WormGPT

WormGPT is a malicious or uncensored large language model (LLM) brand associated with cybercriminal use. The content consistently describes it as one of the earliest and most widely cited underground offensive LLMs, emerging in June 2023 and marketed on dark web forums and Telegram as having no content filters. Multiple sources in the content state it was based on GPT-J 6B or described as a jailbroken/fine-tuned open model, while later reporting notes that newer WormGPT-branded offerings may instead be wrappers around commercial models such as Grok or Mixtral with safety guardrails bypassed. The original project is reported to have voluntarily shut down on 2023-12-08 after media exposure, but the WormGPT name later resurfaced in copycat or commercialized variants including a SaaS-style 'WormGPT 4' offering advertised from September 2025.

Across the supporting content, WormGPT is associated with generating persuasive phishing and business email compromise content, improving grammar and localization of lures, assisting malware and malicious code development, supporting reconnaissance and vulnerability-related tasks, and generally lowering the barrier to entry for cybercrime. Reported use cases include phishing automation, social engineering, malware scaffolding, customizable malware code generation, ransomware-related code generation, reconnaissance automation, brute force and exploitation support, and fraud automation. One cited analysis states WormGPT 4 generated functional PowerShell ransomware-related code for Windows that encrypted PDF files with AES-256 and included an optional Tor-based exfiltration component, as well as ransom-note content. Other reporting in the content characterizes WormGPT as enabling more convincing BEC messages and customizable malware code.

The content links WormGPT broadly to financially motivated cybercriminals and underground-market users rather than to a single stable threat actor. It is repeatedly referenced alongside other illicit LLM brands such as FraudGPT, GhostGPT, KawaiiGPT, Xanthorox, EvilGPT, and MalwareGPT. Some reporting also cites public claims that state-linked or proxy actors use tools such as ChatGPT and WormGPT for malicious code generation, vulnerability discovery, and phishing, but the content does not provide direct technical attribution of WormGPT itself to a specific state operator.

Distribution and access described in the content include dark web markets, underground forums, Telegram channels, GitHub, and Hugging Face ecosystems. Commercialization details mentioned include subscription-based access, with one WormGPT 4 offering advertised at $50 monthly, $175 annually, and $220 lifetime, and another source describing cheap subscription access. A separate report in the content states a WormGPT user database leak on 2026-02-02 exposed email, payment, and subscription information for more than 19,000 users.

The content does not provide stable malware-style indicators of compromise such as hashes, domains, mutexes, or C2 infrastructure specifically for WormGPT itself. High-confidence identifiers present in the content are the malware/tool name WormGPT, aliases limited to the same spelling, its emergence timeframe of June 2023, and its recurring branding in underground AI-tool markets.