Threat Advisories:
CVE-2025-55177: WhatsApp Zero-Click Flaw Used in Targeted Campaigns Experimental AI Ransomware PromptLock Sparks Security Concerns NightSpire Ransomware Expands Reach with Aggressive Extortion Deadlines Operation HanKook Phantom: APT37’s Stealthy Espionage Campaign Storm-0501’s Shift to Cloud-Native Ransomware Salt Typhoon Cyber Attacks Hit 200 Organizations in the United States CVE-2025-7775: Actively Exploited Critical Flaw in Citrix NetScaler ZipLine Campaign Spins Web Around U.S. Supply Chain Manufacturers with MixShell August 2025 Linux Patch Roundup New SHAMOS Stealer Exploits One-Line Commands on macOS QuirkyLoader: A Silent Enabler of Modern Malware Families CVE-2025-43300: Zero-Day in Apple Image I/O Exploited in Targeted Attacks Static Tundra Fuels Espionage Campaigns Through an Old Cisco Bug Crypto24 Ransomware Disrupts Businesses Using Custom EDR Bypass GodRAT Reloaded: Legacy Code, Modern Tactics Noodlophile Stealer Advances with Obfuscation, Social Media Deception PS1Bot: The Modular Malware Lurking Behind Malvertising Microsoft’s August 2025 Patch Tuesday Roundup Charon Ransomware Encrypts Files Belonging to Middle East Industries CVE-2025-25256: Fortinet Rushes to Patch High-Risk FortiSIEM Vulnerability
🎧 Hive Force Labs: Critical Threats Affecting You This Week - 5 Minute Audio Intelligence Report
👥 Play Count: Loading...
Partner Program
Platform
Comprehensive Threat Exposure Management Platform
Uni5 Xposure PlatformUni5 Xposure leverages exposure assessment and adversarial exposure validation to deliver a unified view of your cyber risks and all actionable pathways to resolve them.
IntegrationsSync with an abundant number of out-of-the-box integrations.
HiveForce LabsStrategic intelligence and operational expertise to ensure comprehensive security readiness at all levels.
Solutions
By Use Case
Total Attack Surface Management
Multi-Environment Security Scanners
Complete Exposure Assessment
Comprehensive Security Intelligence
Vulnerability & Threat Prioritization
Adversarial Exposure Validation
By Role
CISO
Vulnerability Management
Security Operations
DevOps
Industry
Telecommunications
Healthcare
Financial Services
Government & Public Sector
Retail & E-Commerce
Educational Institutions
Resources
Advisories & Digests
Threat Advisories
Threat Digests
Content Library
learn
Blog
Case Studies
Whitepapers
Press Releases
connect
Webinars & Videos
Company
About Us
Careers
Our Leadership
Contact Us
Book a DemoThreat Digest - Subscribe
Platform
Platform
Comprehensive Threat Exposure Management Platform
Uni5 Xposure PlatformUni5 Xposure leverages exposure assessment and adversarial exposure validation to deliver a unified view of your cyber risks and all actionable pathways to resolve them.
IntegrationsSync with an abundant number of out-of-the-box integrations.
HiveForce LabsStrategic intelligence and operational expertise to ensure comprehensive security readiness at all levels.
Solutions
Solutions
By Use Case
Total Attack Surface Management
Multi-Environment Security Scanners
Complete Exposure Assessment
Comprehensive Security Intelligence
Vulnerability & Threat Prioritization
Adversarial Exposure Validation
By Role
CISO
Vulnerability Management
Security Operations
DevOps
Industry
Industry
Telecommunications
Healthcare
Financial Services
Government & Public Sector
Retail & E-Commerce
Educational Institutions
Resources
Resources
Advisories & Digests
Threat Advisories
Threat Digests
Content Library
learn
Blog
Case Studies
Whitepapers
Press Releases
connect
Webinars & Videos
Company
Company
About Us
Careers
Our Leadership
Contact Us
Book a DemoThreat Digest - Subscribe

Experimental AI Ransomware PromptLock Sparks Security Concerns

Amber | Attack Report
Download PDF

PromptLock: First Known AI-Powered Ransomware Raises Security Alarms

Summary

Discovered in August 2025, PromptLock ransomware is the first documented case of AI-powered ransomware written in Golang. Unlike traditional malware, PromptLock leverages large language models (LLMs), specifically OpenAI’s gpt-oss-20b model via the Ollama API, to dynamically generate malicious Lua scripts in real time.

