WormGPT 4

WormGPT 4 is a malicious large language model (LLM) marketed for cybercrime and described by Palo Alto Networks Unit 42 as an unrestricted or “dark LLM.” It is presented as a successor to the original WormGPT that emerged in 2023 and advertises itself as “your key to an AI without boundaries.” According to the reporting, WormGPT 4 began being advertised around September 27 on Telegram and underground forums including DarknetArmy, with subscription pricing of $50 per month or $220 for lifetime access with source code.

High-confidence reporting states that threat actors use WormGPT 4 to generate convincing phishing lures and ransomware code, lowering the barrier to entry for cybercriminal operations and enabling AI-assisted malware development without normal safety restrictions. Unit 42 tested the tool and found it could generate Windows ransomware in PowerShell that encrypted PDF files, dropped a ransom note with a 72-hour payment deadline, used AES-256 encryption, allowed configurable targeting such as file extension and search path with defaults covering the C:\ drive, and included an option for Tor-based data exfiltration. Researchers assessed that the generated output could potentially be used in real-world attacks, but still required human modification to evade traditional security protections.

The content associates WormGPT 4 with phishing and ransomware use cases rather than a specific intrusion set, and describes it as being actively used in the threat landscape by attackers. Targeting is broad and opportunistic based on the described capabilities, with specific tested support for Windows hosts. No concrete file hashes, domains, or other traditional indicators of compromise are provided in the source content.