Researchers at the University of Toronto’s CleverHans Lab have developed a self-replicating AI worm powered by an open-weight LLM, demonstrating how advanced malware can operate without commercial AI services while adapting attacks across networks.
Researchers at the University of Toronto’s CleverHans Lab have built a self-replicating AI worm powered by a small, free, open-weight large language model (LLM), demonstrating that sophisticated AI-powered malware no longer requires commercial AI infrastructure.
Unlike traditional worms that rely on pre-programmed exploits, the malware can reason its way through networks, devise new attack strategies, and carry a copy of its LLM to compromised machines. Each infected host provides both persistence and additional computing resources, allowing the worm to sustain itself using victims’ infrastructure.
The researchers said the worm operates entirely on locally hosted open-weight models, meaning commercial AI safeguards such as service refusal, content filtering, and rate limiting offer little protection. They also noted that safety guardrails can be bypassed when attackers control the execution environment.
Tested across a 33-host virtual network comprising Linux servers, Windows systems, and IoT devices, the worm identified an average of 31.3 vulnerabilities, escalated privileges on 23.1 hosts, and spread to 20.4 hosts over 15 seven-day trials. It successfully exploited vulnerabilities including Copy Fail, Dirty Frag, and a Marimo remote code execution flaw by reading public advisories and generating exploits at runtime.
“The traditional economic barrier in cyber security collapses,” the researchers wrote. “The worm parasitically uses the victims’ own computational resources, reducing the attacker’s marginal cost to zero.”
The University of Toronto is not publicly releasing the prototype, restricting access to vetted defensive-security researchers.
