2 Sources
[1]
AI-powered penetration tool downloaded 10K times
Shady, China-based company, all the apps needed for a fully automated attack - sounds totally legit

Villager, a new penetration-testing tool linked to a suspicious China-based company and described by researchers as "Cobalt Strike's AI successor," has been downloaded about 10,000 times since its release in July.

The package, published on Python Package Index, operates as a Model Context Protocol (MCP) client and integrates multiple security tools. It includes Kali Linux, which legitimate defenders use to automate penetration testing, and it contains hundreds of tools that can also be used to launch cyber attacks at scale.

Villager also contains DeepSeek AI models to automate testing workflows, plus a ton of other AI tools like a database of 4,201 AI system prompts to generate exploits and other mechanisms to make it difficult to detect.

"Like Cobalt Strike, it can be used for legitimate purposes but it is also ready to be used maliciously without expertise needed since it is fully automated," Dan Regalado, principal AI security researcher at Straiker, told The Register. "And we see downloads every day, not massively but consistently."

In a report published today and shared with The Register, the AI security company's Regalado and fellow researcher Amanda Rousseau said they recorded an average of 200 downloads every three days during their investigation, totaling 9,952 downloads across multiple operating systems, including Linux, macOS, and Windows. And they traced the AI-powered pen-testing tool to a Chinese organization called Cyberspike.

Cyberspike first appeared in November 2023, when the domain cyberspike[.]top was registered under Changchun Anshanyuan Technology Co., which is listed as an AI and application software development provider.
However, the company doesn't appear to have a website or any other indications to suggest that it's a legitimate business. Plus, Changchun Anshanyuan's earlier product line called Cyberspike was uploaded to VirusTotal in December 2023.

After analyzing the binaries, Straiker discovered that the entire Cyberspike software suite was related to AsyncRAT, a remote-access trojan with capabilities including remote desktop access, Discord account compromise, keystroke logging, webcam hijacking, and other surveillance functions.

"Our analysis confirms that Cyberspike integrated AsyncRAT into its red teaming product, with additional plugins to well-known hacktools like Mimikatz as well," Regalado and Rousseau wrote. "These integrations demonstrate how Cyberspike repackaged established hacktools and offensive tools into a turnkey framework designed for penetration testing and probably malicious operations."

Regalado told The Register that no one has talked about Cyberspike previously. "We are the first ones," he said.

"The company is very suspicious because it is registered in China with a valid physical place - but we do not think there is an office there - and there is no employee information," Regalado added. "Plus their website was shut down early in 2024. All the code from Villager has words in Chinese, and the creator is also from that country. But we can see that Villager is still using the company's domain, which suggests the team is still using the infrastructure."

The Cyberspike crew released its new Villager pen-testing tool on PyPI on July 23. The author, @stupidfish001, is a former capture the flag (CTF) player for the Chinese HSCSEC team, which is significant because these competitions in China provide a recruiting and training pipeline for skilled hackers and Beijing's cybersecurity and intelligence agencies looking to hire them.
Villager itself includes several components for pen testing - or attacking someone's system, depending on who is using the AI framework.

It uses MCP Client Service (Port 25989) for central message passing and coordination, along with a database of 4,201 AI system prompts to generate exploits and make real-time decisions. It also auto-creates isolated Kali Linux containers for network scanning, vulnerability assessment, and penetration testing.

Villager also integrates with Pydantic AI to enforce formatting rules on AI outputs, and it configures a container to have a 24-hour, self-destruct feature to wipe activity logs and forensic evidence of the software tool.

All of this makes it very easy to use Villager to launch attacks, both aimed at a single web application, in which it uses AI to adjust the exploit based on what it finds. According to the report:

Or, it can develop a more complex, multi-tool attack chain:

Regalado says he wants to make companies aware of this previously undocumented threat, and the speed at which attackers are adopting AI for nefarious purposes.

"Attackers are moving really fast, automating attacks with AI," he said. "Defenders should be also using AI-based products to defend at the same speed." ®
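
A defender-side hunt for the two network indicators the article names, TCP port 25989 and the domain cyberspike[.]top, is sketched below. This is an added example, not code from The Register, Straiker or Villager; the DNS log format, the function names and every sample line are constructed assumptions, and a hit is a lead to triage, not proof of Villager.

```python
import re

# Indicators quoted in the article; all sample log lines below are constructed.
MCP_PORT = 25989                  # "MCP Client Service (Port 25989)"
VENDOR_DOMAIN = "cyberspike.top"  # refanged form of cyberspike[.]top

def listeners_on_port(ss_output, port=MCP_PORT):
    """Return (local_addr, process) for LISTEN sockets bound to `port`.
    Input: `ss -H -ltnp` lines (State Recv-Q Send-Q Local Peer Process)."""
    hits = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        local = fields[3]
        # rpartition keeps IPv6 forms such as [::]:25989 intact
        if local.rpartition(":")[2] != str(port):
            continue
        proc = re.search(r'users:\(\("([^"]+)"', line)
        hits.append((local, proc.group(1) if proc else "unknown"))
    return hits

def queries_for_domain(dns_log, domain=VENDOR_DOMAIN):
    """Return (client, qname) for lookups of `domain` or any subdomain.
    Input: assumed log format `timestamp client qname qtype`."""
    hits = []
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        qname = parts[2].rstrip(".").lower()
        # suffix match on a label boundary, so notcyberspike.top is ignored
        if qname == domain or qname.endswith("." + domain):
            hits.append((parts[1], qname))
    return hits

SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:25989 0.0.0.0:* users:(("python3",pid=4121,fd=6))
LISTEN 0 128 [::]:25989 [::]:* users:(("python3",pid=4121,fd=7))
LISTEN 0 511 127.0.0.1:2598 0.0.0.0:* users:(("node",pid=990,fd=20))
"""
SAMPLE_DNS = """\
2025-09-01T10:00:05Z 10.0.4.17 sub.cyberspike.top. A
2025-09-01T10:00:09Z 10.0.4.22 notcyberspike.top. A
2025-09-01T10:01:12Z 10.0.4.30 CyberSpike.TOP AAAA
"""

if __name__ == "__main__":
    print(listeners_on_port(SAMPLE_SS), queries_for_domain(SAMPLE_DNS), sep="\n")
```
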
[2]
A mysterious Chinese AI pentesting tool has appeared online, with over 10,000 downloads so far
Cyberspike, its creator, has ties to malware and Chinese hacker circles

Is the world ready for AI-powered Persistent Threat Actors (AIPT)? We're about to find out, as a Chinese company recently built and released an AI-native pentesting tool. It's been picked up approximately 10,000 times in the last two months, signaling rapid adoption. Among the people downloading the tool are, most likely, threat actors as well.

This is the conclusion of a new report published by the security outfit Straiker. Its researchers, Dan Regalado and Amanda Rousseau, observed a new tool called Villager. They're describing it as an AI-powered successor to Cobalt Strike, integrating tools like Kali Linux and DeepSeek AI to automate offensive security operations.

"Originally positioned as a red-team offering, Cyberspike has released an AI-enabled, MCP-supported automation tool called "Villager" that combines Kali Linux toolsets with DeepSeek AI models to fully automate testing workflows," the researchers warned. "The rapid, public availability and automation capabilities create a realistic risk that Villager will follow the Cobalt Strike trajectory: commercially or legitimately developed tooling becoming widely adopted by threat actors for malicious campaigns."

Widely adopted it is. The tool is freely available on PyPI, the world's biggest Python Package Index, and it has been downloaded nearly 10,000 times since its release in July.

Straiker also claims that Cyberspike, the company behind Villager, is shady at best, and quite possibly - a threat actor engaged in distributing malware. At the moment, it doesn't have an official website, but it used to have one two years ago, and back then, it was offering a product called Cyberspike. Its entire toolset and arsenal were subsequently uploaded to VirusTotal and flagged as AsyncRAT, a dangerous and well-established remote access trojan. There were also traces of Mimikatz, an exploit for Windows that extracts passwords stored in memory.
The Register added more weight to the suspicions of an elaborate hack, reporting that the tool's author is a former capture the flag player for the Chinese HSCSEC team. This "is significant because these competitions in China provide a recruiting and training pipeline for skilled hackers and Beijing's cybersecurity and intelligence agencies looking to hire them," the publication concluded.
A new AI-driven penetration testing tool called 'Villager', linked to a suspicious Chinese company, has been downloaded 10,000 times since July. Security experts warn of its potential for misuse in cyber attacks.
A new AI-driven penetration testing tool called 'Villager' has emerged in the cybersecurity landscape, raising concerns among security experts. Developed by a suspicious China-based company named Cyberspike, Villager has been downloaded approximately 10,000 times since its release in July 2025 [1].

Described as "Cobalt Strike's AI successor," Villager integrates multiple security tools, including Kali Linux and DeepSeek AI models, to automate penetration testing workflows. The tool operates as a Model Context Protocol (MCP) client and contains hundreds of tools that can be used for both legitimate defense purposes and potentially malicious cyber attacks [1].

Cybersecurity researchers Dan Regalado and Amanda Rousseau from Straiker have traced Villager to Cyberspike, a Chinese organization that first appeared in November 2023. The company, registered under Changchun Anshanyuan Technology Co., lacks a website or any indications of being a legitimate business [1].

Further investigation revealed that Cyberspike's earlier product line was related to AsyncRAT, a remote-access trojan with capabilities including remote desktop access, keystroke logging, and webcam hijacking. This connection has raised suspicions about the true intentions behind Villager's development [2].

Villager boasts several sophisticated components that make it a powerful tool for both penetration testing and potential cyber attacks:

The tool's AI-driven capabilities allow it to adjust exploits based on findings and develop complex, multi-tool attack chains [1].

Security experts warn that Villager's rapid adoption and automation capabilities create a realistic risk of it following Cobalt Strike's trajectory – a commercially developed tool becoming widely adopted by threat actors for malicious campaigns [2].

The tool's author, @stupidfish001, is reportedly a former capture the flag (CTF) player for the Chinese HSCSEC team. This connection is significant, as these competitions in China often serve as recruiting grounds for skilled hackers and cybersecurity agencies [1].

As AI-powered tools like Villager continue to emerge, the cybersecurity landscape faces new challenges. Defenders must stay vigilant and adapt their strategies to counter the increasing sophistication and automation of cyber threats.
Summarized by Navi