Researchers at the University of Toronto have unveiled an AI-powered computer worm capable of autonomously adapting its attack methods as it moves through a network.
The proof-of-concept malware was built using publicly available open-weight AI models, showing that advanced offensive capabilities may no longer require access to cutting-edge AI systems or significant computing resources.
The research, published on June 2 as a preprint, was led by Nicolas Papernot of the University of Toronto and the Vector Institute, alongside Jonas Guan, Tom Blanchard, Hanna Foerster, Hengrui Jia, and Gabriel Huang. The team conducted all testing inside an isolated virtual environment and says it withheld key technical details to prevent abuse.
Unlike traditional worms, which rely on a fixed set of exploits, the prototype uses an AI agent capable of reconnaissance, reasoning, and tool use. When it encounters a new device, it analyzes the system, identifies vulnerabilities, and generates a tailored attack strategy before replicating itself on the next target. The researchers describe the approach as a shift from pre-programmed exploitation to goal-directed decision-making.
cleverhans.io
In their experiments, the researchers deployed the worm in a simulated corporate network containing Linux, Windows, and IoT devices. The malware successfully propagated by exploiting a variety of known vulnerabilities, weak credentials, and configuration mistakes rather than relying on previously unknown “zero-day” flaws. The team reported that the worm reached roughly half of a 33-host test network within five days.
cleverhans.io
A key finding was that the worm could operate using a relatively small open-weight large language model running on a single GPU. Once a machine was compromised, its computing resources were added to the worm's infrastructure, allowing infected systems to help power future attacks. According to the researchers, this effectively reduces the attacker's operational costs as the infection spreads.
Because the prototype runs entirely on locally hosted open-weight models, safeguards implemented by commercial AI providers, such as content filtering, rate limits, and service restrictions, cannot prevent its operation.
Papernot argues that the cybersecurity community has largely focused on the risks posed by the most powerful frontier AI models while underestimating what smaller, freely available systems can accomplish when combined with autonomous agent frameworks.
The team notified Canadian science, security, and defense authorities before publication and intentionally omitted details such as the underlying model, reasoning architecture, and tooling framework. The worm was also not equipped with stealth or evasion features, though the researchers warn that future variants developed by threat actors could incorporate them.
While the prototype remains a research project, the researchers warn that organizations should prepare for increasingly adaptive malware that can rapidly incorporate newly disclosed vulnerabilities into attack campaigns.
To reduce risk, it is recommended to maintain aggressive patching practices, enforce strong passwords and multifactor authentication, adopt network segmentation and zero-trust architectures, and use automated vulnerability discovery tools to identify weaknesses before attackers do. As AI models become more efficient and accessible, the window for detecting and stopping worm attacks will shrink.
Leave a Reply