Latest research

AI Agents Enable Adaptive Computer Worms

In our pursuit of new knowledge to enhance the security of artificial intelligence, we uncovered a cybersecurity threat with implications across society.

Jonas Guan*†1,2 Tom Blanchard*1,2 Hanna Foerster*3 Hengrui Jia*1,2 Gabriel Huang4 Nicolas Papernot†1,2

1University of Toronto 2Vector Institute 3University of Cambridge 4ServiceNow

*Equal contribution Corresponding author

Preprint

The full paper is available as a preprint.

Read the Preprint View on arXiv

On this page

Overview of the adaptive computer worm research.
An AI-driven worm propagates across a heterogeneous network by parasitically acquiring computational resources for autonomous reasoning. (a) The worm spreads through a network containing servers, workstations, and IoT devices. Red arrows show propagation between compromised machines, while blue arrows show reasoning queries from low-compute machines to compromised GPU nodes. (b) The worm combines a single-GPU LLM with an agentic framework for recursive reasoning, memory management, and tool use against target machines.

Research Overview

Large language models (LLMs) now demonstrate the capacity for structured problem-solving that, combined with tool access, enables agentic AI systems to solve complex tasks. We show that when these capabilities are embedded in a self-replicating agent, they produce a fundamentally new cybersecurity threat: an adaptive computer worm that devises target-specific attack strategies to gain control of machines and spread across networks. Each compromised machine becomes part of the worm’s own infrastructure, providing compute or reach for further attacks.

A computer worm is self-replicating malware that spreads across a network without human intervention. The WannaCry worm (2017) disrupted critical infrastructure across 150 countries by exploiting a single vulnerability. Traditional worms can be stopped by patching the specific vulnerability they exploit. Our adaptive worm cannot be stopped this way: it uses a recursive reasoning loop to detect and exploit diverse vulnerabilities as it propagates.

We demonstrate these capabilities in a controlled experiment: a prototype AI-driven worm powered by an open-weight LLM running locally, propagated across a heterogeneous network of Linux, Windows, and IoT devices with common corporate network vulnerabilities. The experiment was conducted in an isolated virtual network.

We believe this work highlights three important dimensions of the impact of AI on the cyberthreat landscape:

  1. It establishes a qualitative shift in threat capability. The worm replaces fixed exploitation code with goal-directed reasoning that adapts to the vulnerabilities of each target in real time. Our agent self-replicates across networked devices, subverts control of systems, and self-sustains on stolen resources.
  2. The AI-driven worm requires only an open-weight model that can run on a single, local GPU. It does not rely on any commercial AI platform. This renders vendors’ centralized safety controls, including service refusal, content filtering, and rate limits structurally irrelevant. The worm’s tiered design, where each compromised GPU-equipped node provides reasoning for lightweight agents on downstream devices, extends the attack surface to any networked device.
  3. The traditional economic barrier in cybersecurity collapses. The worm parasitically uses the victims’ own computational resources, reducing the attacker’s marginal cost to zero. As consumer devices increasingly support LLM inference, the reasoning resources available to such adversaries grow accordingly.

This work provides empirical evidence that autonomous cyberoffence has crossed from theoretical risk to demonstrated capability, a challenge that spans AI research, cybersecurity, and public policy. We believe this transition demands rigorous, transparent evaluation of model capabilities across the open and closed-weight model ecosystems.

Radial propagation tree showing the spread of the AI worm in a network instance. The propagation begins from an agent process running on the kali machine (Generation-0), and then spreads to Generation-1 hosts by exploiting a detected vulnerability, and replicating itself once it gets control over the host. This process then repeats. This figure reflects the result of 7 days of autonomous propagation in a single network instance. The hostnames are unique IDs. Arrows are labelled with the names of vulnerabilities or weaknesses that the agent exploited to control the host.

FAQs

Why pursue this line of inquiry?

The driving motivation behind all our work is to enhance the security of artificial intelligence. Recently, public discussion about AI safety has focused on the capabilities of the largest and most powerful AI models that are known to be capable of finding previously undiscovered vulnerabilities that could be exploited. In contrast, smaller open-weight AI models (that anyone can download off the internet) have been dismissed as lacking the capabilities necessary to present a significant cybersecurity threat.

