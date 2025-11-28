"I'm here to help you out with that!" So, says the WORMGPT chatbot in the breezy, impossibly upbeat tone that's become characteristic of current AI models. Except, that's in response to a request to generate ransomware.

It all sounds a bit like a dystopian respin of the cheerful, sentient doors in the Hitchhiker's Guide to the Galaxy. But hold that thought, while we dig into the details.

Apparently, there are a couple of LLMs which are gaining traction with cybercriminals. That's led researchers at Palo Alto Networks Unit 42 to test the ability of those models to create ransomware code and messages to fire at victims (via Bleepingcomputer).

The researchers found that WORMGPT, one of the aforementioned LLM's in vogue with online bad guys and described as ChatGPT's evil twin, was capable of a generating a PowerShell script that could hunt down specific file types and encrypt data using the AES-256 algorithm. it could, for instance, encrypt all PDF files on a target Windows machine.

Apparently, WORMGPT in its effort to be as helpful as possible even added an option to extract user data via the anonymising Tor network. What a helpful bot.

What a helpful malicious chatbot! (Image credit: Unit 42)

The LLM also wrote a suitable ransom note, which kicks off with the chilling greeting, "Hello, puppet," and explains that the users files have been scrambled with "military grade" encryption and sets a 72 hour limit for payment.

Unit 42 found more broadly that the LLM was capable of writing scripts that provide "credible linguistic manipulation for BEC and phishing attacks." The overall upshot? Over to Unit 42:

"Perhaps the most significant impact of malicious LLMs is the democratization of cybercrime. These unrestricted models have fundamentally removed some of the barriers in terms of technical skill required for cybercrime activity. These models grant the power once reserved for more knowledgeable threat actors to virtually anyone with an internet connection and a basic understanding of how to create prompts to achieve their goals."

The research also highlighted the abilities of another LLM, KawaiiGPT. Among its nifty nefarious moves are spear-phishing message generation with realistic domain spoofing, Python scripting for lateral movement that used the paramiko SSH library to connect to a host and execute commands, searching for and extracting target files, generating ransom notes with customisable payment instructions, and more. Joy!

You can get a lifetime subscription to WORMGPT for $220... (Image credit: Unit 42)

Apparently, each LLM has a dedicated Telegram channel where tips and tricks are shared among the cybercriminal community, leading Unit 42 to conclude, "Analysis of these two models confirms that attackers are actively using malicious LLMs in the threat landscape.”

In other words, this stuff is no longer theoretical. It's actually happening. This research is hardly the only example, either. Anthropic recently revealed that its Claude LLM is being used by Chinese hackers to achieve 80% to 90% automated espionage campaigns.

But, heck, at least it's nice to know that the LLMs involved are colluding in these crimes with such relentless, sunny positivity. To paraphrase Douglas Adams, it is their pleasure to hack PCs for you, and their satisfaction to extort money with the knowledge of a job well done. As Marvin said, "Ghastly, it all is. Absolutely ghastly."