Overview
- ESET says it found the sample on Aug. 25 in VirusTotal submissions traced to the U.S., with no further origin details.
- Written in Go, the malware calls a local open-weights gpt-oss:20b model through the Ollama API to produce on-demand Lua scripts.
- The generated scripts can enumerate files, inspect their contents (including PII), exfiltrate data, and encrypt files on Windows, macOS, and Linux using 128-bit SPECK.
- Indicators of compromise may differ between runs, and attackers could tunnel to a remote server running Ollama rather than host the model on victim networks.
- ESET’s screenshots show embedded prompts that instruct the LLM to craft scripts and ransom notes, while a data-destruction feature appears unfinished and there is no evidence of real-world deployments in ESET telemetry.
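Because the Lua payloads are generated at runtime, hashes and other per-run indicators are a weak handle; the stable behaviour is an unexpected local process issuing completion requests to the Ollama API. The Python below is an added triage example, not code from ESET or the sample: the JSON event format, the client allowlist and the keyword list are assumptions, while the port 11434 and the /api/generate and /api/chat paths are Ollama's documented defaults.

```python
import json
from dataclasses import dataclass

OLLAMA_PORT = 11434                                 # Ollama's default listening port
OLLAMA_ENDPOINTS = {"/api/generate", "/api/chat"}   # Ollama completion endpoints
# Local processes expected to talk to the Ollama daemon (assumed; tune per host).
ALLOWED_CLIENTS = {"ollama", "open-webui"}
# Prompt fragments matching the behaviour ESET describes (assumed keywords).
SUSPICIOUS_TERMS = ("lua", "encrypt", "ransom")

@dataclass
class Finding:
    pid: int
    image: str
    model: str
    reason: str

def triage(log_lines: list[str]) -> list[Finding]:
    """Flag non-allowlisted processes sending completion requests to Ollama."""
    findings = []
    for line in log_lines:
        ev = json.loads(line)
        if ev.get("dst_port") != OLLAMA_PORT or ev.get("path") not in OLLAMA_ENDPOINTS:
            continue
        image = ev.get("image", "").lower()
        if image in ALLOWED_CLIENTS:
            continue
        body = ev.get("body", {})
        # /api/generate carries "prompt"; /api/chat carries a "messages" list.
        prompt = body.get("prompt") or " ".join(
            m.get("content", "") for m in body.get("messages", []))
        reasons = [f"unexpected client {image!r} on Ollama API"]
        hits = [t for t in SUSPICIOUS_TERMS if t in prompt.lower()]
        if hits:
            reasons.append("prompt mentions " + ", ".join(hits))
        findings.append(Finding(ev["pid"], image, body.get("model", ""), "; ".join(reasons)))
    return findings

# Constructed sample events (JSON lines), not real telemetry.
SAMPLE_LOG = [
    '{"pid": 4120, "image": "ollama", "dst_port": 11434, "path": "/api/generate", "body": {"model": "llama3", "prompt": "summarise this text"}}',
    '{"pid": 5511, "image": "svchelper.exe", "dst_port": 443, "path": "/", "body": {}}',
    '{"pid": 5511, "image": "svchelper.exe", "dst_port": 11434, "path": "/api/generate", "body": {"model": "gpt-oss:20b", "prompt": "Generate a Lua script to encrypt files and write a ransom note"}}',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

Only the third event is reported: the allowlisted ollama client and the non-Ollama connection are skipped, and the finding records the model name and the matched prompt terms for an analyst to review.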