Analytics Story: PromptFlux

Description

PromptFlux is a POC malware sample that abuses Gemini-like services for command-and-control operations. It achieves persistence by dropping executables or scripts in startup folders and frequently accesses the Gemini API using hard-coded keys or unauthorized requests, often from non-standard processes. The malware also stages payloads, configuration files, or encrypted prompts in temporary directories such as TMP, leaving forensic artifacts. Detection involves monitoring these locations, tracking anomalous API calls, and observing unusual outbound traffic or process injections, enabling early identification and mitigation.

Why it matters

PromptFlux is currently a POC malware sample that abuses Gemini-like services for malicious command execution. It ensures persistence by dropping files in startup folders and staging payloads in temporary directories. The malware exploits Gemini API access to receive instructions or exfiltrate data, often using hard-coded keys or unauthorized requests. Its activity may include unusual outbound traffic, process injections, and script execution outside normal workflows. Monitoring these locations and API usage can help identify infections early and prevent further compromise.

Detections

| Name | Technique | Type |
| --- | --- | --- |
| Executables Or Script Creation In Temp Path | Masquerading | Anomaly |
| Windows AI Platform DNS Query | DNS | Anomaly |
| Windows Boot or Logon Autostart Execution In Startup Folder | Registry Run Keys / Startup Folder | Anomaly |

Data Sources

| Name | Platform | Sourcetype | Source |
| --- | --- | --- | --- |
| Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 22 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
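
The following is an added example, not code from this story or its detections: a small Python triage that applies the three detection ideas above to Sysmon EventID 11 and EventID 22 records in XML form. The domain list, the expected-client list, the file extensions, the path patterns and the result labels are assumptions chosen for illustration, and the sample events are constructed.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumed values for illustration; tune these to your environment.
AI_DOMAINS = {"generativelanguage.googleapis.com"}
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SCRIPT_EXT = re.compile(r"\.(exe|dll|vbs|js|ps1|bat|cmd)$", re.I)
STARTUP = re.compile(r"\\start menu\\programs\\startup\\", re.I)
TEMP = re.compile(r"\\(windows\\temp|appdata\\local\\temp)\\", re.I)

def parse(xml_text):
    """Return (event_id, {field: value}) from one Sysmon event in XML form."""
    root = ET.fromstring(xml_text)
    eid = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): d.text or "" for d in root.findall("e:EventData/e:Data", NS)}
    return eid, data

def classify(xml_text):
    """Return the (hypothetical) labels of the checks this event matches."""
    eid, d = parse(xml_text)
    hits = []
    if eid == 11:  # FileCreate
        target = d.get("TargetFilename", "")
        if STARTUP.search(target):
            hits.append("startup_folder_autostart")
        if TEMP.search(target) and SCRIPT_EXT.search(target):
            hits.append("exec_or_script_in_temp")
    elif eid == 22:  # DnsQuery
        image = d.get("Image", "").rsplit("\\", 1)[-1].lower()
        query = d.get("QueryName", "").lower().rstrip(".")
        if query in AI_DOMAINS and image not in EXPECTED_CLIENTS:
            hits.append("ai_platform_dns_from_unexpected_process")
    return hits

def event(eid, **fields):
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID></System>'
            f'<EventData>{data}</EventData></Event>')

SAMPLES = [  # constructed events, not taken from a real sample
    event(11, TargetFilename=r"C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.vbs"),
    event(11, TargetFilename=r"C:\Users\a\AppData\Local\Temp\stage.vbs"),
    event(22, Image=r"C:\Windows\System32\wscript.exe", QueryName="generativelanguage.googleapis.com"),
    event(22, Image=r"C:\Program Files\Google\Chrome\Application\chrome.exe", QueryName="generativelanguage.googleapis.com"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```

The last sample shows why the DNS check keys on the requesting process: the same query from a browser is not flagged, while the script host is.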


Source: GitHub | Version: 1