Malicious LLM testing shows WormGPT 4 and KawaiiGPT generating reusable ransomware, phishing, and lateral-movement code

Technical Analysis
Happening score: 26
1 unique source, 1 article

Summary

Malicious LLMs such as WormGPT 4 and KawaiiGPT are now generating reusable offensive code, raising the risk that low-skilled attackers can run ransomware, phishing, and lateral-movement operations. Testing showed WormGPT 4 could produce a Windows ransomware locker script with AES-256 and Tor exfiltration options, while KawaiiGPT 2.5 could draft spear-phishing, SSH remote execution, and data-exfiltration scripts. The outputs reduce the time and skill needed to assemble attack tooling and make phishing lures sound more natural. Their use through paid subscriptions, free local instances, and community channels suggests a maturing criminal ecosystem around AI-assisted abuse.

Related Happenings

Vidar infostealer market rise and distribution expansion

Malware Activity
First: 28.04.2026 22:07 Last: 28.04.2026 22:07 Sources 1

About this happening: **Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...

Silver Fox South Asia phishing campaign

Campaign
First: 24.03.2026 18:00 Last: 24.03.2026 18:00 Sources 1

About this happening: The **Silver Fox** campaign now includes **BYOVD** abuse of a previously unknown **WatchDog Anti-malware** driver, **amsdk.sys (version 1.0.600)**, to disable security tools on co...

World Leaks RustyRocket malware activity

Malware Activity
First: 12.02.2026 15:30 Last: 12.02.2026 15:30 Sources 1

About this happening: The **World Leaks** extortion group has added **RustyRocket**, a new **Rust** malware that helps it maintain **persistence** and **exfiltrate data** from victim networks. The tool...

Geta RAT, Ares RAT, and DeskRAT cross-platform credential-theft activity

Malware Activity
First: 11.02.2026 16:52 Last: 11.02.2026 16:52 Sources 1

About this happening: **Geta RAT**, **Ares RAT**, and **DeskRAT** are being deployed across **Windows and Linux** in phishing-led intrusions that enable **credential theft**, **persistent access**, and...

VolkLocker ransomware-as-a-service with free-decryption flaw

Malware Activity
First: 15.12.2025 07:33 Last: 15.12.2025 07:33 Sources 1

About this happening: The **CyberVolk**-linked **VolkLocker** ransomware-as-a-service has resurfaced with a flaw that lets victims **decrypt files without paying**. The **Golang** ransomware targets **...

Timeline

  1. 27.11.2025 19:15 2 articles · 6mo ago

    Unit 42 analyzes WormGPT 4 and KawaiiGPT offensive-code generation

    Technical Analysis Update

    Palo Alto Networks Unit 42 analyzed WormGPT 4 and KawaiiGPT and found that both can generate malicious code, phishing lures, and lateral-movement tooling. WormGPT 4 produced a PowerShell ransomware locker for PDF files on Windows, with AES-256 encryption and an optional Tor exfiltration path, while KawaiiGPT 2.5 generated spear-phishing messages, SSH-based remote execution, and Windows data-exfiltration scripts.