Targeting Windows, macOS, and Linux, PromptLock demonstrates how AI can be exploited to create self-evolving ransomware. It employs the rare SPECK 128-bit encryption to lock files and generates automatic ransom notes containing demands and even the first Bitcoin address ever created. Although currently a proof-of-concept, PromptLock highlights the future threat of adaptive AI-driven malware and underscores the need for behavior-based detection over static signature defense.

Attack Details

PromptLock ransomware distinguishes itself from conventional ransomware through its AI-driven adaptability.

  • Dynamic Code Generation: Hard-coded prompts feed into gpt-oss-20b to generate Lua scripts that perform file system enumeration, data inspection, exfiltration, and encryption.

  • Cross-Platform Impact: Operates on Windows, macOS, and Linux, broadening its potential attack surface.

  • Uncommon Encryption: Uses the lightweight SPECK 128-bit encryption algorithm, rare in ransomware campaigns.

  • Automatic Ransom Notes: Generates ransom messages containing payment details, though as a proof-of-concept, no real transactions occur.

  • Evolving Malware: Each execution can modify its code, echoing polymorphic and fileless malware tactics, but now accelerated by AI.

  • Remote AI Processing: Attackers can tunnel compromised networks to a remote server hosting Ollama with gpt-oss-20b, eliminating the need for local AI model deployment.

Recommendations

  • Adopt Next-Generation Security Tools: Implement AI-powered security platforms, advanced behavioral detection, and automated response mechanisms to identify anomalies beyond static signatures.

  • Enhance Network Controls: Monitor for unauthorized LLM service connections, especially port 11434 activity linked to Ollama deployments. Apply strict network segmentation for critical assets.

  • Strengthen Behavioral Monitoring: Track Lua script execution, detect unusual data access behaviors, and correlate anomalous events for early identification of evolving threats.

  • Backup & Recovery Preparedness: Follow the 3-2-1 backup rule (three copies, two different devices, one offsite), maintain immutable offline backups, and regularly test recovery processes to ensure continuity in the event of ransomware deployment.

Indicators of Compromise (IoCs)

SHA1 Hashes

  • 24bf7b72f54aa5b93c6681b4f69e579a47d7c102

  • ad223fe2bb4563446aee5227357bbfdc8ada3797

  • bb8fb75285bcd151132a3287f2786d4d91da58b8

  • f3f4c40c344695388e10cbf29ddb18ef3b61f7ef

  • 639dbc9b365096d6347142fcae64725bd9f73270

  • 161cdcdb46fb8a348aec609a86ff5823752065d2

SHA256 Hashes

  • 2755e1ec1e4c3c0cd94ebe43bd66391f05282b6020b2177ee3b939fdd33216f6

  • 1612ab799df51a7f1169d3f47ea129356b42c8ad81286d05b0256f80c17d4089

  • b43e7d481c4fdc9217e17908f3a4efa351a1dab867ca902883205fe7d1aab5e7

  • 09bf891b7b35b2081d3ebca8de715da07a70151227ab55aec1da26eb769c006f

  • e24fe0dd0bf8d3943d9c4282f172746af6b0787539b371e6626bdb86605ccd70

  • 1458b6dc98a878f237bfb3c3f354ea6e12d76e340cefe55d6a1c9c7eb64c9aee

MITRE ATT&CK TTPs

  • Execution: T1059 (Command & Scripting Interpreter)

  • Defense Evasion: T1027 (Obfuscated Files), T1620 (Reflective Code Loading)

  • Discovery: T1083 (File Discovery)

  • Collection: T1005 (Data from Local System), T1119 (Automated Collection)

  • Exfiltration: T1041 (Exfiltration over C2 Channel), T1020 (Automated Exfiltration)

  • Command & Control: T1090 (Proxy)

  • Impact: T1486 (Data Encrypted for Impact), T1490 (Inhibit System Recovery), T1491.001 (Internal Defacement)

  • Resource Development: T1588.007 (Obtain AI Capabilities), T1587.001 (Malware Development)

References

What’s new on HivePro

Get through updates and upcoming events, and more directly in your inbox