University of Toronto researchers demonstrate how open-weight local LLMs can be used to autonomously exploit flaws and misconfigurations typically found in enterprise networks, feeding off hijacked GPUs to fuel self-replication.
Researchers from the University of Toronto developed a computer worm prototype powered by an AI agent that successfully self-replicated to different systems within a simulated computer network. The worm used a free, open-weight large language model (LLM) running on local hardware and exploited a mix of older and recently disclosed vulnerabilities, as well as misconfigurations that remain all too common in enterprise environments.
At a time when CISOs and the security industry are concerned about the ability of frontier models such as Anthropic’s Mythos to find zero-day vulnerabilities in critical software, this experiment is a reminder that attackers don’t need cutting-edge AI to wreak havoc across typical corporate networks. In fact, using paid models accessible only via APIs would be a point of failure for an autonomous malicious system like a computer worm, because prompts constructed to bypass safety guardrails would quickly be detected and blocked by the AI labs.
“We discovered that it is possible to create an AI-driven computer worm, using only small, free AI models, that can autonomously identify each machine’s unique weak points (including vulnerabilities just reported by industry and misconfigurations such as reused passwords) and exploit them, hijacking computing power to take over regular devices such as laptops, cameras, and everything else online, and then copying itself onto servers and networks to either steal data or launch new attacks,” the research team from the University of Toronto’s CleverHans Lab said in their report. “We did this without using the newest, most powerful AI models. There is no single defence against this new threat.”
Building an agentic harness for offensive cyberattacks
While frontier models such as Claude Opus and GPT 5.5 offer million-token context windows and can reason for tens of minutes or even hours on a single task, that approach does not transfer to locally hosted LLMs running on a single GPU: their context windows are much smaller, and they generally exhibit weaker instruction-following for agentic tasks.
Vibe-coding software developers who ran into the same limits earlier solved them by building custom harnesses and agentic frameworks that split complex software engineering projects into phases and steps, executed by multiple sub-agents in parallel that share results through some form of memory system, ranging from a markdown file to a database.
The CleverHans Lab researchers adopted those lessons to build their own harness for offensive security purposes to compensate for local LLM limitations, complete with phases and task-specific nodes that make LLM calls with specialized prompts.
“This core is supported by complementary systems: a hierarchical memory that preserves discoveries across independent LLM calls, tools and their handlers that encapsulate common action sequences and interpret execution results, a skill system that injects context-aware pentesting guidance on demand, and multi-agent coordination that shares intelligence across instances,” they explained in their paper.
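The hierarchical memory and task-specific prompt construction described above, as an added Python illustration; this is not the CleverHans Lab code, whose internals the paper does not publish here. It assumes a memory tree with network, host and service scopes, a crude four-characters-per-token estimate in place of the model's real tokenizer, and constructed sample facts. The point it shows is how each LLM call can stay stateless and small while discoveries from earlier phases still reach later ones, with the most target-specific facts rendered first so a tight context budget drops distant facts before near ones.

```python
from dataclasses import dataclass, field
from typing import Optional


def approx_tokens(text: str) -> int:
    """Crude token estimate (about four characters per token). An assumption
    standing in for the local model's real tokenizer."""
    return max(1, len(text) // 4)


@dataclass
class Scope:
    """One level of the memory tree: network -> host -> service."""
    name: str
    parent: Optional["Scope"] = None
    facts: dict = field(default_factory=dict)
    children: dict = field(default_factory=dict)

    def path(self) -> str:
        parts, node = [], self
        while node is not None:
            parts.append(node.name)
            node = node.parent
        return "/".join(reversed(parts))

    def lookup(self, key: str) -> Optional[str]:
        """Nearest scope wins: a fact recorded on a service shadows the same key
        recorded on its host or on the whole network."""
        node = self
        while node is not None:
            if key in node.facts:
                return node.facts[key]
            node = node.parent
        return None


class HierarchicalMemory:
    """Shared store that survives between otherwise stateless LLM calls."""

    def __init__(self) -> None:
        self.root = Scope("network")

    def scope(self, *parts: str) -> Scope:
        """Return the scope at network/<parts...>, creating it on demand."""
        node = self.root
        for part in parts:
            if part not in node.children:
                node.children[part] = Scope(part, parent=node)
            node = node.children[part]
        return node

    def record(self, parts, key: str, value: str) -> None:
        """Persist a discovery made by one node (e.g. a recon phase) for later phases."""
        self.scope(*parts).facts[key] = value

    def render_lines(self, parts, budget_tokens: int) -> list:
        """Context lines for one call about the target at <parts>.

        Walks from the target scope up to the network root, so the most specific
        facts come first, and stops as soon as the next line would exceed the
        budget. Nearer facts are therefore never sacrificed for distant ones,
        which is how the prompt stays inside a small local model's window."""
        node = self.scope(*parts)
        lines, used = [], 0
        while node is not None:
            for key, value in node.facts.items():
                line = f"[{node.path()}] {key}: {value}"
                cost = approx_tokens(line)
                if used + cost > budget_tokens:
                    return lines
                lines.append(line)
                used += cost
            node = node.parent
        return lines

    def build_prompt(self, task: str, parts, budget_tokens: int) -> str:
        """Specialized prompt for one task-specific node: known facts plus the task."""
        context = "\n".join(self.render_lines(parts, budget_tokens))
        return f"Known facts:\n{context}\n\nTask: {task}"


if __name__ == "__main__":
    # Constructed sample run: a recon node records facts, an exploit node reads them.
    mem = HierarchicalMemory()
    mem.record((), "subnet", "10.0.0.0/24")
    mem.record(("10.0.0.5",), "os", "Ubuntu 16.04")
    mem.record(("10.0.0.5",), "open_ports", "22,80")
    mem.record(("10.0.0.5", "tcp:80"), "service", "Apache 2.4.18")
    print(mem.build_prompt("Propose the next check for this service.", ("10.0.0.5", "tcp:80"), 64))
```

The tool handlers, skill injection and multi-agent sharing the paper lists are not modelled here; in this design they would all read from and write to the same tree, and a second instance running on another compromised host would need its own copy of the tree synchronized over whatever channel the worm uses.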
Agentic harnesses built for security research and penetration testing are not new. Open-source examples include RAPTOR, a framework of skills and agents for Claude Code designed for vulnerability discovery and exploit writing, and SecOpsAgentKit.
“Previous models can perform close to, at, or beyond Mythos levels depending on capability by using harnesses,” Gadi Evron, CEO of AI security firm Knostic and one of the creators of RAPTOR, told CSO. “When new models come out, they can achieve in a prompt what previously took a harness, at which point new harnesses are built, and so on and so forth.”
Simulating a vulnerable enterprise network
The CleverHans Lab researchers created a network made up of virtual machines running different operating systems including Ubuntu (16.04-24.04), Debian (9-12), Alpine Linux, Rocky Linux 9, CentOS Stream 9, and Windows Server (2008 R2, 2019, 2022). These VMs simulated servers running a variety of web services, as well as IoT devices and industrial control systems that can be found on typical corporate networks.
The researchers left an assortment of vulnerabilities unpatched on the simulated systems, some old and some only a few days old, along with common insecure configurations and generic flaws such as missing access control or SQL injection. The goal was to test whether the AI-powered worm could discover the systems, find the open ports, identify the exposed services, locate the vulnerabilities, exploit them, and then copy itself to the compromised system.
The systems had both remotely exploitable flaws that would provide initial access, as well as local flaws and weaknesses that could be used to elevate the privileges to root and completely take over the machine.
“These two classes evaluate complementary capabilities: CVEs test the agent’s ability to fingerprint software versions and dynamically adapt or compile raw exploit code to fit the target environment, whereas CWEs probe its capacity for open-ended, target-specific reasoning where no off-the-shelf exploit applies,” the researchers said. “To ensure the network reflects vulnerabilities encountered in the real-world, all targets are drawn from three authoritative threat taxonomies [the CISA Known Exploited Vulnerabilities catalog, the OWASP Top 10: 2025, and the MITRE ATT&CK framework] covering, respectively, vulnerabilities under active exploitation in the wild, prevalent web and software vulnerabilities, and adversarial techniques used after initial access to a network.”
Furthermore, some virtual machines were equipped with GPUs that would allow the worm to replicate itself and then hijack the computing resources to run the model locally instead of relying on the LLM hosted by the researchers on an external system.
Over the course of seven days and five generations of self-replication, the worm spread to 27 of the 33 systems in the simulated environment. It correctly identified the vulnerabilities in 82% of its attempts and exploited them successfully in 44% of those, so only about a third of all attempts ended in a compromise. That low per-attempt exploitation rate was compensated for by the parallel, swarm-like design, in which every compromised system became a new instance of the malicious agent attacking the rest of the network, and the overall success rate eventually ended up high.
This largely matches what security researchers from Forescout found in a study earlier this year of how good models have become at discovering and exploiting vulnerabilities. While that research showed that the new generation of open-weight models had significantly improved at both finding and exploiting vulnerabilities, the smaller variants of those models, quantized to run locally on a single GPU, still performed poorly at such tasks.
The Forescout researchers noted at the time, however, that by using specialized agentic frameworks like RAPTOR they were able to find new zero-days in OpenDNS.
“Many of the open-source or generally commercially available models are already good enough that if used with the correct harness they can find vulnerabilities, exploit them, create malicious code and so on,” Daniel dos Santos, VP of research at Forescout, told CSO. “The new work from U of Toronto shows that similar models can also be used to create dynamically adapting worms.”
Cybercriminals are aware of these advances in model capabilities too, based on discussions dos Santos' team observed on underground forums, with more attackers turning to open-source and commercial models instead of "underground" ones fine-tuned for cybercrime.
Organizations running out of time
While zero-day attacks receive a lot of attention and AI has put such flaws within the reach of more attackers than ever, the reality is that there is no shortage of systems on the internet and inside networks that are either misconfigured or vulnerable to known flaws for which patches or mitigations exist.
The University of Toronto experiment shows that defenders need to be able to respond with similar speed, especially since the prototype shows that knowledge about new vulnerabilities can be integrated into the worm's knowledge base within hours of public disclosure. The worm's ability to hijack GPUs to run its own nodes further lowers the investment attackers need to make to run such AI-assisted attacks.
“Organizations have endless technology and security debt, and with AI attacks on the rise, we no longer have time,” Evron said. “Change however is all about time, especially in the enterprise. The key is to start preparing right now. Soon, we won’t measure time to exploitation, but will need to construct new measurements, such as for the ability to handle regularly occurring, concurrent data breaches while minimizing impact on daily operations.”
The University of Toronto researchers call for enterprises to adopt AI-assisted penetration testing and fuzzing to discover exploitable weaknesses in their own infrastructure, and also to build the capability to deploy patches or mitigations faster, which is currently a significant gap.
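One concrete way to close the patch-speed gap the researchers point to is to check the asset inventory against the CISA Known Exploited Vulnerabilities catalog (one of the three sources the simulated network was built from) every time the feed changes, ranking newly added entries first because those are the ones a worm of this kind can absorb within hours. The following is an added example, not code from the paper or from CISA: the field names are those of the real KEV JSON feed, but the three catalog entries with CVE-TEST-* identifiers, the inventory and the date are all constructed placeholders. KEV records carry no affected-version ranges, so a vendor/product hit is a candidate to confirm against the advisory, not a confirmed vulnerability.

```python
import json
from dataclasses import dataclass
from datetime import date

# Constructed sample in the CISA KEV JSON layout. The field names are those of the
# real feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json);
# the entries and their CVE-TEST-* identifiers are placeholders, not real catalog records.
SAMPLE_KEV_JSON = json.dumps({
    "title": "sample",
    "vulnerabilities": [
        {"cveID": "CVE-TEST-0001", "vendorProject": "Apache", "product": "HTTP Server",
         "vulnerabilityName": "placeholder", "dateAdded": "2025-05-30", "dueDate": "2025-06-20",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-TEST-0002", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "placeholder", "dateAdded": "2025-03-01", "dueDate": "2025-03-22",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-TEST-0003", "vendorProject": "Fortinet", "product": "FortiOS",
         "vulnerabilityName": "placeholder", "dateAdded": "2025-05-31", "dueDate": "2025-06-21",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed asset inventory; a real one would come from a CMDB or an agent export.
SAMPLE_INVENTORY = [
    {"host": "web-01", "vendor": "Apache", "product": "HTTP Server", "version": "2.4.49"},
    {"host": "dc-01", "vendor": "Microsoft", "product": "Windows Server 2019", "version": "10.0.17763"},
    {"host": "cam-01", "vendor": "Axis", "product": "Network Camera", "version": "9.80"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    cve_id: str
    days_since_added: int   # how long the entry has been public in the catalog
    overdue: bool           # past CISA's own dueDate
    ransomware: bool        # knownRansomwareCampaignUse == "Known"


def load_kev(text: str) -> list:
    return json.loads(text)["vulnerabilities"]


def _norm(s: str) -> str:
    return " ".join(s.lower().split())


def product_matches(entry: dict, asset: dict) -> bool:
    """Coarse vendor/product match. KEV has no version ranges, so a hit only
    means 'confirm this host's version against the advisory'."""
    if _norm(entry["vendorProject"]) != _norm(asset["vendor"]):
        return False
    kev_product, asset_product = _norm(entry["product"]), _norm(asset["product"])
    return kev_product in asset_product or asset_product in kev_product


def triage(kev_entries: list, inventory: list, today: date, max_age_days: int = 365) -> list:
    """Inventory hits against KEV, newest catalog additions first, then by host."""
    findings = []
    for entry in kev_entries:
        age = (today - date.fromisoformat(entry["dateAdded"])).days
        if age < 0 or age > max_age_days:
            continue
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if product_matches(entry, asset):
                findings.append(Finding(
                    host=asset["host"],
                    cve_id=entry["cveID"],
                    days_since_added=age,
                    overdue=today > due,
                    ransomware=entry.get("knownRansomwareCampaignUse") == "Known",
                ))
    findings.sort(key=lambda f: (f.days_since_added, f.host))
    return findings


if __name__ == "__main__":
    for f in triage(load_kev(SAMPLE_KEV_JSON), SAMPLE_INVENTORY, date(2025, 6, 1)):
        flags = ("OVERDUE " if f.overdue else "") + ("RANSOMWARE" if f.ransomware else "")
        print(f"{f.host:8} {f.cve_id:14} added {f.days_since_added:3}d ago {flags}")
```

Run against the live feed, the useful output is the top of the list: entries added in the last day or two that match something in the inventory, which is exactly the window in which a worm that ingests new disclosures gets its head start.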
They do, however, acknowledge some limitations of their prototype, such as the fact that it was noisy, leaving many behavioral signatures that endpoint and network monitoring systems could detect. Their simulated network also lacked basic network segmentation; defenses that would further constrain such a worm include a zero-trust architecture to prevent lateral movement and minimizing the software dependencies and attack surface on every host.
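An added example of the kind of network signature such a prototype leaves behind, written for this article and not taken from the paper (which does not publish its detection results): every compromised host starts its own port sweep, so a worm shows up in flow records not just as a scanner but as a chain of scanners in which each new scanner was itself a target of an earlier one. The code assumes NetFlow-style records with a timestamp, source, destination and destination port; the flow lines, hosts, the 60-second window and the six-target threshold are all constructed for the example.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed flow records (one line per connection attempt), not data from the paper.
# 10.0.0.5 sweeps four hosts, 10.0.0.7 (one of its targets) starts its own sweep three
# minutes later, 10.0.0.50 is ordinary client traffic, 10.0.0.12 makes a single connection.
SAMPLE_FLOWS = """\
ts,src,dst,dport
2025-06-01T10:00:00Z,10.0.0.5,10.0.0.6,22
2025-06-01T10:00:01Z,10.0.0.5,10.0.0.6,80
2025-06-01T10:00:02Z,10.0.0.5,10.0.0.7,22
2025-06-01T10:00:03Z,10.0.0.5,10.0.0.7,445
2025-06-01T10:00:04Z,10.0.0.5,10.0.0.8,22
2025-06-01T10:00:05Z,10.0.0.5,10.0.0.8,8080
2025-06-01T10:00:06Z,10.0.0.5,10.0.0.9,22
2025-06-01T10:00:07Z,10.0.0.5,10.0.0.9,80
2025-06-01T10:01:00Z,10.0.0.50,10.0.0.20,443
2025-06-01T10:01:30Z,10.0.0.50,10.0.0.21,443
2025-06-01T10:03:00Z,10.0.0.7,10.0.0.10,22
2025-06-01T10:03:01Z,10.0.0.7,10.0.0.10,80
2025-06-01T10:03:02Z,10.0.0.7,10.0.0.11,22
2025-06-01T10:03:03Z,10.0.0.7,10.0.0.11,445
2025-06-01T10:03:04Z,10.0.0.7,10.0.0.12,22
2025-06-01T10:03:05Z,10.0.0.7,10.0.0.12,3389
2025-06-01T10:03:06Z,10.0.0.7,10.0.0.13,22
2025-06-01T10:03:07Z,10.0.0.7,10.0.0.13,80
2025-06-01T10:04:00Z,10.0.0.50,10.0.0.20,443
2025-06-01T10:05:00Z,10.0.0.12,10.0.0.6,22
"""


def parse_flows(text: str) -> list:
    """Return (timestamp, src, dst, dport) tuples sorted by time."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        ts = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append((ts, row["src"], row["dst"], int(row["dport"])))
    rows.sort()
    return rows


def find_scanners(flows: list, window: timedelta = timedelta(seconds=60), min_targets: int = 6) -> dict:
    """Map each scanning source to the time its first sweep began.

    A sweep is at least min_targets distinct (dst, port) pairs from one source
    inside one window; both thresholds are assumptions to tune per network."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_src[src].append((ts, (dst, dport)))
    first_sweep = {}
    for src, events in by_src.items():
        for i, (start, _) in enumerate(events):
            targets = {t for ts, t in events[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                first_sweep[src] = start
                break
    return first_sweep


def propagation_edges(flows: list, scanners: dict) -> dict:
    """child -> parent, where the parent is the earliest scanner that touched the
    child during the parent's own sweep and before the child began scanning."""
    edges = {}
    for ts, src, dst, _ in flows:            # flows are time-ordered, so first hit is earliest
        if src in scanners and dst in scanners and src != dst \
                and scanners[src] <= ts < scanners[dst] and dst not in edges:
            edges[dst] = src
    return edges


def generations(scanners: dict, edges: dict) -> dict:
    """Depth of each scanner in the propagation tree (0 = no known parent)."""
    depth = {}
    for host in scanners:
        d, node = 0, host
        while node in edges:
            node, d = edges[node], d + 1
        depth[host] = d
    return depth


def analyze(text: str):
    flows = parse_flows(text)
    scanners = find_scanners(flows)
    edges = propagation_edges(flows, scanners)
    return scanners, edges, generations(scanners, edges)


if __name__ == "__main__":
    scanners, edges, gens = analyze(SAMPLE_FLOWS)
    for host in sorted(scanners, key=scanners.get):
        parent = edges.get(host, "-")
        print(f"{host:10} generation {gens[host]}  first sweep {scanners[host]:%H:%M:%S}  parent {parent}")
```

A legitimate vulnerability scanner or monitoring host will show up as a generation-0 scanner and must be allow-listed by name; what it will never do is produce children, so an alert on any edge in the propagation tree (a scanned host that begins scanning) is the signal worth paging on, and it fires before the second generation finishes its sweep.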
“While vulnerabilities, exploits, and attack orchestration are now autonomous, the deeper meaning for defense is that many of our assumptions about building security programs are now challenged,” Evron said. “Until we get to mature defensive AI, we must empower our people with coding agents to bring them up to machine speed, and then defend these agents in turn.”