Hackers Harness AI for Dynamic Malware Creation

New malware families use AI for cyberattacks, Google study reveals.

Several new families of malware are leveraging large language models for cyberattacks, according to a Google study.

The Google Threat Intelligence Group (GTIG) report reveals that experts have tracked at least five distinct AI-supported malware strains, some of which are already being used in attacks.

The identified software families dynamically generate malicious scripts, obfuscate their own code to evade detection, and employ AI models to create malicious functions based on the situation, rather than predefining them.

This new technique differs from the traditional approach to developing malicious software, where the software logic is initially embedded in binary code.

By delegating some functions to artificial intelligence, the software can continuously adapt to strengthen its defenses against containment systems.

GTIG’s technical description notes that the PROMPTFLUX family initiates a “Thinking Robot” process, which calls the Gemini API every hour to rewrite its own VBScript code. PROMPTSTEAL, linked to the Russian group APT28, uses the Qwen model to generate Windows commands on demand.
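The hourly API call described for PROMPTFLUX leaves a network pattern defenders can hunt for. The following is an added detection sketch, not code from GTIG or from this article: it flags Windows Script Host processes that contact an LLM API host at a roughly hourly cadence. The log layout, sample lines, thresholds and the choice of `generativelanguage.googleapis.com` as the Gemini API hostname are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumptions (not from the article): watched hostnames and the log layout.
LLM_API_HOSTS = {"generativelanguage.googleapis.com"}  # Gemini API endpoint
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}          # Windows Script Host runs VBScript

# Constructed sample: "<ISO time> <endpoint> <process> <destination host>"
SAMPLE_LOG = """\
2025-11-05T08:00:12 ws-014 wscript.exe generativelanguage.googleapis.com
2025-11-05T09:00:09 ws-014 wscript.exe generativelanguage.googleapis.com
2025-11-05T10:00:15 ws-014 wscript.exe generativelanguage.googleapis.com
2025-11-05T11:00:11 ws-014 wscript.exe generativelanguage.googleapis.com
2025-11-05T08:13:40 ws-022 chrome.exe generativelanguage.googleapis.com
2025-11-05T08:14:02 ws-022 chrome.exe generativelanguage.googleapis.com
2025-11-05T09:30:00 ws-031 cscript.exe updates.example.internal
2025-11-05T14:02:51 ws-040 cscript.exe generativelanguage.googleapis.com
"""

def parse(log_text):
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, endpoint, process, dest = parts
        yield datetime.fromisoformat(ts), endpoint, process.lower(), dest.lower()

def find_llm_beacons(log_text, period_s=3600, tolerance_s=300, min_hits=3):
    """Report script hosts calling LLM APIs.
    'high' = calls recur at about period_s; 'review' = any other script-host call."""
    hits = defaultdict(list)
    for ts, endpoint, process, dest in parse(log_text):
        if process in SCRIPT_HOSTS and dest in LLM_API_HOSTS:
            hits[(endpoint, process, dest)].append(ts)
    findings = []
    for (endpoint, process, dest), times in sorted(hits.items()):
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Need at least two hits to have a gap; mean and spread must both fit the period.
        periodic = (len(times) >= max(min_hits, 2)
                    and abs(mean(gaps) - period_s) <= tolerance_s
                    and pstdev(gaps) <= tolerance_s)
        findings.append({"endpoint": endpoint, "process": process, "dest": dest,
                         "count": len(times), "severity": "high" if periodic else "review"})
    return findings

if __name__ == "__main__":
    for finding in find_llm_beacons(SAMPLE_LOG):
        print(finding)
```

Browser traffic to the same host is ignored on purpose: the signal is a script interpreter talking to an LLM API, and the fixed interval only raises the severity.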

Analysts also detected activity from the North Korean group UNC1069 (Masan), which abused Gemini. The group is known for conducting cryptocurrency theft campaigns using social engineering.

The queries sent to Google’s AI included instructions for finding wallet application data, generating scripts to access encrypted storage, and creating multilingual phishing content targeting cryptocurrency exchange employees.

Not New

The use of artificial intelligence by hackers is a longstanding issue.

In February 2024, it was revealed that North Korean fraudsters were using AI for malicious schemes and hacks. A South Korean intelligence representative stated that perpetrators from the neighboring country use generative artificial intelligence to deceive and compromise security personnel.

In June 2025, the AI tool Xbow from the company of the same name topped the leaderboard of white hat hackers who discovered and reported the most vulnerabilities in major companies’ software. Xbow helped identify flaws in the systems of Amazon, Disney, PayPal, and Sony Group Corporation.

In October, cryptographer Kostas Chalkias from Mysten Labs warned that North Korean hackers are integrating artificial intelligence into all stages of cyberattacks—from phishing to money laundering. According to him, AI has become a more serious threat to cryptocurrencies than quantum computing.

“Neural networks are the best tool I’ve ever had as a white hat hacker. And you can imagine what happens when it falls into the wrong hands,” the expert said.

He added that groups like Lazarus use LLMs to automatically scan thousands of smart contracts.

In September, experts discovered SpamGPT, a new AI tool for automating email attacks, on dark forums. It is advertised as a “revolution” for cybercriminals.
