Tuesday, April 1, 2025
HomeChatGPTWormGPT - A ChatGPT Themed Hacking Tool Used to Launch Cyber Attack

WormGPT – A ChatGPT Themed Hacking Tool Used to Launch Cyber Attack

Published on

SIEM as a Service

Follow Us on Google News

WormGPT, a black-hat-based tool has been recently launched by cybercriminals and has the potential to conduct various social engineering as well as Business Email Compromise (BEC) attacks. This tool has no limitations towards its use and has no boundaries.

The use of generative AI has seen a remarkable reach in recent times. With the release of ChatGPT in November 2022, there have been several AI tools created and refined for multiple purposes. However, here comes a time in which a new AI has been released specifically designed for Black Hats.

Business email compromise, commonly referred to as CEO fraud or whaling, attacks businesses by impersonating senior executives or reliable partners.

BEC Attacks Revolutionised by WormGPT

As per reports, threat actors have been using ChatGPT and other AI-based tools for generating malicious email that seems legitimate enough to convince an employee in giving sensitive information. 

https://twitter.com/p4c3n0g3/status/1679898049030782977

In a forum of cybercriminal discussions, there has been evidence that threat actors rely on ChatGPT for composing BEC emails. Even hackers with low fluency in other languages can use these AI-generative emails for conducting such attacks.

Another discussion mentioned “Jailbreaks” for tools like ChatGPT. These are specially crafted prompts that can make ChatGPT give out sensitive information beyond the scope of its use. It can even provide inappropriate content or generate harmful code.

WormGPT
Jailbreak discussion (Source: Slashnext)

WormGPT

WormGPT was also found on a cybercriminal discussion forum, which was mentioned to be specially designed as a blackhat alternative to other GPTs. It is designed with GPTJ (Generative Pre-trained Transformer-J) language models with a range of features and code formatting capabilities.

WormGPT
WormGPT

In an experiment conducted with WormGPT where it was asked to generate a BEC email for pressurizing an account manager for paying a fraudulent invoice. The results were extremely harmful since they generated a convincing, grammatical error-free, and persuasive email which would convince any employee.

It is recommended for organizations train their employees about these kinds of phishing emails and have appropriate email filters in place for preventing such AI-generative email-based attacks.

Also Read:

https://cybersecuritynews.com/burpgpt
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Rockwell Automation Vulnerability Allows Attackers to Execute Arbitrary Commands

Rockwell Automation has identified a critical flaw in its Verve Asset Manager software, exposing industrial systems...

Check Point Confirms Data Breach, Says Leaked Information is ‘Old’

Cybersecurity giant Check Point has confirmed that a recent post on a notorious dark...

CrushFTP Security Vulnerability Under Attack After PoC Release

A recently disclosed security vulnerability in CrushFTP, identified as CVE-2025-2825, has become the target...

CISA Warns of Cisco Smart Licensing Utility Credential Flaw Exploited in Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory warning organizations...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Operation HollowQuill – Weaponized PDFs Deliver a Cobalt Strike Malware Into Gov & Military Networks

In a recent revelation by SEQRITE Labs, a highly sophisticated cyber-espionage campaign, dubbed Operation...

Earth Alux Hackers Use VARGIET Malware to Target Organizations

A new wave of cyberattacks orchestrated by the advanced persistent threat (APT) group Earth...

“Lazarus Hackers Group” No Longer Refer to a Single APT Group But a Collection of Many Sub-Groups

The term "Lazarus Group," once used to describe a singular Advanced Persistent Threat (APT)...