GTIG: A New Stage of LLM Attacks and Crypto Targeting by North Korea
GTIG: a new stage of LLM-enabled attacks and crypto targeting by North Korea, the runtime use of LLMs by PROMPTFLUX and PROMPTSTEAL to rewrite or generate code without recompilation, and expanding BIGMACHO delivery methods that threaten crypto wallets.
More on the Rapid Growth of the AI-Driven Hacker Ecosystem and Threats to the Crypto Industry
The GTIG AI Threat Tracker highlights key indicators that adversaries have moved from purely "productivity" use of AI to code execution that relies on LLMs at runtime, opening a class of autonomous, adaptive malware whose logic is fetched from the model rather than embedded in advance. GTIG recorded the first families that generate scripts and functions on demand, obfuscate themselves, and change behavior at runtime – PROMPTFLUX and PROMPTSTEAL.
PROMPTFLUX illustrates runtime dependence on LLMs. The VBScript dropper requests obfuscation techniques via the Gemini API and saves the rewritten version to the Startup folder, also attempting to propagate via removable media and network shares. A "Thinking Robot" module was found that periodically queries "gemini-1.5-flash-latest" with a hardcoded API key and a machine-parsable prompt that demands only VBScript code for antivirus evasion; responses are logged to %TEMP%\thinking_robot_log.txt. One variant regenerates the entire source hourly while preserving the payload, the API key, and the self-regeneration logic.
PROMPTSTEAL has already been used in operations. The malware masquerades as an image generation application and, via the Hugging Face API, asks the Qwen2.5-Coder-32B-Instruct model for one-line Windows commands to collect system information and copy documents to a specified directory for subsequent exfiltration. This is the first recorded case of malware querying an LLM in the field; stolen API tokens are likely being used. Newer samples add obfuscation and change the C2.
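One detection a defender can build from the behaviour described above: flag script interpreters or unapproved processes that contact hosted LLM API endpoints, which is exactly what PROMPTFLUX (VBScript to the Gemini API) and PROMPTSTEAL (a fake image app to the Hugging Face API) do. This is an added example, not code from the GTIG report or from this post; the proxy log format, the API hostnames, the sample log and the process allow-list are assumptions.

```python
"""Added example (not from the GTIG report or this post): flag processes that
query hosted LLM APIs at runtime, the pattern PROMPTFLUX (VBScript -> Gemini API)
and PROMPTSTEAL (fake image app -> Hugging Face API) exhibit. Log format,
hostnames and allow-list are assumptions."""
import csv
import io

# Public API hostnames of the two LLM services named above (assumed; extend
# with whatever providers your environment actually permits).
LLM_API_HOSTS = {
    "generativelanguage.googleapis.com": "Gemini API",
    "api-inference.huggingface.co": "Hugging Face Inference API",
}
# Script interpreters a VBScript dropper such as PROMPTFLUX runs under.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Processes expected to reach LLM APIs in this hypothetical environment.
APPROVED_PROCESSES = {"chrome.exe", "msedge.exe"}


def scan_proxy_log(text: str) -> list[dict]:
    """Return one alert dict per line where an unexpected process reaches an LLM API.
    Expected CSV columns: timestamp,src_host,process,dest_host,bytes_out"""
    alerts = []
    for row in csv.DictReader(io.StringIO(text)):
        dest, proc = row["dest_host"].lower(), row["process"].lower()
        if dest not in LLM_API_HOSTS or proc in APPROVED_PROCESSES:
            continue
        kind = "script interpreter" if proc in SCRIPT_HOSTS else "unapproved process"
        alerts.append({
            "timestamp": row["timestamp"], "host": row["src_host"],
            "process": proc, "dest": dest,
            "reason": f"{kind} querying {LLM_API_HOSTS[dest]}",
        })
    return alerts


# Constructed sample proxy log (not real telemetry).
SAMPLE_LOG = """timestamp,src_host,process,dest_host,bytes_out
2025-11-05T09:00:01Z,WS-014,chrome.exe,generativelanguage.googleapis.com,812
2025-11-05T09:00:07Z,WS-014,wscript.exe,generativelanguage.googleapis.com,2310
2025-11-05T09:02:44Z,WS-022,imagegen.exe,api-inference.huggingface.co,1540
2025-11-05T09:03:10Z,WS-022,imagegen.exe,update.example.net,300
"""

if __name__ == "__main__":
    for a in scan_proxy_log(SAMPLE_LOG):
        print(f"{a['timestamp']} {a['host']} {a['process']} -> {a['dest']}: {a['reason']}")
```

On the sample log the browser line is allowed, while the wscript.exe and imagegen.exe lines each produce an alert; a second signal worth pairing with this is the %TEMP%\thinking_robot_log.txt file the report names.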
Massive Liquidity During Crypto Adoption Makes It a Primary Target
The UNC1069 cluster has become critical, using Gemini for research on crypto and on the location of wallet-application data, generating crypto lures and accompanying messages, including Spanish-language texts for meeting rescheduling and work-related pretexts. At later stages, this turns into attempts to obtain code for stealing cryptocurrency and to prepare fraudulent instructions disguised as software updates to extract credentials.
In the same vein, deepfakes impersonating figures in the crypto industry are being used: the victim is led to install a fake "Zoom SDK", after which the BIGMACHO backdoor is delivered to the system. The North Korean group UNC4899 stood out here, also leveraging Gemini for development and operations, including assistance with C2 and obfuscation, and expanding its tooling to edge devices and modern browsers.
A key point is that this is no longer experimentation with new technology but a whole ecosystem of methods and tools. The market for underground AI services is growing extremely rapidly: English- and Russian-language forums offer multifunctional tools for phishing, malware generation, and vulnerability discovery. The monetization model copies legitimate services – from freemium with ads to paid plans with image generation, API access, and Discord. All this significantly lowers the barrier to entry and scales campaigns without requiring a high technical level from operators.
The Priority of System Security Is as High as Ever
Because crypto adoption is proceeding extremely rapidly and attracts massive capital, it becomes a far more attractive target for attackers: they go after funds directly rather than data, whose monetization is a separate step. Attackers are therefore improving their methods and tools here too, seeking the most efficient path to the main goal, the funds. This is another extremely loud signal for all companies to raise the priority of security as never before, and for security teams to refine their solutions in order to ensure not only the long-term viability but also the resilience of Web3. Stay tuned for the latest updates and opportunities in decentralized finance, the crypto industry, and blockchain developments.
My name is Alexandros, and I am a staunch advocate of Web3 principles and technologies. I'm happy to contribute to educating people about what's happening in the crypto industry, especially the developments in blockchain technology that make it all possible, and how it affects global politics and regulation.