Malicious LLMs are letting even unskilled hackers craft dangerous new malware
Two chatbots found to be designed exclusively for cybercrime
- Hackers use untethered LLMs such as WormGPT 4 and KawaiiGPT for cybercrime
- WormGPT 4 enables encryptors, exfiltration tools, and ransom notes; KawaiiGPT crafts phishing scripts
- Both models have hundreds of Telegram subscribers, lowering cybercrime entry barriers
Most generative AI tools in use today are not unrestricted - for example, they are not allowed to teach people how to make bombs, or how to commit suicide - and they are also not allowed to facilitate cybercrime.
While some hackers try to “jailbreak” the tools by working around those guardrails with smart prompts, others simply build their own, completely untethered large language models (LLMs), to be used for cybercrime exclusively.
Cybersecurity researchers from Palo Alto Networks’ Unit 42 have analyzed two such models to see how capable they are, and to better understand the tools at every cybercriminal’s disposal. The conclusion is that some of the tools are quite powerful, allowing even low-skilled hackers to run sophisticated, damaging attacks.
Attacking Discord?
The specific models are called WormGPT 4 and KawaiiGPT. The former is a successor to the WormGPT LLM which was discontinued in September 2025, and is a paid tool that criminals can get for $50 a month (or $220 for a lifetime license). The latter is a free, community-powered alternative.
The free one is not as good as the paid one, Unit 42 said, but added that it’s still rather robust and capable of crafting convincing phishing messages and automating lateral movement with ready-to-run scripts. The paid model is even more troubling, since the researchers managed to build a fully functioning encryptor malware, a data exfiltration tool, and a “chilling and effective” ransom note.
These are most likely not the only two tools of their kind on the internet, but they seem to be popular. Both LLMs apparently have hundreds of subscribers on Telegram and are being actively used in various attacks.
“Analysis of these two models confirms that attackers are actively using malicious LLMs in the threat landscape,” Unit 42 concluded, warning that the barrier for entry into cybercrime has never been lower.
Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.