Villager, a new penetration-testing tool linked to a suspicious China-based company and described by researchers as "Cobalt Strike's AI successor," has been downloaded about 10,000 times since its release in July.

The package, published on the Python Package Index (PyPI), operates as a Model Context Protocol (MCP) client and integrates multiple security tools. It includes Kali Linux, which legitimate defenders use to automate penetration testing and which ships hundreds of tools that can also be used to launch cyber attacks at scale. Villager also contains DeepSeek AI models to automate testing workflows, plus a ton of other AI components, such as a database of 4,201 AI system prompts used to generate exploits, and other mechanisms that make it difficult to detect.

"Like Cobalt Strike, it can be used for legitimate purposes but it is also ready to be used maliciously without expertise needed since it is fully automated," Dan Regalado, principal AI security researcher at Straiker, told The Register. "And we see downloads every day, not massively but consistently."

In a report published today and shared with The Register, the AI security company's Regalado and fellow researcher Amanda Rousseau said they recorded an average of 200 downloads every three days during their investigation, totaling 9,952 downloads across multiple operating systems, including Linux, macOS, and Windows.

And they traced the AI-powered pen-testing tool to a Chinese organization called Cyberspike.

Cyberspike first appeared in November 2023, when the domain cyberspike[.]top was registered under Changchun Anshanyuan Technology Co., which is listed as an AI and application software development provider.

However, the company doesn't appear to have a website or any other indications to suggest that it's a legitimate business. Plus, Changchun Anshanyuan's earlier product line called Cyberspike was uploaded to VirusTotal in December 2023.

After analyzing the binaries, Straiker discovered that the entire Cyberspike software suite was related to AsyncRAT, a remote-access trojan with capabilities including remote desktop access, Discord account compromise, keystroke logging, webcam hijacking, and other surveillance functions.

"Our analysis confirms that Cyberspike integrated AsyncRAT into its red teaming product, with additional plugins to well-known hacktools like Mimikatz as well," Regalado and Rousseau wrote. "These integrations demonstrate how Cyberspike repackaged established hacktools and offensive tools into a turnkey framework designed for penetration testing and probably malicious operations."

Regalado told The Register that no one has talked about Cyberspike previously. "We are the first ones," he said.

"The company is very suspicious because it is registered in China with a valid physical place - but we do not think there is an office there - and there is no employee information," Regalado added. "Plus their website was shut down early in 2024. All the code from Villager has words in Chinese, and the creator is also from that country. But we can see that Villager is still using the company's domain, which suggests the team is still using the infrastructure."

From capture the flag to AI-powered exploits

The Cyberspike crew released its new Villager pen-testing tool on PyPI on July 23.

The author, @stupidfish001, is a former capture the flag (CTF) player for the Chinese HSCSEC team, which is significant because these competitions in China provide a recruiting and training pipeline for skilled hackers and for Beijing's cybersecurity and intelligence agencies looking to hire them.

Villager itself includes several components for pen testing - or attacking someone's system, depending on who is using the AI framework. It uses MCP Client Service (Port 25989) for central message passing and coordination, along with a database of 4,201 AI system prompts to generate exploits and make real-time decisions. It also auto-creates isolated Kali Linux containers for network scanning, vulnerability assessment, and penetration testing.

Villager also integrates with Pydantic AI to enforce formatting rules on AI outputs, and it configures a container to have a 24-hour, self-destruct feature to wipe activity logs and forensic evidence of the software tool.
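As an added, defender-side example that is not code from the report, from Straiker, or from Villager: a small triage script that checks constructed host telemetry for the indicators the article names (the tcp/25989 MCP client service port, the Villager PyPI package, and short-lived Kali containers consistent with the 24-hour self-destruct). The event schema, host names, and sample values are assumptions.

```python
"""Triage helper for the Villager indicators named in the article (constructed example).
Assumed input schema, one dict per event from an inventory/EDR export:
  {"type": "listen",    "host", "proto": "tcp", "port", "proc"}
  {"type": "pip_pkg",   "host", "name", "version"}
  {"type": "container", "host", "image", "id", "action": "create"|"destroy", "ts": epoch secs}
"""
from collections import defaultdict

MCP_PORT = 25989                # Villager's MCP Client Service port (from the article)
PACKAGE = "villager"            # PyPI package name (from the article)
SELF_DESTRUCT_SECS = 24 * 3600  # containers are wiped after 24 hours (from the article)

def find_villager_indicators(events):
    """Return {host: [(signal, detail), ...]} for hosts showing any indicator."""
    findings = defaultdict(list)
    created = {}  # (host, container id) -> (image, create timestamp)
    for ev in events:
        host = ev["host"]
        if ev["type"] == "listen" and ev.get("proto") == "tcp" and ev["port"] == MCP_PORT:
            findings[host].append(("mcp_port", f"tcp/{MCP_PORT} listener by {ev.get('proc', '?')}"))
        elif ev["type"] == "pip_pkg" and ev["name"].lower() == PACKAGE:
            findings[host].append(("pypi_package", f"{PACKAGE} {ev.get('version', '?')} installed"))
        elif ev["type"] == "container":
            key = (host, ev["id"])
            if ev["action"] == "create":
                created[key] = (ev["image"], ev["ts"])
            elif ev["action"] == "destroy" and key in created:
                image, start = created.pop(key)
                lifetime = ev["ts"] - start
                # A Kali container torn down within 24h matches the self-destruct pattern;
                # on its own this is a weak signal (defenders run Kali containers too).
                if "kali" in image.lower() and lifetime <= SELF_DESTRUCT_SECS:
                    findings[host].append(("short_lived_kali", f"{image} lived {lifetime // 3600}h"))
    return dict(findings)

def severity(signals):
    """Port or package alone is a direct indicator; the container pattern corroborates."""
    kinds = {s for s, _ in signals}
    direct = bool({"mcp_port", "pypi_package"} & kinds)
    if direct and "short_lived_kali" in kinds:
        return "high"
    return "medium" if direct else "low"

# Constructed sample telemetry (not real data): ws-01 shows all three signals, ws-02 is benign.
SAMPLE_EVENTS = [
    {"type": "pip_pkg", "host": "ws-01", "name": "villager", "version": "x.y.z-placeholder"},
    {"type": "listen", "host": "ws-01", "proto": "tcp", "port": 25989, "proc": "python3"},
    {"type": "container", "host": "ws-01", "image": "kalilinux/kali-rolling", "id": "c1", "action": "create", "ts": 1_700_000_000},
    {"type": "container", "host": "ws-01", "image": "kalilinux/kali-rolling", "id": "c1", "action": "destroy", "ts": 1_700_086_400},
    {"type": "listen", "host": "ws-02", "proto": "tcp", "port": 8080, "proc": "nginx"},
    {"type": "pip_pkg", "host": "ws-02", "name": "requests", "version": "2.32.3"},
]

if __name__ == "__main__":
    for host, sigs in find_villager_indicators(SAMPLE_EVENTS).items():
        print(host, severity(sigs), sigs)
```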

All of this makes it very easy to use Villager to launch attacks. Aimed at a single web application, it uses AI to adjust the exploit based on what it finds. According to the report:

If WordPress is detected, Villager automatically launches WPScan within a Kali container; if an API endpoint is identified, it shifts to browser automation to probe authentication flows. The task verification system ensures each step succeeds before proceeding.

Or, it can develop a more complex, multi-tool attack chain:

Browser automation discovers client-side prototype pollution vulnerability

Direct code execution crafts specialized payloads

Kali container monitors network traffic for successful exploitation

Upon success, persistence mechanisms are deployed via OS execute

Regalado says he wants to make companies aware of this previously undocumented threat, and the speed at which attackers are adopting AI for nefarious purposes.

"Attackers are moving really fast, automating attacks with AI," he said. "Defenders should also be using AI-based products to defend at the same speed." ®