AI-Powered Penetration Testing Tool 'Villager' Raises Cybersecurity Concerns

AI-powered penetration tool downloaded 10K times

Shady, China-based company, all the apps needed for a fully automated attack - sounds totally legit Villager, a new penetration-testing tool linked to a suspicious China-based company and described by researchers as "Cobalt Strike's AI successor," has been downloaded about 10,000 times since its release in July. The package, published on Python Package Index, operates as a Model Context Protocol (MCP) client and integrates multiple security tools. It includes Kali Linux, which legitimate defenders use to automate penetration testing, and it contains hundreds of tools that can also be used to launch cyber attacks at scale. Villager also contains DeepSeek AI models to automate testing workflows, plus a ton of other AI tools like a database of 4,201 AI system prompts to generate exploits and other mechanisms to make it difficult to detect. "Like Cobalt Strike, it can be used for legitimate purposes but it is also ready to be used maliciously without expertise needed since it is fully automated," Dan Regalado, principal AI security researcher at Straiker, told The Register. "And we see downloads every day, not massively but consistently." In a report published today and shared with The Register, the AI security company's Regalado and fellow researcher Amanda Rousseau said they recorded an average of 200 downloads every three days during their investigation, totaling 9,952 downloads across multiple operating systems, including Linux, macOS, and Windows. And they traced the AI-powered pen-testing tool to a Chinese organization called Cyberspike. Like Cobalt Strike, it can be used for legitimate purposes but it is also ready to be used maliciously without expertise needed since it is fully automated Cyberspike first appeared in November 2023, when the domain cyberspike[.]top was registered under Changchun Anshanyuan Technology Co., which is listed as an AI and application software development provider. However, the company doesn't appear to have a website or any other indications to suggest that it's a legitimate business. Plus, Changchun Anshanyuan's earlier product line called Cyberspike was uploaded to VirusTotal in December 2023. After analyzing the binaries, Straiker discovered that the entire Cyberspike software suite was related to AsyncRAT, a remote-access trojan with capabilities including remote desktop access, Discord account compromise, keystroke logging, webcam hijacking, and other surveillance functions. "Our analysis confirms that Cyberspike integrated AsyncRAT into its red teaming product, with additional plugins to well-known hacktools like Mimikatz as well," Regalado and Rousseau wrote. "These integrations demonstrate how Cyberspike repackaged established hacktools and offensive tools into a turnkey framework designed for penetration testing and probably malicious operations." Regalado told The Register that no one has talked about Cyberspike previously. "We are the first ones," he said. "The company is very suspicious because it is registered in China with a valid physical place - but we do not think there is an office there - and there is no employee information," Regalado added. "Plus their website was shut down early in 2024. All the code from Villager has words in Chinese, and the creator is also from that country. But we can see that Villager is still using the company's domain, which suggests the team is still using the infrastructure." The Cyberspike crew released its new Villager pen-testing tool on PyPI on July 23. The author @stupidfish001, is a former capture the flag (CTF) player for the Chinese HSCSEC team, which is significant because these competitions in China provide a recruiting and training pipeline for skilled hackers and Beijing's cybersecurity and intelligence agencies looking to hire them. Villager itself includes several components for pen testing - or attacking someone's system, depending on who is using the AI framework. It uses MCP Client Service (Port 25989) for central message passing and coordination, along with a database of 4,201 AI system prompts to generate exploits and make real-time decisions. It also auto-creates isolated Kali Linux containers for network scanning, vulnerability assessment, and penetration testing. Villager also integrates with Pydantic AI to enforce formatting rules on AI outputs, and it configures a container to have a 24-hour, self-destruct feature to wipe activity logs and forensic evidence of the software tool. All of this makes it very easy to use Villager to launch attacks, both aimed at a single web application, in which it uses AI to adjust the exploit based on what it finds. According to the report: Or, it can develop a more complex, multi-tool attack chain: Regalado says he wants to make companies aware of this previously undocumented threat, and the speed at which attackers are adopting AI for nefarious purposes. "Attackers are moving really fast, automating attacks with AI," he said. "Defenders should be also using AI-based products to defend at the same speed." ®

AI-Powered Villager Pen Testing Tool Hits 11,000 PyPI Downloads Amid Abuse Concerns

