On Wednesday, Google disclosed an analysis of five recent malware samples that were generated using AI technology. The outcomes of these AI-developed malicious programs fell significantly short of professional malware standards, suggesting that the development of malicious software using vibe coding is still trailing behind conventional methods. As such, AI-generated malware does not yet constitute a tangible threat.
Among the samples was PromptLock, ostensibly part of an academic study to assess the viability of using large language models to autonomously orchestrate ransomware attacks. Researchers observed that PromptLock exhibited significant limitations, such as the absence of persistence, lateral movement, and advanced evasion techniques, rendering it more a proof-of-concept than a functional threat. Prior to the publication of the study, security firm ESET recognized it as “the first AI-powered ransomware.”
Don't Believe the Hype
Similar to other samples Google scrutinized—namely FruitShell, PromptFlux, PromptSteal, and QuietVault—PromptLock was detectable even by basic endpoint protections that rely on static signatures. All five samples employed familiar methods, making them easy for security measures to counteract. Additionally, they inflicted no operational impact, signifying that they did not necessitate any new defensive strategies.
“What this shows us is that more than three years into the generative AI craze, threat development is painfully slow,” said independent researcher Kevin Beaumont to Ars. “If you were paying malware developers for this, you would be furiously asking for a refund as this does not show a credible threat or movement towards a credible threat.”
An anonymous malware expert concurred with Google's findings, indicating that the use of generative AI had not given malicious developers an advantage over those employing traditional development techniques.
“AI isn’t making any scarier-than-normal malware,” commented the expert. “It’s just helping malware authors do their job. Nothing novel. AI will surely get better. But when, and by how much is anybody’s guess.”