5 APT Groups Deploy AI Malware That Writes Its Own Code Mid-Attack

Traditional malware development produces static code: a binary or script is written, compiled, and delivered to a victim unchanged. Detection relies on this static artefact — antivirus vendors extract file hashes and byte patterns, build signatures, and block known-bad files. Even polymorphic malware that mutates its code does so using pre-written mutation routines embedded in the malware itself, creating detectable patterns over time.

HONESTCUE breaks this model. Discovered by GTIG in September 2025 and confirmed in active deployment, HONESTCUE is a downloader and launcher framework written to interact with the Gemini API as a live code generation service. When HONESTCUE executes on a victim system, it sends a structured natural language prompt to Gemini: requesting a complete, self-contained C# program that downloads a remote URL into memory as a byte array, loads it as a .NET assembly using System.Reflection.Assembly.Load, and executes its entry point. Gemini returns a unique C# source file. HONESTCUE compiles it in memory using .NET's CSharpCodeProvider framework and executes the resulting assembly — leaving zero disk artefacts. The second-stage payload is hosted on Discord CDN, a legitimate service that most corporate proxy and firewall rules allow.

The result is a fileless attack chain where every step produces unique artefacts: a unique API call, a unique C# source string, a unique in-memory assembly. Static detection is blind. GTIG attributes HONESTCUE to a suspected single actor or small group in a proof-of-concept stage, but the technique's operational viability has been proven. Defenders should assume wider adoption is imminent.

While HONESTCUE is assessed to be in a testing phase, PROMPTSTEAL is confirmed in live operations. Google GTIG and CERT-UA jointly confirmed that APT28 — Russia's GRU-linked military intelligence cyber unit, also tracked as FROZENLAKE — has deployed PROMPTSTEAL (tracked by CERT-UA as LAMEHUG) against Ukrainian targets.

PROMPTSTEAL is a Python-based data miner that masquerades as an image generation application: it presents a user interface guiding victims through a series of image generation prompts while covertly querying the Hugging Face API in the background. It uses stolen API tokens to authenticate to Hugging Face's inference endpoint for Qwen2.5-Coder-32B-Instruct, a 32-billion-parameter open-source code LLM. Its prompt asks the LLM to generate Windows commands that gather system information, enumerate files in specific directories, and copy targeted documents to a staging folder. The LLM output — legitimate Windows commands — is executed blindly by PROMPTSTEAL before the results are exfiltrated to an attacker-controlled C2 server.

This architecture is operationally significant: because PROMPTSTEAL's commands are dynamically generated rather than hardcoded, the malware's reconnaissance behaviour can be changed server-side simply by updating the Hugging Face prompt — no malware update required. CERT-UA's public disclosure links this activity to the broader APT28 campaign infrastructure targeting Ukrainian government and municipal healthcare institutions documented in April 2026.

For context on how nation-state actors have evolved their tooling against supply chain targets, see the [North Korea 1,700-package supply chain attack](/blog/north-korea-supply-chain-1700-packages) documented in March 2026.

The five government-backed groups confirmed by GTIG represent only the documented tier. Based on GTIG's findings, the organisations most exposed to AI-integrated malware campaigns fall into three categories.

Government and defence sector organisations are primary targets. APT28 focused PROMPTSTEAL against Ukrainian government entities and healthcare institutions. UNC2970 (North Korea) specifically used Gemini for defence sector reconnaissance — mapping job roles, salary structures, and organisational charts within defence contractors. APT31 (China) used Gemini to research vulnerability exploitation techniques, RCE chains, and WAF bypass methods. If your organisation operates in or serves the defence, government, or critical infrastructure sector, you should assume active intelligence collection is underway using AI-augmented reconnaissance.

Financial services and cryptocurrency organisations face targeted AI-built phishing infrastructure. UNC5356, a financially motivated cluster, deployed COINBAIT — a fully functional cryptocurrency exchange phishing kit built entirely using the Lovable AI platform, with zero custom code. COINBAIT operates a React SPA with Supabase backend-as-a-service, Cloudflare proxying, and legitimate image hosting — all arranged by AI — making it effectively invisible to domain-reputation-based email filtering. ATOMIC, a macOS information stealer, is distributed via ClickFix social engineering through public AI chat shares and specifically targets cryptocurrency wallet data.

Any enterprise using Gemini, Hugging Face, or other AI API platforms faces secondary risk from stolen API token abuse. GTIG documented black-market resale of API tokens stolen from vulnerable open-source AI platforms — meaning attacker-controlled AI queries may be billed to your organisation's account while exfiltrating data from your infrastructure.

Beyond HONESTCUE and PROMPTSTEAL, GTIG documented three additional confirmed deployments in the Q1 2026 report cycle.

COINBAIT (November 2025, UNC5356): A phishing kit targeting cryptocurrency investors, built entirely using Lovable — a commercial AI-powered application development platform. COINBAIT's React SPA presents a convincing cryptocurrency exchange interface. Supabase handles credential logging on the backend, Lovable hosts images, and Cloudflare proxies traffic. The diagnostic fingerprint is verbose developer-style logging visible in the browser console: strings like '? Analytics: Initializing...', '? RouteGuard: Admin redirected session, allowing free access to...' and '? Analytics: Tracking password attempt:'. No AI or security expertise was required to build it.

