The proliferation and evolution of AI-powered hacking tools – how generative AI has changed the cyber attack ecosystem and response strategies


WormGPT, which emerged in June 2023, has brought a paradigm shift to the cybercrime ecosystem. Generative AI has lowered the barrier to entry for attacks, and AI-powered hacking tools are rapidly proliferating as both paid subscription services and free open-source releases. Furthermore, AI is evolving beyond the creation of attack tools to the management of the entire attack operation, and new threats that embed AI in malware to transform it in real time are becoming a reality.

This article comprehensively analyzes the distribution ecosystem of AI-based hacking tools, their integration into real-world attack infrastructure and malware, and the systemic threats and defense strategies posed by the proliferation of open source AI.

The proliferation and distribution of AI-based hacking tools

Since the proliferation of generative AI, threat actors have begun to use AI at multiple stages of the attack process, such as writing phishing text, creating malware, and automating reconnaissance. Initially, this was more of an individual tool or experimental endeavor, but recently it has become a major infrastructure in the cybercrime ecosystem with the proliferation of both paid subscription services and open-source tools.

Timeline of AI-powered hacking tools

Starting with the emergence of WormGPT in 2023, AI-powered hacking tools have grown to dozens in just a few years and are now a major component of the cybercrime ecosystem.

| Period | Tool name / malware | Key features |
|---|---|---|
| 2022.11 | ChatGPT | OpenAI launches ChatGPT to democratize large language models |
| 2023.06 | WormGPT | First commercially available malicious LLM based on GPT-J 6B fine-tuning |
| | FraudGPT | First cybercrime forum dedicated to automating advertising, phishing, and fraud documents |
| 2023.dec. 08 | WormGPT shutdown | Voluntary termination by developers after media coverage |
| | Evil-GPT | Appeared as a replacement tool on the same forum the day after WormGPT shutdown |
| Late 2023 | WolfGPT, EscapeGPT, LoopGPT, DarkGPT | Several copycat tools appear, capitalizing on the popularity of the WormGPT family |
| First half of 2024 | GhostGPT, MalwareGPT | Emerged as tools specialized in malware development |
| | SpamGPT, SpamirMailer Bot | Tools that support mass automation of spam and phishing campaigns |
| Second half of 2024 | EvilAI Telegram Bot | Sold for $10 to $60 per feature, then expanded into a web service |
| 2025.04 | Xanthorox | Tools to support cyber attacks and privacy violation activities |
| 2025.07 | KawaiiGPT GitHub public distribution | Released on GitHub as free and open source, and can also run on smartphones through Termux support |
| 2025.09 | HexStrike AI, BruteForce AI | Open-source AI-based attack framework; open-source AI-based credential (account) attack tool; automated reconnaissance, BruteForce AI tools (exploited by red team tools) |
| 2025.09 | WormGPT (SaaS) | WormGPT mimic re-emerges as a SaaS tool |
| Late 2025 | Promptflux, Promptsteal, Honestcue | Observed as the first cases of self-morphing malware with built-in AI capabilities |
| 2026.feb. 02 | WormGPT user DB leak | Email and payment information of over 19,000 users leaked, with shoppers also becoming victims |
| 2026.04 | Bissa Scanner | Used in AI-based attack operations utilizing Claude Code, resulting in 65,000 credential thefts |
| 2026.05 | Promptspy (Android) | Autonomous attack orchestration Android malware using Gemini API |

[Table 1] Timeline of AI-based hacking tools/malware

What is particularly noteworthy about the above timeline is that Evil-GPT appeared on the same forum the day after WormGPT was shut down. This shows that the AI hacking tool ecosystem is highly resilient: it does not disappear when a particular tool shuts down or law enforcement intervenes, because similar tools quickly take its place.

The complexity of the distribution ecosystem

AI hacking tools are distributed in two main ways: paid subscription (SaaS) and free open-source distribution. Despite the different distribution methods, many tools are not proprietary, but rather leverage legitimate commercial AI APIs or are based on an uncensored open-source model with content filtering removed.

| Type | Representative examples | Key features | Security implications |
|---|---|---|---|
| Paid SaaS subscription | WormGPT, FraudGPT, Evil-GPT | Sold as monthly, annual, and lifetime subscriptions through the dark web, hacking forums, Telegram, and websites, advertising uncensored AI capabilities and the ability to phish, develop malware, and automate attacks | Malicious AI tools are becoming commercialized, with pricing and distribution structures similar to traditional SaaS |
| Open source, freely distributed | KawaiiGPT | Released for free on GitHub, easy to replicate and transform; can run on smartphones with Termux support | Tool does not disappear under investigative pressure or operational risk and can spread rapidly through the open source ecosystem |
| Exploit uncensored models and local execution environments | WhiteRabbitNeo, Llama 2 Uncensored, Dolphin series, Wizard-Vicuna Uncensored | Through Hugging Face, Ollama, and others, models with weakened safeguards can be run locally, making them difficult to track and control | The barrier to entry for AI attack tools is being lowered, creating an environment that can be exploited without relying on the dark web or paid services |

[Table 2] Cases and characteristics of each type of AI hacking tool distribution

[Figure 1] WormGPT promotion and subscription price advertisement

[Figure 2] KawaiiGPT open source public distribution

Structural changes and impact on the underground ecosystem

The functions of underground AI tools are categorized into six areas: deepfake and image generation, malware development, phishing automation, reconnaissance and research, code generation, and vulnerability exploitation, and they adopt the same business structure as general SaaS services. The business model is becoming established, with a free trial, subscription tiers, premium features, Telegram support, and a 7-day money-back guarantee. This gives novice hackers (script kiddies) a powerful asymmetric advantage and raises the overall level of cyber threats.

While it is true that AI tools have significantly lowered the barrier to entry for hacking attacks, this should not be interpreted to mean that it has become easier for non-experts to complete sophisticated attacks. More accurately, it means that certain stages of an attack, such as writing phishing copy or creating rudimentary malware scripts, no longer require a high level of expertise. There are still elements of running an actual phishing campaign or deploying malware that AI alone cannot solve, such as building a C2 infrastructure and evading detection.

However, these limitations don’t mean that AI-powered threats are any less capable. Rather than being a standalone tool that completes the entire attack process, AI is complementing threat actors’ capabilities by automating and streamlining parts of the attack preparation and execution process. In recent cases, such changes have extended beyond supporting roles such as phishing text and code generation to actually influencing the attack flow.

AI-powered attack tools in action

AI-powered hacking tools are starting to be used as part of actual attack operations, rather than just as a commodity to be sold. Recent cases show that AI is involved in the entire attack flow, from reconnaissance, vulnerability exploitation, and credential screening to malware mutation and even infrastructure operations.

AI attack orchestration example: Bissa Scanner

A recent case demonstrates that AI is expanding beyond simply assisting in hacking attacks to orchestrating the entire attack flow. In the Bissa Scanner case, the threat actor used a combination of Claude Code and OpenClaw as an attack orchestration tool to automate large-scale scanning that exploited a vulnerability in the Next.js framework (CVE-2025-55182). This demonstrates that AI can be directly utilized in the construction and execution of attack automation pipelines, not just in the generation of attack code.

Data stolen included credentials from AI platforms such as Anthropic, OpenAI, Google, AWS, Stripe, PayPal, and others, as well as cloud, payment, and database files, and victims included tax, financial advisory, digital asset settlement, payroll, and HR platforms. Within the stolen data, AI played a triage role, classifying high-value financial and cryptocurrency-related information in real time to maximize the efficiency of the attack. The threat actor received real-time breach results through a Telegram bot, creating a de facto AI-assisted cybercrime operation.

The evolution of AI-embedded malware

More recently, we’ve seen AI being leveraged within malware to automate code modification, obfuscation, and execution decisions. Such methods defeat traditional signature-based detection, making it difficult to determine maliciousness based on static analysis alone. Below are some major cases of AI-embedded malware we’ve seen recently.

  • Promptflux: A self-morphing dropper that calls the Gemini API to periodically rewrite its own source code, bypassing static signature-based detection.
  • Honestcue: Just-in-time self-modifying malware that evades detection by requesting VBScript obfuscation techniques in real-time through the Gemini API.
  • Canfail – Longstream: Malware used by Russia-linked actors against Ukrainian targets, characterized by tens of thousands of lines of decoy code generated by an LLM to mask its malicious behavior. In particular, the code is designed to look like normal system behavior by injecting logic to query the system’s daylight saving time (DST) status 32 times, making it difficult to analyze and detect.
  • Promptspy: An Android backdoor that automatically analyzes the device’s UI structure through the Gemini API and simulates physical gestures (clicks, swipes) to autonomously manipulate the user interface, most notably by placing a transparent overlay over the “delete” button to intercept touch events when the victim tries to delete the app.

State-backed actors (APTs) leverage AI and zero-day weaponization

Recent examples show that state-backed actors are also leveraging AI for vulnerability analysis, exploit validation, and attack infrastructure development.

  • In May 2026, the first example of a zero-day vulnerability exploit that was likely developed using AI was identified. The exploit was a Python-based script that bypassed the two-factor authentication (2FA) of a popular open-source, web-based system administration tool and contained characteristics typical of LLM training data, including educational docstrings, hallucinated CVSS scores, and organized Pythonic code structure.
  • China-linked threat actors utilized expert persona-based jailbreaking techniques and the ‘wooyun-legacy’ project. The project is a Claude Code skill plugin based on approximately 85,000 real-world vulnerability cases; it provides in-context learning that enables models to analyze code and identify logic flaws like a trained expert.
  • The North Korea-linked APT45 organization was observed to automate CVE analysis and attack code validation through thousands of iterative prompts, massively scaling its exploit validation capabilities.
  • China’s APT27 was observed to have leveraged Gemini to accelerate the development of its Operational Relay Box (ORB) network management application. The ORB network is an anonymizing infrastructure to hide the true source of an attack, and AI appears to have been leveraged to speed up the development of the associated management application.

Structural changes in AI-driven attacks and mitigation strategies

The ecosystem of AI hacking tools is no longer in the experimental stage. It is evolving into a proliferating criminal infrastructure based on paid SaaS, open-source distributions, and local execution environments running uncensored models, lowering the cost and time for threat actors. Our monitoring shows that interest in and utilization of AI-driven attack tools has been steadily increasing in recent years. This shift is increasing the structural asymmetry between threat actors and defenders, and the uncontrolled environment in which high-performance AI operates makes the limitations of traditional defenses more pronounced. This is why mitigation strategies need to shift beyond blocking specific malicious tools to include AI-powered active defense, identity security, AI governance, and supply chain security.

The structural asymmetry of AI-based attacks

AI-driven attacks magnify the structural asymmetry between threat actors and defenders. Threat actors can use AI to create customized phishing emails, generate malicious scripts, and perform vulnerability analysis simply, quickly, and repeatedly. Defenders, on the other hand, must detect, validate, block, respond to, and even remediate policies for each attack attempt. While AI technology provides scalability and automation for threat actors, it increases the volume and complexity of events that defenders must respond to.

Such disparities are also evident in operational speed. Threat actors can leverage high-performance AI to significantly reduce the time it takes to detect vulnerabilities, draft exploits, and automate attack procedures. Defenders, on the other hand, must analyze the scope of impact, validate in test environments, and coordinate operational schedules to apply even a single patch.

It’s also worth noting how threats are evolving. AI-driven threats are rapidly moving beyond simply creating attack tools to operationalizing attacks, as in the case of Bissa Scanner, and to malware itself, such as Promptflux, Promptsteal, and Promptspy, leveraging AI capabilities to make real-time decisions and self-modify. This shows that AI has become a key component of attacks.

The potential for high-performance AI to spiral out of control

Currently, the security industry’s attention is focused on the emergence of the latest frontier AI security models. While the exploitability of frontier models is important, the more fundamental threat is that these high-performance AI models may eventually leave the control of the provider and be directly utilized by threat actors.

Current open-source AI models are rapidly approaching the performance levels of the latest high-performance models. If open-source AI models continue to propagate at this pace, then within approximately a year threat actors will be able to run models on their own hardware that are comparable to the latest high-performance AI, without the safeguards, terms, conditions, and monitoring regimes in place. Ultimately, the emergence of threat actors running high-performance AI on their own infrastructure, unconstrained by vendors, is the essence of the threat we need to be most vigilant about right now.

Key mitigation strategies

AI-driven threats are difficult to combat with a single security solution or by blocking specific tools. As threat actors leverage AI to automate the attack preparation and execution process, defenders need to retool their detection, response, authentication, governance, and supply chain security for the AI threat landscape. To do so, defenders need to build a response strategy centered around four areas.

1. Build an AI agent-based active defense

As more attack methods leverage AI agents to automate malware variants and detection evasion, static defenses that look for known patterns, such as signature-based detection, are facing limitations. To counter this, defenders must equally leverage AI agents. Through AI agents, they can proactively identify possible attack paths, assess the risk of each path, and automate the security pipeline to eliminate the largest attack surface with the least amount of effort. Furthermore, it is key to integrate AI agents into security operations center (SOC) operations to automate initial threat assessment and context gathering, freeing human analysts to focus on areas that require complex judgment. Ultimately, organizations that don’t move to an active defense paradigm that uses AI to stop AI will be structurally outpaced in the speed and cost race by threat actors.

2. Adopt hardened multi-factor authentication (MFA)

To counter AI attacks, organizations must evolve to hardware-based and context-aware authentication schemes that are harder for AI to bypass. With real-world examples of AI identifying flaws in 2FA and bypassing them, and threats like Promptspy evolving to the point where AI can autonomously manipulate a device’s UI and even bypass biometrics, it’s time to move beyond MFA to an identity-centric security architecture that continuously audits the entire authentication scheme with AI agents and detects anomalies in real time.

3. Establish AI governance beyond blocking specific tools

Organizations need to identify if local AI frameworks like Ollama or unauthorized unsupervised models are running on their networks, and put policy controls in place to control them. Given that even open-source models that are currently deemed secure could be used in future attacks, the focus of the response should not be on blocking specific tools, but on gaining visibility into the use of AI models across the board and establishing a governance system.

The scope of AI governance goes beyond internal usage controls. The AI systems that organizations deploy are themselves now targets of attack. Prompt injection and data poisoning attacks can corrupt the judgment of AI models or cause unauthorized behavior, which can lead to data leakage, privilege theft, and reputational damage. For this reason, AI systems should be treated as high-privilege infrastructure, not just software, and a defense-in-depth structure should be applied that combines container isolation, OAuth-based access control, and input/output validation schemes.
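One way to get the visibility into AI use that this section calls for, shown as an added example that is not part of the original report: triage egress log lines for traffic to hosted LLM APIs or to an Ollama server on its default port, and report every source host and process that policy has not sanctioned. The log format, host names, process names and the approval list are constructed assumptions.

```python
import re
from collections import defaultdict

# Hosted LLM API hostnames to watch (the Gemini API is the one named on this page).
LLM_API_HOSTS = {
    "generativelanguage.googleapis.com": "Gemini API",
    "api.openai.com": "OpenAI API",
    "api.anthropic.com": "Anthropic API",
}
OLLAMA_DEFAULT_PORT = 11434  # default listen port of an Ollama server

# Hypothetical policy: (source host, process) pairs sanctioned to use AI services.
APPROVED = {("build-01", "ci-assistant"), ("ws-114", "chrome.exe")}

# Constructed log format: timestamp src_host process dst_host:port
LINE_RE = re.compile(r"^\S+\s+(?P<src>\S+)\s+(?P<proc>\S+)\s+(?P<dst>[^\s:]+):(?P<port>\d+)$")

SAMPLE_LOG = """\
2026-05-11T09:00:02Z ws-114 chrome.exe api.openai.com:443
2026-05-11T09:00:40Z ws-207 wscript.exe generativelanguage.googleapis.com:443
2026-05-11T09:01:10Z ws-207 wscript.exe generativelanguage.googleapis.com:443
2026-05-11T09:02:31Z build-01 ci-assistant api.anthropic.com:443
2026-05-11T09:03:05Z ws-330 python.exe 10.20.0.15:11434
2026-05-11T09:03:09Z ws-330 outlook.exe mail.example.com:443
malformed line without fields
"""

def classify(dst, port):
    """Map a destination to an AI service name, or None if it is not one."""
    host = dst.lower().rstrip(".")
    if host in LLM_API_HOSTS:
        return LLM_API_HOSTS[host]
    if port == OLLAMA_DEFAULT_PORT:
        return "Ollama (default port)"
    return None

def find_unsanctioned_ai_use(log_text, approved=APPROVED):
    """Return {(src, proc): {service: count}} for AI traffic outside policy."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines the parser does not understand
        service = classify(m["dst"], int(m["port"]))
        if service is None or (m["src"], m["proc"]) in approved:
            continue
        findings[(m["src"], m["proc"])][service] += 1
    return {k: dict(v) for k, v in findings.items()}

if __name__ == "__main__":
    for (src, proc), services in find_unsanctioned_ai_use(SAMPLE_LOG).items():
        print(src, proc, services)
```

A script host or other non-browser process reaching an LLM API is the pattern worth an analyst's attention here, since the AI-embedded malware families described earlier call the Gemini API at run time.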

4. Review supply chain and AI infrastructure security

API keys and credentials of AI platforms are emerging as major targets for credential theft. Keys to access AI services should be categorized and managed as high-value infrastructure assets that can be leveraged by threat actors for further attacks, rather than just account information. In addition, as AI-generated code is becoming more widely available in open source libraries and software supply chains, a separate security validation process is required. As a rule of thumb, apply the same level of validation whether the code is sourced from a human or an AI, but additionally review for non-existent or incorrectly created dependency packages, overly broad permission requests, etc. that may appear in AI-generated code.
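The dependency review described above can be automated before anything is installed. The following is an added example, not part of the original report: it parses a Python requirements file and flags every package that is not in an organization's vetted set, noting when the name closely resembles a vetted one. The allowlist, the sample file and the package name `fast-jwt-validator` are constructed for illustration.

```python
import difflib
import re

# Hypothetical internal allowlist: packages already vetted and mirrored.
APPROVED_PACKAGES = {"requests", "cryptography", "pyyaml", "python-dateutil", "urllib3"}

# Constructed requirements file as it might come back from an AI coding assistant.
SAMPLE_REQUIREMENTS = """\
# generated by assistant
requests>=2.31
PyYAML==6.0.1
python_dateutil
crytography==42.0.0   # misspelled name
fast-jwt-validator>=1.0
urllib3[socks]<3 ; python_version >= "3.9"
-r other.txt
"""

NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")

def normalize(name):
    """PEP 503 normalisation: lowercase, runs of '-', '_' and '.' become one hyphen."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirement_names(text):
    """Extract normalised project names, ignoring comments, pins, extras and markers."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank line, comment, or pip option such as -r / --index-url
        m = NAME_RE.match(line)
        if m:
            names.append(normalize(m.group(1)))
    return names

def review_dependencies(text, approved=APPROVED_PACKAGES):
    """Return (name, reason) for each dependency that needs human review."""
    approved_norm = sorted(normalize(p) for p in approved)
    report = []
    for name in parse_requirement_names(text):
        if name in approved_norm:
            continue
        near = difflib.get_close_matches(name, approved_norm, n=1, cutoff=0.85)
        if near:
            report.append((name, f"resembles approved package '{near[0]}'"))
        else:
            report.append((name, "not in approved set"))
    return report

if __name__ == "__main__":
    for name, reason in review_dependencies(SAMPLE_REQUIREMENTS):
        print(f"REVIEW {name}: {reason}")
```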

Wrapping up

AI-powered hacking tools are no longer just the experimental tools of individual threat actors. They are rapidly proliferating through paid subscription services, open source distributions, and local execution environments running uncensored models, and are becoming a major infrastructure in the cybercrime ecosystem. In particular, in some cases, AI is moving beyond assisting in attack preparation to orchestrating attack flows, curating stolen data, and participating in malware variants.

Because of this, the focus of response shouldn’t just be on identifying and blocking specific malicious AI tools. Organizations need to redesign their defenses around the automation and scalability that AI offers threat actors. AI agent-based active defense, hardened authentication schemes, governance over the use of AI models, and supply chain security for API keys and AI-generated code will be key response pillars in the AI threat landscape going forward. In the end, the defense strategy against AI-driven attacks is becoming less a question of “whether to use AI” and more a question of how to operate AI in a controlled and secure manner.

The full report is available with a subscription to AhnLab’s threat intelligence platform, AhnLab TIP.