AI-powered malware, known as \u2018MalTerminal\u2019, uses OpenAI\u2019s GPT-4 model<\/a> to dynamically generate malicious code, including ransomware and reverse shells, marking a significant shift in how threats are developed and deployed.<\/p>\n This discovery follows the recent analysis of PromptLock, another AI-driven malware, indicating a clear trend toward adversaries weaponizing large language models (LLMs).<\/p>\n This discovery was part of the \u201cLLM-Enabled Malware In the Wild\u201d research presented by SentinelLABS at the LABScon 2025 security conference.<\/p>\n The findings highlight how adversaries are beginning to integrate LLMs directly into their malicious payloads, creating challenges for traditional security detection methods.<\/p>\n In August 2025, security firm ESET discovered PromptLock<\/a>, which was initially declared the first-known AI-powered ransomware. It was later revealed to be a proof-of-concept created by researchers at New York University to demonstrate the potential dangers of such threats.<\/p>\n Unlike MalTerminal, which relies on a cloud-based API, PromptLock is written in Golang and uses the Ollama API to run an LLM locally on the victim\u2019s machine.<\/p>\n Based on predefined prompts, PromptLock generates malicious Lua scripts in real-time, making it compatible across Windows, Linux, and macOS.<\/p>\n The malware is designed to identify the type of infected system, such as a personal computer, server, or industrial controller, and then autonomously decide whether to exfiltrate or encrypt data using the SPECK 128-bit encryption algorithm.<\/p>\n While PromptLock was a research project, SentinelLABS researchers found<\/a> LLM-enabled malware in the wild. Instead of searching for known malicious code, they focused on artifacts unique to LLM integration.<\/p>\n The team wrote YARA rules to scan for hardcoded API keys and common prompt structures embedded within binaries. This API key hunting methodology successfully identified a cluster of suspicious Python scripts and a compiled Windows executable named Analysis revealed the malware uses a deprecated OpenAI API endpoint<\/a>, suggesting it was created before November 2023 and making it the earliest known sample of its kind.<\/p>\n MalTerminal functions as a malware generator. Upon execution, the tool prompts its operator to choose between creating \u2018Ransomware\u2019 or a \u2018Reverse Shell\u2019. It then sends a request to the GPT-4 API to generate the corresponding malicious Python code at runtime.<\/p>\n This approach means the malicious logic is never stored within the initial binary, allowing it to bypass static analysis and signature-based detection tools.<\/p>\n The research also uncovered related scripts, including early versions ( The emergence of malware like MalTerminal and PromptLock signifies a new challenge for cybersecurity defenders. The ability to generate unique malicious code for each execution makes detection and analysis significantly more difficult.<\/p>\n However, this new class of malware also has inherent weaknesses. Its dependency on external APIs, local models, and hardcoded prompts creates a new attack surface for defenders.<\/p>\n If an API key is revoked or a model is blocked, the malware is rendered inoperable. While LLM-enabled malware is still considered experimental, these examples serve as a critical warning that threat actors are actively innovating, forcing defenders to adapt their strategies to focus on detecting malicious API usage and anomalous prompt activity.<\/p>\n The post First-ever AI-powered \u2018MalTerminal\u2019 Malware Uses OpenAI GPT-4 to Generate Ransomware Code<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nPromptLock: An Academic Proof-of-Concept<\/strong><\/h2>\n
![\"Promptlock\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEghEpjvHziNsLOJ2s3NcTamQ5jDxsJoK1_N98BsuUQWl6tX3DTSwH5u9ZESLGIQEJMA90bPcKUAgQi5Jmk-MUcTZMKSFa4sXsnjUyF6t5cvqpuVx6JMAfIDqyEBXgw1KXSC08dRVarP91nijKPAVfXmzTrwpE9Ghnoa-OE046xrmyqsFLCi5601XEcroyLt\/s16000\/prompt%2520stealer.webp?ssl=1\")
MalTerminal Uncovered <\/strong><\/h2>\n
MalTerminal.exe<\/code>.<\/p>\nTestMal2.py<\/code>) and even a defensive tool named \u2018FalconShield\u2019, which appears to be an experimental malware scanner<\/a> created by the same author.<\/p>\nFollow Us on Google News<\/a>,\u00a0LinkedIn<\/a>, X<\/a>\u00a0to Get Daily Cyber Security Updates and Contact Us<\/a> to Feature Your Stories.<\/strong><\/code><\/p>\n