Hackers are deploying a new AI-native penetration testing tool for sophisticated attacks in an industry first, according to new research.
Cybersecurity firm Straiker has warned that ‘Villager’, a tool developed by a China-based red team project known as Cyberspike, is already being used to automate attacks under the guise of penetration testing.
Villager leverages the Kali Linux toolsets and DeepSeek v3 to automate attacks, and is easily accessible via the official Python Package Index (PyPI).
Based on user prompts it can exploit vulnerabilities in a given domain, launch attacks using multiple tools to ensure a victim is breached, and establish persistence for attackers in compromised systems.
“The framework's most dangerous innovation lies not in any single capability, but in how it seamlessly integrates multiple attack vectors through intelligent task orchestration,” wrote Dan Regalado, principal AI security researcher at Straiker, and Amanda Rousseau, member of technical staff at Straiker.
“By combining containerized Kali environments, browser automation, direct code execution, and a 4,201-prompts vulnerability database, all coordinated by AI decision-making, the framework dramatically lowers the technical barrier for conducting complex attacks.”
Researchers at Straiker compared Villager to Cobalt Strike, a legitimate penetration testing tool that has been widely used by hackers for illegitimate purposes.
In March, Fortra and Microsoft announced an “aggressive campaign” against hackers using Cobalt Strike across over 200 malicious domains. Malicious use of the tool on a daily basis dropped 80% as a result.
Villager pen testing tool is a step above Cobalt Strike
Unlike the scripted attacks possible via Cobalt Strike, the AI-powered Villager is capable of complex attacks based on natural language prompts.
For example, researchers noted that when Villager detects a victim’s domain using WordPress, it will launch an attack using the WordPress vulnerability scanner WPScan, for which it creates a custom Kali container.
If an API endpoint is detected, on the other hand, Villager may use browser automation to attempt a breach through a victim’s authentication workflow.
Each successful step is verified by the tool, which can dynamically adapt its vector depending on the context of the attack. Similarly, each Kali Linux container Villager creates, which can contain a range of cybersecurity tools, has built-in mechanisms to wipe themselves after 24 hours to prevent detection.
The tools’s command and control (C2) system, accessed via its Python-based FastAPI connection, ensures each attack is broken into manageable subtasks that are handled by its AI model.
Outputs are standardized using the data validation library Pydantic, researchers added. This ensures each decision Villager makes is reliable and follows on from its previous steps.
All of this points to an organic, sophisticated methodology that opens the door to more attacks from inexperienced attackers, researchers warned. Since it was published on PyPI in July 2025, Villager has been downloaded more than 10,000 times.
The authors at Straiker warned the tool could lead to more automated attacks by hackers using off the shelf tools. They also cautioned that attacks of this kind could speed up the rate at which attackers can discover new vulnerabilities and exploit them, shrinking the detection and response window for cybersecurity teams.
Straiker tracked Cyberspike as having first appeared on a domain established in November 2023, by the supposed AI firm Changchun Anshanyuan Technology Co.
The authors wrote that no evidence of such a company exists on Chinese social media, though archived pages show it sold Cyberspike as a remote administration tool (RAT) in 2023.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- Hackers are duping developers with malware-laden coding challenges
- Anthropic admits hackers have 'weaponized' its tools
- Hackers are using AI to dissect threat intelligence reports and ‘vibe code’ malware
-
What does modern security success look like for financial services?Sponsored As financial institutions grapple with evolving cyber threats, intensifying regulations, and the limitations of ageing IT infrastructure, the need for a resilient and forward-thinking security strategy has never been greater
-
Yes, legal AI. But what can you actually do with it? Let’s take a look…Sponsored Legal AI is a knowledge multiplier that can accelerate research, sharpen insights, and organize information, provided legal teams have confidence in its transparent and auditable application
-
'It's slop': OpenAI co-founder Andrej Karpathy pours cold water on agentic AI hype – so your jobs are safe, at least for nowNews Despite the hype surrounding agentic AI, OpenAI co-founder Andrej Karpathy isn't convinced and says there's still a long way to go until the tech delivers real benefits.
-
Nvidia CEO Jensen Huang says future enterprises will employ a ‘combination of humans and digital humans’ – but do people really want to work alongside agents? The answer is complicated.News Enterprise workforces of the future will be made up of a "combination of humans and digital humans," according to Nvidia CEO Jensen Huang. But how will humans feel about it?
-
‘I don't think anyone is farther in the enterprise’: Marc Benioff is bullish on Salesforce’s agentic AI lead – and Agentforce 360 will help it stay top of the perchNews Salesforce is leaning on bringing smart agents to customer data to make its platform the easiest option for enterprises
-
This new Microsoft tool lets enterprises track internal AI adoption rates – and even how rival companies are using the technologyNews Microsoft's new Benchmarks feature lets managers track and monitor internal Copilot adoption and usage rates – and even how rival companies are using the tool.
-
Salesforce just launched a new catch-all platform to build enterprise AI agentsNews Businesses will be able to build agents within Slack and manage them with natural language
-
The tech industry is becoming swamped with agentic AI solutions – analysts say that's a serious cause for concernNews “Undifferentiated” AI companies will be the big losers in the wake of a looming market correction
-
Microsoft says 71% of workers have used unapproved AI tools at work – and it’s a trend that enterprises need to crack down onNews Shadow AI is by no means a new trend, but it’s creating significant risks for enterprises
-
Huawei executive says 'we need to embrace AI hallucinations’News Tao Jingwen, director of Huawei’s quality, business process & IT management department, said firms should embrace hallucinations as part and parcel of generative AI.
