This DeepSeek-powered pen testing tool could be a Cobalt Strike successor – and hackers have downloaded it 10,000 times since July
‘Villager’ is a China-developed tool that can dynamically adapt attacks to breach the domains and devices of victims
Hackers are deploying a new AI-native penetration testing tool for sophisticated attacks in an industry first, according to new research.
Cybersecurity firm Straiker has warned that ‘Villager’, a tool developed by a China-based red team project known as Cyberspike, is already being used to automate attacks under the guise of penetration testing.
Villager leverages the Kali Linux toolsets and DeepSeek v3 to automate attacks, and is easily accessible via the official Python Package Index (PyPI).
Based on user prompts it can exploit vulnerabilities in a given domain, launch attacks using multiple tools to ensure a victim is breached, and establish persistence for attackers in compromised systems.
“The framework's most dangerous innovation lies not in any single capability, but in how it seamlessly integrates multiple attack vectors through intelligent task orchestration,” wrote Dan Regalado, principal AI security researcher at Straiker, and Amanda Rousseau, member of technical staff at Straiker.
“By combining containerized Kali environments, browser automation, direct code execution, and a 4,201-prompts vulnerability database, all coordinated by AI decision-making, the framework dramatically lowers the technical barrier for conducting complex attacks.”
Researchers at Straiker compared Villager to Cobalt Strike, a legitimate penetration testing tool that has been widely used by hackers for illegitimate purposes.
In March, Fortra and Microsoft announced an “aggressive campaign” against hackers using Cobalt Strike across over 200 malicious domains. Malicious use of the tool on a daily basis dropped 80% as a result.
Villager pen testing tool is a step above Cobalt Strike
Unlike the scripted attacks possible via Cobalt Strike, the AI-powered Villager is capable of complex attacks based on natural language prompts.
For example, researchers noted that when Villager detects a victim’s domain using WordPress, it will launch an attack using the WordPress vulnerability scanner WPScan, for which it creates a custom Kali container.
If an API endpoint is detected, on the other hand, Villager may use browser automation to attempt a breach through a victim’s authentication workflow.
Each successful step is verified by the tool, which can dynamically adapt its vector depending on the context of the attack. Similarly, each Kali Linux container Villager creates, which can contain a range of cybersecurity tools, has built-in mechanisms to wipe themselves after 24 hours to prevent detection.
The tools’s command and control (C2) system, accessed via its Python-based FastAPI connection, ensures each attack is broken into manageable subtasks that are handled by its AI model.
Outputs are standardized using the data validation library Pydantic, researchers added. This ensures each decision Villager makes is reliable and follows on from its previous steps.
All of this points to an organic, sophisticated methodology that opens the door to more attacks from inexperienced attackers, researchers warned. Since it was published on PyPI in July 2025, Villager has been downloaded more than 10,000 times.
The authors at Straiker warned the tool could lead to more automated attacks by hackers using off the shelf tools. They also cautioned that attacks of this kind could speed up the rate at which attackers can discover new vulnerabilities and exploit them, shrinking the detection and response window for cybersecurity teams.
Straiker tracked Cyberspike as having first appeared on a domain established in November 2023, by the supposed AI firm Changchun Anshanyuan Technology Co.
The authors wrote that no evidence of such a company exists on Chinese social media, though archived pages show it sold Cyberspike as a remote administration tool (RAT) in 2023.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- Hackers are duping developers with malware-laden coding challenges
- Anthropic admits hackers have 'weaponized' its tools
- Hackers are using AI to dissect threat intelligence reports and ‘vibe code’ malware
-
Concerns are mounting over the cognitive impact of AI as workers report experiencing ‘brain fry’ – and it’s causing "increased employee errors, decision fatigue, and intention to quit"News Research from Boston Consulting Group backs earlier studies in highlighting the negative cognitive impact of AI at work
-
If you thought RTO battles were bad, wait until AI mandates start taking hold across the industryOpinion Forcing workers to adopt AI under the threat of poor performance reviews and losing out on promotions will only create friction
-
Sam Altman just said what everyone is thinking about AI layoffsNews AI layoff claims are overblown and increasingly used as an excuse for “traditional drivers” when implementing job cuts
-
Google says hacker groups are using Gemini to augment attacks – and companies are even ‘stealing’ its modelsNews Google Threat Intelligence Group has shut down repeated attempts to misuse the Gemini model family
-
Why Anthropic sent software stocks into freefallNews Anthropic's sector-specific plugins for Claude Cowork have investors worried about disruption to software and services companies
-
B2B Tech Future Focus - 2026Whitepaper Advice, insight, and trends for modern B2B IT leaders
-
What the UK's new Centre for AI Measurement means for the future of the industryNews The project, led by the National Physical Laboratory, aims to accelerate the development of secure, transparent, and trustworthy AI technologies
-
Half of agentic AI projects are still stuck at the pilot stage – but that’s not stopping enterprises from ramping up investmentNews Organizations are stymied by issues with security, privacy, and compliance, as well as the technical challenges of managing agents at scale
