Google AI Threat Report 2025: Cyber Criminals Now Using AI-Powered Malware

Executive Summary: A New Phase of AI-Enabled Cyber Threats

The Google Threat Intelligence Group (GTIG) has published a groundbreaking report documenting a critical evolution in cyber threats: adversaries have moved beyond using AI for productivity gains and are now deploying novel AI-enabled malware in active operations.

This marks what Google calls "a new operational phase of AI abuse" involving tools that dynamically alter their behavior mid-execution—something that was previously theoretical is now a documented reality.

Report Overview

• Publisher: Google Threat Intelligence Group (GTIG)
• Release Date: November 2025
• Report Type: Update to January 2025 "Adversarial Misuse of Generative AI" analysis
• Scope: Analysis of broader threat landscape, state-sponsored actors, and cybercrime markets
• Key Focus: How government-backed threat actors and cyber criminals integrate AI throughout the entire attack lifecycle

🚨 Key Findings: Four Critical Developments

1. First Use of "Just-in-Time" AI in Malware

For the first time, GTIG has identified malware families that use Large Language Models (LLMs) during execution. These tools represent a significant leap toward autonomous and adaptive malware:

These tools dynamically generate malicious scripts, obfuscate their own code to evade detection, and leverage AI models to create malicious functions on demand rather than hard-coding them into the malware.

2. Social Engineering to Bypass AI Safeguards

Threat actors have developed sophisticated techniques to circumvent AI safety guardrails:

• CTF Pretexts: Actors pose as students in "capture-the-flag" cybersecurity competitions
• Research Personas: Claiming to be cybersecurity researchers conducting legitimate studies
• Academic Cover: Pretending to write university papers on security topics

These social engineering tactics persuade AI models like Gemini to provide information that would otherwise be blocked, enabling tool development and vulnerability exploitation.

3. Maturing Cybercrime Marketplace for AI Tooling

The underground marketplace for illicit AI tools has significantly matured in 2025. GTIG identified multiple offerings of multifunctional tools designed to support:

Notable underground AI tools identified: DarkDev, EvilAI, FraudGPT, LoopGPT, MalwareGPT, NYTHEON AI, SpamGPT, WormGPT, Xanthorox

4. State-Sponsored Actors Augment Full Attack Lifecycle

State-sponsored actors from North Korea, Iran, and the People's Republic of China (PRC) continue to misuse Gemini to enhance all stages of their operations:

• Initial Compromise: Reconnaissance, phishing lure creation, vulnerability scanning
• Establish Foothold: Malware development, C2 infrastructure setup
• Escalate Privileges: Exploit research, privilege escalation techniques
• Lateral Movement: Network enumeration, cloud infrastructure attacks
• Maintain Presence: Webshell creation, persistence mechanisms
• Complete Mission: Data exfiltration scripts, credential theft tools

🔬 Deep Dive: PROMPTFLUX - Self-Modifying Malware

GTIG's discovery of PROMPTFLUX in June 2025 represents a watershed moment in cybersecurity. This experimental dropper malware demonstrates how threat actors are using LLMs for dynamic obfuscation.

How PROMPTFLUX Works:

1. Initial Execution: Written in VBScript, PROMPTFLUX decodes and executes an embedded decoy installer
2. AI-Powered Regeneration: Uses Google Gemini API with hard-coded key to query for code rewriting
3. Dynamic Obfuscation: Prompts the LLM to rewrite its own source code on an hourly basis
4. Persistence: Saves new, obfuscated versions to the Startup folder
5. Propagation: Attempts to spread by copying itself to removable drives and network shares

Current Status: GTIG intelligence indicates PROMPTFLUX is in development/testing phase and currently does not demonstrate ability to compromise victim networks. Google has disabled associated assets and strengthened model protections.

⚔️ APT28 Deploys PROMPTSTEAL Against Ukraine

In June 2025, GTIG identified the Russian government-backed actor APT28 (aka FROZENLAKE) using new malware tracked as PROMPTSTEAL (reported by CERT-UA as LAMEHUG) against targets in Ukraine.

PROMPTSTEAL Capabilities:

• LLM Query System: Queries Qwen2.5-Coder-32B-Instruct via Hugging Face API
• Command Generation: LLM generates commands for malware to execute rather than hard-coding them
• Deception: Masquerades as "image generation" program to guide users through prompts
• Data Collection: Generates commands to collect system information and targeted documents
• Blind Execution: Commands are blindly executed locally before output is exfiltrated

Significance: APT28's use of PROMPTSTEAL constitutes GTIG's first observation of malware querying an LLM deployed in live operations.

