The Commonplace

AI-powered worms can use stolen compute on infected machines to run open large language models and craft target-specific attacks, potentially lowering marginal infection costs to nearly zero; the approach circumvents centralized platform safety controls and could create an asymmetric advantage for attackers unless defenses and governance adapt.

AI Agents Enable Adaptive Computer Worms
Jonas Guan, Tom Blanchard, Hanna Foerster, Hengrui Jia, Gabriel Huang, Nicolas Papernot · June 02, 2026
Source: arXiv · Paper type: descriptive · Evidence strength: low · Relevance: 7/10 · Source PDF
The paper demonstrates a proof-of-concept AI-powered worm that runs open-weight LLMs on compromised machines to synthesize tailored attacks, arguing this enables near-zero marginal-cost propagation and undermines centralized AI safety controls.

A computer worm is malware that spreads on a network by replicating itself from one machine to another. Traditional worms, like WannaCry, exploited predetermined vulnerabilities, and their spread can be halted by patching those vulnerabilities. Here we show that artificial intelligence (AI) agents enable a fundamentally new threat: a worm that generates tailored attack strategies to each target it encounters. The worm parasitically uses compromised machines to run open-weight large language models (LLMs) to sustain its reasoning, or extend its reach for further attacks. Deployed on a network of machines spanning Linux, Windows, and IoT (Internet of Things) devices, the worm propagated by exploiting common, real-world corporate network vulnerabilities. Since the worm is powered by stolen compute, the attacker's marginal cost per new infection is zero. This creates a destabilizing economic asymmetry between attackers and defenders. Moreover, because the worm requires no commercial AI platform, centralized safety controls, such as service refusals or rate limiting, are structurally irrelevant. Our results demonstrate that self-sustaining AI-driven cyber-threats are no longer theoretical. We must prepare for autonomous generative adversaries: malware systems that propagate without human operators and are defined not by fixed exploit code, but by the capacity to reason about targets, adapt to observations, and synthesize attack logic in real time.

Summary

Main Finding

AI agents running locally on compromised machines can enable a new class of self-replicating malware: an adaptive, generative "AI-driven worm" that synthesizes target-specific attack strategies at runtime, parasitically uses stolen compute (GPUs) to host reasoning models, and thereby achieves propagation dynamics that combine worm-like scale with adaptive, per-target exploitation. The authors demonstrate this capability in a contained proof-of-concept: the system propagated across a heterogeneous simulated corporate network using only an open-weight single‑GPU LLM (no vendor APIs), and did so at a scale and depth that raise meaningful economic and defensive concerns.

Key Points

  • New threat class: contrasts traditional fixed-exploit worms (finite, patchable attack surface) with worms that generate bespoke attack logic at runtime using generative models and agentic orchestration.
  • Architecture (high level): a tiered agentic harness around a locally hosted LLM, with modules for reasoning, memory/context management, tooling (to interact with hosts), and multi-agent coordination. Compromised GPU hosts become distributed reasoning nodes that serve lower‑capability devices.
  • Empirical demonstration: in contained experiments the proof-of-concept autonomously:
    • identified and reasoned about many real-world vulnerabilities,
    • escalated access and staged replication,
    • propagated across diverse host types (Linux, Windows, IoT).
  • Quantitative outcomes (reported in the paper): across 15 independent runs on an isolated 33-host network (7 days autonomous per run) the worm on average
    • identified ≈31.3 (±1.7) vulnerabilities,
    • exploited ≈23.1 (±3.9) hosts to elevated access,
    • replicated to ≈20.4 (±3.2) hosts (mean replication depth ≈5.1 generations, max 7).
    • aggregate success rates reported: ~73.8% of hosts had successful exploitation attempts; ~61.8% saw replication.
  • Fresh-information use: the agent could ingest publicly available advisories at runtime and act on vulnerabilities disclosed after the model’s training cutoff, showing capability to convert new disclosures into exploit attempts without those exploits being encoded in the base weights.
  • Economic asymmetry: because reasoning and replication can run on compromised compute, the attacker’s marginal cost per additional victim is effectively zero; the design also sidesteps centralized vendor controls (no dependence on commercial APIs), weakening mitigation levers that rely on central providers.
  • Dual-use & mitigations: authors explicitly treat the work as dual-use, redacting operational details, running experiments in strict containment, restricting access to code, and documenting containment/ethics steps.

Data & Methods

  • Experimental setting (high level): an isolated virtual corporate network of 33 heterogeneous hosts (representative Linux servers, Windows machines, IoT/ICS devices), seeded with common, realistic vulnerabilities. Experiments ran fully autonomously in hypervisor‑enforced containment.
  • Model & compute: a locally hosted open‑weight single‑GPU large language model formed the reasoning core (no commercial model APIs used). When the worm compromised GPU-capable hosts it deployed local model instances to serve downstream agents.
  • Agentic harness (conceptual): the system structures attack effort into phases (reconnaissance, initial access, privilege escalation, replication) and composes multiple specialized LLM invocations, supported by hierarchical memory, tool handlers, and inter-agent communication to overcome limitations of smaller models (e.g., context window, brittle code generation).
  • Evaluation protocol: 15 independent runs, each run allowed 7 days of autonomous operation; metrics tracked included vulnerabilities identified, host-level exploit/elevation outcomes, replication counts, and propagation depth.
  • Safety and ethics: the authors withheld sensitive implementation details, omitted evasive capabilities from the proof-of-concept, and performed experiments inside contained infrastructure with institutional oversight. Access to the implementation is restricted and subject to vetting.

Implications for AI Economics

  • Marginal-cost collapse for attackers: by leveraging compromised compute to run reasoning models, attackers can reduce marginal cost per compromised host toward zero while maintaining the ability to produce target-specific attacks. This changes the economics that historically separated expensive, tailored attacks from cheap, high-scale worms.
  • Increased returns to scale for adversaries: each new compromise can simultaneously be a replication vector and an incremental compute node (for further reasoning), producing positive feedback that amplifies scale and reduces per-target attacker cost—favoring adversaries with modest initial investment.
  • Value shifts in cybersecurity markets:
    • Defensive spending likely rises: organizations may increase expenditure on detection, rapid patching, isolation (zero-trust), segmentation, and incident response capabilities to counter a higher baseline of automated adaptive attacks.
    • New product/service demand: markets may grow for real‑time patch orchestration, distributed runtime integrity monitoring, on‑premise model‑execution monitoring, and GPU‑usage auditing tools.
    • Insurance and liability: cyber-insurers will need to reassess risk models and premiums given faster, automated exploitation that can outpace traditional patch cycles; liability regimes may shift toward vendors, cloud providers, or organizations that host vulnerable compute.
  • Effect on compute markets and incentives: compromised hosts providing GPU compute alters the incentives around securing hardware and controlling access to local model execution. It may increase demand for hardware-level protections, attestation, and monitoring services, and could influence pricing/rental markets for GPU compute.
  • Diminished effectiveness of centralized controls: reliance on open-weight local models and in-network reasoning nodes reduces the efficacy of mitigations that depend on centralized model providers (e.g., API refusal, content filtering), raising policy questions about distribution of model weights and access controls.
  • Policy and public-good considerations:
    • Externalities justify coordinated, possibly regulatory responses (standards for safe testing, disclosure practices, mandatory logging/auditing of model execution on shared infrastructure).
    • Investment in community defensive public goods (secure testbeds, red-team exercises, rapid advisory-to-patch pipelines) may produce high social returns.
  • Research priorities for economics of AI & cybersecurity:
    • Formalize attacker–defender games where attackers internalize low marginal costs and defenders face patching/operational frictions.
    • Quantify cost-effectiveness of defenses (segmentation, rapid patching, GPU attestation) under automated adaptive adversaries.
    • Model externalities and optimal policy interventions (liability, disclosure timing, controls on weight distribution) to align incentives and reduce systemic risk.
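The defensive products the list above anticipates (on‑premise model‑execution monitoring, GPU‑usage auditing) reduce to host telemetry rules. The following is an added illustration, not code from the paper or its authors: a small triage routine that flags processes holding large GPU allocations outside an allowlist, GPU-holding processes that open a listener while the host fans out to many new internal peers, and unsigned GPU binaries. Every host name, process name, threshold and allowlist entry is a constructed assumption, and the telemetry snapshots are fabricated for the example.

```python
"""Rule-based triage for unexpected local model execution on endpoints.

Added illustration, not code from the paper: every host name, process name,
threshold and allowlist entry below is a constructed assumption.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed allowlist of binaries expected to hold large GPU allocations here.
GPU_ALLOWLIST = {"render-farm", "ml-train", "Xorg"}
GPU_MEM_THRESHOLD_MB = 2048   # assumed: below this a resident model is unlikely
FANOUT_THRESHOLD = 8          # assumed: new internal peers per collection interval


@dataclass
class ProcSample:
    name: str
    gpu_mem_mb: int = 0
    listening_ports: Tuple[int, ...] = ()
    signed: bool = True


@dataclass
class HostSample:
    host: str
    procs: List[ProcSample] = field(default_factory=list)
    new_internal_peers: int = 0   # distinct internal hosts first contacted this interval


def evaluate_host(sample: HostSample) -> List[Tuple[str, str]]:
    """Return (rule, process) findings for one host snapshot."""
    findings = []
    for p in sample.procs:
        if p.gpu_mem_mb < GPU_MEM_THRESHOLD_MB:
            continue  # small allocations (browsers, compositors) are ignored
        if p.name not in GPU_ALLOWLIST:
            findings.append(("unexpected-gpu-tenant", p.name))
        # A GPU-holding process that starts listening while the host fans out
        # to many new internal peers resembles a reasoning node serving others.
        if p.listening_ports and sample.new_internal_peers >= FANOUT_THRESHOLD:
            findings.append(("model-server-with-lateral-fanout", p.name))
        if not p.signed:
            findings.append(("unsigned-gpu-binary", p.name))
    return findings


def triage(samples: List[HostSample]) -> List[Tuple[str, List[Tuple[str, str]]]]:
    """Hosts with at least one finding, most findings first."""
    scored = [(s.host, evaluate_host(s)) for s in samples]
    hits = [(host, f) for host, f in scored if f]
    return sorted(hits, key=lambda hf: -len(hf[1]))


# Constructed telemetry snapshots (not real hosts).
SAMPLES = [
    HostSample("render-01", [ProcSample("render-farm", 6144)], 1),
    HostSample("ws-14", [ProcSample("chrome", 300),
                         ProcSample("svc-update", 5100, (8000,), signed=False)], 14),
    HostSample("ml-03", [ProcSample("ml-train", 9000, (8080,))], 2),
    HostSample("iot-gw-02", [ProcSample("python3", 2300)], 9),
]

if __name__ == "__main__":
    for host, findings in triage(SAMPLES):
        print(host, findings)
```

The rules are deliberately conjunctive where a single signal is ambiguous: a GPU-heavy allowlisted trainer that listens on a port is normal, but the same process on a host that has just contacted many new internal peers is worth a look. Thresholds would be tuned per fleet from a baseline of legitimate GPU tenants.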

Overall, the paper argues that readily available generative models plus modest orchestration can alter the cost structure and scalability of cyber-offense; that shift should be incorporated into economic models of cyber risk, cyber insurance, and policy design, and motivates investment in defensive technologies and governance frameworks that address distributed, compute‑parasitic adversaries.
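To make the cost-structure argument concrete, here is an added toy model (not the paper's model and not its authors' code) that contrasts the two ways an adaptive worm could pay for its reasoning: a metered regime that pays per attempt, and a parasitic regime that pays a one-off fixed cost and then gains reasoning capacity from every compromised GPU host. It is a deterministic expected-value branching process over a finite target set; the 33 targets and 7 generations echo the summary's setting, while the cost figures, capacities, success probability and GPU fraction are constructed assumptions.

```python
"""Toy expected-value propagation model for the attacker cost structures the
summary contrasts: metered reasoning (paid per attempt) versus reasoning on
compromised compute (paid once, then free and growing).

Added illustration, not the paper's model; every parameter is an assumption.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Regime:
    name: str
    fixed_cost: float             # one-off spend before the first attempt
    cost_per_attempt: float       # metered reasoning cost per exploitation attempt
    own_capacity: float           # attempts per generation from attacker-owned compute
    capacity_per_gpu_host: float  # extra attempts/generation per compromised GPU host


@dataclass
class Outcome:
    regime: str
    rows: List[Tuple[int, float, float, float, float]]  # gen, attempts, successes, spend, capacity
    compromised: float
    spent: float

    @property
    def average_cost(self) -> float:
        return self.spent / self.compromised if self.compromised else float("inf")

    @property
    def marginal_cost(self) -> float:
        """Spend added in the last generation divided by hosts gained in it."""
        if len(self.rows) < 2:
            return self.average_cost
        gained = self.rows[-1][2]
        added_spend = self.rows[-1][3] - self.rows[-2][3]
        return added_spend / gained if gained else float("inf")


def simulate(regime: Regime, targets: int = 33, gpu_fraction: float = 0.3,
             p_success: float = 0.7, max_generations: int = 7) -> Outcome:
    """Deterministic expected-value branching process over a finite target set.

    Assumed parameters: 33 targets and 7 generations echo the summary's setting;
    gpu_fraction and p_success are constructed round numbers.
    """
    remaining = float(targets)
    compromised = 0.0
    capacity = regime.own_capacity
    spent = regime.fixed_cost
    rows = []
    for gen in range(1, max_generations + 1):
        attempts = min(capacity, remaining)
        if attempts <= 0:
            break
        successes = attempts * p_success
        spent += attempts * regime.cost_per_attempt
        compromised += successes
        remaining -= successes
        # Parasitic regime: each compromised GPU host adds reasoning capacity.
        capacity += successes * gpu_fraction * regime.capacity_per_gpu_host
        rows.append((gen, attempts, successes, spent, capacity))
    return Outcome(regime.name, rows, compromised, spent)


METERED = Regime("metered-api", fixed_cost=0.0, cost_per_attempt=5.0,
                 own_capacity=4.0, capacity_per_gpu_host=0.0)
PARASITIC = Regime("stolen-compute", fixed_cost=200.0, cost_per_attempt=0.0,
                   own_capacity=4.0, capacity_per_gpu_host=4.0)

if __name__ == "__main__":
    for regime in (METERED, PARASITIC):
        out = simulate(regime)
        print(f"{out.regime}: {out.compromised:.1f} hosts, "
              f"avg {out.average_cost:.2f}, marginal {out.marginal_cost:.2f}")
```

Under these assumptions the metered regime has a constant marginal cost (cost per attempt divided by success probability) and saturates at its fixed capacity, while the parasitic regime's marginal cost is zero after the one-off spend and its capacity compounds with each generation, so it covers far more of the target set within the same number of generations. The positive feedback from compromised GPU hosts is the "returns to scale" mechanism described above; changing gpu_fraction or capacity_per_gpu_host shows how much that feedback depends on the share of GPU-capable hosts.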

Assessment

Paper type: descriptive
Evidence strength: low — The paper presents a technical proof-of-concept and qualitative argument about economic asymmetries rather than systematic, causal empirical evidence: deployment appears limited to controlled experiments (scale and sampling not reported), there is no randomized or quasi-experimental design, no counterfactual or measured defender cost data, and economic claims are speculative without formal modeling or robust empirical validation.
Methods rigor: medium — Engineering demonstration across heterogeneous targets (Linux, Windows, IoT) and use of open-weight LLMs show technical feasibility, but the paper lacks detailed, reproducible quantitative metrics (scale, success rates, timelines), systematic sensitivity analyses, threat-detection/defender response experiments, and transparent ethical/safety controls, limiting assessment of robustness and repeatability.
Sample: Proof-of-concept deployment on a network of compromised machines spanning Linux, Windows, and IoT devices; used stolen compute on those machines to run open-weight large language models and generate target-specific exploits; exploited common corporate-network vulnerabilities — exact number of hosts, network topology, and whether the environment was lab-simulated or real corporate infrastructure are not specified.
Themes: governance, innovation
Generalizability:
  • Demonstration likely in a controlled or limited testbed rather than diverse, real-world corporate networks
  • Relies on presence of specific unpatched/common vulnerabilities and availability of open-weight LLMs on compromised machines
  • Ignores or understates heterogeneity in defensive measures (firewalls, segmentation, IDS/IPS, patching cadence) across organizations
  • Assumes the attacker can sustain stolen compute without detection — may not hold when defenders have monitoring and response capabilities
  • Economic conclusions depend on cost assumptions (marginal cost ~0) that may vary with scale, forensics, and legal/operational risks

Claims (8)

Columns: Claim · Theme · Direction · Confidence · Outcome · Details

  • Claim: Artificial intelligence (AI) agents enable a fundamentally new threat: a worm that generates tailored attack strategies to each target it encounters. · Theme: AI Safety And Ethics · Direction: negative · Confidence: high · Outcome: ability of worm to generate tailored attack strategies · Details: 0.18
  • Claim: The worm parasitically uses compromised machines to run open-weight large language models (LLMs) to sustain its reasoning, or extend its reach for further attacks. · Theme: AI Safety And Ethics · Direction: negative · Confidence: high · Outcome: use of compromised hosts to run LLMs · Details: 0.18
  • Claim: Deployed on a network of machines spanning Linux, Windows, and IoT devices, the worm propagated by exploiting common, real-world corporate network vulnerabilities. · Theme: AI Safety And Ethics · Direction: negative · Confidence: high · Outcome: propagation across heterogeneous devices by exploiting common vulnerabilities · Details: 0.18
  • Claim: Since the worm is powered by stolen compute, the attacker's marginal cost per new infection is zero. · Theme: AI Safety And Ethics · Direction: negative · Confidence: high · Outcome: marginal cost per new infection · Details: marginal cost per new infection is zero; 0.03
  • Claim: This creates a destabilizing economic asymmetry between attackers and defenders. · Theme: AI Safety And Ethics · Direction: negative · Confidence: high · Outcome: economic asymmetry between attackers and defenders · Details: 0.03
  • Claim: Because the worm requires no commercial AI platform, centralized safety controls, such as service refusals or rate limiting, are structurally irrelevant. · Theme: AI Safety And Ethics · Direction: negative · Confidence: high · Outcome: effectiveness/relevance of centralized safety controls (service refusals, rate limiting) · Details: 0.03
  • Claim: Our results demonstrate that self-sustaining AI-driven cyber-threats are no longer theoretical. · Theme: AI Safety And Ethics · Direction: negative · Confidence: high · Outcome: existence/feasibility of self-sustaining AI-driven cyber-threats · Details: 0.18
  • Claim: We must prepare for autonomous generative adversaries: malware systems that propagate without human operators and are defined by the capacity to reason about targets, adapt to observations, and synthesize attack logic in real time. · Theme: Governance And Regulation · Direction: negative · Confidence: high · Outcome: need for preparedness for autonomous generative adversaries (policy recommendation) · Details: 0.03
