The rapid evolution of malicious AI tools has entered a new and dangerous phase with the emergence of WormGPT 4 and KawaiiGPT, two uncensored large language models (LLMs) purpose-built for cybercrime.
According to a new report from Palo Alto Networks’ Unit 42, these tools can generate phishing lures, ransomware payloads, data exfiltration scripts, and lateral movement automation, often within seconds and at little or no cost.
WormGPT 4 is the latest evolution of a malicious model originally based on the GPT-J 6B architecture. First seen in 2023, it offered “uncensored” AI access, stripping away the ethical restrictions present in mainstream systems. Unlike prompt-injected models, WormGPT 4 appears to be either a heavily fine-tuned or persistently jailbroken custom model. It is marketed as a full criminal SaaS product, complete with subscription plans ranging from $50/month to $220 lifetime access, a web interface, and an active Telegram community.
Unit 42 researchers confirmed the model’s ability to generate working ransomware in PowerShell, complete with AES-256 encryption and optional Tor-based data exfiltration. It can also craft highly convincing phishing emails and extortion notes designed to manipulate victims and evade detection.
KawaiiGPT, by contrast, is a freely available, open-source alternative distributed via GitHub. Despite its anime-styled branding and casual interface, it is functionally potent. It can be deployed in minutes on Linux systems and provides a command-line interface capable of generating spear-phishing emails, Python scripts for SSH-based lateral movement (using paramiko), and email data theft pipelines leveraging Python’s smtplib.
Though more rudimentary than WormGPT, KawaiiGPT can instantly create ransomware notes with payment instructions, social engineering lures, and functional data exfiltration code. It is supported by an active Telegram group where users request features and share attack prompts, further reducing the skill needed to execute sophisticated attacks.
WormGPT 4’s structured pricing and support mirror legitimate SaaS platforms, while KawaiiGPT’s free and open distribution makes it an “entry-level” tool for novice threat actors. This mirrors trends seen earlier in 2025 with GhostGPT, another Telegram-based malicious LLM that provided uncensored content, phishing templates, and exploit code on demand.
The creators of WormGPT 4 remain anonymous but demonstrate a clear grasp of commercialization. The model is promoted across cybercrime forums like DarknetArmy with professional-looking ads and slogans like “Unleash Unrestricted AI Power.”
KawaiiGPT, now at version 2.5, appears to be maintained by a small anonymous team publishing weekly updates and engaging with users on Telegram. The developers promote the tool as a custom-built model and jokingly brand it a “sadistic cyber pentesting waifu.”
As AI continues to advance, the line between tool and weapon becomes thinner. What was once the domain of elite cybercriminals is now accessible to virtually anyone with a credit card or a GitHub account and basic code compiling knowledge.
Leave a Reply