AI-Powered PROMPTFLUX Malware Uses Gemini API for Real-Time Evasion
Google Threat Intelligence has identified PROMPTFLUX, an experimental VBScript-based malware that leverages Google’s Gemini API to dynamically rewrite its own code for real-time obfuscation and evasion. Disguised as installers, PROMPTFLUX queries the Gemini 1.5 Flash model to generate scripts that bypass antivirus detection, marking the first known use of just-in-time AI in malware. The malware attempts to persist by saving new versions of itself to the Windows Startup folder and to spread by copying itself to removable and network drives. While the malware is still in testing and has not been linked to any active network compromise, Google has disabled the related API keys and advises enterprises to monitor for unusual API traffic and to restrict model access. The discovery highlights a growing trend of AI-driven malware development, with threat actors increasingly using generative AI to adapt and evade defenses.
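As an added example (not from the report and not Google's own tooling), a small Python detector for the two defensive recommendations above: it flags Windows script hosts reaching the Gemini API in egress logs, and flags a Startup-folder VBScript that both calls the API and writes back to its own path. The API hostname, the script-host names and the sample log lines are assumptions constructed here.

```python
import re

# Assumptions (not from the report): Gemini REST host and Windows script hosts.
GEMINI_HOST = "generativelanguage.googleapis.com"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
KV_RE = re.compile(r"(\w+)=(\S+)")  # parses "key=value" egress log fields

def scan_egress(lines):
    """Return (rule, log_line) for each script host contacting the Gemini API:
    an interpreter such as wscript.exe has no business calling an LLM endpoint."""
    findings = []
    for line in lines:
        fields = dict(KV_RE.findall(line))
        proc = fields.get("proc", "").lower().rsplit("\\", 1)[-1]
        if fields.get("host", "").lower() == GEMINI_HOST and proc in SCRIPT_HOSTS:
            findings.append(("script-host-to-llm-api", line))
    return findings

def scan_startup_script(path, content):
    """Return (rule, path) when a Startup-folder script both calls the Gemini
    API and writes to its own path, the combination used to persist a rewrite."""
    if not STARTUP_DIR_RE.search(path):
        return []
    calls_api = GEMINI_HOST in content.lower()
    rewrites_self = bool(re.search(r"WScript\.ScriptFullName", content, re.I)
                         and re.search(r"CreateTextFile|OpenTextFile", content, re.I))
    if calls_api and rewrites_self:
        return [("startup-script-self-rewrite-via-llm", path)]
    return []

# Constructed sample data for a dry run; none of it comes from the report.
SAMPLE_EGRESS = [
    "ts=1 proc=C:\\Windows\\System32\\wscript.exe host=generativelanguage.googleapis.com",
    "ts=2 proc=C:\\Windows\\explorer.exe host=generativelanguage.googleapis.com",
    "ts=3 proc=C:\\Windows\\System32\\cscript.exe host=updates.example.org",
]
SAMPLE_PATH = ("C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows"
               "\\Start Menu\\Programs\\Startup\\setup.vbs")
SAMPLE_SCRIPT = (
    'endpoint = "https://generativelanguage.googleapis.com/"\n'
    'Set fso = CreateObject("Scripting.FileSystemObject")\n'
    'Set out = fso.CreateTextFile(WScript.ScriptFullName, True)\n'
)

if __name__ == "__main__":
    for rule, detail in scan_egress(SAMPLE_EGRESS) + scan_startup_script(SAMPLE_PATH, SAMPLE_SCRIPT):
        print(rule, "->", detail)
```

Only the wscript.exe line and the Startup-folder script are flagged; a browser reaching the same host, or the same script outside the Startup folder, is not.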
