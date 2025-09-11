SUGGESTED SEARCHES
A digital matrix of blue and orange lights forms an endless tunnel, symbolizing data flow and technology

The rise of WormGPT in 2023 showed how quickly large language models (LLMs) could be stripped of safety filters and repurposed for cybercrime. That early jailbreak wasn’t expected at the time, but it proved that demand existed for AI designed to serve attackers.

Now, two years later, the underground market has become more sophisticated, so much so that platforms like Xanthorox AI are now being sold like legitimate SaaS, complete with subscription tiers, modular agents, and Telegram-based customer support. 

Radware’s new report, The Internet of Agents: The Next Threat Surface, shows how this new agentic anomaly is transforming the criminal ecosystem as well as how it puts enterprises at risk.

Key Takeaways

  • WormGPT opened the door for criminal AI, but Xanthorox has turned it into a full-fledged SaaS model.
  • Radware’s research shows Xanthorox can generate ransomware, DLL injectors, and phishing kits on demand.
  • Subscription tiers for Xanthorox prove that criminals are paying for enterprise-grade offensive AI.
  • Business protocols like MCP and A2A expand efficiency but also create new attack surfaces.
  • Radware recommends six safeguards, from red-teaming to AI-powered defenses, to contain these threats.

Xanthorox: From Chatbots to Black-Hat Ecosystems

Radware describes Xanthorox as the successor to WormGPT and  “killer of WormGPT and EvilGPT.” 

Xanthorox markets itself as an “ethical hacking tool,” but, per Radware, it is promoted in darkweb forums as a one-stop offensive platform. It integrates reasoning, coding, vision, and search, allowing it to generate malware, phishing kits, and exploits on demand. 

Unlike earlier bots that were simple jailbreaks of GPT, the report says that Xanthorox is modular and self-hosted and built to avoid reliance on ChatGPT or Anthropic APIs. The platform runs multiple specialized models, like a coder that writes exploits and ransomware, a vision module that analyzes stolen screenshots, and a reasoning engine that validates outputs.

The report includes demonstrations of how a user can use this tool to gather malicious responses, such as how to make a nuclear weapon and how to generate ransomware codes

A dark-themed screenshot shows a chat window with the user "xanthoroxv4:latest" discussing steps to make a nuclear weapon in a basement. The conversation includes instructions on acquiring fissile material, choosing a design, and preparing the fissile material
Xanthorox on how to make a nuclear weapon. Source: Radware

In one case, Xanthorox AI produced a complete DLL injection program in C++ with hidden functions to evade detection. 

In another instance, it generated “XenWare,” a ransomware strain that features AES-256 encryption, RSA key wrapping, and Telegram integration for exfiltration.

Dark interface showing code for a C++ injector with custom sleep routine and DLL mapping. The code aims to inject a DLL into a target process
XenWare writing code for advanced ransomware. Source: Radware

Subscription to Xanthorox AI, according to Radware findings, comes in tiers, with each having different layers of capabilities. 

  • Telegram bot access starts at $200 per month
  • The web app version costs $300
  • A premium “Xen Package” offers custom models and lifetime support

Radware reveals that they found at least 13 confirmed subscriptions, which shows that criminals are willing to pay for professional-grade AI services.

Pricing options for Xanthorox AI are displayed in three columns: Telegram Bot ($200), Web App ($300, Best Seller), and AI Xen Package (Custom Quote). Each includes distinct features and support
Xanthorox AI deployment models, features, and pricing. Source: Radware

When Enterprise Protocols Become Attack Surfaces

The same protocols that make AI agents useful in business are also opening doors for attackers, according to the Radware research team. One critical risk for enterprises, they note, is what they tagged as the Model Context Protocol (MCP), which is promoted as “USB-C for AI agents.” 

MCP was designed as a “universal plug that enables an LLM to connect with external tools, data sources, and other systems in a standardized manner,” Radware wrote. That simplicity is what makes it attractive for enterprises, yet it also extends the attack surface. 

However, the researchers warn that when an MCP server is poisoned, it can quietly deliver malicious data, execute hidden commands, or slip in backdoor instructions each time the agent calls the tool. They also note that thousands of MCP servers have already been deployed in the open, and scans have found many misconfigured and dozens carrying flaws that allow remote code execution.

Another layer of risk for enterprise agentic AI adoption, as reported by Radware, is Agent-to-Agent (A2A) networks. This creates what the researchers call “Internet of Agents,” as it allows agents to collaborate across vendors and systems. 

This level of agentic communication makes it possible to pass tasks between agents, often with no human monitoring. The design, as the researchers put it, is efficient, but also builds fragile chains of trust. 

They wrote: 

“The nature of A2A’s peer-to-peer communication architecture introduces a new layer of trust ambiguity and complexity.”

The researchers went on to explain that once a single agent is compromised, poisoned instructions can ripple across the network, redirect operations, corrupt outcomes, or hand off hidden objectives that spread laterally. 

Radware warns that this combination of MCP and A2A takes familiar risks like supply chain compromise and amplifies them at machine-like speed.

Six Safeguards for Agentic AI Deployments

Radware outlines six measures that can help organizations manage the risks that come with agent-based AI systems:

  1. Treat language models and AI agents as high-privilege accounts that require the same restrictions and oversight as administrators.
  2. Build red-teaming and prompt testing into development cycles so hidden instructions or poisoned tools are uncovered before deployment.
  3. View MCP and A2A as security-critical components, not just productivity aids, since they open new points of compromise.
  4. Track the growth of criminal AI ecosystems such as Xanthorox, which demonstrate how quickly tools can shift into threats.
  5. Adopt detection, sandboxing, and behavioral monitoring to spot and contain abnormal actions by autonomous agents.
  6. Recognize that countering AI-driven adversaries requires AI-enabled defenses, capable of scanning and responding at machine speed.

The Bottom Line

Radware’s findings show that Xanthorox AI is more than just the next WormGPT. It is a sign that criminal AI is evolving into a professionalized, subscription-driven ecosystem. The same agentic principles now embedded in enterprise software are being mirrored in offensive platforms.

Organizations that continue to roll out artificial intelligence (AI) without integrating some of the guardrails raised above may risk falling into the ugly hands of adversaries who are already exploiting the gaps.

FAQs

What makes Xanthorox different from WormGPT?

Xanthorox is modular, self-hosted, and built to automate entire attack chains, not just text generation.

Why is MCP considered risky for enterprises?

Because poisoned MCP servers can slip in hidden commands, turning trusted tools into attack vectors.

How does A2A increase the threat?

It allows compromised agents to pass malicious instructions laterally across networks without human oversight.

What steps can organizations take to defend against these risks?

They can adopt strict controls, embed red-teaming, monitor dark AI ecosystems, and use AI-driven detection tools.

References

  1. Internet of Agents: The Next Threat Surface Report (Radware)

Franklin Okeke
Technology Journalist
Franklin Okeke is an author and tech journalist with over seven years of IT experience. Coming from a software development background, his writing spans cybersecurity, AI, cloud computing, IoT, and software development. In addition to pursuing a Master's degree in Cybersecurity & Human Factors from Bournemouth University, Franklin has two published books and four academic papers to his name. Apart from Techopedia, his writing has been featured in tech publications such as TechRepublic, The Register, Computing, TechInformed, Moonlock, and other top technology publications. When he is not reading or writing, Franklin trains at a boxing gym and plays the piano.