🌍 State-Sponsored Threat Actor Activities

🇨🇳 China-Nexus Actors

Chinese threat actors demonstrated extensive Gemini misuse across the attack lifecycle:

• Social Engineering: Used CTF pretexts to bypass safety responses
• Exploitation: Developed Python scripts to scan for vulnerable Roundcube and Zimbra email servers
• Mass Exploitation: Used n-day exploits against email servers
• Malware Development: Created tools in Python, C#, PHP, Ruby, and Go
• C2 Infrastructure: Developed malware backend using WeChat for command and control
• Cloud Attacks: Researched AWS EC2 credentials and Kubernetes exploitation

🇰🇵 North Korean Actors

UNC1069 (aka MASAN) targeted cryptocurrency infrastructure:

• Cryptocurrency Research: Used Gemini to research wallet application data locations
• Multi-Language Campaigns: Generated Spanish-language lures to expand targeting
• Deepfake Usage: Leveraged deepfake images and videos impersonating cryptocurrency industry individuals
• Social Engineering: Distributed BIGMACHO backdoor via fake "Zoom SDK" downloads

UNC4899 (aka PUKCHONG) focused on supply chain compromise and exploit development for edge devices and modern browsers.

🇮🇷 Iranian Actors

TEMP.Zagros (aka MUDDYCOAST, Muddy Water) evolved from using public tools to custom malware development:

• Custom Malware: Developed webshells and Python-based C2 servers
• Bypass Techniques: Used "student" and "researcher" pretexts to bypass safety guardrails
• OPSEC Failures: Revealed C2 domains and encryption keys while asking Gemini for help with scripts

APT42 focused on sophisticated phishing campaigns:

• Impersonation: Created lures impersonating prominent think tanks and organizations
• Data Processing: Attempted to build "Data Processing Agent" to convert natural language queries into SQL for sensitive data analysis
• Translation Services: Used Gemini to translate specialized vocabulary for targeted campaigns

🇷🇺 APT41 (China) - Code Development

Demonstrated sophisticated technical support usage:

• C2 Development: Sought assistance with C++ and Golang code for OSSTUN C2 framework
• Obfuscation: Researched code obfuscation using publicly available libraries
• Multi-Platform Targeting: Targeted mobile and desktop systems across multiple operating systems

🛡️ Google's Response and Mitigation Efforts

Google has taken proactive steps to counter these threats:

Immediate Actions:

• Account Termination: Disabled projects and accounts associated with malicious actors
• Asset Disruption: Disabled C2 infrastructure and hard-coded API keys found in malware
• Threat Intelligence Sharing: Shared findings with security community and law enforcement

Model Improvements:

• Classifier Strengthening: Enhanced detection of malicious prompt patterns
• Model Hardening: Improved model-level protections against misuse
• Safety Responses: Refined safety guardrails to better detect social engineering attempts

Broader Security Framework:

• Secure AI Framework (SAIF): Conceptual framework for securing AI systems
• Red Teaming: Automated evaluation framework for testing AI vulnerabilities
• Big Sleep: AI agent for finding security vulnerabilities in software
• CodeMender: Experimental AI-powered agent for automatically fixing code vulnerabilities

🔮 Future Threat Landscape Predictions

Based on GTIG's analysis, security professionals should anticipate:

🛡️ Protecting Your VPS Infrastructure

In light of these evolving AI-enabled threats, securing your VPS infrastructure has never been more critical:

Essential Security Measures:

# 1. Implement Multi-Factor Authentication
# 2. Use SSH Key Authentication Only
sudo nano /etc/ssh/sshd_config
# Set: PasswordAuthentication no

# 3. Install and Configure Fail2Ban
sudo apt install fail2ban -y
sudo systemctl enable fail2ban

# 4. Enable Automatic Security Updates
sudo apt install unattended-upgrades -y

# 5. Configure Intrusion Detection
sudo apt install aide -y
sudo aideinit

# 6. Monitor System Logs
sudo apt install logwatch -y

# 7. Implement Network Segmentation
sudo ufw enable
sudo ufw default deny incoming
sudo ufw default allow outgoing

For comprehensive VPS security guidance, see our VPS Security Basics and VPS Hacked Response Guide.

📚 Related Resources

• Complete VPS Security Guide
• VPS Hacked? Response & Recovery Steps
• VPS Performance & Security Monitoring
• SSH Key Authentication Setup

Conclusion: A Paradigm Shift in Cybersecurity

Google's November 2025 threat intelligence report documents a fundamental shift in the cyber threat landscape. The evolution from AI as a productivity tool to AI as an active component of malware represents a new era of adaptive, intelligent threats.

Key Takeaways:

1. AI-enabled malware is now operational: Tools like PROMPTFLUX and PROMPTSTEAL are being deployed in active campaigns
2. State actors lead innovation: APT groups from Russia, China, Iran, and North Korea are at the forefront
3. Underground markets are maturing: Commercial AI-powered attack tools lower the barrier to entry
4. Social engineering evolves: Threat actors successfully bypass AI safety guardrails using pretexts
5. Defense must adapt: Traditional signature-based detection is insufficient against runtime-generated malware

About this article: This comprehensive analysis is based on the official Google Threat Intelligence Group (GTIG) report "AI Threat Tracker: Advances in Threat Actor Usage of AI Tools" published in November 2025. All malware names, threat actor designations, and technical details are sourced directly from Google's original research.

Related: Read this article in German (Deutsch)