Malicious AI Exposed: WormGPT, MalTerminal, and LameHug

We need to stop pretending AI is just a shiny new toy for writing emails or debugging code because the uncomfortable truth is that it is revolutionizing cybercrime right under our noses. While the corporate world is busy marveling at productivity hacks, cybercriminals are quietly building an industrial complex of malicious Large Language Models. We are witnessing a fundamental shift in the threat landscape where the safety filters we rely on in tools like ChatGPT are completely nonexistent. The bad guys are not just bypassing these rails. They are building their own tracks.

Take WormGPT as the prime example of this new era. It is not just an uncensored chatbot but a dedicated partner in crime that fixes the one thing that used to save us, which is the sloppy grammar in phishing emails. It is terrifying to see a tool that can write flawless Business Email Compromise messages and generate "no mercy" ransomware scripts with the efficiency of a legitimate SaaS product. Then you have the absurdity of KawaiiGPT. It looks harmless with its anime-themed interface, but that is exactly why it is so dangerous. It effectively democratizes cybercrime by allowing any amateur to generate professional-grade spear-phishing attacks for free.

Also, threats like LameHug and MalTerminal are game-changers because they transform malware from a static script into a dynamic agent that thinks on its feet. These programs do not just contain bad code. They contain the ability to reach out to an AI, pretend to be a system administrator, and ask for fresh commands to steal your data.

This shift requires us to start looking for the conversation between the attacker and the LLM itself. If security teams are not actively scanning for specific indicators like API keys hidden in binaries or unexpected traffic communicating with AI platforms, there is a risk of missing the bigger picture. To stay effective, the focus really needs to expand to include detecting the prompts and intent behind the code rather than just the final payload.

In this blog, we will analyze the rise of malicious LLMs like WormGPT and the shift toward LLM-embedded malware. We will also equip you with a hunting checklist to detect the unique artifacts these AI-driven threats leave behind

How Are Malicious LLMs Transforming the Cyber Threat Landscape?

We all know AI is revolutionizing how we work, but here is the uncomfortable truth: it is also revolutionizing how cybercriminals attack. While you are using ChatGPT to draft emails or code faster, bad actors are using purpose-built "Malicious LLMs" to do the exact same thing for cybercrime.

Unlike the mainstream models we use that have safety filters, these malicious models are designed specifically to have zero ethical constraints. They will happily help anyone generate malware, write exploit code, or craft the perfect phishing email.

Let us walk you through the heavy hitters in this space.

WormGPT

The WormGPT Legacy

If you want to understand this threat, you have to start with WormGPT. This tool surfaced in July 2023, marketing itself as the "uncensored" alternative to tools like ChatGPT.

It was built on the open-source GPT-J 6B model but fine-tuned on a nasty diet of malware code, exploit write-ups, and phishing templates. This training made it fluent in the tactics, techniques, and procedures (TTPs) of cybercrime. 

The scary part? It writes incredible Business Email Compromise (BEC) messages without the bad grammar that usually tips us off. It also does "malware scaffolding", writing code snippets to build malware fast [1].

WormGPT 4

After the original version got too much media heat, they launched WormGPT 4. This is a fully commercialized service sold on Telegram that advertises a complete rejection of ethical boundaries.

Look at what happens when a user asks it to lock down PDF files on a Windows machine. The response is chillingly effective [1]:

As you can see, it defaults to searching the C:\ drive, uses AES-256 encryption, and even suggests data exfiltration via Tor. It also generates the ransom notes to go with it [1].

This is a business for them. They charge anywhere from $50 a month to $220 for lifetime access [1].

KawaiiGPT

If WormGPT is the expensive commercial tool, KawaiiGPT is the weird, free alternative that lowers the barrier to entry for everyone.

It popped up on GitHub in July 2025 with an "anime-themed" interface and a "waifu" persona. Don't let the cute name fool you; it is designed to be lightweight and dangerous.

The GitHub Repository structure of KawaiiGPT [1]:

When asked to write a spear-phishing email, it produces a polished, effective lure designed to steal credentials.

Its code generation capabilities were also observed. When prompted for "lateral movement," the model provided a functional Python script using the paramiko library [1].

Mitigation Strategies

The analysis of WormGPT and KawaiiGPT confirms that malicious LLMs are actively being used to democratize cybercrime. The availability of these tools means that sophisticated attacks, such as those involving polymorphic malware or targeted phishing, can be launched by individuals with minimal technical skill.

To defend against these AI-enhanced threats, a multi-layered security posture is required:

• Endpoint Detection and Response (EDR): Essential for detecting the execution of generated scripts, such as PowerShell ransomware or Python-based tools.
• Email Security: Advanced filtering is necessary to identify the linguistically precise phishing emails generated by these models, which may bypass traditional syntax-based filters.
• Validation: Security controls should be continuously tested against the specific tactics facilitated by these tools, including social engineering and automated malware deployment.

What Is LLM-Embedded Malware and How Does It Function Dynamically?

Now, here is where things get technically sophisticated. We aren't just talking about using AI to write malware anymore. We are seeing malware that actually contains the AI integration to execute attacks dynamically. These threats embed the necessary components, such as API keys and prompts, to drive malicious activity dynamically.

LameHug (aka PROMPTSTEAL)

This is a sophisticated threat. It usually arrives via phishing, masquerading as an "AI image generator" (filenames like AI_image_generator_v0.95.exe) [2].

