Security researchers have a new problem. The malware they are studying is starting to study them back.
A malware sample isolated in a sandbox environment last year produced over 70 distinct versions of itself in under four hours. No human operator was involved. The code was rewriting itself, analyzing its own structure, identifying detection risks, and generating new variants autonomously.
This is what researchers at Halcyon AI and several independent labs have been documenting since late 2024 under the label "polymorphic AI malware." Two families in particular, PromptFlux and QuietVault, both identified in early 2025, are now the clearest examples of a capability that, until very recently, required a skilled human to perform: reading code, understanding why it might get caught, and changing it accordingly.
What "AI-Rewriting Malware" Actually Means
Regular viruses (the old kind) were kind of dumb in a specific way. They were fixed. Someone would write a virus, compile it, release it, and that's what it was forever. Security companies would catch it, make a signature for it (basically a fingerprint), and then every antivirus in the world would recognize that fingerprint and block it. The game was basically: virus author releases something, defenders figure out the fingerprint, defenders win.
Polymorphic malware tried to get around this by shuffling its own code a bit. Changing variable names, reordering chunks, adding junk instructions that do nothing. It works, sort of. Traditional polymorphism is more like wearing a fake moustache. Same face, same structure, just slightly different surface.
What PromptFlux and QuietVault do is different. They carry a small language model component: not a full LLM like the ones you'd recognize, but a stripped-down, purpose-trained model, probably somewhere between 1–7 billion parameters based on what the researchers have inferred from behaviour. When the malware senses it's being analysed (through sandbox detection patterns, timing irregularities, honeypot signals), it uses that model to rewrite functionally significant portions of itself. Not just surface shuffling. Actual logic restructuring.
Think of it this way. Old polymorphism is like taking a sentence and swapping a few words. What these new families are doing is more like taking the idea in that sentence and rewriting it as a completely different sentence that means the same thing. Same goal, completely different code path.
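The difference between the two kinds of rewriting, seen from the defender's side, as an added example that is not from the original article or from any of the research it cites. The three code samples are constructed and harmless, and `file_hash`, `structural_hash` and `behaviour` are hypothetical names for three kinds of fingerprint: exact bytes, normalized structure, and observed results.

```python
import ast
import hashlib
# Constructed, harmless samples: three ways to sum the even numbers in a list.
ORIGINAL = """
def run(items):
    total = 0
    for x in items:
        if x % 2 == 0:
            total += x
    return total
"""
# Surface shuffle: renamed identifiers plus a junk statement that does nothing.
SHUFFLED = """
def run(q):
    acc = 0
    pass
    for v in q:
        if v % 2 == 0:
            acc += v
    return acc
"""
# Logic restructuring: same goal, different code path.
RESTRUCTURED = "def run(items):\n    return sum(filter(lambda n: not n & 1, items))\n"

def file_hash(src):
    # Stand-in for a classic file signature: hash of the exact bytes.
    return hashlib.sha256(src.encode()).hexdigest()

class Normalize(ast.NodeTransformer):
    """Rename identifiers by order of first appearance and drop no-op `pass`."""
    def __init__(self):
        self.names = {}
    def visit_arg(self, node):
        node.arg = self.names.setdefault(node.arg, f"v{len(self.names)}")
        return node
    def visit_Name(self, node):
        node.id = self.names.setdefault(node.id, f"v{len(self.names)}")
        return node
    def visit_Pass(self, node):
        return None

def structural_hash(src):
    """Hash of the normalized syntax tree: survives renames and junk statements."""
    return hashlib.sha256(ast.dump(Normalize().visit(ast.parse(src))).encode()).hexdigest()

def behaviour(src, inputs=([1, 2, 3, 4], [], [7, 10])):
    """What the code does: results of run() on fixed inputs."""
    scope = {}
    exec(src, scope)  # acceptable only because the samples above are constructed
    return tuple(scope["run"](list(i)) for i in inputs)
```

The exact-bytes hash differs for all three samples, the structural hash still matches the original to the surface-shuffled copy but not to the restructured one, and only the behaviour fingerprint is identical across all three.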
PromptFlux: The One That Talks Its Way Past Defenses
PromptFlux is the more aggressive of the two. It was first flagged in February 2025 by researchers at SentinelOne's threat intelligence team, though they didn't name it; the name came from the community. It targets Windows environments primarily, and its main trick is what the researchers started calling "prompt-aware evasion."
A lot of modern security tools don't just scan code anymore; they also watch behaviour, run code in emulated environments, even use their own AI to classify suspicious activity. PromptFlux appears to have been trained to recognize these analysis patterns as inputs, and it uses them to decide how to rewrite the parts of itself that look most suspicious. It's essentially fighting AI with AI.
The bit that makes it really uncomfortable is the propagation side. PromptFlux doesn't just sit in one place rewriting itself. It also rewrites the payloads it drops. So the dropper, the payload, and the persistence mechanism can all look completely different across infected machines, even infections that happened from the exact same original file.
The technical details are still disputed between research groups as of May 2025. What's been confirmed: it uses some form of quantised model weights packed into what looks like an encrypted data segment, and the model is activated only under specific conditions, not constantly running. Probably to avoid performance flags.
QuietVault: The Patient One
QuietVault is scarier in a different way, at least to me. PromptFlux is aggressive. QuietVault is quiet. It's the opposite approach.
Discovered by researchers at Recorded Future in March 2025, QuietVault is what's being described as a "low-and-slow" AI malware. It doesn't trigger immediately. It sits inside a system, often for weeks, and during that time it's mostly watching. It collects data about what security tools are running, when scans happen, what the network traffic patterns look like. Then it uses its embedded model to write a version of its payload that's specifically tailored to avoid the defenses it has observed on that particular machine.
This is more targeted than PromptFlux. The payload QuietVault eventually deploys is basically custom-built for your environment. Which is wild when you think about it: this thing is doing reconnaissance and threat modelling before it even activates.
The main target seems to be credential theft and data exfiltration from corporate environments. It's not ransomware. It wants to stay invisible, pull sensitive data slowly over time, and leave. Recorded Future's report from April 2025 mentioned at least 14 confirmed enterprise infections across Europe and Southeast Asia, though they said the actual number is probably higher since it's designed not to be found.
QuietVault avoids detection during the watching phase. The researchers mentioned something about it mimicking legitimate system process behaviour, but the specifics were redacted in the public version of the report. Makes sense, you don't want to publish a how-to.
Why Your Antivirus Is Struggling With This
Here's the thing about most consumer antivirus software: it's still largely signature-based. Companies like Kaspersky, ESET, Avast do have behaviour-based detection layers, and those have gotten better. But the core engine is still pattern matching against known bad files. PromptFlux and QuietVault break that model completely because there is no stable pattern to match.
Behaviour-based detection helps more, but it's not a clean solution either. Behaviour analysis works by flagging actions that look suspicious, like accessing the registry in unusual ways, making unexpected network calls, touching processes it shouldn't. QuietVault specifically is designed to make these actions look normal, or to do them so slowly that the threshold triggers aren't hit.
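Why a short-window threshold misses slow activity, and what a long-horizon rule looks like next to it, as an added example that is not from the original article or from any vendor's product. The events, process names, action labels and every threshold are constructed for illustration.

```python
from collections import defaultdict, deque

HOUR = 3600
DAY = 24 * HOUR

# Constructed events: (epoch_seconds, process_name, sensitive_action).
EVENTS = (
    # Noisy process: six sensitive actions inside half a minute.
    [(1000 + 5 * i, "noisy.exe", "registry_write") for i in range(6)]
    # Slow process: one sensitive action every 8 hours for about 10 days.
    + [(2000 + 8 * HOUR * i, "slow.exe", "credential_store_read") for i in range(30)]
    # Ordinary background process: two actions over the whole period.
    + [(5000, "updater.exe", "registry_write"),
       (5000 + 6 * DAY, "updater.exe", "registry_write")]
)

def burst_alerts(events, window=60, threshold=5):
    """Short-window rule: flag a process with `threshold` events in `window` seconds."""
    recent, flagged = defaultdict(deque), set()
    for ts, proc, _ in sorted(events):
        q = recent[proc]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # forget events that fell out of the window
        if len(q) >= threshold:
            flagged.add(proc)
    return flagged

def long_horizon_alerts(events, horizon=14 * DAY, min_days=7, min_events=10):
    """Long-horizon rule: flag a process whose sensitive actions recur on many
    distinct days inside the horizon, however widely they are spaced."""
    end = max(ts for ts, _, _ in events)
    days, counts = defaultdict(set), defaultdict(int)
    for ts, proc, _ in events:
        if end - ts <= horizon:
            days[proc].add(ts // DAY)
            counts[proc] += 1
    return {p for p in counts
            if counts[p] >= min_events and len(days[p]) >= min_days}
```

On this sample the burst rule flags only `noisy.exe` and the long-horizon rule flags only `slow.exe`, so the two rules cover different behaviour and neither replaces the other.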
Enterprise-grade security tools (CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne) are better positioned because they use their own ML models that update constantly. But even these aren't catching QuietVault reliably, from what the researchers are saying. PromptFlux has a slightly higher detection rate because its active rewriting behaviour is itself somewhat detectable even if the code isn't.
For regular people at home running standard antivirus? I wouldn't say you're unprotected, but signature-based tools alone are probably not going to catch these specific families if they target you.
How Do You Actually Stay Safe
Okay so this is the part people want. And I'll be honest, there's no one thing that makes you completely safe from this. That's just the reality. But there are things that significantly reduce your risk.
The most important one is probably the one people skip most: keep your software updated. Both PromptFlux and QuietVault rely on existing vulnerabilities to get an initial foothold. Unpatched Windows, outdated browser plugins, old versions of common software. If there's no hole, they can't get in, and no amount of clever AI rewriting helps a virus that can't execute in the first place. Windows Update, browser updates, Java if you still have it installed, all of it matters.
Use a password manager and turn on two-factor authentication everywhere. QuietVault's goal is credential theft. If it gets your passwords, 2FA means those passwords aren't enough. This is the single most impactful thing most people can do, and the one most people skip.
For antivirus, if you're on Windows, Microsoft Defender has actually gotten decent and it's free. The paid consumer products are fine but don't give you magical protection against these newer families. What matters more is that you have something with behaviour-based detection, not just signatures. Malwarebytes is good as a second-opinion scanner; run it occasionally even if you have another product.
Be careful with what you download and where it comes from. PromptFlux has been spreading primarily through cracked software, pirated applications and game cracks from sketchy sites. This is not new advice, I know, but it's especially relevant here because the initial dropper doesn't look like anything obvious. It's bundled in what looks like a legitimate installer.
For corporate environments the advice is different and way more complex, but the basics are the same: network segmentation, least-privilege access, endpoint detection tools that do behavioural analysis, and users not opening things they shouldn't.
One thing I'd add that's specific to this threat: pay attention to unusual system slowdowns or fan noise when your machine should be idle. Running an embedded language model, even a small one, takes compute. If your computer is working hard when you're not using it, that's worth investigating. Open Task Manager, look at what's using CPU. It's not a perfect signal, but it's something.
The Bigger Picture Here
This is, kind of, the thing that people in security have been worried about for a while, that AI would eventually be used to accelerate the offensive side faster than defenders could keep up. We're not in full crisis mode, let me be clear about that. These two families are concerning but they're not spreading like WannaCry did in 2017. The affected population so far is relatively small.
But the direction is the problem. PromptFlux and QuietVault are proof of concept more than catastrophe. They show that this approach works. And if two malware families figured it out in 2025, there will be more in 2026, built on what was learned from studying these two.
The security community is working on it. There are a few research groups building detection specifically designed for AI-modified code, looking for statistical signatures of LLM-generated code structures rather than trying to match the code itself. That's clever and might work. It's basically fighting polymorphism with a meta-level approach. Whether it scales is the question nobody has a clean answer to yet.
The honest answer is that this is a problem that isn't fully solved and probably won't be for a while. Which is uncomfortable to say, but there it is.
Stay updated, use 2FA, don't download cracked software, pay attention to your machine. That's the practical advice. The rest is for people with security teams and budgets.