Key Takeaways:
- New “dark” large language models (LLMs) such as WormGPT 4 and KawaiiGPT are being marketed on underground forums and the open web to facilitate hacking, phishing, and malware generation.
- These tools dramatically reduce the skill and resource threshold needed for cyberattacks, enabling even inexperienced threat actors to generate phishing emails, ransomware scripts, and data-exfiltration code.
- One tool, WormGPT 4, is offered on a subscription basis, while a free alternative, KawaiiGPT, is openly available via GitHub, illustrating a growing commercial ecosystem around malicious AI.
- Security researchers warn that these malicious LLMs could reshape the cybercrime threat model, demanding that defenders and enterprises rethink how they assess and defend against AI-enabled attacks.
Cybercrime is entering a new phase. Dark-web forums and even open GitHub repositories are distributing custom large language models built specifically to aid in hacking, phishing, ransomware creation, and other malicious activities. Two models are already getting attention from researchers and law enforcement: WormGPT 4 and KawaiiGPT.
These tools mark a significant shift in how cyber threats are delivered. Where earlier malware and phishing campaigns often required specialized skills, infrastructure, or coordination, standalone “dark” LLMs now enable virtually anyone to launch attacks. WormGPT 4, for instance, is offered via a commercial subscription model, complete with access to what appears to be the full source code. For a one-time payment, buyers may gain lifetime access. Meanwhile, KawaiiGPT, which is free and openly available, can be set up on a typical Linux machine in minutes. Its developers brand it as a sort of “cyber pentesting companion,” downplaying its malicious purpose with casual language while enabling serious attack capabilities.
In practical terms, the capabilities exposed by security researchers are striking. In tests conducted by a leading firm, WormGPT 4 produced a fully functional PowerShell ransomware script that encrypted documents on a Windows system using AES-256 encryption and included optional data-exfiltration over Tor. It even generated a ransom note with a 72-hour payment deadline. These outputs replicate the typical workflow of ransomware attacks, from payload creation to social engineering to delivery.
At the same time, LLM-powered phishing emails appear more realistic than ever. By generating grammatically correct, contextually coherent messages, these tools sidestep traditional red flags like broken English or odd phrasing, which have historically helped both automated filters and human analysts identify phishing attempts. This ability to generate polished, high-fidelity lures at scale significantly escalates the risk of successful social engineering across the enterprise.
The business model behind these tools is also significant. The developers of WormGPT 4 advertise clear plans and pricing, mirroring legitimate Software as a Service (SaaS) offerings. The appeal is not only technical but economic: low cost, minimal setup, and lack of complex infrastructure. This commercialization makes it easier for small-time operators or novices to participate in malicious activity. With KawaiiGPT freely available and supported by a modest but active developer community, the barrier to entry becomes negligible.
For enterprise technology buyers, security teams, or operators, this trend should raise alarms. The era in which sophisticated attacks were exclusive to highly skilled hackers or organized criminal groups may be fading. Instead, attackers may simply rely on subscription-based or open-source malicious LLMs to automate attacks. That means organizations may see a rise in low-cost, opportunistic attacks that no longer require heavy infrastructure or deep technical skill.
What does this imply for defenders and IT leaders? First, conventional detection methods, such as flagging poorly written phishing emails or rudimentary malware code, may no longer suffice. As malicious LLMs generate polished, coherent content and functional scripts, automated defenses must advance. Enterprises might need to invest more heavily in behavior-based detection, heuristic analysis, and anomaly detection rather than relying solely on signature-based approaches.
Second, risk assessments should evolve. Where previously organizations focused heavily on protecting against advanced persistent threats (APTs) and well-resourced attackers, they should now consider that even random threat actors, with minimal resources, could launch credible attacks. Security strategies may need to adjust to defend against a higher volume of medium-sophistication threats originating from a wider pool of actors.
Finally, this shift underscores the dual-use dilemma inherent in AI technologies. Tools designed with legitimate or neutral utility can be repurposed for malicious ends. As such, enterprises exploring AI adoption must balance innovation with rigorous governance, safety protocols, and proactive threat awareness across all new digital projects.
The emergence of WormGPT 4 and KawaiiGPT suggests that malicious LLMs are transforming cybercrime. For companies and security teams, that means rethinking both defensive posture and risk models in a world where AI-assisted attacks may soon become routine.

Aside from his role as CEO of TMC and chairman of ITEXPO #TECHSUPERSHOW Feb 10-12, 2026, Rich Tehrani is CEO of RT Advisors and a Registered Representative (investment banker) with and offering securities through Four Points Capital Partners LLC (Four Points) (Member FINRA/SIPC). He handles capital/debt raises as well as M&A. RT Advisors is not owned by Four Points.





