
WormGPT: the malicious chatbot slithering across the cyber security landscape

ChatGPT has revolutionised interactive dialogue generation, but a darker side has emerged with the arrival of WormGPT, the malicious AI-driven tool developed by EleutherAI.

WormGPT, based on the 2021 GPT-J large language model, is a specialised variant designed for malicious purposes. Unlike its acclaimed counterpart, this variation lacks guardrails to prevent unlawful or malicious usage, making it a destructive weapon in the hands of adversaries.

Trained on datasets related to malware, this offensive tool offers unlimited character support, chat memory retention, and code formatting, amplifying its potential for harm.

Attackers are primarily using WormGPT for phishing campaigns, particularly Business Email Compromise (BEC) attacks.

WormGPT enables the generation of convincing and personalised emails, aiding in deceiving targets into disclosing sensitive information or sending money. It is particularly advantageous for threat actors whose primary language is not English, as it enhances the authenticity of their emails, making them appear more convincing to recipients.

It can also be employed for spear phishing and social engineering attacks, allowing attackers to tailor deceptive messages to specific individuals or organisations.

Additionally, WormGPT's versatility makes it useful for developing customised malware and carrying out various forms of email-based scams and credential harvesting.

One of the most concerning aspects of WormGPT is its ability to speed up the kill chain - the series of stages a cybercriminal goes through to execute an attack. By leveraging WormGPT, hackers can automate the generation of personalised, deceptive emails. This accelerates the reconnaissance and weaponisation phases of an attack, allowing adversaries to conduct malicious activities much more quickly than before.

WormGPT also empowers individuals with limited expertise to execute intricate attacks, thereby intensifying the risk and broadening the scope of the threat landscape.

Remediation & Mitigation

Understanding the risks, capabilities and behavior of this offensive tool helps develop effective defensive strategies.

Steps to mitigate the risks include monitoring email patterns, identifying suspicious language, and employing AI-based anomaly detection.

Robust email verification measures are also vital in countering malicious activities. This involves implementing automatic alerts for impersonation attempts, verifying sender identities, and employing domain-based authentication mechanisms like DKIM, SPF, and DMARC.
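The checks described above, as an added Python example (not part of the original post): it reads the SPF, DKIM and DMARC verdicts that the receiving mail gateway recorded in the Authentication-Results header, then raises alerts for display-name impersonation and a Reply-To domain that differs from the sender's. The domain example.org, the gateway name mx.example.org, the protected names and the sample message are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example (hypothetical values, not from the post).
ORG_DOMAIN = "example.org"             # the organisation's own mail domain
TRUSTED_AUTHSERV = "mx.example.org"    # gateway whose verdicts we trust
PROTECTED_NAMES = {"jane smith", "sam patel"}  # staff often impersonated

# Constructed sample message, not a real email.
SAMPLE = """\
Authentication-Results: mx.example.org; spf=softfail smtp.mailfrom=mail.example.net; dkim=none; dmarc=fail header.from=example.net
From: "Jane Smith" <jane.smith@example.net>
Reply-To: accounts@example.com
To: finance@example.org
Subject: Urgent payment

Please process the attached invoice today.
"""

def auth_results(msg):
    """Return the spf/dkim/dmarc verdicts stamped by our own gateway."""
    results = {}
    for header in msg.get_all("Authentication-Results") or []:
        authserv, _, rest = header.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # a sender can forge this header, so ignore foreign ones
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest.lower()):
            results.setdefault(mech, verdict)
    return {m: results.get(m, "missing") for m in ("spf", "dkim", "dmarc")}

def domain_of(header_value):
    """Domain part of the address in a From or Reply-To header ('' if none)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def bec_alerts(raw):
    """List the reasons this message should be flagged for review."""
    msg = message_from_string(raw)
    alerts = [f"{m}={v}" for m, v in auth_results(msg).items() if v != "pass"]
    name, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From"))
    if name.strip().lower() in PROTECTED_NAMES and from_domain != ORG_DOMAIN:
        alerts.append("display-name impersonation")
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        alerts.append("reply-to domain mismatch")
    return alerts
```

Well-written text does not change any of these signals, which is why they remain useful against AI-generated phishing: the checks depend on where the message came from, not on how it reads.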

Additionally, regular security awareness training plays a crucial role in enhancing defenses, by increasing awareness and empowering individuals to identify and report suspicious emails.

If you would like to upskill your employees on the risks and threats that exist in the online world, we offer security awareness training as an affordable service to businesses. Contact us if you're interested in this service.



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.
