ESET Warns AI-driven Malware Attack and Rapidly Growing Ransomware Economy

Brownie2019

The cybersecurity landscape has reached a critical turning point as artificial intelligence moves from theoretical threat to operational reality.

In their H2 2025 Threat Report, ESET researchers have documented a disturbing shift in how attackers operate, revealing that AI-powered malware is no longer a distant concern but an active threat targeting systems worldwide.

The emergence of AI-driven threats marks a fundamental change in attack sophistication. Attackers now employ machine learning models to craft malicious code that adapts to each victim’s environment, making traditional defense mechanisms increasingly ineffective.
Full Story:
The CyberSecurityNews piece is largely a “high-drama” summary of ESET’s own write-up, but ESET’s H2 2025 Threat Report adds important nuance that’s easy to miss in the news article. ([cybersecuritynews.com](https://cybersecuritynews.com/eset-warns-ai-driven-malware-attack/))

What ESET is actually claiming (and what it isn’t)

  • ESET documents a sample they call PromptLock, described as the first known AI-powered ransomware they found (discovered on VirusTotal in H2 2025). ([web-assets.esetstatic.com](https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h22025.pdf))
  • The interesting part is the execution-time prompting: a Go “main module” talks to a server running an AI model (ESET mentions an OpenAI model via the Ollama API) and generates Lua scripts dynamically, then executes them. ([web-assets.esetstatic.com](https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h22025.pdf))
  • ESET assessed PromptLock as proof-of-concept and says this was confirmed when NYU academics contacted them and pointed to a matching prototype. ([web-assets.esetstatic.com](https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h22025.pdf))
  • ESET also explicitly notes we’re still looking at a handful of “prompt-at-runtime” malware families, and that the biggest real-world transformation is still AI-assisted social engineering (more convincing phishing, scams, deepfakes, ads), not armies of fully autonomous “AI malware” everywhere. ([web-assets.esetstatic.com](https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h22025.pdf))

Why this matters for defenders (practical takeaways)

Even if “AI-driven malware” headlines are overcooked, PromptLock-style tradecraft does point to a few defensive priorities:

  • Behavioral detection > static patterns: If payload logic is generated per victim, signature-only approaches age badly. Focus on behavior (mass file access/encryption patterns, suspicious scripting engines, unusual child-process trees, etc.).
  • Script control and hardening: Where feasible, reduce/monitor script execution (PowerShell/script host restrictions, application control/allowlisting for interpreters like Lua/Python, constrain “living off the land” tooling).
  • Outbound controls: If malware depends on reaching an external “AI server/API,” egress filtering, DNS monitoring, and TLS inspection (where appropriate) become even more valuable.
  • Backups remain non-negotiable: Offline/immutable backups plus tested restore procedures still blunt ransomware outcomes regardless of how “smart” the malware is.

Bottom line

ESET’s report is worth reading directly because it frames PromptLock as a meaningful milestone but not “game over”: it’s (1) a real example of runtime prompt-driven code generation, (2) assessed as PoC/experimental, and (3) part of a broader trend where AI’s biggest current impact is scaling and polishing social engineering. ([web-assets.esetstatic.com](https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h22025.pdf))
 
Recommendation

Shift to Behavioral Analytics: Traditional signature-based antivirus is insufficient against dynamic Lua scripts generated by AI. Ensure EDR/XDR platforms are configured for aggressive behavioral blocking and heuristic analysis.

Monitor LLM Traffic: Organizations should monitor and inspect traffic to known AI API endpoints (e.g., OpenAI, Gemini, Anthropic) for anomalous data volumes or unusual "script-like" payloads.

Harden Go and Lua Runtimes: Since these AI-driven threats utilize Go for C2 and Lua for execution, strictly audit or restrict the execution of unauthorized scripts and binaries in user-space directories.

Implement Offline Backups: With the 40% increase in ransomware activity, ensure a verified 3-2-1 backup strategy with at least one immutable, offline copy of critical data.

References

ESET H2 2025 Threat Report.

MITRE ATT&CK T1059 (Command and Scripting Interpreter).

MITRE ATT&CK T1486 (Data Encrypted for Impact).
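Correlation logic for the behavioral-detection and egress-monitoring points made in the two posts above (one process that reaches an LLM endpoint and also spawns a script interpreter or mass-writes files), as an added example that runs over constructed telemetry and is not ESET's or any vendor's code. The endpoint hostnames, Ollama's default port 11434 and the thresholds are assumptions to tune per environment.

```python
import csv
from collections import defaultdict
# Assumed indicators, tune per environment; Ollama listens on 11434 by default.
LLM_HOSTS, LLM_PORTS = {"api.openai.com", "api.anthropic.com"}, {11434}
INTERPRETERS = {"lua", "lua5.4", "luajit", "python3", "powershell.exe"}
FILE_BURST, WINDOW_S = 50, 60  # >=50 writes within 60 s = mass file activity

def max_in_window(times):
    """Largest count of timestamps inside any WINDOW_S-second span."""
    times, best, lo = sorted(times), 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > WINDOW_S:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def correlate(lines):
    """Rows 'epoch,host,pid,image,event,detail' (event net/proc/file). Alert when
    one process reached an LLM endpoint AND spawned an interpreter or burst-wrote."""
    st = defaultdict(lambda: {"image": "", "llm": set(), "interp": set(), "w": []})
    for ts, host, pid, image, event, detail in csv.reader(lines):
        s = st[(host, int(pid))]
        s["image"] = image
        if event == "net":
            dst, port = detail.rsplit(":", 1)
            if dst in LLM_HOSTS or int(port) in LLM_PORTS:
                s["llm"].add(detail)
        elif event == "proc" and detail.lower() in INTERPRETERS:
            s["interp"].add(detail)
        elif event == "file":
            s["w"].append(int(ts))
    alerts = []
    for (host, pid), s in st.items():
        burst = max_in_window(s["w"])
        reasons = ["spawned " + ",".join(sorted(s["interp"]))] if s["interp"] else []
        if burst >= FILE_BURST:
            reasons.append(f"{burst} file writes in {WINDOW_S}s")
        if s["llm"] and reasons:  # LLM contact alone (e.g. a dev tool) is not enough
            alerts.append({"host": host, "pid": pid, "image": s["image"],
                           "llm": sorted(s["llm"]), "reasons": reasons})
    return alerts

# Constructed sample: loader on ws01 talks to local Ollama, spawns lua, rewrites
# 60 documents; an editor on ws02 uses the OpenAI API legitimately (no alert).
SAMPLE = (["1700000000,ws01,4412,updater.exe,net,127.0.0.1:11434",
           "1700000002,ws01,4412,updater.exe,proc,lua"]
          + [f"{1700000005 + i // 2},ws01,4412,updater.exe,file,/home/a/docs/f{i}.odt"
             for i in range(60)]
          + ["1700000010,ws02,880,code.exe,net,api.openai.com:443",
             "1700000011,ws02,880,code.exe,file,/home/b/notes.md"])
```

Calling `correlate(SAMPLE)` yields a single alert for ws01 pid 4412 with both reasons; in production the rows would come from EDR process, network and file telemetry.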
The best protection against Ransomware is backups (offline and online and multiple copies). No protection is guaranteed.

Thanks. Your comment is insightful.