Researchers from the University of Toronto, Vector Institute, University of Cambridge, and ServiceNow demonstrated an AI-powered worm capable of generating attack strategies and spreading autonomously across networks. The proof-of-concept malware runs on infected machines using open-weight models rather than cloud services, marking a departure from earlier AI-driven threats. The researchers argue the work shows AI-driven cyberattacks have moved beyond theory, with the worm able to identify vulnerabilities, devise tailored attack paths, compromise systems, and replicate itself while adapting tactics to different targets.
The research paper describes what the team characterizes as a fundamental shift from traditional worms. "We must prepare for autonomous generative adversaries," the researchers wrote. "Malware systems that propagate without human operators and are defined not by fixed exploit code, but by the capacity to reason about targets, adapt to observations, and synthesize attack logic in real time."
Computer worms are self-replicating malware that spread automatically across vulnerable networks. Historical worm outbreaks, including ILOVEYOU in 2000 and WannaCry in 2017, infected millions of computers worldwide, disrupting critical services and causing billions of dollars in damage. More recently, the Shai-Hulud malware showed how self-propagating attacks can spread online, infecting software used by major companies including OpenAI and Mistral.
The team tested the worm in an isolated virtual network containing 33 Linux, Windows, and IoT systems seeded with common vulnerabilities. Across 15 experiments, the worm identified an average of 31.3 vulnerabilities, successfully compromised 23.1 hosts, and spread to roughly 20 machines during seven days of autonomous operation.
In some tests, the malware reached seven generations of self-replication. The researchers found the system could exploit vulnerabilities disclosed after the model's training cutoff by ingesting newly published security advisories at runtime, allowing it to incorporate information that was not part of the model's original training data.
According to the study, what sets this AI-powered worm apart from earlier worms is its ability to adapt to different targets: it uses a large language model to identify vulnerabilities and generate attack strategies in real time rather than relying on a fixed set of exploits.
"Traditional worms, like WannaCry, exploited predetermined vulnerabilities, and their spread can be halted by patching those vulnerabilities," the researchers wrote. "Here we show that artificial intelligence agents enable a fundamentally new threat: a worm that generates tailored attack strategies to each target it encounters."
Unlike many AI applications, the worm did not depend on access to AI cloud services. Rather than relying on cloud infrastructure from providers such as AWS, Microsoft Azure, or Google Cloud, the malware ran AI models directly on compromised machines. As it spread, infected systems effectively became part of its computing infrastructure.
While the testing was conducted in a controlled environment, the authors acknowledged the dual-use nature of the work and intentionally withheld some technical details to reduce the risk of misuse.
"Ahead of releasing this preprint, we edited the manuscript to ensure that the presentation of our method balances the depth of detail needed for the community to study this novel threat with the risk of a malicious actor using our method for creating malware," the researchers said.
The researchers said the project is intended to better understand the risks posed by adaptive computer worms and provide evidence of how far AI-enabled cyber capabilities have progressed. "Addressing this threat will therefore require coordinated action across the research, security, industry, and policy communities: evaluation frameworks that test harness-level capabilities, detection systems tuned to the behavioural signatures of autonomous agents, and regulatory measures that account for the decentralized nature of open-weight inference," they wrote.
What did researchers demonstrate in the AI worm study? Researchers from the University of Toronto, Vector Institute, University of Cambridge, and ServiceNow demonstrated a proof-of-concept AI-powered worm that can identify vulnerabilities, generate attack strategies, and spread autonomously across networks while adapting its tactics to different targets.
How did the AI worm perform in testing? Across 15 experiments in an isolated virtual network containing 33 systems, the worm identified an average of 31.3 vulnerabilities, successfully compromised 23.1 hosts, and spread to roughly 20 machines during seven days of autonomous operation. In some tests, the malware reached seven generations of self-replication.
Why did the research team withhold technical details? The authors acknowledged the dual-use nature of the work and intentionally withheld some technical details to reduce the risk of a malicious actor using their method for creating malware, while still providing sufficient depth for the community to study the novel threat.