Malicious Tools Leveraging AI

November 4, 2025

Written by

Tam Doan

AI Cyber Threats

The integration of artificial intelligence into attacks is transforming how threat actors conduct operations, making them faster and more efficient than ever before. Recent examples such as SpamGPT, PromptLock, WormGPT, and Xanthorox AI demonstrate how Large Language Models (LLMs) are being leveraged to create more advanced tools capable of exploiting victims on a large scale. These tools not only automate complex attack workflows but also adapt in real time, increasing the sophistication and reach of cyber threats.

SpamGPT

SpamGPT is a spam-as-a-service toolkit that automates phishing campaigns using generative AI. At the center of its operation is an integrated assistant called KaliGPT, which helps malicious actors generate and deploy phishing emails.

KaliGPT can suggest subject lines, create persuasive email content, recommend targeting strategies, and even provide templates for common scams. By combining AI-generated text with automation and encryption, SpamGPT lowers the technical barrier to running large phishing operations.

A notable feature of this tool is a training module called SMTP Cracking Mastery. This program teaches users how to compromise Simple Mail Transfer Protocol (SMTP) servers, which are critical infrastructure for sending mass emails. The course covers techniques such as exploiting misconfigured servers, creating fake accounts, and stealing login credentials. This ultimately allows actors to set up the framework required to run sophisticated spam and phishing campaigns.

PromptLock

PromptLock represents a shift in ransomware development: it can dynamically generate malicious components on demand.

Unlike traditional ransomware that relies on static code, PromptLock’s architecture uses a local LLM to create Lua scripts in real time. These scripts can perform tasks such as system enumeration, file inspection, data exfiltration, and encryption, all customized for the infected system.

PromptLock is designed to work across Windows, Linux, and macOS environments. Its ability to generate code dynamically makes it adaptable and harder to detect, marking a new era of ransomware powered by AI that can modify itself.

WormGPT

WormGPT is an uncensored large language model (LLM) tool designed to bypass the safety mechanisms found in AI models such as ChatGPT. The original tool was shut down, but variants have resurfaced on underground forums like BreachForums, now powered by advanced architectures including xAI’s Grok and Mistral AI’s Mixtral. These systems enable malicious actors to automate the generation of phishing emails, infostealer malware, and other attack scripts. WormGPT variants are primarily accessed through Telegram chatbots and offered via subscriptions or single payments. They can generate malicious content at scale, including phishing emails to deceive victims and PowerShell scripts to extract Windows credentials, allowing threat actors to increase the effectiveness of their operations.

Xanthorox AI

Xanthorox AI is a platform designed for offensive cyber operations. Running entirely on local servers with a modular, multi-model architecture, it enables threat actors to operate offline, maintain full control over AI-powered workflows, and reduce the traceability and shutdown risks associated with cloud-based services.

The platform integrates multiple specialized AI models, each optimized for distinct tasks, including automated code and malware generation, vulnerability exploitation, data analysis, file processing, web scraping, and visual and voice interpretation. Key modules such as Xanthorox Coder, Vision, and Reasoner Advanced allow malicious actors to automate coding and malware development, analyze images and screenshots, and perform reasoning tasks that simulate human decision-making. By combining these capabilities, Xanthorox AI provides a tool capable of managing complete attack chains.

Conclusion

Together, tools such as SpamGPT, PromptLock, WormGPT, and Xanthorox AI demonstrate how threat actors are increasingly leveraging Large Language Models not only to automate the creation of phishing content and malware but also to develop adaptive attack campaigns. PromptLock dynamically generates ransomware scripts, SpamGPT manages widespread email operations, WormGPT bypasses AI safeguards, and Xanthorox AI coordinates complex operations.

Recommendations

  • Conduct regular scans for unauthorized AI model deployments or suspicious server workloads.
  • Restrict execution of unverified scripts and enforce application whitelisting to prevent unauthorized Lua, PowerShell, or other dynamic scripts from running.
  • Monitor AI model APIs and chatbots within your environment or networks for misuse and suspicious prompt injection behavior.
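
One way to act on the first two recommendations from endpoint telemetry, as an added example that is not from the original article: flag LLM runtimes on hosts not approved to run them, and flag a Lua or PowerShell interpreter starting shortly after local LLM activity on the same host. The runtime names, the port (Ollama's default), the approved-host list and the event schema are assumptions, and the events are constructed.

```python
from datetime import datetime, timedelta

# Assumptions, not from the article: the runtime process names, Ollama's
# default API port, the approved-host list and the event schema.
LLM_RUNTIMES = {"ollama", "llama-server", "vllm"}
LLM_PORTS = {11434}
SCRIPT_HOSTS = {"lua", "luajit", "powershell.exe", "pwsh"}
APPROVED_LLM_HOSTS = {"ml-dev-01"}
WINDOW = timedelta(minutes=5)

# Constructed sample telemetry (process starts and outbound connections).
EVENTS = [
    {"ts": "2025-11-04T09:00:00", "host": "ml-dev-01", "type": "proc", "image": "ollama"},
    {"ts": "2025-11-04T10:00:00", "host": "ws-114", "type": "proc", "image": "ollama"},
    {"ts": "2025-11-04T10:00:20", "host": "ws-114", "type": "net", "dport": 11434},
    {"ts": "2025-11-04T10:01:05", "host": "ws-114", "type": "proc", "image": "lua"},
    {"ts": "2025-11-04T10:02:00", "host": "ws-200", "type": "proc", "image": "powershell.exe"},
    {"ts": "2025-11-04T11:30:00", "host": "ml-dev-01", "type": "proc", "image": "powershell.exe"},
]

def is_llm_activity(e):
    """True for an LLM runtime process start or a connection to an LLM API port."""
    if e["type"] == "proc":
        return e.get("image", "").lower() in LLM_RUNTIMES
    return e["type"] == "net" and e.get("dport") in LLM_PORTS

def detect(events):
    """Return (host, rule, timestamp) findings in time order."""
    findings = []
    last_llm = {}  # host -> time of the most recent LLM activity
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts, host = datetime.fromisoformat(e["ts"]), e["host"]
        if is_llm_activity(e):
            # Report an unapproved host once, on first sighting.
            if host not in APPROVED_LLM_HOSTS and host not in last_llm:
                findings.append((host, "unauthorized-llm", e["ts"]))
            last_llm[host] = ts
        elif e["type"] == "proc" and e.get("image", "").lower() in SCRIPT_HOSTS:
            seen = last_llm.get(host)
            # Script interpreter launched soon after LLM activity on this host.
            if seen is not None and ts - seen <= WINDOW:
                findings.append((host, "script-after-llm", e["ts"]))
    return findings

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

The five-minute window and the interpreter list are tuning choices; on hosts where models are sanctioned, the second rule still fires and needs triage against expected developer activity.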

Sources:

https://www.varonis.com/blog/xanthorox-ai

https://hackread.com/wormgpt-returns-using-jailbroken-grok-mixtral-models/

https://www.varonis.com/blog/spamgpt

https://www.seqrite.com/blog/promptlock-first-ai-powered-ransomware/