Malicious LLM testing shows WormGPT 4 and KawaiiGPT generating reusable ransomware, phishing, and lateral-movement code
Technical Analysis
Summary
Hide ▲
Show ▼
Malicious LLMs such as WormGPT 4 and KawaiiGPT are now generating reusable offensive code, raising the risk that low-skilled attackers can run ransomware, phishing, and lateral-movement operations. Testing showed WormGPT 4 could produce a Windows ransomware locker script with AES-256 and Tor exfiltration options, while KawaiiGPT 2.5 could draft spear-phishing, SSH remote execution, and data-exfiltration scripts. The outputs reduce the time and skill needed to assemble attack tooling and make phishing lures sound more natural. Their use through paid subscriptions, free local instances, and community channels suggests a maturing criminal ecosystem around AI-assisted abuse.
Related Happenings
Bluekit alliance reshapes ransomware ecosystem operations
Threat Actor Meta
H score25
First: 30.04.2026 21:58
Last: 30.04.2026 21:58
Sources 1
About this happening:
Bluekit's **AI-assisted** phishing kit has expanded into an **all-in-one** service, lowering the barrier for cybercriminal operators and signaling a more industrialized phishing m...
Bluekit alliance reshapes ransomware ecosystem operations
Threat Actor MetaAbout this happening: Bluekit's **AI-assisted** phishing kit has expanded into an **all-in-one** service, lowering the barrier for cybercriminal operators and signaling a more industrialized phishing m...
Latest development: 25.06.2026 18:00
Bluekit phishing-as-a-service added browser-in-the-middle (BitM) login theft and nearly 70 new hostnames over the past week. Netcraft said the kit now uses the open-source JavaScript library rrweb to serialize the page DOM and stream it over a WebSocket connection, while the live 5-second monitoring system and victim qualification checks remain in use.
Vidar infostealer market rise and distribution expansion
Malware Activity
H score30
First: 28.04.2026 22:07
Last: 28.04.2026 22:07
Sources 1
About this happening:
**Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
Vidar infostealer market rise and distribution expansion
Malware ActivityAbout this happening: **Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
Silver Fox South Asia phishing campaign
Campaign
H score34
First: 24.03.2026 18:00
Last: 24.03.2026 18:00
Sources 1
About this happening:
The **Silver Fox** campaign now includes **BYOVD** abuse of a previously unknown **WatchDog Anti-malware** driver, **amsdk.sys (version 1.0.600)**, to disable security tools on co...
Silver Fox South Asia phishing campaign
CampaignAbout this happening: The **Silver Fox** campaign now includes **BYOVD** abuse of a previously unknown **WatchDog Anti-malware** driver, **amsdk.sys (version 1.0.600)**, to disable security tools on co...
World Leaks RustyRocket malware activity
Malware Activity
H score38
First: 12.02.2026 15:30
Last: 12.02.2026 15:30
Sources 1
About this happening:
The **World Leaks** extortion group has added **RustyRocket**, a new **Rust** malware that helps it maintain **persistence** and **exfiltrate data** from victim networks. The tool...
World Leaks RustyRocket malware activity
Malware ActivityAbout this happening: The **World Leaks** extortion group has added **RustyRocket**, a new **Rust** malware that helps it maintain **persistence** and **exfiltrate data** from victim networks. The tool...
Geta RAT, Ares RAT, and DeskRAT cross-platform credential-theft activity
Malware Activity
H score23
First: 11.02.2026 16:52
Last: 11.02.2026 16:52
Sources 1
About this happening:
**Geta RAT**, **Ares RAT**, and **DeskRAT** are being deployed across **Windows and Linux** in phishing-led intrusions that enable **credential theft**, **persistent access**, and...
Geta RAT, Ares RAT, and DeskRAT cross-platform credential-theft activity
Malware ActivityAbout this happening: **Geta RAT**, **Ares RAT**, and **DeskRAT** are being deployed across **Windows and Linux** in phishing-led intrusions that enable **credential theft**, **persistent access**, and...
Timeline
-
27.11.2025 19:15 2 articles · 7mo ago
Unit 42 analyzes WormGPT 4 and KawaiiGPT offensive-code generation
Technical Analysis UpdatePalo Alto Networks Unit 42 analyzed WormGPT 4 and KawaiiGPT and found that both can generate malicious code, phishing lures, and lateral-movement tooling. WormGPT 4 produced a PowerShell ransomware locker for PDF files on Windows, with AES-256 encryption and an optional Tor exfiltration path, while KawaiiGPT 2.5 generated spear-phishing messages, SSH-based remote execution, and Windows data-exfiltration scripts.
Show sources
- Malicious LLMs empower inexperienced hackers with advanced tools — www.bleepingcomputer.com — 27.11.2025 19:15
- Malicious LLMs empower inexperienced hackers with advanced tools — www.bleepingcomputer.com — 27.11.2025 19:15