GTIG AI Threat Tracker: Advances in Threat Actor Usage of AI Tools

Google Threat Intelligence Group (GTIG) has observed a shift to AI-enabled malware actively deployed by adversaries. New malware families like PROMPTFLUX and PROMPTSTEAL use LLMs during execution for dynamic code generation and obfuscation. Cybercriminals are using social engineering to bypass AI safety guardrails for malicious purposes. The underground marketplace now provides multifunctional AI tools for phishing, malware development, and vulnerability research. State-sponsored actors are misusing Gemini to enhance all stages of cyberattacks, from reconnaissance to data exfiltration. GTIG has identified malware employing AI to dynamically alter behavior mid-execution, marking a step towards autonomous malware. PROMPTFLUX leverages Gemini to obfuscate code and evade detection, though it's still in development. PROMPTSTEAL, used by APT28, queries an LLM to generate commands for data mining. Google has disabled malicious assets, strengthened classifiers, and enhanced model protections. These evolving threats indicate the need for proactive measures and robust AI security.