Threatening researchers first discovered AI-operated ransomware, called Promptlock, which uses Lua script to steal and encrypt data on Windows, McOS and Linux systems.
GPT-OSS of Malware Olmai: 20B uses the 20B model through API, which dynamically generates malicious Lua script from the hard-coded prompt.
How does it work
As ESET researcherThe promptlock is written in the Golds and uses Olama API to reach the GPT -SS: 20B larger language model. The LLM is hosted on a remote server, in which the actor connects through a proxy tunnel.
The Malware uses a hard-coded prompt that instructs the model to generate dynamically malicious flavored scripts, including local filesistum enumerations, target files inspection, data exfoliation and file encryption.
Source: ESET
Researchers have also mentioned the functionality of data destruction but the facility has not been implemented.
For file encryption, Promplock uses a light speed 128-bit algorithm, an unusual option for rangesware, is considered suitable Mainly for RFID applications,
Source: ESET
Just a demo for now
ESET told Bleepingcomputer that the promptlock has not appeared in their telemetry, but they have discovered it on virustotal.
The cyber security company believes that the Promptlock works in a proof-of-concept or progress, not an active ransomware in the wild.
In addition, several indications indicate that it is a concept tool rather than a real danger in Presene. Some clues suggest that a weak encryption cipher (Spec 128-bit) is involved, which knows a hard-coded bitcoin associated with Satoshi Nakamoto, and the fact that the data destruction capacity is not implemented.
Published details about a safety researcher Pamplock after ESET Claimed That the malware was his project and somehow it leaked.
Nevertheless, the presence of the promptlock is important in displaying that AIS can be made weapons in malware workflows, offering the bar for cross-platform capabilities, operational flexibility, theft and admission to cybercrime.
The development became clear in July, when Ukraine’s certificate reported the discovery of an LLM-operated tool Lamhug Malware, which uses API and Alibaba’s Quven-2.5-Coder-32B hugging to generate Windows Shell Command on the fly.
LAMEHUG, is believed to have been deployed by Russian hackers of the APT28 group, availing API calls rather than proxing the promptlock. Both implementation achieve the same practical results, although the latter is more complex and risky.
The passwords broke in 46% of the atmosphere, almost doubled by 25% last year.
Picus Blue Report 2025 Now get a wider look at more conclusions on prevention, detection and data exfIs.
