1. EachPod
EachPod

Promptlock – The First AI-Powered Malware | The Cyber Security Podcast

Author
Threat Talks
Published
Tue 16 Sep 2025
Episode Link
https://share.transistor.fm/s/f36d3dd5

First documented case: AI inside the breach.
Promptlock marks the first time malware has used AI during execution, not just in preparation. In this Threat Talks deep dive, Rob Maas (Field CTO, ON2IT) sits down with Yuri Wit (SOC Analyst, ON2IT) to break down how it works: a Go loader calling an attacker’s LLM in real time, generating fresh payloads that adapt on the fly.

This episode strips away sci-fi hype. You’ll see the psychology of an adversary that thinks mid-attack—and the Zero Trust defenses that box it in. When AI runs inside the kill chain, malware doesn’t just evolve. It crosses into super-malware.

  • (00:00) - — Cold open: “What if malware could think?”

  • (00:18) - — Welcome: Rob Maas & Yuri Wit

  • (00:41) - — First reaction to PromptLock

  • (01:02) - — How attackers already use AI (phishing, coding, negotiations)

  • (03:02) - — Why PromptLock is different: AI during execution

  • (03:35) - — How it works: Go → Ollama → LLM → Lua

  • (06:36) - — Proof-of-concept tells (the Satoshi wallet)

  • (07:55) - — Defense shift: hashes die, behavior wins

  • (10:40) - — Detecting LLM calls: SSL inspection realities

  • (11:26) - — Quick wins: block interpreters (Lua/Python/PowerShell)

  • (12:23) - — Zero Trust moves: default-deny egress & segmentation

  • (12:41) - — What’s next: dynamic exploits & on-demand EDR bypass

  • (16:21) - — Timelines & hardware: why adoption could accelerate

  • (18:21) - — Wrap-up & CTA

 

Key Topics Covered
• The first documented case of AI inside the breach — why Promptlock changes the game
• Promptlock’s core loop: calling an LLM mid-attack to generate fresh payloads.
• Why hash-based detection breaks against AI-powered malware detection, ever-changing scripts.
• Behavioral defense over signatures: EDR/XDR, sandboxing, and SSL inspection.
• Zero Trust in practice: block script interpreters, restrict egress, and shrink blast radius.

Additional Resources
ON2IT Zero Trust: https://on2it.net/zero-trust/
Threat Talks hub: https://threat-talks.com/
Ollama (referenced in episode): https://ollama.com/
The Rising Threat of Deepfakes: https://youtu.be/gmtZ_aYmQdQ

Guest & Host Links:
Rob Maas, Field CTO, ON2IT: https://www.linkedin.com/in/robmaas83/ 
Yuri Wit, SOC Specialist, ON2IT: https://www.linkedin.com/in/yuriwit/

Click here to view the episode transcript.


🔔 Follow and Support our channel! 🔔
=== 
► YOUTUBE: https://youtube.com/@ThreatTalks
► SPOTIFY: https://open.spotify.com/show/1SXUyUEndOeKYREvlAeD7E
► APPLE: https://podcasts.apple.com/us/podcast/threat-talks-your-gateway-to-cybersecurity-insights/id1725776520

👕 Receive your Threat Talks T-shirt
https://threat-talks.com/

🕵️ Threat Talks is a podcast created in collaboration with ON2IT and AMS-IX. Each episode features leading cybersecurity experts sharing real-world insights on emerging threats, trends, and defense strategies — helping organizations stay secure in today’s rapidly evolving digital world.

ON2IT website: https://on2it.net/
AMS-IX website: https://www.ams-ix.net/ams

Share to: