← Back to Security Blog
Security Briefing 10 min read

PromptSpy: First AI-Powered Malware + BeyondTrust Ransomware Surge

PromptSpy marks the dawn of AI-powered malware — the first Android trojan using Google Gemini at runtime. BeyondTrust CVE-2026-1731 (CVSS 9.9) actively exploited in ransomware campaigns. Deutsche Bahn hit by massive DDoS. French bank registry FICOBA breached exposing 1.2M accounts. Microsoft patches 6 zero-days.


PromptSpy: The AI Malware Era Begins

First Malware Using Generative AI at Runtime

ESET researchers discovered PromptSpy — the first Android malware that uses Google Gemini AI to analyze device screens and generate persistence instructions in real-time. This isn't theoretical; it's deployed and active.

Traditional malware follows pre-programmed logic. PromptSpy thinks. It captures device screenshots, sends them to Google Gemini, and receives AI-generated instructions for:

Critical Implication

AI-powered malware can adapt to devices it has never seen before. Static security rules cannot keep pace. Organizations need AI-powered security to counter AI-powered threats.


BeyondTrust CVE-2026-1731 — Active Ransomware Exploitation

CVSS 9.9 — Actively Exploited in Ransomware Attacks

BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) are under mass exploitation. CISA added to KEV with urgent patching required.

Attribute Details
CVE CVE-2026-1731
CVSS 9.9 CRITICAL
Impact Execute OS commands as site user
Status Actively exploited in ransomware campaigns
Attribution Palo Alto Unit 42

Attack Chain Observed

  1. Network reconnaissance
  2. Web shell deployment
  3. C2 establishment
  4. Backdoor installation
  5. Lateral movement
  6. Data theft → Ransomware deployment

Targeted Sectors: Financial services, legal, high-tech, higher education, healthcare

Targeted Geographies: United States, France, Germany, Australia, Canada


🇫🇷 France Banking Database Breach — 1.2 Million Accounts

Government Credentials Compromised

French Finance Ministry's national banking database breached. 1.2 million bank accounts exposed since end of January 2026.

Data Exposed Impact
Bank account numbers Financial fraud risk
Account holder names Identity theft
Addresses Physical security risk
Tax IDs (some) Tax fraud risk

Attack vector: Credential theft → Government access → National database

NIS2 Implication: Government credentials = single point of failure. NIS2 requires credential hygiene and access controls.


NIS2 Registration Deadline: March 6, 2026

2 Weeks Until Deadline — 29,000 German Companies Affected

BSI portal registration requires ELSTER certificate which takes 5-10 business days to process. Act NOW or miss the deadline.

Affected Sectors


🇩🇪 Deutsche Bahn DDoS Attack

Germany's largest rail operator experienced massive DDoS attack disrupting information and booking systems. Under NIS2, critical infrastructure operators face mandatory reporting and substantial fines for inadequate resilience.


Today's Numbers

Metric Value
Microsoft zero-days 6
BeyondTrust CVSS 9.9
French accounts breached 1.2M
German companies affected by NIS2 29,000
Days until NIS2 deadline 14

Today's Priorities

  1. PATCH: BeyondTrust RS/PRA — Active ransomware exploitation (CVSS 9.9)
  2. PATCH: Microsoft February patches — 6 zero-days under exploitation
  3. REGISTER: NIS2 BSI portal — Request ELSTER certificate TODAY
  4. REVIEW: Mobile security posture — PromptSpy represents new AI threat class
  5. ASSESS: Credential management — France breach shows single point of failure risk

AI Threats Require AI Defense

PromptSpy proves malware is evolving faster than static rules can handle. KENSAI uses AI-powered vulnerability detection to stay ahead of adaptive threats.

Start Free Security Scan

Stay secure. Stay vigilant.

🗡️ KENSAI Security Team