Mr Elite

Posted on • Originally published at securityelites.com

PROMPTFLUX and PROMPTSTEAL explained — AI Malware That Queries LLMs Mid-Attack (2026)

Mandiant’s M-Trends 2026 report — released this week — named two malware families that represent a genuinely new category of threat in 2026: PROMPTFLUX and PROMPTSTEAL. These are not AI-assisted malware, where humans use AI to write malicious code. They are malware families that actively query large language models during execution, using AI as part of their attack logic to evade detection and adapt in real time. What follows is my analysis of why this matters and what it changes for defenders.

What You’ll Learn

What PROMPTFLUX and PROMPTSTEAL are and how they differ from AI-generated malware
How querying an LLM mid-execution helps malware evade detection
Why traditional signature-based detection fails against this category
The defensive adaptations required to detect LLM-querying malware
What IBM calls “Slopoly” malware and the broader AI malware landscape

⏱️ 12 min read

PROMPTFLUX — AI Malware Guide 2026

  1. What PROMPTFLUX and PROMPTSTEAL Are
  2. How LLM-Querying Malware Works
  3. Why Signature Detection Fails
  4. Slopoly — The AI Malware Ecosystem
  5. Defensive Adaptations for AI Malware

PROMPTFLUX represents the offensive convergence of the LLM capabilities I covered in What Is an LLM? with the adversarial ML techniques from Adversarial Machine Learning 2026. For the full AI malware picture, including how AI is used to write malware, see Can AI Write Malware?

What PROMPTFLUX and PROMPTSTEAL Are

The key distinction I want to establish immediately: PROMPTFLUX is not malware written by AI. It is malware that uses AI during its execution. That’s a fundamentally different threat category. Traditional AI-generated malware (what IBM calls “Slopoly”) uses AI at the development stage — a human uses an LLM to help write malicious code, then deploys it. PROMPTFLUX and PROMPTSTEAL query LLMs during the attack itself, in real time, to make dynamic decisions about how to proceed.

PROMPTFLUX vs AI-GENERATED MALWARE — THE DISTINCTION

Traditional AI-generated malware (Slopoly)

Stage: development — human uses LLM to write malware code
Runtime: no LLM dependency — runs without AI after deployment
Detection: still detectable by behaviour-based AV (once behavioural pattern is known)

PROMPTFLUX / PROMPTSTEAL (LLM-querying malware)

Stage: runtime — malware queries LLM during execution to get instructions
Runtime: LLM is part of the attack logic — malware adapts based on AI responses
Detection: behaviour is dynamic and changes per environment → evades signature/behaviour profiles

Source

M-Trends 2026: “malware families like PROMPTFLUX and PROMPTSTEAL actively query large language models mid-execution to evade detection”
Released: March 2026, Mandiant/Google Threat Intelligence

How LLM-Querying Malware Works

Here is my model of how LLM-querying malware evades detection by using AI during execution. The key insight is that the malware’s attack behaviour is not fixed at compile time — it’s generated at runtime by an external AI. This means every execution in a different environment can produce a different behaviour profile, which is precisely what defeats the detection approaches defenders currently rely on. The malware doesn’t have a fixed behaviour — it makes API calls to an LLM and uses the response to decide what to do next. This is adversarial use of the same flexibility that makes LLMs useful for legitimate software.

LLM-QUERYING MALWARE — EXECUTION MODEL

Execution flow (conceptual, based on M-Trends disclosure)

  1. Malware installs and gains initial foothold
  2. Reconnaissance phase: collects environment data (AV present, OS version, network config)
  3. LLM query: sends environment context to LLM API: “Given [environment details], what evasion technique should I use to avoid detection by [AV product]?”
  4. AI response: returns specific evasion recommendation for that environment
  5. Malware implements the AI-recommended evasion and proceeds with attack

Why this breaks traditional detection

Signature-based: no fixed code pattern to match — LLM-generated evasion varies per environment
Behaviour-based: behaviour profile changes each run based on AI output
Sandbox analysis: sandbox environment ≠ target environment → different AI response → different behaviour

What PROMPTSTEAL specifically targets

PROMPTSTEAL: focused on extracting IP via “distillation attacks” (M-Trends 2026)
Target: proprietary ML models — extracting specialised training data and logic
Method: systematic querying to reconstruct the proprietary model


LLM-Querying Malware vs Traditional Malware — Detection Comparison

| Detection Method | Traditional Malware | PROMPTFLUX-type |
| --- | --- | --- |
| Signature matching | ✅ Detects known patterns | ❌ No fixed signature |
| Behaviour baseline | ✅ Consistent behaviour | ❌ Dynamic per environment |
| Sandbox analysis | ✅ Reproduces in sandbox | ❌ Different AI response in sandbox |
| LLM API traffic monitoring | N/A | ✅ Detects LLM queries |
| Network egress analysis | ✅ C2 traffic patterns | ⚠️ LLM API traffic looks legitimate |

📸 Detection method effectiveness against traditional vs LLM-querying malware. Three of the four standard detection approaches fail or degrade significantly against PROMPTFLUX-type malware. The only new effective detection method — LLM API traffic monitoring — requires defenders to build capability they didn’t previously need. My priority for any SOC upgrading their detection capability in 2026: add LLM API egress monitoring to the detection stack.
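As an added example that is not part of the original article, the Python below sketches the LLM API egress monitoring the caption recommends: it reads constructed proxy log lines of the form `<timestamp> <process> <destination host>`, flags any process outside an assumed allow-list that reaches a known LLM API hostname, and separately flags any process (allow-listed or not) that issues a burst of LLM API requests in the log window. The hostnames, process names, log format and threshold are assumptions for illustration, not values from the report.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed lists for the example: public LLM API hosts to watch, and the only
# processes expected to reach them on this host. Tune both per environment.
LLM_API_HOSTS = {"api.openai.com", "api.anthropic.com", "generativelanguage.googleapis.com"}
ALLOWED_PROCESSES = {"chrome.exe", "code.exe"}
BURST_THRESHOLD = 3  # LLM requests from one process in the window before we call it a burst

@dataclass(frozen=True)
class Alert:
    timestamp: str
    process: str
    host: str
    reason: str

def detect_llm_egress(log_lines, allowed=ALLOWED_PROCESSES, llm_hosts=LLM_API_HOSTS,
                      burst=BURST_THRESHOLD):
    """Flag unexpected processes reaching LLM APIs, and bursts of LLM requests from any process."""
    alerts, per_process, last_seen = [], Counter(), {}
    for line in log_lines:
        # Constructed log format: '<timestamp> <process> <destination host>'
        ts, proc, host = line.split()
        if host not in llm_hosts:
            continue  # ordinary egress; not in scope for this detector
        per_process[proc] += 1
        last_seen[proc] = (ts, host)
        if proc not in allowed:
            alerts.append(Alert(ts, proc, host, "unexpected process querying LLM API"))
    for proc, n in per_process.items():
        if n >= burst:
            ts, host = last_seen[proc]
            alerts.append(Alert(ts, proc, host, f"{n} LLM API requests in window (burst)"))
    return alerts

# Constructed sample egress-proxy log (not real telemetry).
SAMPLE_LOG = """\
2026-03-12T10:00:01Z chrome.exe api.openai.com
2026-03-12T10:00:03Z chrome.exe api.openai.com
2026-03-12T10:00:05Z svchost.exe api.openai.com
2026-03-12T10:00:06Z svchost.exe api.openai.com
2026-03-12T10:00:08Z chrome.exe api.openai.com
2026-03-12T10:00:09Z updater.exe generativelanguage.googleapis.com
2026-03-12T10:00:10Z chrome.exe example.com
""".splitlines()

if __name__ == "__main__":
    for a in detect_llm_egress(SAMPLE_LOG):
        print(f"{a.timestamp} {a.process} -> {a.host}: {a.reason}")
```

In a real deployment the host list should also cover self-hosted model endpoints, and the allow-list is best derived from a baseline of which processes legitimately call LLM APIs in your estate.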

Why Signature Detection Fails

The adversarial ML and evasion concepts I covered in earlier guides — how AI classifiers can be fooled by carefully crafted inputs — come together in PROMPTFLUX in a way that makes the evasion more robust than any previous technique. Traditional malware evasion involves obfuscation — the code does the same thing but looks different. LLM-querying malware evasion involves adaptation — the code actually does something different based on the environment, and the AI determines what that different thing should be.


This article continues with deeper technical detail, screenshots, code samples, and an interactive lab walk-through. Read the full article on Securityelites — AI Red Team Education →