Google Exposes AI-Powered Malware Behind North Korea’s Crypto Attacks

In a recent report, the company’s Threat Intelligence Group (GTIG) explained that several malware programs rely on large language models (LLMs) to write or change code while running.

GTIG said it has observed at least five types of AI-powered malware active in current attacks.

Did you know?

Want to get smarter & wealthier with crypto?

Subscribe - We publish new crypto explainer videos every week!

Crypto Fees Explained: How Not to Overpay? (Animated)

SUBSCRIBE

ON YOUTUBE

Unlike traditional malware, which contains fixed instructions, these new programs can use models like Gemini or Qwen2.5-Coder to create or hide harmful code when needed. This approach, called "just-in-time code creation", lets the malware adjust itself and avoid detection systems.

Two examples from the report, PROMPTFLUX and PROMPTSTEAL, show how attackers are combining AI with hacking operations.

PROMPTFLUX contacts the Gemini API every hour to rewrite parts of its VBScript code, while PROMPTSTEAL, linked to Russia’s APT28 group, uses the Qwen model on Hugging Face to generate Windows commands during attacks.

The report also highlights a North Korean group known as UNC1069, or Masan. According to Google, this group is known for stealing cryptocurrency through social engineering.

Investigators found that UNC1069 used Gemini to look up wallet data, write scripts that reach encrypted files, and create phishing emails in several languages aimed at crypto exchange employees.

Recently, GTIG identified a new tactic used by North Korean hackers, known as "EtherHiding". What is it? Read the full story.