Researchers from the University of Toronto's CleverHans Lab have demonstrated that attackers do not need frontier AI models to create autonomous, self-replicating malware capable of spreading across enterprise networks. Their prototype worm, powered by a free large language model running on local hardware, successfully compromised 27 of 33 systems in a simulated corporate environment over seven days. The worm autonomously identified open ports, fingerprinted services, located vulnerabilities from authoritative threat catalogs (CISA KEV, OWASP Top 10, MITRE ATT&CK), and exploited both old and newly disclosed flaws along with common misconfigurations such as reused passwords.
The research team built a custom agentic framework to compensate for the limitations of smaller, locally hosted models that lack the massive context windows and reasoning capabilities of commercial frontier models like Claude Opus or GPT-5.5. This harness splits complex penetration testing tasks into phases executed by multiple sub-agents working in parallel, sharing results through a hierarchical memory system. The framework includes specialized prompts for different attack stages, a skill system providing context-aware guidance, and multi-agent coordination for intelligence sharing across compromised instances. Similar frameworks like RAPTOR and SecOpsAgentKit already exist in open-source form for security research purposes.
The simulated network included virtual machines running various operating systems (Ubuntu, Debian, Windows Server, Alpine Linux, Rocky Linux, CentOS), configured to represent typical corporate infrastructure, including web servers, IoT devices, and industrial control systems. Researchers intentionally left systems vulnerable to both remotely exploitable flaws for initial access and local privilege escalation weaknesses. The worm correctly identified vulnerabilities in 82% of attempts and achieved successful exploitation in 44% of those cases. While the exploitation rate appears modest, the parallel, swarm-like implementation, in which each compromised system became a new malicious agent, compensated for individual failures, resulting in high overall success. Systems equipped with GPUs allowed the worm to hijack computing resources and run the model locally, reducing attacker infrastructure requirements.
The implications extend beyond proof-of-concept demonstrations. Security researchers from Forescout confirmed in separate studies that open-weight models, when paired with specialized frameworks like RAPTOR, have already discovered zero-day vulnerabilities in production software such as OpenDNS. Underground forum discussions monitored by Forescout indicate cybercriminals are increasingly focusing on open-source and commercial models rather than custom-trained underground variants. The University of Toronto prototype demonstrated that knowledge about newly disclosed vulnerabilities can be integrated into the worm's knowledge base within hours of public disclosure, dramatically compressing the window defenders have to respond.
Organizations must accelerate their security response capabilities to match the speed of AI-assisted attacks. The researchers recommend adopting AI-assisted penetration testing and fuzzing to proactively discover exploitable weaknesses, but emphasize the critical need to deploy patches and mitigations faster than current practices allow. Basic defensive measures remain effective: the prototype was noisy and left behavioral signatures detectable by endpoint and network monitoring systems, and the simulated network lacked fundamental protections like network segmentation and zero-trust architecture that could prevent lateral movement. Security experts warn that until mature defensive AI systems emerge, organizations must empower security teams with coding agents to operate at machine speed while defending those agents in turn.
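The propagation pattern described above, where each compromised system becomes a new scanning agent, is a behavior network monitoring can key on. The following Python sketch is an added example, not code from the researchers or the article: it flags hosts that fan out to many internal targets and then links a scanner to any host it touched that later starts scanning itself. The flow record format, thresholds and addresses are constructed assumptions.

```python
from collections import defaultdict

# Assumed flow record: (epoch_seconds, src_ip, dst_ip, dst_port).
FANOUT_THRESHOLD = 10   # assumed: distinct (dst, port) pairs within the window
WINDOW_SECONDS = 300    # assumed sliding-window length

def find_scanners(flows):
    """Map each fan-out source to the time it first reached the threshold."""
    recent = defaultdict(list)          # src -> [(ts, dst, port)] inside window
    scanners = {}
    for ts, src, dst, port in sorted(flows):
        window = [e for e in recent[src] if ts - e[0] <= WINDOW_SECONDS]
        window.append((ts, dst, port))
        recent[src] = window
        targets = {(d, p) for _, d, p in window}
        if src not in scanners and len(targets) >= FANOUT_THRESHOLD:
            scanners[src] = ts
    return scanners

def find_propagation_chains(flows):
    """Return (parent, child) pairs: child was contacted by a scanning parent
    before the child itself began fanning out (worm-like hand-off)."""
    scanners = find_scanners(flows)
    first_contact = {}                  # (src, dst) -> earliest timestamp
    for ts, src, dst, _ in sorted(flows):
        first_contact.setdefault((src, dst), ts)
    return sorted(
        (src, dst) for (src, dst), ts in first_contact.items()
        if src in scanners and dst in scanners and ts < scanners[dst]
    )

def build_sample_flows():
    """Constructed sample data, not captured traffic."""
    flows = []
    for i in range(12):   # 10.0.0.5 sweeps 12 hosts on port 22 from t=0
        flows.append((i * 5, "10.0.0.5", f"10.0.0.{20 + i}", 22))
    for i in range(12):   # 10.0.0.21, touched at t=5, sweeps from t=600
        flows.append((600 + i * 5, "10.0.0.21", f"10.0.1.{10 + i}", 445))
    for i in range(30):   # benign: one client, one server, many requests
        flows.append((i * 10, "10.0.0.50", "10.0.0.10", 443))
    for i in range(12):   # slow sweep spaced wider than the window: not flagged
        flows.append((i * 400, "10.0.0.60", f"10.0.2.{10 + i}", 80))
    return flows

if __name__ == "__main__":
    sample = build_sample_flows()
    print("scanners:", find_scanners(sample))
    print("chains:", find_propagation_chains(sample))
```

The slow sweep from 10.0.0.60 going unflagged shows the limit of a fixed window: in practice the threshold and window need tuning against baseline traffic, and segmentation remains the control that stops the hand-off itself.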
Source: https://www.csoonline.com/article/4181924/ai-worm-prototype-shows-attackers-dont-need-mythos-to-take-over-your-network.html


