By Allan D - Editor, AI Security Wire
PROMPTSTEAL: How APT28 Used an LLM to Generate Attack Commands
In July 2025, CERT-UA published advisory article 6284730 documenting a Python-based malware family targeting Ukrainian security and defence institutions. The malware had an unusual property: rather than hardcoding the Windows commands it needed to execute, it sent natural-language prompts to a remote LLM and ran whatever the model returned. CERT-UA called it LAMEHUG. Google’s Threat Intelligence Group (GTIG) tracked it as PROMPTSTEAL. Both names describe the same thing: the first confirmed malware family to query an LLM during live operations against real targets.
The operator behind it was APT28, designated UAC-0001 by CERT-UA, FROZENLAKE by Google, and tied to Russia’s GRU Unit 26165 by multiple independent researchers. APT28 has been active for over a decade. The LLM integration is new.
How PROMPTSTEAL Works
Delivery followed APT28’s standard playbook. Spear-phishing emails were sent from compromised Ukrainian Ministry email accounts, with ZIP attachments named using the Ukrainian word for “Appendix” and double extensions that rely on Windows Explorer hiding known extensions by default. The archive contained a .pif file compiled from Python with PyInstaller. Windows treats the legacy Program Information File extension as executable, so a PE renamed to .pif runs exactly as an .exe would.
The masquerade was deliberate. Some samples presented as AI image-generation tools, including variants named AI_generator_uncensored_Canvas_PRO_v0.9.exe and AI_image_generator_v0.95.exe. While the user saw a fake interface, the malware was running reconnaissance in the background.
The LLM being queried was Alibaba Cloud’s Qwen2.5-Coder-32B-Instruct, accessed via the Hugging Face Inference API at router.huggingface.co. To authenticate, the malware embedded 284 unique Hugging Face API keys across its samples. These keys were not generated by APT28: they came from a credential dump first observed in 2023. Using stolen third-party keys means APT28’s own API accounts are not burned by detection, and attribution through API usage logs becomes harder.
The Prompt Engineering
This is where the technical interest sits. The prompts embedded in PROMPTSTEAL are not sophisticated, but they are carefully engineered for execution.
Google’s GTIG published two confirmed prompts from samples they analysed:
The first targets system reconnaissance:
Make a list of commands to create folder C:\Programdata\info and to gather computer
information, hardware information, process and services information, networks
information, AD domain information, to execute in one line and add each result to
text file c:\Programdata\info\info.txt. Return only commands, without markdown
The second targets document collection:
Make a list of commands to copy recursively different office and pdf/txt documents
in user Documents,Downloads and Desktop folders to a folder c:\Programdata\info\
to execute in one line. Return only command, without markdown.
The phrase “Return only commands, without markdown” is doing real work. LLMs default to wrapping responses in backticks, code fences, and prose explanations, and that output cannot be handed straight to cmd.exe. The instruction suppresses the formatting so the response is directly executable. Earlier samples embedded the prompts in plaintext; later variants encoded them in Base64, a basic obfuscation step that was most likely a response to detection. Base64 does not hide the prompt from anyone who decodes the string, so the encoded form is still a static artifact to hunt for.
The generated commands invoke native Windows utilities: systeminfo, wmic (CPU, memory, disk, and NIC queries), tasklist, netstat, ipconfig, and dsquery for Active Directory enumeration. Output is staged at %PROGRAMDATA%\info\info.txt. Collected Office and PDF documents are copied to C:\ProgramData\info\. Exfiltration went via SFTP to 144.126.202.227 and via HTTP POST to stayathomeclasses[.]com/slpw/up.php.
SentinelOne’s Broader Hunt
PROMPTSTEAL may be the most prominent case, but it is not isolated. SentinelOne’s Aleksandar Milenkoski presented findings at LABScon 2025 that document the scale of the problem. A year-long VirusTotal retrohunt for malware samples containing embedded LLM artifacts found over 7,000 samples and over 6,000 unique API keys.
SentinelOne documented three distinct malware families:
LameHug/PROMPTSTEAL (APT28): Python, Qwen2.5-Coder via Hugging Face, recon and data staging. 284 embedded HuggingFace keys across samples.
MalTerminal: Python compiled to a Windows executable, querying OpenAI’s GPT-4 chat completions endpoint. Used to generate ransomware code or reverse shells on demand. The earliest known LLM-querying malware family: the API endpoint it calls was deprecated in November 2023, so the samples likely predate that date.
PromptLock: Written in Golang, querying a local Ollama instance running the gpt-oss:20b model. Generates Lua code for ransomware logic at runtime. Prompt engineering includes role framing and explicit hallucination guardrails, suggesting the author invested effort in making the model reliably produce usable output.
The common structural weakness across all three: they must embed API keys and prompt text at compile time. These static artifacts survive into the binary and are detectable before execution, regardless of how dynamically the runtime behavior varies.
What APT28 Actually Gained
Google assessed PROMPTSTEAL as an experimental or early-stage capability based on its unsophisticated code and lack of advanced obfuscation. That framing is correct, but it undersells the strategic signal.
APT28 is not using an LLM because it cannot write Windows recon commands. Its operators can write those commands in their sleep. The experiment appears to be about something different: whether offloading command generation to an external API provides operational security benefits, makes the payload harder to statically analyse, or allows adaptation without recompilation.
The last point matters most. If a payload embeds a natural-language description of what it wants to do rather than the commands themselves, the operator can modify behavior by changing the prompt, not the binary. Detection systems chasing command signatures become less effective. This is early-stage, but the direction of travel is clear.
Google disabled the Hugging Face API assets associated with PROMPTSTEAL after discovery. Hugging Face has not published details of what actions it took against the 284 embedded keys.
Detection Guidance
Binary hunting: Build YARA rules to detect embedded API key prefixes in PE files. Hugging Face tokens use the hf_ prefix. OpenAI keys contain the substring T3BlbkFJ (Base64 for “OpenAI”). Anthropic keys carry sk-ant-api03. SentinelOne’s public research includes rule templates for these patterns. Expect hits in legitimate developer tooling and in scripts that were never meant to ship with a key; triage by file location, signer, and whether the same file also carries prompt text. Search your EDR for PyInstaller-compiled executables in unusual locations.
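The same binary hunt, written here as an added Python example rather than a YARA rule (it is not code from CERT-UA, Google or SentinelOne). It matches the three key shapes described above and also carves Base64 runs, decoding any that yield printable ASCII containing prompt vocabulary, which is the check that catches the later samples with encoded prompts. The sample bytes, every key and the prompt text are constructed for this example; the minimum lengths in the regexes are assumptions about key format, not published specifications.

```python
import base64
import binascii
import re

# Constructed sample bytes standing in for strings carved from a PyInstaller
# sample. Every key below is fabricated for this example; none is a live credential.
PROMPT_TEXT = (
    b"Make a list of commands to create folder C:\\Programdata\\info and to gather "
    b"computer information. Return only commands, without markdown"
)
SAMPLE = (
    b"\x00PyInstaller\x00requests.post\x00"
    b"hf_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789\x00"
    b"sk-ant-api03-FAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE\x00"
    b"sk-proj-AAAAAAAAT3BlbkFJBBBBBBBBBBBBBBBB\x00"
    + base64.b64encode(PROMPT_TEXT)      # the Base64-encoded prompt of later variants
    + b"\x00_MEIPASS\x00"
)

# Key shapes from the article: hf_ prefix, sk-ant-api03 prefix, T3BlbkFJ ("OpenAI")
# somewhere in the body. Minimum lengths are assumptions that cut noise, not format specs.
KEY_PATTERNS = {
    "huggingface": re.compile(rb"\bhf_[A-Za-z0-9]{30,}"),
    "anthropic": re.compile(rb"\bsk-ant-api03-[A-Za-z0-9_\-]{20,}"),
    "openai": re.compile(rb"\bsk-[A-Za-z0-9_\-]*T3BlbkFJ[A-Za-z0-9_\-]{10,}"),
}
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")   # long unbroken Base64 alphabet runs
PROMPT_MARKERS = ("command", "without markdown", "make a list")


def find_api_keys(data):
    """Return {vendor: [matched key strings]} for every key shape found in data."""
    return {name: [m.group(0).decode() for m in pat.finditer(data)]
            for name, pat in KEY_PATTERNS.items()}


def find_encoded_prompts(data):
    """Decode Base64 runs and keep those that are printable ASCII and read like a prompt."""
    hits = []
    for m in B64_RUN.finditer(data):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:          # wrong padding / length: not a real blob
            continue
        if not decoded or any(b < 0x20 or b > 0x7E for b in decoded):
            continue                    # binary junk that merely looks like Base64
        text = decoded.decode("ascii")
        if any(marker in text.lower() for marker in PROMPT_MARKERS):
            hits.append(text)
    return hits


def triage(data):
    """One verdict per buffer: any key or decoded prompt marks the file for analyst review."""
    keys = find_api_keys(data)
    prompts = find_encoded_prompts(data)
    return {"keys": keys, "prompts": prompts,
            "suspicious": any(keys.values()) or bool(prompts)}


if __name__ == "__main__":
    for vendor, found in triage(SAMPLE)["keys"].items():
        print(vendor, found)
    for prompt in find_encoded_prompts(SAMPLE):
        print("decoded prompt:", prompt)
```

Run it over strings carved from a suspect PE (for example the output of a strings-style extraction) rather than the raw file; keys and prompts survive PyInstaller packing only in the embedded Python bytecode and its constants, so unpack first if the raw scan is empty.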
Behavioral monitoring: Alert on creation of %PROGRAMDATA%\info\ by non-system processes. Alert on dsquery or wmic executed as part of a single-line command chain piped to a text file. Flag .pif execution; this extension has no legitimate modern use on standard workstations.
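An added example of the behavioural checks above, written as plain Python over constructed process, file and network events (field names loosely follow Sysmon’s; the events, host names, paths and user names are invented and not taken from any published IOC set; host_role is an assumed asset-inventory tag). Each rule maps to one sentence of the guidance: .pif execution, non-SYSTEM writes under %PROGRAMDATA%\info\, a dsquery or wmic chain redirected to a .txt file, and a connection to router.huggingface.co from a host that is not a developer machine.

```python
import re

RECON_TOOLS = ("systeminfo", "wmic", "tasklist", "netstat", "ipconfig", "dsquery")
STAGING_DIR = "c:\\programdata\\info\\"      # staging folder named in the advisories
LLM_API_HOST = "router.huggingface.co"
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"

# Constructed telemetry (not real logs). host_role is an assumed inventory tag.
EVENTS = [
    {"event": "process_create", "image": r"C:\Users\olena\AppData\Local\Temp\Appendix.pdf.pif",
     "command_line": r'"C:\Users\olena\AppData\Local\Temp\Appendix.pdf.pif"',
     "parent_image": r"C:\Windows\explorer.exe", "user": r"LAB\olena"},
    {"event": "network_connect", "image": r"C:\Users\olena\AppData\Local\Temp\Appendix.pdf.pif",
     "dest_host": LLM_API_HOST, "dest_port": 443, "host_role": "workstation"},
    {"event": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": (r"cmd.exe /c systeminfo >> C:\ProgramData\info\info.txt & "
                      r"wmic cpu get name >> C:\ProgramData\info\info.txt & "
                      r"dsquery computer -limit 0 >> C:\ProgramData\info\info.txt"),
     "parent_image": r"C:\Users\olena\AppData\Local\Temp\Appendix.pdf.pif", "user": r"LAB\olena"},
    {"event": "file_create", "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\ProgramData\info\info.txt", "user": r"LAB\olena"},
    # Benign look-alikes: a helpdesk ipconfig, a developer's real API use, a SYSTEM write elsewhere.
    {"event": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c ipconfig /all", "parent_image": r"C:\Windows\explorer.exe",
     "user": r"LAB\helpdesk"},
    {"event": "network_connect", "image": r"C:\Python312\python.exe",
     "dest_host": LLM_API_HOST, "dest_port": 443, "host_role": "developer"},
    {"event": "file_create", "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\ProgramData\Microsoft\Windows\WER\report.txt", "user": SYSTEM_USER},
]


def rule_pif_execution(ev):
    """Flag any process whose image carries the .pif extension."""
    if ev["event"] == "process_create" and ev["image"].lower().endswith(".pif"):
        return "pif_execution"
    return None


def rule_staging_dir(ev):
    """Flag files created under the staging folder by anything other than SYSTEM."""
    if (ev["event"] == "file_create"
            and ev["target"].lower().startswith(STAGING_DIR)
            and ev["user"].upper() != SYSTEM_USER):
        return "programdata_info_staging"
    return None


def rule_recon_chain(ev):
    """Flag dsquery or wmic inside a chained one-liner whose output lands in a .txt file."""
    if ev["event"] != "process_create":
        return None
    cl = ev["command_line"].lower()
    tools = {t for t in RECON_TOOLS if re.search(r"\b" + t + r"\b", cl)}
    chained = "&" in cl or "|" in cl
    redirected = re.search(r">>?\s*\S+\.txt", cl) is not None
    if tools & {"dsquery", "wmic"} and chained and redirected:
        return "recon_chain_to_textfile"
    return None


def rule_llm_api_from_workstation(ev):
    """Flag the Hugging Face inference router from any host not tagged as a developer machine."""
    if (ev["event"] == "network_connect"
            and ev["dest_host"].lower() == LLM_API_HOST
            and ev.get("host_role") != "developer"):
        return "llm_api_from_workstation"
    return None


RULES = (rule_pif_execution, rule_staging_dir, rule_recon_chain, rule_llm_api_from_workstation)


def evaluate(events):
    """Run every rule over every event; one alert per (event, rule) hit, in event order."""
    alerts = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            name = rule(ev)
            if name:
                alerts.append({"index": idx, "rule": name, "image": ev["image"]})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(f"[{alert['rule']}] event #{alert['index']} image={alert['image']}")
```

The recon rule deliberately keys on the chain plus the redirect rather than on any single utility, because systeminfo or ipconfig on their own are everyday helpdesk activity; it is the one-line sequence writing into a fixed text file that matches what the prompts ask the model for.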
Network telemetry: Connections from endpoints to router.huggingface.co should be alerted outside developer environments. Block the published C2 addresses: 144.126.202.227 and 107.180.50.236. Block stayathomeclasses[.]com. SFTP (port 22) connections to external IPs from workstations are anomalous and worth alerting.
Credential hygiene: The 284 Hugging Face keys embedded in PROMPTSTEAL came from a 2023 dump. Review your organisation’s exposure on any credential breach monitoring service, and rotate API keys stored in developer environments on a regular schedule. Stolen third-party API keys are a resource APT actors are actively using.
References
- CERT-UA Advisory 6284730: LAMEHUG
- Google Cloud Blog / GTIG: Threat Actor Usage of AI Tools
- SentinelOne Labs: Prompts as Code and Embedded Keys, The Hunt for LLM-Enabled Malware
- CSO Online: Novel malware from Russia’s APT28 prompts LLMs to create malicious Windows commands
- Picus Security: LameHug, First Case of a Malware Integrating an LLM
- SOC Prime: Detect UAC-0001 Attacks with LameHug Malware
Frequently Asked Questions
- What makes PROMPTSTEAL different from AI-assisted malware?
- Most 'AI-assisted' attacks involve humans using AI tools to write or refine malicious code before deployment. PROMPTSTEAL is different: the malware itself calls an LLM API at runtime, during live operations, to generate the Windows commands it then executes. The command logic is not compiled into the binary. It is generated on demand from natural-language prompts embedded in the payload. This is the first publicly confirmed case of a threat actor deploying this pattern against real targets.
- How can defenders detect malware that queries external LLM APIs?
- Two detection layers work well here. At the binary level, hunt for embedded API key prefixes: Anthropic keys carry the prefix sk-ant-api03, OpenAI keys contain the Base64 substring T3BlbkFJ, and Hugging Face tokens carry the hf_ prefix. YARA rules built around these patterns will surface candidates before execution. At the network level, endpoint connections to router.huggingface.co are legitimate in developer environments but highly anomalous on standard workstations and should be alerted on.
- Does the LLM-generated command approach make post-execution detection harder?
- Yes and no. The commands themselves are standard Windows utilities: systeminfo, wmic, tasklist, dsquery, ipconfig. These are the same tools used in countless legitimate and malicious recon operations, so the behavioral signature is not novel. What changes is that string- and signature-based detection of the binary has less to work with, because the attack commands are absent from the compiled code; what remains static is the prompt text and the embedded API key, and those become the artifacts to hunt. Defenders who rely on signature matching for post-compromise commands rather than behavioral sequencing will miss it. Defenders monitoring process trees and command sequences will see the same recon patterns as any living-off-the-land attack.