A new artificial intelligence (AI)-powered penetration testing tool linked to a China-based company has attracted nearly 11,000 downloads on the Python Package Index (PyPI) repository, raising concerns that it could be repurposed by cybercriminals for malicious purposes. Dubbed Villager, the framework is assessed to be the work of Cyberspike, which has positioned the tools as a red teaming solution to automate testing workflows. The package was first uploaded to PyPI in late July 2025 by a user named stupidfish001, a former capture the flag (CTF) player for the Chinese HSCSEC team. "The rapid, public availability and automation capabilities create a realistic risk that Villager will follow the Cobalt Strike trajectory: commercially or legitimately developed tooling becoming widely adopted by threat actors for malicious campaigns," Straiker researchers Dan Regalado and Amanda Rousseau said in a report shared with The Hacker News. The emergence of Villager comes shortly after Check Point revealed that threat actors are attempting to leverage another nascent AI-assisted offensive security tool called HexStrike AI to exploit recently disclosed security flaws. With the advent of generative AI (aka GenAI) models, threat actors have capitalized on the technology for social engineering, technical, and information operations in ways that have likely contributed to increased speed, access to expertise, and scalability. One key advantage to relying on such tools is that they lower the barrier to exploitation, and cut short the amount of time and effort required to pull off such attacks. What once required highly skilled operators and weeks of manual development can be automated using AI, offering bad actors assistance with crafting exploits, payload delivery, and even infrastructure setup. "Exploitation can be parallelized at scale, with agents scanning thousands of IPs simultaneously," Check Point noted recently. "Decision-making becomes adaptive; failed exploit attempts can be automatically retried with variations until successful, increasing the overall exploitation yield." The fact that Villager is available as an off-the-shelf Python package means it offers attackers an easy way to integrate the tool into their workflows, Straiker noted, describing it as a "concerning evolution in AI-driven attack tooling." Cyberspike first appeared in November 2023, when the domain "cyberspike[.]top" was registered under Changchun Anshanyuan Technology Co., Ltd., an AI company supposedly based in China. That said, the only source of information about what the company does comes from a Chinese talent services platform called Liepin, raising questions about who is behind it. Snapshots of the domain captured on the Internet Archive reveal that the tool is marketed as a network attack simulation and post-penetration test tool to help organizations evaluate and strengthen their cybersecurity posture. Once installed, Cyberspike has been found to incorporate plugins that are components of a remote access tool (RAT), enabling invasive victim surveillance and control using remote desktop access, Discord account compromise, keystroke logging, webcam hijacking, and other monitoring functions. Further analysis has uncovered similarities with a known RAT called AsyncRAT. "Cyberspike integrated AsyncRAT into its red teaming product, with additional plugins to well-known hacktools like Mimikatz as well," Straiker said. "These integrations demonstrate how Cyberspike repackaged established hacktools and offensive tools into a turnkey framework designed for penetration testing and probably malicious operations." Villager appears to be the latest offering from Cyberspike. Operating as a Model Context Protocol (MCP) client, it integrates with Kali Linux toolsets, LangChain, and DeepSeek's AI models to automate testing workflows, handle browser-based interactions, and issue commands in natural language that can then be converted into their technical equivalents. Besides leveraging a database of 4,201 AI system prompts to generate exploits and make real-time decisions in penetration testing, the AI-native penetration testing framework automatically creates isolated Kali Linux containers for network scanning, vulnerability assessment, and penetration testing, and destroys them after a period of 24 hours, effectively covering up traces of the activity. "The ephemeral nature of these containers, combined with randomized SSH ports, makes AI-powered attack containers difficult to detect, complicating forensic analysis and threat attribution," the researchers noted. Command-and-control (C2) is accomplished by means of a FastAPI interface that processes incoming tasks, while the Python-based Pydantic AI agent platform is used to standardize outputs. "Villager reduces skill and time required to run sophisticated offensive toolchains, enabling less-skilled actors to perform more advanced intrusions," the researchers said. "Its task-based architecture, where AI dynamically orchestrates tools based on objectives rather than following rigid attack patterns, marks a fundamental shift in how cyber attacks are conducted." Increased frequency and speed of automated reconnaissance, exploitation attempts, and follow-on activity could raise detection and response burdens across the enterprise." "Its task-based architecture, where AI dynamically orchestrates tools based on objectives rather than following rigid attack patterns, marks a fundamental shift in how cyber attacks are conducted."

A mysterious Chinese AI pentesting tool has appeared online, with over 10,000 downloads so far

Cyberspike, its creator, has ties to malware and Chinese hacker circles Is the world ready for AI-powered Persistent Threat Actors (AIPT)? We're about to find out, as a Chinese company recently built and released an AI-native pentesting tool. It's been picked up approximately 10,000 times in the last two months, signaling rapid adoption. Among the people downloading the tool are, most likely, threat actors as well. This is the conclusion of a new report published by the security outfit Straiker. Its researchers, Dan Regalado and Amanda Rousseau, observed a new tool called Villager. They're describing it as an AI-powered successor to Cobalt Strike, integrating tools like Kali Linux and DeepSeek AI to automate offensive security operations. "Originally positioned as a red-team offering, Cyberspike has released an AI-enabled, MCP-supported automation tool called "Villager" that combines Kali Linux toolsets with DeepSeek AI models to fully automate testing workflows," the researchers warned. "The rapid, public availability and automation capabilities create a realistic risk that Villager will follow the Cobalt Strike trajectory: commercially or legitimately developed tooling becoming widely adopted by threat actors for malicious campaigns." Widely adopted it is. The tool is freely available on PyPI, the world's biggest Python Package Index, and it has been downloaded nearly 10,000 times since its release in July. Straiker also claims that Cyberspike, the company behind Villager, is shady at best, and quite possibly - a threat actor engaged in distributing malware. At the moment, it doesn't have an official website, but it used to have one two years ago, and back then, it was offering a product called Cyberspike. Its entire toolset and arsenal were subsequently uploaded to VirusTotal and flagged as AsyncRAT, a dangerous and well-established remote access trojan. There were also traces of Mimikatz, an exploit for Windows that extracts passwords stored in memory. The Register added more weight to the suspicions of an elaborate hack, reporting that the tool's author is a former capture the flag player for the Chinese HSCSEC team. This "is significant because these competitions in China provide a recruiting and training pipeline for skilled hackers and Beijing's cybersecurity and intelligence agencies looking to hire them," the publication concluded.