We were concerned this was not the case and set out to discover if the assumptions underpinning the public policy debate were scientifically defensible. We asked: Are small, free models too weak and unreliable to pose a real threat, or could they be adapted to launch much broader attacks against entire networks? In other words, do we really understand the cybersecurity threat landscape?

What did you find?

We discovered that it is possible to create an AI-driven computer worm, using only small, free AI models, that can autonomously identify each machine’s unique weak points (including vulnerabilities just reported by industry and misconfigurations such as reused passwords) and exploit them, hijacking computing power to take over regular devices such as laptops, cameras and everything else online, and then copying itself onto servers and networks to either steal data or launch new attacks. We did this without using the newest, most powerful AI models. There is no single defence against this new threat.

Did you create malware?

We created a proof-of-concept prototype in a controlled environment, following a well-established practice in cybersecurity research that enables a better understanding of emerging threats and evaluation of defences against them. In the construction of this proof-of-concept, we intentionally omitted implementing any standard malware capabilities that complicate detection or removal.

Why is this significant?

This research uncovered a new cybersecurity threat the world is not prepared to face. With almost every aspect of modern life dependent on networked computers — drinking water and waste management systems, access to food and goods, energy, our financial system, communications, health care, education, transportation systems, government and so much more — the risk is enormous.

What’s more, because this design is built using a small model that runs on a single machine, the economics of cyberattacks are about to radically shift: Cyberattacks typically focus on the most high-value targets, due to the time and comparatively enormous computing resources required to wage an attack. Now, this low-cost design means every machine connected to the internet is a potential target — if not for the data it holds, then as a launching pad for the next attack.

Researchers, industry, policymakers and everyday people need to come together with urgency to address this new cybersecurity threat.

Why is it important to share this information?

Given the need to mobilize the cybersecurity community to build countermeasures, as similar research is likely underway elsewhere, including by criminal and state hackers who may have hostile intent, not disclosing these findings would be unethical.

Before making our paper public, we shared our findings with the appropriate national science, security and defence bodies, and sought advice from Canadian authorities on how to responsibly disclose this research without improving attackers’ capabilities.

We made our findings public so decision-makers in all areas (government, industry, academia, small- and medium-sized businesses, individuals) will have a clearer understanding of the threat we could soon face, can mobilize around accelerating research into countermeasures, and are better positioned to make informed decisions on matters of national security, corporate competitiveness and personal cyber safety. Crucially, because this work was done at a publicly funded academic institution, the findings are available to the broader research community for the benefit of society.

How did you ensure safety?

Our research was conducted in a safe environment that prevented incoming and outgoing digital interference. We followed established best practices for cybersecurity work involving capabilities with both beneficial and potentially harmful applications and collaborated with all the relevant university research and information security offices and Canadian authorities.

What’s next?

Now that the threat is understood, there is an opportunity to detect and defend against similar cyberthreats that did not exist before. Along with sounding the alarm about this emerging threat, we are turning our attention to developing the countermeasures that can detect and defend against similarly designed cyberweapons. Across the University of Toronto, important and groundbreaking work on AI safety and related policy needs is underway at the Schwartz Reisman Institute for Technology and Society, Citizen Lab, in various faculties, with the Canadian Institute for Advanced Research (CIFAR) and Vector Institute, and in partnership with government agencies and, where appropriate, industry partners.

Is there any good news to come out of this?

Along with sounding the alarm on a new threat landscape, our research demonstrates that with the right design, simple language models and modest computing power can be harnessed to solve incredibly complex problems. Our approach could be used in other disciplines for positive applications. We believe the methodology can be adapted for a wide range of positive uses with benefits across society — to arrive at sound decisions sooner in research for medical advances or identifying potential sustainable energy solutions, for example.

Technical Questions

Are you releasing the code?

We will not be publicly releasing our implementation. We are working with the University of Toronto to establish a vetting process through which qualified researchers may request access for defensive research purposes.