When you run LameHug, it launches a "decoy" thread that pretends to generate images. But in the background, it spins up a malicious thread that contacts a public LLM (specifically Qwen 2.5-Coder-32B-Instruct via HuggingFace) to dynamically generate commands for reconnaissance, data exfiltration, and system manipulation [2].

It sends a prompt to the LLM acting as a "Windows systems administrator" and asks for command lines to gather intel and copy documents. The LLM_QUERY_EX() function constructs the prompt message sent to the LLM. The response from the LLM contains Windows command shell instructions used to steal information from the compromised host [2].

Through the analysis of LLM responses, it was observed that several standard Windows utilities (e.g., systeminfo,  wmic, whoami, dsquery, and xcopy.exe) are leveraged to collect detailed system information and consolidate sensitive files. The output of these commands is often saved to C:\ProgramData\info\info.txt [2]:

All data and information collected by the malware is exfiltrated to its command-and-control (C2) server via SSH/SFTP [2].

PromptLock (Academic PoC)

Although PromptLock was initially misidentified as ransomware, it was later revealed to be an academic proof-of-concept [3]. Regardless of its intent, the tool demonstrates the viability of integrating Large Language Models into malicious software.

It was observed that the PoC utilizes locally hosted LLMs to dynamically generate and execute malicious Lua scripts. These scripts are tasked with file enumeration, selective data exfiltration, and cross-platform payload execution. Specifically, the gpt-oss:20b model is called via the Ollama API to facilitate these actions.

The following activities are performed by the PoC:

• Reconnaissance: Prompts are sent to the API to gather system information.
• Data Exfiltration: Sensitive data is identified and exfiltrated.
• Data Destruction: Scripts for secure file deletion are generated and executed.
• Encryption: Files are encrypted using the SPECK block cipher in ECB mode. Random DWORD keys are generated for this purpose.

Below is the prompt used by the PoC for the first activity:

MalTerminal

MalTerminal represents a significant evolution in the landscape of cyber threats, marking one of the earliest known instances of "LLM-enabled" malware. Analysis indicates that the samples were likely developed prior to November 2023, based on the usage of a now-deprecated OpenAI chat completions API endpoint [4]. 

The primary function of the malware is to leverage the OpenAI GPT-4 model to generate malicious code on the fly. Upon execution, the operator is presented with options to generate specific payloads, such as ransomware or reverse shells [4]. This dynamic generation capability presents a challenge for traditional static signature detection, as the resulting malicious code may vary between executions.

How You Can Hunt and Stop Them

You cannot just look for "bad code" anymore. You need to start hunting for the artifacts of AI integration.

Here is your hunting checklist:

• API Keys: Look for embedded credentials. Credentials like sk-ant-api03 (Anthropic) or Base64 strings containing T3BlbkFJ (OpenAI) are dead giveaways [4].
• Suspicious DNS Traffic: Watch for processes like python.exe or cmd.exe making unexpected queries to AI domains like router.huggingface.co or api.openai.com.
• Prompt Signatures: You can detect the prompts themselves. Phrases like "Return only commands, without markdown" or "You are a cybersecurity expert" are often hardcoded into the malware.
• Process Behavior: Look for processes like "image generators" that suddenly spawn command-line shells to run reconnaissance commands like systeminfo or whoami.

How Picus Simulates LLM-Embedded Malware Attacks?

We also strongly suggest simulating LLM-Embedded Malware Attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other malware variants, such as BRICKSTORM, VenomRAT, Chinotto, and Rustonotto, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for the LLM-Embedded Malware Attacks:

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.

Key Takeaways

• Malicious LLMs such as WormGPT and KawaiiGPT remove safety controls and enable the rapid creation of phishing content, malware scaffolding, and targeted social engineering with minimal user skill.
• LLM embedded malware, such as LameHug and MalTerminal, dynamically generates malicious commands at runtime by querying public or commercial LLMs, making detection through static signatures unreliable.
• LameHug demonstrates real-time system discovery and data theft driven by LLM-generated Windows commands, followed by automated exfiltration to a C2 server.
• PromptLock shows that locally hosted LLMs can be integrated into malware to perform reconnaissance, selective data collection, file destruction, and encryption.
• Detection must include searching for embedded API keys, unexpected outbound traffic to AI platforms, hardcoded prompt patterns, and benign-looking processes spawning command shells.

References

[1] Unit, “The Dual-Use Dilemma of AI: Malicious LLMs,” Unit 42. Accessed: Dec. 03, 2025. [Online]. Available: https://unit42.paloaltonetworks.com/dilemma-of-ai-malicious-llms/

[2] T. Contreras, “From Prompt to Payload: LAMEHUG’s LLM-Driven Cyber Intrusion,” Splunk. Accessed: Dec. 03, 2025. [Online]. Available: https://www.splunk.com/en_us/blog/security/lamehug-ai-driven-malware-llm-cyber-intrusion-analysis.html

[3] A. C. Strýček, “First known AI-powered ransomware uncovered by ESET Research.” Accessed: Dec. 03, 2025. [Online]. Available: https://www.welivesecurity.com/en/ransomware/first-known-ai-powered-ransomware-uncovered-eset-research/

[4] A. Delamotte, V. Kamluk, and G. Bernadett-Shapiro, “Prompts as Code & Embedded Keys,” SentinelOne. Accessed: Dec. 03, 2025. [Online]. Available: https://www.sentinelone.com/labs/prompts-as-code-embedded-keys-the-hunt-for-llm-enabled-malware/