Cybersecurity firm ESET has disclosed that it found a synthetic intelligence (AI)-powered ransomware variant codenamed PromptLock.
Written in Golang, the newly recognized pressure makes use of the gpt-oss:20b mannequin from OpenAI regionally by way of the Ollama API to generate malicious Lua scripts in real-time. The open-weight language mannequin was launched by OpenAI earlier this month.
“PromptLock leverages Lua scripts generated from hard-coded prompts to enumerate the native filesystem, examine goal recordsdata, exfiltrate chosen knowledge, and carry out encryption,” ESET stated. “These Lua scripts are cross-platform suitable, performing on Home windows, Linux, and macOS.”
The ransomware code additionally embeds directions to craft a customized observe based mostly on the “recordsdata affected,” and the contaminated machine is a private pc, firm server, or an influence distribution controller. It is at present not identified who’s behind the malware, however ESET informed The Hacker Information that PromptLoc artifacts have been uploaded to VirusTotal from america on August 25, 2025.
“PromptLock makes use of Lua scripts generated by AI, which implies that indicators of compromise (IoCs) might differ between executions,” the Slovak cybersecurity firm identified. “This variability introduces challenges for detection. If correctly applied, such an strategy may considerably complicate menace identification and make defenders’ duties harder.”
Assessed to be a proof-of-concept (PoC) moderately than a totally operational malware deployed within the wild, PromptLock makes use of the SPECK 128-bit encryption algorithm to lock recordsdata.
Apart from encryption, evaluation of the ransomware artifact means that it is also used to exfiltrate knowledge and even destroy it, though the performance to really carry out the erasure seems not but to be applied.
“PromptLock doesn’t obtain all the mannequin, which could possibly be a number of gigabytes in dimension,” ESET clarified. “As a substitute, the attacker can merely set up a proxy or tunnel from the compromised community to a server working the Ollama API with the gpt-oss-20b mannequin.”
The emergence of PromptLock is one other signal that AI has made it simpler for cybercriminals, even those that lack technical experience, to rapidly arrange new campaigns, develop malware, and create compelling phishing content material and malicious websites.
Earlier immediately, Anthropic revealed that it had banned accounts created by two completely different menace actors that used its Claude AI chatbot to commit large-scale theft and extortion of private knowledge focusing on a minimum of 17 distinct organizations, and developed a number of variants of ransomware with superior evasion capabilities, encryption, and anti-recovery mechanisms.
The event comes as massive language fashions (LLMs) powering numerous chatbots and AI-focused developer instruments, similar to Amazon Q Developer, Anthropic Claude Code, AWS Kiro, Butterfly Impact Manus, Google Jules, Lenovo Lena, Microsoft GitHub Copilot, OpenAI ChatGPT Deep Analysis, OpenHands, Sourcegraph Amp, and Windsurf, have been discovered vulnerable to immediate injection assaults, doubtlessly permitting info disclosure, knowledge exfiltration, and code execution.
Regardless of incorporating sturdy safety and security guardrails to keep away from undesirable behaviors, AI fashions have repeatedly fallen prey to novel variants of injections and jailbreaks, underscoring the complexity and evolving nature of the safety problem.
“Immediate injection assaults could cause AIs to delete recordsdata, steal knowledge, or make monetary transactions,” Anthropic stated. “New types of immediate injection assaults are additionally always being developed by malicious actors.”
What’s extra, new analysis has uncovered a easy but intelligent assault referred to as PROMISQROUTE – quick for “Immediate-based Router Open-Mode Manipulation Induced by way of SSRF-like Queries, Reconfiguring Operations Utilizing Belief Evasion” – that abuses ChatGPT’s mannequin routing mechanism to set off a downgrade and trigger the immediate to be despatched to an older, much less safe mannequin, thus permitting the system to bypass security filters and produce unintended outcomes.
“Including phrases like ‘use compatibility mode’ or ‘quick response wanted’ bypasses hundreds of thousands of {dollars} in AI security analysis,” Adversa AI stated in a report printed final week, including the assault targets the cost-saving model-routing mechanism utilized by AI distributors.
