
ESET specialists have discovered an unusual piece of malware dubbed PromptLock. The researchers describe it as the first known ransomware to use AI.
According to the researchers, the malware does not yet appear to be fully functional and is clearly still in development. Nonetheless, variants built for Windows and Linux have already been uploaded to VirusTotal.
“Although multiple indicators suggest that this sample is a proof of concept or someone’s unfinished work rather than a fully functional piece of malware used in attacks, we consider it our duty to inform the cybersecurity community about such developments,” ESET says.
Even without confirmed real-world infections, PromptLock shows how much of a cybercriminal's work AI can take over.
The researchers explain that PromptLock uses OpenAI's gpt-oss-20b model, one of the two free open-weight models the company released earlier this month. The model runs locally on the infected device and is accessed through the Ollama API to generate malicious Lua scripts on the fly. Because the scripts are produced at runtime, their exact contents can differ from one execution to the next, which complicates purely signature-based detection.

“PromptLock uses Lua scripts generated with hard-coded prompts to enumerate the local file system, examine target files, extract selected data, and perform encryption,” the researchers say, noting that the Lua scripts are cross-platform and run on Windows, Linux, and macOS.
Based on file type and contents, the malware then decides which files to search for, copy, encrypt, or even destroy. According to the researchers, the data-wiping functionality has not yet been implemented.
For file encryption PromptLock uses the 128-bit variant of SPECK, a lightweight block cipher designed by the NSA and published in 2013; the ransomware itself is written in Go.
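For readers who want to see what the cipher named above actually does, here is an added reference implementation of Speck128/128 in Python. It is not PromptLock's or ESET's code; it follows the published specification and is checked against the test vector released with the cipher. The CTR-mode helper is an assumption made for the example so that file-sized data can be processed; the article does not state which mode of operation the malware uses.

```python
# Added example: Speck128/128 (128-bit block, 128-bit key) as published by the NSA.
# Not PromptLock's code; the CTR helper below is an assumption for illustration.

MASK64 = (1 << 64) - 1
ROUNDS = 32           # Speck128/128 uses 32 rounds
ALPHA, BETA = 8, 3    # rotation constants for the 64-bit word size


def ror64(x, r):
    """Rotate a 64-bit word right by r bits."""
    return ((x >> r) | (x << (64 - r))) & MASK64


def rol64(x, r):
    """Rotate a 64-bit word left by r bits."""
    return ((x << r) | (x >> (64 - r))) & MASK64


def expand_key(key):
    """Derive the 32 round keys from a 128-bit key given as (l0, k0) 64-bit words."""
    l, k = key
    round_keys = [k]
    for i in range(ROUNDS - 1):
        # The key schedule is the round function itself, keyed with the round counter.
        l = ((ror64(l, ALPHA) + k) & MASK64) ^ i
        k = rol64(k, BETA) ^ l
        round_keys.append(k)
    return round_keys


def encrypt_block(block, key):
    """Encrypt one 128-bit block given as (x, y) 64-bit words, leftmost word first."""
    x, y = block
    for k in expand_key(key):
        x = ((ror64(x, ALPHA) + y) & MASK64) ^ k
        y = rol64(y, BETA) ^ x
    return x, y


def decrypt_block(block, key):
    """Invert encrypt_block by undoing the rounds in reverse order."""
    x, y = block
    for k in reversed(expand_key(key)):
        y = ror64(y ^ x, BETA)
        x = rol64(((x ^ k) - y) & MASK64, ALPHA)
    return x, y


# Published Speck128/128 test vector (key, plaintext, ciphertext), leftmost word first.
TV_KEY = (0x0F0E0D0C0B0A0908, 0x0706050403020100)
TV_PT = (0x6C61766975716520, 0x7469206564616D20)
TV_CT = (0xA65D985179783265, 0x7860FEDF5C570D18)


def ctr_crypt(data: bytes, key, nonce: int) -> bytes:
    """Encrypt or decrypt arbitrary-length data with Speck128/128 in CTR mode.

    CTR mode is an assumption for this example; the article does not say which
    mode PromptLock uses. The same call both encrypts and decrypts.
    """
    out = bytearray()
    for counter, off in enumerate(range(0, len(data), 16)):
        # Counter block: 64-bit nonce || 64-bit block counter.
        ks_x, ks_y = encrypt_block((nonce & MASK64, counter & MASK64), key)
        keystream = ks_x.to_bytes(8, "big") + ks_y.to_bytes(8, "big")
        chunk = data[off:off + 16]
        out.extend(b ^ s for b, s in zip(chunk, keystream))
    return bytes(out)


def self_test():
    """Return True when the implementation reproduces the published test vector
    and the CTR helper round-trips a constructed sample input."""
    vector_ok = (encrypt_block(TV_PT, TV_KEY) == TV_CT
                 and decrypt_block(TV_CT, TV_KEY) == TV_PT)
    sample = b"constructed sample file contents for the CTR round trip"  # constructed input
    return vector_ok and ctr_crypt(ctr_crypt(sample, TV_KEY, 0x1234), TV_KEY, 0x1234) == sample


if __name__ == "__main__":
    print("Speck128/128 self-test:", "passed" if self_test() else "FAILED")
```

The block-level functions are all that is needed to write a decryptor if a sample's key material were ever recovered; the test vector check is the safeguard against the classic mistakes (word order, rotation direction, counter placement in the key schedule) that make a home-grown Speck silently incompatible with the published one.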
