Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
Malware

Xanthorox

Xanthorox is an AI-enabled offensive cyber tool advertised for cyberattack and privacy-violation activities. The provided content places its emergence in April 2025 and lists it alongside underground or openly distributed malicious LLM-style tools such as WormGPT, GhostGPT, FraudGPT, EvilGPT, KawaiiGPT, HexStrike AI, and BruteForce AI. It is described as being marketed as a custom AI for cyber offensive purposes and as having no content filter, but reporting cited in the content states that investigation found it was powered by several third-party and commercial AI products, including Gemini, rather than being a novel proprietary model. More broadly, the content characterizes tools in this category as supporting offensive workflows such as phishing automation, malware development, reconnaissance, code generation, vulnerability exploitation, and privacy-invasive activity. No specific infection vector, malware payload behavior, victimology, targeted industry, threat actor attribution, or concrete IOCs unique to Xanthorox are provided in the content.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
MITRE ATT&CK

Techniques & procedures

3 distinct techniques documented for this family, organized by ATT&CK tactic.

Reconnaissance

1 technique
T1590Gather Victim Network InformationEvidence1

key capabilities have been segmented into phishing automation, malware development, reconnaissance, brute force, vulnerability exploitation, and social engineering.

Initial Access

1 technique
T1566PhishingEvidence2

So they are useful for generating phishing content or simple malware stubs...

Other

1 technique
T1656ImpersonationEvidence1

key capabilities have been segmented into phishing automation, malware development, reconnaissance, brute force, vulnerability exploitation, and social engineering.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app
intezer blogNews
Jun 3, 2026
How attackers are gaining access to LLM inference - Intezer

Cyber-oriented LLM marketed on underground forums for offensive use without content filtering; described as useful for phishing content or simple malware stubs.

Read more
ahnlab asec blogNews
May 27, 2026
The proliferation and evolution of AI-powered hacking tools - how generative AI has changed the cyber attack ecosystem and response strategies - ASEC

AI-enabled tool used to support cyber attacks and privacy-violating activity.

Read more
ahnlab asec blogNews
May 21, 2026
The proliferation and evolution of AI-powered hacking tools - from dark web distribution to autonomous attacks - ASEC

AI-based hacking tool referenced as part of the ecosystem of offensive AI tools distributed on dark web and other platforms.

Read more
bank info securityNews
Feb 13, 2026
State Hackers Turn Google AI Into Attack Acceleration Tool

Advertised as an AI-enabled offensive cyber toolkit; investigation indicates it is largely a wrapper around third-party/commercial AI services (including Gemini) rather than a standalone model.

Read more
+1 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping3

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.