
Threat researchers have discovered the first AI-powered ransomware that uses LUA scripts to steal and encrypt data from Windows, MacOS and Linux systems.
The malware uses OpenAI's GPT-OSS:20B model via the Ollama API to dynamically generate malicious LUA scripts from hard-coded prompts.
How PromptLock works
According to researchers at ESET, Promptlock is written in Golang and uses the Ollama API to access the leading GPT-OSS:20B language model. LLM is hosted on a remote server, where threat actors connect through a proxy tunnel.
Malware uses hard coding prompts that tell the model to dynamically generate malicious LUA scripts, such as enumerating local file systems, inspecting target files, data removal, and file encryption.

Source: ESET
Researchers also mention the data destruction feature, but this feature has not been implemented.
For file encryption, PromptLock uses the LightWight Speck 128-bit algorithm, a rather unusual choice for ransomware that is primarily considered suitable for RFID applications.

Source: ESET
For now, it's a demo
ESET told BleepingComputer that PromptLock has not appeared on telemetry, but rather discovered it on Virustotal.
Cybersecurity companies believe PromptLock is a proof of concept or work in progress and is not an active ransomware in the wild.
Additionally, some indications indicate that this is a conceptual tool rather than a real threat to the presentation. It includes some clues including the use of weak encrypted cryptography (Speck 128-bit), hard-coding bitcoin addresses linked to Nakamoto Atoshi, and the fact that data destruction capabilities are not implemented.
After ESET released details about PromptLock, security researchers claimed that the malware was their project and somehow leaked.
Still, the appearance of PromptLock retains its importance in demonstrating that AIS can be weaponized in malware workflows, allowing it to lower the standard for cross-platform capabilities, operational flexibility, evasion, and entry into cybercrime.
This evolution came to light in July when Ukrainian certificates reported the discovery of Lamehug Malware, an LLM-driven tool that generates Windows shell commands using the Face API and Alibaba's Qwen-2.5-Coder-32B.
Lamehug, believed to be deployed by Russian hackers in the APT28 group, leverages API calls rather than Promptlock's proxy. Both implementations achieve the same practical results, but the latter is more complicated and dangerous.
46% of the environment have corrupted passwords, almost doubled from 25% last year.
Get Picus Blue Report 2025 and take a comprehensive look at more research findings on prevention, detection, and data removal trends.
