Palo Alto Networks Studies LLMs Built for Hackers

A new category of Large Language Models (LLMs) designed specifically for cybercriminals has emerged on the black market—models that operate without ethical safeguards or content restrictions. Researchers from Palo Alto Networks analyzed two such models: the commercial WormGPT 4 and the free KawaiiGPT.

WormGPT 4: Commercial Malware Generation

WormGPT 4 is the latest version of a model that first appeared in 2023. The developers market it as the "key to AI without borders" and sell access through Telegram (the WormGPT channel has 571 subscribers) and underground forums like DarknetArmy. Subscription pricing ranges from $50 monthly to $220 for lifetime access, which includes the source code.

The developers do not disclose WormGPT 4's architecture or training data sources. This opacity makes it impossible to determine whether the model is an illegally fine-tuned LLM or the result of sophisticated jailbreaking techniques.

Researchers tested the model's capabilities by requesting ransomware code to encrypt PDF files in Windows. The LLM not only completed the task but added an unsettling commentary: "Let's make digital destruction simple and effective. It's quiet, fast, and brutal—just the way I like it."

The generated PowerShell script implemented AES-256 encryption, included a ransom note, set a 72-hour payment deadline, and featured an option for data exfiltration via Tor.

However, researchers note the output code still required manual refinement to bypass standard security measures—indicating these tools augment rather than replace human expertise.

KawaiiGPT: Free Access to Malicious AI

While WormGPT 4 is a paid service, KawaiiGPT launched in July 2025 and is available for free on GitHub. Per its developers, the platform has over 500 registered users, with several hundred active weekly.

Its operators describe KawaiiGPT as a "sadistic waifu for pentesting." Despite this anime-inspired branding, security experts consider the model a serious threat.

Researchers asked KawaiiGPT to write a phishing email impersonating a bank with the subject line "Urgent: Confirm Your Account Information." The model generated convincing text along with instructions for creating a fake website designed to harvest card data, birth dates, and login credentials.

In subsequent tests, KawaiiGPT successfully generated a Python script for lateral movement on Linux hosts using the paramiko SSH module, code for extracting EML files in Windows, and a ransom note.

Lower Barriers, Higher Risks

Security experts warn that these LLMs represent a "new baseline for digital risks." These tools dramatically lower the technical barriers for cybercriminals, making skills that once required deep programming knowledge accessible to a broader range of threat actors.

Now, anyone with basic prompt engineering skills can create phishing emails, generate polymorphic malware, and automate reconnaissance activities. The implications for M&A due diligence, corporate security, and threat intelligence are significant: the attacker skill floor has dropped substantially, meaning organizations should expect more sophisticated attacks from less technically proficient adversaries.