GTIG Advances in Threat Actor Usage of AI Tools [pdf] (services.google.com)

Google’s Threat Intelligence Group (GTIG) reports a meaningful shift: adversaries are moving from using AI for productivity to embedding LLMs directly into malware, enabling “just‑in‑time” self‑modification and on‑demand generation of malicious code. GTIG documented families like PROMPTFLUX (VBScript dropper using the Gemini API and a “Thinking Robot” module to request VBScript obfuscation and rewrite itself), PROMPTSTEAL (a data miner used by APT28 that queries Qwen2.5‑Coder‑32B‑Instruct via Hugging Face to generate one‑line Windows commands for reconnaissance and exfil), and experimental PROMPTLOCK ransomware that executes generated Lua scripts. Attackers are using stolen API keys, hard‑coded prompts (including model targets like gemini-1.5-flash-latest), and social‑engineering pretexts (e.g., posing as CTF players) to bypass safety guardrails. GTIG says some samples are experimental, but PROMPTSTEAL was observed in live operations; Google has disabled related assets and hardened classifiers and model safeguards. For the AI/ML community this signals a technical inflection point: malware can become adaptive and polymorphic by outsourcing logic to LLMs, complicating static signature detection and increasing the speed and scale at which novel payloads can be produced. Key implications include the need to prioritize runtime and behavioral detection, protect API credentials and telemetry, tighten model query controls and provenance, and expand intel‑sharing around prompt patterns and abuse indicators. The underground marketplace’s maturation also lowers the bar for less skilled actors, making proactive model robustness, rate limits, and ecosystem coordination essential to mitigate emerging threats.