Cybersecurity company ESET has disclosed that it discovered an artificial intelligence (AI)-powered ransomware variant codenamed PromptLock.
Written in Golang, the newly identified strain uses the gpt-oss:20b model from OpenAI locally via the Ollama API to generate malicious Lua scripts in real-time. The open-weight language model was released by OpenAI earlier this month.
“PromptLock leverages Lua scripts generated from hard-coded prompts to enumerate the local filesystem, inspect target files, exfiltrate selected data, and perform encryption,” ESET said. “These Lua scripts are cross-platform compatible, functioning on Windows, Linux, and macOS.”
The ransomware code also embeds instructions to craft a custom note based on the “files affected,” and the infected machine is a personal computer, company server, or a power distribution controller. It’s currently not known who is behind the malware, but ESET told The Hacker News that PromptLoc artifacts were uploaded to VirusTotal from the United States on August 25, 2025.
“PromptLock uses Lua scripts generated by AI, which means that indicators of compromise (IoCs) may vary between executions,” the Slovak cybersecurity company pointed out. “This variability introduces challenges for detection. If properly implemented, such an approach could significantly complicate threat identification and make defenders’ tasks more difficult.”
Assessed to be a proof-of-concept (PoC) rather than a fully operational malware deployed in the wild, PromptLock uses the SPECK 128-bit encryption algorithm to lock files.
Besides encryption, analysis of the ransomware artifact suggests that it could also be used to exfiltrate data or even destroy it, although the functionality to actually perform the erasure appears not yet to be implemented.
“PromptLock does not download the entire model, which could be several gigabytes in size,” ESET clarified. “Instead, the attacker can simply establish a proxy or tunnel from the compromised network to a server running the Ollama API with the gpt-oss-20b model.”
The emergence of PromptLock is another sign that AI has made it easier for cybercriminals, even those who lack technical expertise, to quickly set up new campaigns, develop malware, and create compelling phishing content and malicious sites.
Earlier today, Anthropic revealed that it had banned accounts created by two different threat actors that used its Claude AI chatbot to commit large-scale theft and extortion of personal data targeting at least 17 distinct organizations, and developed several variants of ransomware with advanced evasion capabilities, encryption, and anti-recovery mechanisms.
The development comes as large language models (LLMs) powering various chatbots and AI-focused developer tools, such as Amazon Q Developer, Anthropic Claude Code, AWS Kiro, Butterfly Effect Manus, Google Jules, Lenovo Lena, Microsoft GitHub Copilot, OpenAI ChatGPT Deep Research, OpenHands, Sourcegraph Amp, and Windsurf, have been found susceptible to prompt injection attacks, potentially allowing information disclosure, data exfiltration, and code execution.
Despite incorporating robust security and safety guardrails to avoid undesirable behaviors, AI models have repeatedly fallen prey to novel variants of injections and jailbreaks, underscoring the complexity and evolving nature of the security challenge.
“Prompt injection attacks can cause AIs to delete files, steal data, or make financial transactions,” Anthropic said. “New forms of prompt injection attacks are also constantly being developed by malicious actors.”
What’s more, new research has uncovered a simple yet clever attack called PROMISQROUTE – short for “Prompt-based Router Open-Mode Manipulation Induced via SSRF-like Queries, Reconfiguring Operations Using Trust Evasion” – that abuses ChatGPT’s model routing mechanism to trigger a downgrade and cause the prompt to be sent to an older, less secure model, thus allowing the system to bypass safety filters and produce unintended results.
“Adding phrases like ‘use compatibility mode’ or ‘fast response needed’ bypasses millions of dollars in AI safety research,” Adversa AI said in a report published last week, adding the attack targets the cost-saving model-routing mechanism used by AI vendors.
