In what is reportedly a world-first, ESET researchers have discovered PrompLock, a generative AI-powered ransomware implant currently in development.
The researchers described it as the “first known AI-powered ransomware.” It utilizes generative AI to execute attacks via a freely available large language model (LLM) that operates locally through an application programming interface (API).
However, ESET emphasized that PromptLock was not observed in actual attacks and is instead considered a proof-of-concept (PoC) or a work in progress.
PromptLock AI Ransomware Characteristics
According to an August 26 report published by ESET, the PromptLock ransomware was developed in Golang and has been observed in both Windows and Linux variants submitted to VirusTotal.
What sets this malware apart is its use of OpenAI’s locally hosted gpt-oss:20b model through the Ollama API to dynamically generate malicious Lua scripts, which are then executed on infected systems.
Rather than downloading the entire multi-gigabyte model, the attacker establishes a proxy or tunnel from the compromised network to a remote server running the Ollama API with the model preloaded.
This approach aligns with the ‘Internal Proxy’ technique (MITRE ATT&CK T1090.001), a tactic increasingly adopted in contemporary cyberattacks for evasion and persistence, said ESET researchers in a thread on X.
#ESETResearch has discovered the first known AI-powered ransomware, which we named #PromptLock. The PromptLock malware uses the gpt-oss:20b model from OpenAI locally via the Ollama API to generate malicious Lua scripts on the fly, which it then executes 1/6 pic.twitter.com/wUZS7Fviwi
— ESET Research (@ESETresearch) August 26, 2025
The Lua scripts generated from hardcoded prompts are cross-platform, capable of running on Windows, Linux and macOS.
These scripts perform filesystem enumeration, target file inspection, data exfiltration and encryption.
Depending on the detected user files, the malware may exfiltrate sensitive data, encrypt it or potentially destroy it. However, the destruction functionality appears to be not yet implemented, ESET researchers noted.
The Bitcoin address embedded in the prompt traces back to Satoshi Nakamoto, the pseudonymous creator of Bitcoin.
For encryption, PromptLock employs the SPECK 128-bit algorithm.
While several indicators suggest this sample is likely a PoC or an early-stage development rather than a fully operational threat active in the wild, the discovery warrants attention from the cybersecurity community.
AI Exploited: Claude Used for Extortion, Fraud, and Ransomware
In another threat intelligence report published on August 27, GenAI company Anthropic revealed sophisticated attempts by bad actors to exploit its LLM Claude for malicious cyber operations, many of which were detected and disrupted before execution.
The report details eight case studies, including three standout examples of AI-driven attack methods.
The first case involved a cybercriminal group that leveraged Claude Code to automate large-scale data theft and extortion campaigns, targeting over 17 organizations. The AI was used to make real-time tactical decisions, craft customized ransom demands and streamline extortion workflows.
In a separate operation, North Korean threat actors exploited Claude to create convincing fake identities, pass technical interviews and secure fraudulent remote IT jobs at legitimate tech companies. The scheme was designed to generate revenue for the North Korean regime.
The report also exposes a case where a cybercriminal used Claude to develop, refine and distribute multiple ransomware variants, each equipped with advanced evasion techniques, strong encryption and anti-recovery mechanisms.