BlackHat AI Tool WormGPT Enhanced with Grok and Mixtral
The rapid evolution of large language models (LLMs) has not only transformed legitimate industries but has also found its way into the hands of cybercriminals.
WormGPT, a notorious blackhat AI tool, has recently resurfaced in enhanced forms powered by advanced models such as xAI’s Grok and Mistral AI’s Mixtral, raising new concerns within the cybersecurity community.
The Rise and Fall of WormGPT
WormGPT first emerged in June 2023 on Hack Forums, quickly gaining notoriety as an uncensored generative AI tool designed to facilitate black hat activities.
Developed by an individual known as “Last,” WormGPT was based on EleutherAI’s GPT-J, a 6-billion-parameter open-source model capable of generating human-like text.
Its subscription-based pricing, ranging from €60 to €100 per month or €550 per year, with a private setup option for around €5,000, reflected its value within the cybercriminal ecosystem.
The tool’s popularity, however, led to its downfall. In August 2023, following an exposé by investigative journalist Brian Krebs that identified the creator, WormGPT was abruptly shut down.
The developers cited excessive media exposure and the resulting negative publicity as reasons for the closure, underscoring their desire for anonymity and fear of legal consequences.
Despite WormGPT’s shutdown, its brand continued to thrive as a symbol of uncensored LLMs for malicious use.
Variants quickly appeared on BreachForums, another prominent underground forum. In October 2024, a user named “xzin0vich” announced a new WormGPT variant, offering access via a Telegram chatbot and operating on a subscription and one-time payment model.
“xzin0vich” announcing WormGPT
By February 2025, another variant was introduced by “keanu,” further solidifying WormGPT’s place in the cybercriminal toolkit.
Technical Enhancements: Grok and Mixtral
Cato CTRL’s analysis revealed that the latest WormGPT variants are powered by cutting-edge LLMs—specifically, xAI’s Grok and Mistral AI’s Mixtral. These enhancements mark a significant leap in capability and sophistication:
- keanu-WormGPT: This variant utilizes the Grok API, employing a custom system prompt to circumvent Grok’s built-in guardrails and produce malicious content. Investigators used jailbreak techniques to expose the underlying model, confirming Grok as the engine behind keanu-WormGPT.
- xzin0vich-WormGPT: Analysis of leaked system prompts and chatbot responses indicated that this variant is built on Mixtral. The system prompt explicitly references Mixtral, and technical details such as the use of two active experts per token and eight key-value heads for Grouped-Query Attention confirm its foundation. The model’s malicious behavior is defined by its system prompt and may be further enhanced through fine-tuning on illicit datasets.
The resurgence and evolution of WormGPT highlight a troubling trend: the growing market for uncensored, malicious LLMs within cybercrime.
Other tools, such as FraudGPT, DarkBERT, EvilGPT, and PoisonGPT, have also surfaced, each offering various capabilities ranging from phishing email generation to hacking tutorials.
Additionally, threat actors are increasingly attempting to jailbreak mainstream LLMs like ChatGPT and Google Bard to bypass safety measures, and some are even recruiting AI experts to develop custom uncensored models tailored to specific attack vectors.
The enhancement of WormGPT with Grok and Mixtral demonstrates how threat actors are leveraging the latest advancements in AI for nefarious purposes.
As these tools become more sophisticated and accessible, the cybersecurity landscape faces unprecedented challenges. Vigilance, innovation, and collaboration among security professionals are essential to counter the evolving threat posed by blackhat AI tools like WormGPT.
Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates
Source link
