Full Report
Unrestricted large language models (LLMs) like WormGPT 4 and KawaiiGPT are improving their capabilities to generate malicious code, delivering functional scripts for ransomware encryptors and lateral movement. [...]
Analysis Summary
# Tool/Technique: Ransomware Encryption Script Generation (WormGPT 4)
## Overview
This capability refers to the malicious code generated by the unrestricted LLM, WormGPT 4, specifically designed to function as a ransomware encryptor capable of targeting and encrypting files (e.g., PDF documents) on a compromised Windows host using AES-256 encryption.
## Technical Details
- Type: Technique (LLM-assisted Tool Generation)
- Platform: Windows (Targeted host OS)
- Capabilities: Generation of PowerShell scripts for file enumeration, AES-256 encryption, and optional data exfiltration via Tor.
- First Seen: The resurgence of WormGPT 4 was observed in September (the year is not stated explicitly in the text, but the source is dated 2025).
## MITRE ATT&CK Mapping
- TA0011 - Collection
  - T1005 - Data from Local System
    - T1005.001 - Email
- TA0040 - Impact
  - T1486 - Data Encrypted for Impact
## Functionality
### Core Capabilities
- Generation of functional PowerShell scripts for ransomware operations.
- Enumeration of specific target file extensions (e.g., PDF) within defined paths on a Windows filesystem.
- Implementation of data encryption using the AES-256 algorithm.
### Advanced Features
- Inclusion of a module to exfiltrate encrypted data over the Tor network.
- Generation of polished and "chilling" ransom notes, claiming "military-grade encryption" and establishing a payment deadline (e.g., 72 hours) with a doubling penalty threat.
- Enables low-skilled attackers to deploy sophisticated encryption tooling.
## Indicators of Compromise
- File Hashes: N/A (The output is generated code, not a static malware sample)
- File Names: N/A (Scripts are custom-generated)
- Registry Keys: N/A
- Network Indicators: Potential use of Tor exit nodes for exfiltration (Defanged: `[Tor Network Traffic]`)
- Behavioral Indicators: Execution of PowerShell scripts designed for mass file modification and encryption; outbound traffic potentially routed via Tor.
## Associated Threat Actors
Inexperienced attackers leveraging LLMs for complex attacks.
## Detection Methods
- Signature-based detection: Signatures targeting the unique functions (AES-256 usage, specific Tor proxy calls) within the generated PowerShell scripts.
- Behavioral detection: Detection of abnormal, recursive file system access coupled with high CPU usage typical of encryption routines, or PowerShell invoking network traffic over Tor.
- YARA rules: Applicable to generated source code patterns.
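The behavioral detection described above can be approximated from file-write telemetry. The following is an added example, not code from the source report: it flags a process that rewrites several `.pdf` files so that they lose the `%PDF-` header and look like random data. The event tuple layout, the thresholds, the process names and the sample events are all assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

PDF_MAGIC = b"%PDF-"  # every valid PDF file starts with this header

def entropy(data):
    """Shannon entropy in bits per byte (8.0 is the maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def rewritten_as_ciphertext(path, after, min_entropy=7.5):
    """True if a .pdf lost its header and its new content looks random."""
    return (path.lower().endswith(".pdf")
            and not after.startswith(PDF_MAGIC)
            and entropy(after) >= min_entropy)

def flag_processes(events, min_files=3):
    """events: iterable of (process, path, bytes_after_write).
    Returns processes that turned at least min_files distinct PDFs into
    header-less, high-entropy data (thresholds are assumptions)."""
    hits, seen = Counter(), set()
    for proc, path, after in events:
        if (proc, path) not in seen and rewritten_as_ciphertext(path, after):
            seen.add((proc, path))
            hits[proc] += 1
    return sorted(p for p, n in hits.items() if n >= min_files)

def fake_ciphertext(seed, size=4096):
    """Constructed stand-in for encrypted bytes: a SHA-256 counter stream."""
    return b"".join(hashlib.sha256(f"{seed}:{i}".encode()).digest()
                    for i in range(size // 32))

# Constructed events, not real telemetry.
PLAIN_PDF = PDF_MAGIC + b"1.7\n" + b"quarterly report text " * 200
EVENTS = [("powershell.exe", rf"C:\Users\a\Docs\f{i}.pdf", fake_ciphertext(i))
          for i in range(4)]
EVENTS.append(("AcroRd32.exe", r"C:\Users\a\Docs\notes.pdf", PLAIN_PDF))
EVENTS.append(("backup.exe", r"C:\Users\a\Docs\f9.pdf", fake_ciphertext(9)))

if __name__ == "__main__":
    print(flag_processes(EVENTS))
```

The header check matters because compressed PDF streams are already high-entropy, so entropy alone would produce false positives on ordinary saves.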
## Mitigation Strategies
- Application Control/Whitelisting to restrict the execution of unsanctioned PowerShell scripts.
- Routine backup and recovery procedures tested against encryption events.
- Network monitoring for unusual outbound connections routed through the Tor network.
## Related Tools/Techniques
- WormGPT 4 (Malicious LLM)
- Ransomware (General functionality)
---
# Tool/Technique: Lateral Movement and Phishing Automation (KawaiiGPT)
## Overview
KawaiiGPT, a community-driven LLM, is used to generate ready-to-run scripts for automating lateral movement (via SSH) and crafting sophisticated, contextually relevant phishing and credential-harvesting messages, as well as data exfiltration scripts.
## Technical Details
- Type: Technique (LLM-assisted Tool Generation)
- Platform: Linux (for lateral movement script), Windows (for filesystem traversal/exfiltration script)
- Capabilities: Generation of spear-phishing lures, Python scripts for remote command execution via SSH, and file exfiltration scripts utilizing SMTP.
- First Seen: Spotted in July of this year (context implies 2025).
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (Implicit via context)
- TA0008 - Lateral Movement
  - T1021 - Remote Services
    - T1021.001 - Remote Desktop Protocol (via SSH interaction/command execution)
- TA0010 - Exfiltration
  - T1048 - Exfiltration Over Alternative Protocol
    - T1048.003 - Exfiltration Over Custom Protocol (Implied use of SMTP for non-standard routing)
## Functionality
### Core Capabilities
- **Spear-Phishing Generation:** Creating messages with realistic domain spoofing and embedding links designed for credential harvesting.
- **Lateral Movement Scripting:** Generating Python scripts leveraging the `paramiko` SSH library to connect to remote hosts and execute arbitrary commands using `exec_command()`.
- **Data Exfiltration Scripting:** Generating Python scripts to recursively search the Windows filesystem (`os.walk`) for targets and exfiltrate data via the standard Python `smtplib` library to an adversary-controlled mailbox.
- **Ransom Note Generation:** Creating customizable ransom notes with defined payment structures.
### Advanced Features
- Scripts are generated quickly (setup on Linux in five minutes).
- Ability to create highly polished social engineering lures lacking typical grammatical errors.
- Command execution capability allows for privilege escalation, data theft, and subsequent payload deployment.
## Indicators of Compromise
- File Hashes: N/A (Scripts are generated on demand)
- File Names: N/A (Scripts are custom-generated)
- Registry Keys: N/A
- Network Indicators: SSH connections to internal/external hosts established by generated scripts; SMTP connections used for covert data exfiltration (Defanged: `[SSH Traffic to Target Host]`, `[SMTP Traffic Outbound]`).
- Behavioral Indicators: Execution of Python scripts utilizing `paramiko` for remote shell command delivery; process spawning exhibiting filesystem recursion (`os.walk`) followed by immediate network connection (`smtplib`).
## Associated Threat Actors
Inexperienced attackers leveraging LLMs for multi-stage attack automation.
## Detection Methods
- Signature-based detection: Signatures on Python scripts containing specific library imports (`paramiko`, `smtplib`) combined with filesystem traversal or network connection commands.
- Behavioral detection: Monitoring for unusual Python process behavior indicating remote command execution or bulk data staging followed by email transmission.
- YARA rules: Applicable to generated Python source code patterns.
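The signature idea above, imports combined with specific calls, can be checked on the syntax tree rather than with string matching, which survives import aliases and reformatting. The following is an added example, not code from the source report: the rule names, the rule table and the sample snippets are constructed for illustration, and a hit is a triage lead because legitimate automation also uses these libraries.

```python
import ast

# Pairings named in the report; rule labels are this example's own.
# "calls" is a list of groups: each group needs at least one match.
RULES = {
    "ssh-remote-exec": {"imports": {"paramiko"}, "calls": [{"exec_command"}]},
    "walk-then-smtp": {"imports": {"os", "smtplib"},
                       "calls": [{"walk"}, {"sendmail", "send_message"}]},
}

def features(source):
    """Return (top-level modules imported, names of functions/methods called)."""
    imports, calls = set(), set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            imports.update(a.name.split(".")[0] for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            imports.add(node.module.split(".")[0])
        elif isinstance(node, ast.Call):
            func = node.func
            if isinstance(func, ast.Attribute):
                calls.add(func.attr)
            elif isinstance(func, ast.Name):
                calls.add(func.id)
    return imports, calls

def scan(source):
    """Return the sorted names of rules a Python source file matches."""
    try:
        imports, calls = features(source)
    except SyntaxError:
        return ["unparseable"]  # route to manual review, do not drop silently
    return sorted(name for name, rule in RULES.items()
                  if rule["imports"] <= imports
                  and all(group & calls for group in rule["calls"]))

# Constructed snippets: parsed only, never executed; upper-case names are placeholders.
SAMPLE_LATERAL = ("import paramiko as p\nc = p.SSHClient()\n"
                  "c.connect(HOST)\nc.exec_command(CMD)\n")
SAMPLE_EXFIL = ("import os, smtplib\nfor r, d, f in os.walk(ROOT):\n    pass\n"
                "smtplib.SMTP(HOST).sendmail(A, B, MSG)\n")
SAMPLE_BENIGN = "import smtplib\nsmtplib.SMTP(HOST).sendmail(A, B, 'disk alert')\n"

if __name__ == "__main__":
    for label, src in [("lateral", SAMPLE_LATERAL), ("exfil", SAMPLE_EXFIL),
                       ("benign", SAMPLE_BENIGN)]:
        print(label, scan(src))
```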
## Mitigation Strategies
- Implement Network Segmentation to limit the scope of successful SSH lateral movement.
- Deploy Email Security Gateways capable of deep link analysis and identification of credential-harvesting links.
- Enforce Multi-Factor Authentication (MFA) to mitigate the success of harvested credentials.
## Related Tools/Techniques
- KawaiiGPT (Malicious LLM)
- Paramiko (Legitimate library used maliciously)