ESET Warns of AI-driven Malware Attacks and Rapidly Growing Ransomware Economy

The cybersecurity landscape has reached a critical turning point as artificial intelligence moves from theoretical threat to operational reality.

In their H2 2025 Threat Report, ESET researchers have documented a disturbing shift in how attackers operate, revealing that AI-powered malware is no longer a distant concern but an active threat targeting systems worldwide.

The emergence of AI-driven threats marks a fundamental change in attack sophistication. Attackers now employ machine learning models to craft malicious code that adapts to each victim’s environment, making traditional defense mechanisms increasingly ineffective.

This shift represents the convergence of two previously separate threats: advanced malware development and artificial intelligence capabilities.

ESET analysts identified PromptLock, the first known AI-powered ransomware, discovered in H2 2025. This malware operates through a unique dual-component architecture that fundamentally changes how ransomware functions.

The static main module, written in Go, communicates directly with a server running an AI model and contains hardcoded prompts. These prompts instruct the AI to generate Lua scripts dynamically, which then execute on compromised systems without being pre-written by developers.

Adaptive capabilities

The technical sophistication of PromptLock lies in its adaptive capabilities. Unlike traditional ransomware that follows predetermined patterns, PromptLock uses the AI model to generate unique scripts for filesystem enumeration, data inspection, exfiltration, and encryption.

PromptLock scheme (Source – ESET)

The malware autonomously scans victim systems and independently decides whether to exfiltrate data, encrypt files, or destroy information based on its findings.

To maintain effectiveness, PromptLock incorporates a feedback loop to validate AI-generated code. When the Lua scripts execute, the malware captures execution logs and sends them back to the AI model for evaluation.

If the code fails to function correctly, the model receives instructions to correct the script based on feedback before executing the corrected version again. This iterative process ensures reliability despite the non-deterministic nature of language models.

Lumma Rats landing page (Source – ESET)

The implications extend beyond PromptLock itself. ESET researchers identified other AI-driven threats, including PromptFlux, which prompts the Gemini AI model to rewrite dropper source code for persistence, and PromptSteal, which generates Windows commands to harvest sensitive documents from victim devices.

The ransomware-as-a-service market has simultaneously experienced explosive growth. Publicly reported victims on dedicated leak sites surpassed 2024 totals well before year-end, with projections indicating a 40 percent year-over-year increase.

Qilin and Akira now dominate the ransomware landscape, while the emerging group Warlock introduces dangerous evasion techniques that circumvent endpoint detection tools.

This convergence of AI-powered attacks and thriving ransomware economies creates an urgent security imperative for organizations worldwide.