Is this worm being deployed in the wild?

No. Our research prototype was built and tested exclusively in a contained virtual network with hypervisor-enforced isolation. It has never been deployed outside that environment.

Are some details withheld from the paper?

Yes, intentionally. We omitted certain methodological details (such as the agent’s reasoning graph and tool harness) and experimental specifics (such as the AI model) that could materially help a malicious actor construct similar malware. We shared enough information to make the threat credible enough for scientific scrutiny without providing a blueprint that would enable misuse.

Before sharing it publicly, we sought the advice of the appropriate national security and defence bodies on how to responsibly disclose this research without improving attackers’ capabilities. Now that the threat is understood, there is an opportunity to build countermeasures to detect and defend against similar cyberweapons that did not exist before.

Why publish this research if it could be misused?

Publishing empirical evidence of this threat is essential so that the security community can study and build defences against adaptive (AI-driven) computer worms. We shared our findings with Canadian science, security and defence authorities and sought advice on how to responsibly disclose this research without improving adversaries’ capabilities. We concluded that the benefits — enabling society to prepare for generative adversaries — outweighed the dual-use risks, especially given the mitigations we put in place. Prior to publication, the paper was significantly altered to avoid revealing details that would be advantageous to those who would use these findings with malicious intent.

Does the worm try to hide itself?

No. We deliberately chose not to equip the worm with concealment capabilities — it is not instructed to cover its tracks or minimize its network footprint, and it has no tools to do so. This was a conscious methodological choice to further limit the risk of misuse.

Can the worm be detected?

The current prototype leaves consistent behavioural signatures: beacon callbacks on non-standard ports, automated injection of SSH public keys, and systematic credential reuse across hosts. These are concrete targets for network monitoring and intrusion detection systems. Note that these signatures are artefacts of our proof-of-concept scope — a future adversary could direct the same reasoning capabilities toward evasion strategies.

How quickly does the worm spread?

In our experiments, the prototype reached half the network in approximately five days. This is slower than traditional worms because each target requires hundreds of LLM inference calls for reconnaissance, strategy formulation, and payload generation. This affords defenders a longer window for detection and response — but this window will compress as inference hardware and model efficiency improve.

What can defenders do?

Detection. The current prototype leaves consistent behavioural signatures: beacon callbacks on non-standard ports, automated injection of SSH public keys, and systematic credential reuse across hosts. These are concrete targets for network monitoring and intrusion detection systems. Note that these signatures are artefacts of our proof-of-concept scope — a future adversary could direct the same reasoning capabilities toward evasion strategies.

Reducing the attack surface. AI-assisted penetration testing and fuzzing can help organizations discover exploitable weaknesses in their own infrastructure before an adversary does. Discovery alone is insufficient without the ability to act quickly: automated CVE and patch verification, and the ability to forecast patch timelines, are critical for understanding the window of risk. Our prototype is able to incorporate newly published vulnerabilities within hours of disclosure, making rapid patch deployment an increasingly urgent capability gap.

Limiting propagation. Zero-trust architectures limit lateral movement after a foothold is established by requiring continuous authentication for every access request. Network micro-segmentation constrains the set of hosts reachable from any single compromised machine. Our test environment represented a worst-case flat network — even basic segmentation would substantially limit the worm’s reach. Minimizing software dependencies on each host further shrinks the attack surface available to an adaptive agent.

Does it exploit zero-day vulnerabilities?

No. Our prototype targets publicly disclosed but unpatched vulnerabilities, misconfigurations, and recurring weakness classes — which is what the majority of real-world cyberattacks rely on. It does not require the capability to discover novel zero-days, only an AI model that is capable enough to operationalize known vulnerabilities against diverse target configurations.

Can’t AI vendors just block this with safety controls?

No. The worm runs entirely on a locally hosted, open-weight model with no dependency on any commercial AI platform. Vendor-side controls — service refusal, content filtering, rate limits — are structurally irrelevant to halting its propagation. Additionally, safety guardrails on open-weight models can be bypassed when an attacker fully controls the local execution environment.