Google Warns of PROMPTFLUX Malware That Uses Gemini API for Self-Rewriting Attacks
gbhackers
Cybersecurity researchers at Google Threat Intelligence Group (GTIG) have identified a significant shift in how threat actors are leveraging artificial intelligence in their operations.
The discovery of experimental malware called PROMPTFLUX marks a watershed moment in cyber threats, demonstrating that attackers are no longer using AI merely to boost productivity; they are now deploying AI-enabled malware capable of dynamically altering its own behavior during execution.
This represents a fundamental escalation in the threat landscape, introducing what security experts are calling “just-in-time” malware that evolves mid-attack to evade detection systems.
PROMPTFLUX, identified in early June 2025, stands as the first confirmed case of malware that harnesses a large language model’s capabilities to actively rewrite its own source code.
Written in VBScript, the dropper interacts directly with Google’s Gemini API to request specific obfuscation and evasion techniques, effectively creating a perpetually shifting target for traditional security defenses ...
Copyright of this story solely belongs to gbhackers.