ATOMIC (December 2025, ClickFix operators): A macOS information stealer distributed through public AI chat sharing features — specifically Lovable and similar platforms' public share links. Victims click a shared 'AI project' link, are presented with a ClickFix verification page, and execute a PowerShell or shell command that installs ATOMIC. The stealer harvests browser data, cryptocurrency wallet files, Desktop and Documents folders, and system information before exfiltrating to C2.

Model extraction at scale (ongoing, multiple actors): GTIG identified campaigns submitting over 100,000 prompts to Gemini in a single operation, designed to extract internal reasoning traces — a form of intellectual property theft that also enables building offline replica models that bypass safety controls. While primarily a provider-level risk, organisations that have suffered AI API token theft may unknowingly be funding distillation attacks against frontier AI providers.

For additional context on how credential theft tools are evolving in tandem with these campaigns, see the [malicious Chrome extensions OAuth2 token theft](/blog/malicious-chrome-extensions-oauth2-token-theft) analysis.

Signature-based detection is structurally blind to AI-integrated malware. Detection must shift to behavioural signals across endpoint, network, SaaS, and identity telemetry.

**Endpoint detection for HONESTCUE:** Alert on invocations of .NET's CSharpCodeProvider class from processes that are not Visual Studio, MSBuild, or other known developer tooling. Specifically monitor System.Reflection.Assembly.Load calls that execute code compiled in-memory without any corresponding on-disk assembly file. Flag System.Net.WebClient.DownloadData calls followed immediately by in-memory assembly loads. Detection rule: `process.commandline contains 'CSharpCodeProvider' AND file.path NOT MATCHES developer_tool_allowlist`.

**Network detection for HONESTCUE:** Alert on HTTP POST requests to generativelanguage.googleapis.com (Gemini API) from non-browser, non-sanctioned-application processes. Monitor cdn.discordapp.com for downloads by scripting engines, .NET runtimes, or PowerShell outside of legitimate collaboration tooling.

**Network detection for PROMPTSTEAL:** Alert on structured API calls to api-inference.huggingface.co from non-developer hosts. Flag Python processes making POST requests to HuggingFace inference endpoints during non-business hours. Correlate with file system activity targeting Documents, Desktop, and user profile directories immediately after LLM API calls.

**COINBAIT detection:** Hunt browser console logs for the verbose '? Analytics:' prefix strings. Alert on Supabase-backend domains with no legitimate business application association. Monitor for newly registered domains with Cloudflare proxying and Lovable.app image hosting URLs in page source.

Across all vectors: integrate AI API provider threat intelligence feeds (Google Safe Browsing, Hugging Face security advisories) and monitor for leaked API tokens associated with your organisation's developer accounts in credential threat intelligence platforms.

Detection is necessary but insufficient — defenders must also reduce the blast radius of AI-integrated malware that bypasses initial detection. GTIG's Q1 2026 report identifies four control categories with the highest defensive return.

**Egress controls on AI API traffic** are the single highest-leverage control. PROMPTSTEAL depends on reaching Hugging Face's inference API. HONESTCUE depends on reaching Gemini's API. If neither API is reachable from non-developer endpoints, both malware families lose their core capability. Implement explicit allowlists for AI API domains at the proxy and firewall layer, scoped to approved developer hosts only. This does not prevent attackers who use local or pre-cached LLMs, but it neutralises the current generation of API-dependent AI malware.

**Steganographic canary documents** represent an emerging defensive technique documented by academic researchers in 2026: embedding invisible watermarks in sensitive documents that trigger alerts when the document is submitted to an AI service's ingestion pipeline. If an attacker uses QUIETVAULT or similar credential stealers to exfiltrate documents and then submits them to an LLM for analysis, the canary fires — giving defenders an early warning of data exfiltration and AI-assisted reconnaissance before the attack reaches its objective.

**Behavioural EDR with MITRE ATT&CK coverage** across T1059 (Command and Scripting Interpreter), T1620 (Reflective Code Loading), T1105 (Ingress Tool Transfer), and T1041 (Exfiltration Over C2 Channel) covers the primary execution patterns of HONESTCUE, PROMPTSTEAL, and ATOMIC. Ensure EDR telemetry covers in-memory code execution — not just on-disk file scanning.

For evasion-resistant endpoint security, the approach contrasts with the BYOVD (Bring Your Own Vulnerable Driver) technique used by threat actors like [Qilin to blind EDR tools](/blog/qilin-byovd-edr-silencing): AI malware operates at the application layer and can be detected through API traffic monitoring and in-memory compilation telemetry, without requiring kernel-level visibility.

AI-powered malware active deployment is no longer a future threat — HONESTCUE, PROMPTSTEAL, and COINBAIT are operational today, confirmed by Google GTIG, with APT28 deploying PROMPTSTEAL in live operations against Ukraine. Five APT groups and four nation-states have crossed the threshold from AI-assisted to AI-integrated attack tooling. The single most impactful control you can implement today: block or strictly allowlist egress to Gemini, Hugging Face, and OpenAI inference APIs from all non-developer enterprise endpoints. Do it before end of business today.