Google Warns: New Malware Uses AI to Modify Itself at Runtime to Evade Detection


452/68 Friday, November 7, 2025

Researchers at Google Threat Intelligence Group (GTIG) have warned of an emerging trend in malware that leverages artificial intelligence (AI) at runtime to change its behavior in real time and harvest data from target systems. These capabilities are being used to evade security detections and continuously adapt malware behavior — a worrying development as AI is adopted both defensively and offensively in cyberspace.

GTIG reports multiple malware families that employ AI to modify their code during execution. Examples include PromptFlux, a dropper that connects to the Google Gemini API to request code-obfuscation and evasion techniques, then writes the updated payload into the Startup folder to maintain persistence; PromptSteal, written in Python and using the Hugging Face API to call the Qwen2.5-Coder model to generate PowerShell commands for harvesting files from sensitive folders; and QuietVault, a credential stealer that searches for tokens from NPM and GitHub using AI-driven command-line tooling.

Google warns that these samples mark the beginning of an era of automated, self-modifying malware capable of adapting during an attack, and predicts AI-assisted offensive tooling will grow in sophistication as underground markets start offering AI-based malware- and phishing-generation tools with few limits. GTIG recommends that organizations increase behavioral monitoring for suspicious activity and update security controls to prepare for more complex, AI-enhanced threats.
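
The behavioral monitoring GTIG recommends can be illustrated with the PromptFlux pattern described above: a process that contacts an LLM API and shortly afterwards writes into the Startup folder. The following is an added example, not code from GTIG or the original article; the event schema, sample events, 10-minute window and the two API hostnames are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Assumption: public API hostnames of the two services named in the article.
LLM_API_HOSTS = {"generativelanguage.googleapis.com", "api-inference.huggingface.co"}
# Path fragment shared by the per-user and all-users Windows Startup folders.
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"
WINDOW = timedelta(minutes=10)  # assumed correlation window

STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
# Constructed sample telemetry; the (ts, host, pid, image, kind, target) schema is hypothetical.
SAMPLE_EVENTS = [
    ("2025-11-07T09:00:05", "WS-01", 4120, "wscript.exe", "dns", "generativelanguage.googleapis.com"),
    ("2025-11-07T09:00:40", "WS-01", 4120, "wscript.exe", "file_write", STARTUP + r"\sample.vbs"),
    ("2025-11-07T09:01:00", "WS-02", 880, "chrome.exe", "dns", "generativelanguage.googleapis.com"),
    ("2025-11-07T09:05:00", "WS-03", 2210, "python.exe", "dns", "api-inference.huggingface.co"),
    ("2025-11-07T09:06:00", "WS-03", 2210, "python.exe", "file_write", r"C:\Users\bob\Documents\notes.txt"),
    ("2025-11-07T09:10:00", "WS-04", 300, "setup.exe", "file_write", STARTUP + r"\tool.lnk"),
    ("2025-11-07T10:30:00", "WS-01", 4120, "wscript.exe", "file_write", STARTUP + r"\late.vbs"),
]


def find_llm_then_startup_write(events, window=WINDOW):
    """Alert when one process resolves an LLM API host, then writes into Startup."""
    last_contact = {}  # (host, pid) -> (time of lookup, API hostname)
    alerts = []
    for ts, host, pid, image, kind, target in sorted(
            events, key=lambda e: datetime.fromisoformat(e[0])):
        when = datetime.fromisoformat(ts)
        name = target.lower().rstrip(".")
        if kind == "dns" and name in LLM_API_HOSTS:
            last_contact[(host, pid)] = (when, name)
        elif kind == "file_write" and STARTUP_MARKER in target.lower():
            seen = last_contact.get((host, pid))
            # Only the sequence "API lookup, then Startup write" inside the window alerts.
            if seen and when - seen[0] <= window:
                alerts.append({"host": host, "pid": pid, "image": image,
                               "api": seen[1], "path": target,
                               "delay_s": int((when - seen[0]).total_seconds())})
    return alerts


if __name__ == "__main__":
    for alert in find_llm_then_startup_write(SAMPLE_EVENTS):
        print(alert)
```

Keying on host and PID alone misses child processes and can be confused by PID reuse; real EDR telemetry usually offers a process GUID or parent-child chain to correlate on instead.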

Source: https://www.securityweek.com/malware-now-uses-ai-during-execution-to-mutate-and-collect-data-google-warns/