Enhanced VBScript Uses Gemini API for Evasion

PROMPTFLUX is a new VBScript-based malware leveraging Google’s Gemini API to dynamically generate obfuscated code at runtime, evading detection through polymorphic script variants. Google Threat Intelligence identified samples contacting the gemini-1.5-flash model to mutate payloads, aligning with MITRE ATT&CK techniques T1027 (Obfuscated/Encrypted Files) and T1059 (Command and Scripting Interpreter). The malware masquerades as trojanized installers that execute scripts communicating with Gemini’s API for on-demand code regeneration. This allows continuous AV evasion and complicates reverse engineering. Analysts believe PROMPTFLUX represents an experimental proof-of-concept, but its success in bypassing detection could inspire broader threat actor adoption of AI-assisted evasion.

From a business standpoint, this trend illustrates how adversaries can abuse legitimate AI services to develop polymorphic malware that outpaces static defenses. Organizations permitting unrestricted access to AI APIs from endpoints risk data leakage and undetected malware operations blending with normal network traffic. Google revoked malicious API keys and improved monitoring, but defenders should enforce egress controls, disable legacy scripting interpreters like VBScript, and deploy behavioral analytics for suspicious script execution.

🎯CORTEX Protocol Intelligence Assessment

Business Impact: PROMPTFLUX demonstrates the evolution of AI-assisted malware, potentially increasing detection costs and incident response time as traditional AV systems fail to detect continuously morphing scripts.

Technical Context: The malware abuses legitimate Gemini API access for code obfuscation (T1027, T1059), using VBScript interpreters to deliver dynamic payloads via HTTPS.

Strategic Intelligence Guidance

  • Restrict access to generative AI APIs from non-developer systems.
  • Disable or limit VBScript and other legacy interpreters on endpoints.
  • Deploy EDR tools to detect abnormal script spawning or obfuscated processes.
  • Educate employees on risks from trojanized installers and malvertising downloads.
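One way to turn the second and third guidance items into a concrete behavioral check, as an added example that is not part of the original assessment: correlate process-creation and network-connection telemetry so that a legacy script interpreter (wscript.exe or cscript.exe) reaching a generative-AI API host raises an alert, while the same host contacted by a developer tool does not. The Sysmon-style events are constructed, and the Gemini endpoint hostname (generativelanguage.googleapis.com) is an assumption taken from the public API, not from the page.

```python
"""Flag legacy script interpreters that open connections to a generative-AI API host."""

SCRIPT_INTERPRETERS = {"wscript.exe", "cscript.exe"}
# Assumption: the public Gemini API endpoint; extend with other AI API hosts as needed.
AI_API_HOSTS = {"generativelanguage.googleapis.com"}

# Constructed sample telemetry (Sysmon EventID 1 = ProcessCreate, 3 = NetworkConnect).
EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\u\AppData\Local\Temp\setup.vbs"'},
    {"EventID": 3, "ProcessId": 4120, "DestinationPort": 443,
     "DestinationHostname": "generativelanguage.googleapis.com"},
    # A developer tool using the same API should not trigger the rule.
    {"EventID": 1, "ProcessId": 5200, "Image": r"C:\Program Files\Dev\node.exe",
     "CommandLine": "node app.js"},
    {"EventID": 3, "ProcessId": 5200, "DestinationPort": 443,
     "DestinationHostname": "generativelanguage.googleapis.com"},
    # An interpreter talking to an unrelated host is outside this rule's scope.
    {"EventID": 3, "ProcessId": 4120, "DestinationPort": 443,
     "DestinationHostname": "update.example.com"},
]


def image_name(path: str) -> str:
    """Return the lower-cased executable name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_ai_script_egress(events):
    """Return one alert per network connection made by a script interpreter to an AI API host."""
    interpreters = {}  # ProcessId -> command line of a script interpreter seen starting
    alerts = []
    for ev in events:
        pid = ev["ProcessId"]
        if ev["EventID"] == 1 and image_name(ev["Image"]) in SCRIPT_INTERPRETERS:
            interpreters[pid] = ev["CommandLine"]
        elif ev["EventID"] == 3 and pid in interpreters:
            host = ev.get("DestinationHostname", "").lower()
            if host in AI_API_HOSTS:
                alerts.append({"pid": pid, "host": host, "port": ev["DestinationPort"],
                               "command_line": interpreters[pid]})
    return alerts


if __name__ == "__main__":
    for alert in detect_ai_script_egress(EVENTS):
        print("ALERT: script interpreter contacted AI API", alert)
```

In production telemetry, key the correlation on a process GUID rather than the reusable ProcessId, and pair the rule with the egress controls the guidance above recommends so that the connection is blocked as well as logged.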

Vendors

Google, Gemini

Threats

PROMPTFLUX AI-enhanced malware

Targets

Windows systems, corporate endpoints