Hackers are deploying a new AI-native penetration testing tool for sophisticated attacks in an industry first, according to new research.
Cybersecurity firm Straiker has warned that ‘Villager’, a tool developed by a China-based red team project known as Cyberspike, is already being used to automate attacks under the guise of penetration testing.
Villager leverages the Kali Linux toolsets and DeepSeek v3 to automate attacks, and is easily accessible via the official Python Package Index (PyPI).
Based on user prompts it can exploit vulnerabilities in a given domain, launch attacks using multiple tools to ensure a victim is breached, and establish persistence for attackers in compromised systems.
“The framework's most dangerous innovation lies not in any single capability, but in how it seamlessly integrates multiple attack vectors through intelligent task orchestration,” wrote Dan Regalado, principal AI security researcher at Straiker, and Amanda Rousseau, member of technical staff at Straiker.
“By combining containerized Kali environments, browser automation, direct code execution, and a 4,201-prompts vulnerability database, all coordinated by AI decision-making, the framework dramatically lowers the technical barrier for conducting complex attacks.”
Researchers at Straiker compared Villager to Cobalt Strike, a legitimate penetration testing tool that has been widely used by hackers for illegitimate purposes.
In March, Fortra and Microsoft announced an “aggressive campaign” against hackers using Cobalt Strike across over 200 malicious domains. Malicious use of the tool on a daily basis dropped 80% as a result.
Villager pen testing tool is a step above Cobalt Strike
Unlike the scripted attacks possible via Cobalt Strike, the AI-powered Villager is capable of complex attacks based on natural language prompts.
For example, researchers noted that when Villager detects a victim’s domain using WordPress, it will launch an attack using the WordPress vulnerability scanner WPScan, for which it creates a custom Kali container.
If an API endpoint is detected, on the other hand, Villager may use browser automation to attempt a breach through a victim’s authentication workflow.
Each successful step is verified by the tool, which can dynamically adapt its vector depending on the context of the attack. Similarly, each Kali Linux container Villager creates, which can contain a range of cybersecurity tools, has built-in mechanisms to wipe themselves after 24 hours to prevent detection.
The tools’s command and control (C2) system, accessed via its Python-based FastAPI connection, ensures each attack is broken into manageable subtasks that are handled by its AI model.
Outputs are standardized using the data validation library Pydantic, researchers added. This ensures each decision Villager makes is reliable and follows on from its previous steps.
All of this points to an organic, sophisticated methodology that opens the door to more attacks from inexperienced attackers, researchers warned. Since it was published on PyPI in July 2025, Villager has been downloaded more than 10,000 times.
The authors at Straiker warned the tool could lead to more automated attacks by hackers using off the shelf tools. They also cautioned that attacks of this kind could speed up the rate at which attackers can discover new vulnerabilities and exploit them, shrinking the detection and response window for cybersecurity teams.
Straiker tracked Cyberspike as having first appeared on a domain established in November 2023, by the supposed AI firm Changchun Anshanyuan Technology Co.
The authors wrote that no evidence of such a company exists on Chinese social media, though archived pages show it sold Cyberspike as a remote administration tool (RAT) in 2023.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- Hackers are duping developers with malware-laden coding challenges
- Anthropic admits hackers have 'weaponized' its tools
- Hackers are using AI to dissect threat intelligence reports and ‘vibe code’ malware
-
NinjaOne expands availability on CrowdStrike MarketplaceNews CrowdStrike Falcon customers now have simplified access to NinjaOne’s automated endpoint management capabilities
-
Implementation and atychiphobia: helping SMEs overcome fearIndustry Insights Fear of failure stalls SME system upgrades, but resellers can calm concerns and build confidence
-
Anthropic CEO Dario Amodei's prediction about AI in software development is nowhere nearly to becoming a realityNews In March, Anthropic CEO Dario Amodei claimed up to 90% of code would be written by AI within six months – his prediction hasn't quite come to fruition.
-
Is the honeymoon period over for Microsoft and OpenAI? Strained relations and deals with competitors spell trouble for the partnership that transformed the AI industryAnalysis Microsoft and OpenAI are slowly drifting apart as both forge closer ties with respective rivals and reevaluate their long-running partnership.
-
Box reveals new AI capabilities at BoxWorks 2025News Extract and Automate will help businesses make better use of their data, the cloud company claims
-
Large enterprises could be wavering on AI adoptionNews AI adoption rates have dipped, but it's probably nothing to worry about for IT leaders
-
Businesses are being taken for fools with AI agentsOpinion AI agents are still not very good at their 'jobs', or at least pretty terrible at producing returns on investment – yet businesses are still buying into the hype.
-
Google boasts that a single Gemini prompt uses roughly the same energy as a basic search – but that’s not painting the full pictureNews Google might claim that a single Gemini AI prompt consumes the same amount of energy as a basic search, but it's failing to paint the full picture on AI's environmental impact.
-
Mistral AI wants businesses to make new memories with Le ChatNews The company hopes new functionality and Connection Partners will broaden business appeal
-
Salesforce CEO Marc Benioff says the company has cut 4,000 customer support staff for AI agents so farNews The jury may still be out on whether generative AI is going to cause widespread job losses, but the impact of the technology is already being felt at Salesforce.
