What kinds of problems are a good fit for The Dev Guys?

If the work sits at the intersection of AI, complex systems and real-world operations — and you care about reliability and long-term evolution — we're likely a good fit. If you mainly need brochure sites or simple CRUD apps, there are better, cheaper options for you.

Do you only do AI projects?

No. We design and build whole systems. AI is frequently a part of that, but we're equally comfortable doing non-AI architecture, platform work and rescue missions where AI may come later or not at all.

Will we be working with senior people or handed off to juniors?

You work directly with senior engineers and Dhaval himself. We stay small and selective precisely so we don't need delivery pyramids.

Can you work with our existing team?

Yes. Some of our best work happens when we operate as an embedded special-ops unit alongside your engineering, product and ops teams — designing, building and teaching as we go.

Where do you usually start in a messy situation?

We start with a diagnostic: mapping systems, workflows, data flows and failure modes. Then we design a thin slice that proves or disproves the riskiest assumptions as fast as is safely possible.

How do you think about AI safety and ethics?

We prioritise human control, explainability in sensitive contexts and clear bounds on what systems are allowed to do. We design for oversight, override and accountability — especially in regulated or high-impact domains.

PROMPTFLUX is a new class of AI-driven malware identified by Google Threat Intelligence Group that queries large language models like Gemini during execution, allowing it to adapt and change shape while attacking.

How does AI malware evade detection?

AI malware like PROMPTSTEAL uses LLMs to dynamically modify its behavior, signatures, and attack patterns in real-time, making traditional signature-based detection ineffective.

December 2, 2025•7 min read

When Malware Learned to 'Think': PROMPTFLUX & PROMPTSTEAL in 2025

How adaptive AI-driven malware is changing cybersecurity forever

AI MalwareCybersecurityLLMsThreat Intelligence

Dhaval Shah

Founder & CEO, The Dev Guys

In late 2025, cybersecurity reached a turning point. Google's Threat Intelligence Group (GTIG) and Darktrace uncovered a new class of malware that doesn't just run — it reasons. PROMPTFLUX and PROMPTSTEAL are designed to query large language models like Gemini during execution, transforming their identities as defenders react.

What Makes This Different

Until now, malware relied on pre-written logic. These new threats use AI in real time, making decisions, rewriting themselves, and continuing attacks even as detection systems adapt.

PROMPTFLUX

PROMPTFLUX is a VBScript-based dropper that repeatedly asks an LLM to rewrite its own code. Every rotation produces fresh obfuscation — changing filenames, code structure, and signatures — allowing it to slip past antivirus tools designed to detect known patterns.

Uses Gemini API calls at runtime
Rewrites itself hourly
Persists via Windows Startup folder
Spreads to removable and network drives

PROMPTSTEAL

PROMPTSTEAL, often delivered as a PyInstaller package, has been associated with advanced persistent threat actors. Instead of embedding fixed commands, it generates system reconnaissance and exfiltration actions on-demand through an LLM capable of writing code.

Executes dynamically generated commands
Context-aware reconnaissance
Targeted file collection and exfiltration
Hard to classify through static analysis

The Dawn of Adaptive AI Malware

This isn't AI helping attackers write malware — this is malware using AI while alive. It shifts from static threats to living software organisms that evolve with the environment they're attacking.

💡

Traditional signatures collapse when the malware no longer stays the same.

How Security Must Respond

Because these threats use AI as an execution layer, defenders must go beyond signature detection. Focus shifts to real-time behavior, credential protection, and limiting AI model misuse.

Monitor unexpected API calls to LLM providers
Encrypt and rotate developer tokens frequently
Use anomaly-based, behavior-driven detection
Adopt AI-powered security operations
Educate teams on social-engineering upgrades

A Dual-Use Technology Dilemma

LLMs enable innovation, but their flexibility also lowers the skill barrier for cybercrime. Polymorphic malware — once requiring elite adversaries — can now be assembled using a stolen billing token and a few prompts.

Final Thought

PROMPTFLUX and PROMPTSTEAL are early warning signs. We are entering an era where software attacks will be guided by models that can reason, rewrite, and react. To keep up, cybersecurity must become as adaptive as its adversaries.

About the author

Dhaval Shah

Founder & CEO, The Dev Guys

Founder, architect, and the first call for products that can’t afford to fail.

Dhaval has spent 25+ years helping founders and teams translate ambiguous ideas into precise systems. He leads The Dev Guys with a bias toward clarity, deep thinking, and high-craft execution.

View profile →

Want help building something like this?

We work with teams facing hard technical and architectural challenges. If what you've read resonates and you're building something complex, let's talk.

Start a conversation→

View all articles →

What Makes This Different

PROMPTFLUX

PROMPTSTEAL

The Dawn of Adaptive AI Malware

How Security Must Respond

A Dual-Use Technology Dilemma

Final Thought

Dhaval Shah

Want help building something like this?

More Articles