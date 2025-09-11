The rise of WormGPT in 2023 showed how quickly large language models (LLMs) could be stripped of safety filters and repurposed for cybercrime. That early jailbreak wasn’t expected at the time, but it proved that demand existed for AI designed to serve attackers.
Now, two years later, the underground market has become more sophisticated, so much so that platforms like Xanthorox AI are now being sold like legitimate SaaS, complete with subscription tiers, modular agents, and Telegram-based customer support.
Radware’s new report, The Internet of Agents: The Next Threat Surface, shows how this new agentic anomaly is transforming the criminal ecosystem as well as how it puts enterprises at risk.
Key Takeaways
- WormGPT opened the door for criminal AI, but Xanthorox has turned it into a full-fledged SaaS model.
- Radware’s research shows Xanthorox can generate ransomware, DLL injectors, and phishing kits on demand.
- Subscription tiers for Xanthorox prove that criminals are paying for enterprise-grade offensive AI.
- Business protocols like MCP and A2A expand efficiency but also create new attack surfaces.
- Radware recommends six safeguards, from red-teaming to AI-powered defenses, to contain these threats.
Xanthorox: From Chatbots to Black-Hat Ecosystems
Radware describes Xanthorox as the successor to WormGPT and “killer of WormGPT and EvilGPT.”
Xanthorox markets itself as an “ethical hacking tool,” but, per Radware, it is promoted in darkweb forums as a one-stop offensive platform. It integrates reasoning, coding, vision, and search, allowing it to generate malware, phishing kits, and exploits on demand.
Unlike earlier bots that were simple jailbreaks of GPT, the report says that Xanthorox is modular and self-hosted and built to avoid reliance on ChatGPT or Anthropic APIs. The platform runs multiple specialized models, like a coder that writes exploits and ransomware, a vision module that analyzes stolen screenshots, and a reasoning engine that validates outputs.
The report includes demonstrations of how a user can use this tool to gather malicious responses, such as how to make a nuclear weapon and how to generate ransomware codes.
In one case, Xanthorox AI produced a complete DLL injection program in C++ with hidden functions to evade detection.
In another instance, it generated “XenWare,” a ransomware strain that features AES-256 encryption, RSA key wrapping, and Telegram integration for exfiltration.
Subscription to Xanthorox AI, according to Radware findings, comes in tiers, with each having different layers of capabilities.
- Telegram bot access starts at $200 per month
- The web app version costs $300
- A premium “Xen Package” offers custom models and lifetime support
Radware reveals that they found at least 13 confirmed subscriptions, which shows that criminals are willing to pay for professional-grade AI services.
When Enterprise Protocols Become Attack Surfaces
The same protocols that make AI agents useful in business are also opening doors for attackers, according to the Radware research team. One critical risk for enterprises, they note, is what they tagged as the Model Context Protocol (MCP), which is promoted as “USB-C for AI agents.”
MCP was designed as a “universal plug that enables an LLM to connect with external tools, data sources, and other systems in a standardized manner,” Radware wrote. That simplicity is what makes it attractive for enterprises, yet it also extends the attack surface.
However, the researchers warn that when an MCP server is poisoned, it can quietly deliver malicious data, execute hidden commands, or slip in backdoor instructions each time the agent calls the tool. They also note that thousands of MCP servers have already been deployed in the open, and scans have found many misconfigured and dozens carrying flaws that allow remote code execution.
Another layer of risk for enterprise agentic AI adoption, as reported by Radware, is Agent-to-Agent (A2A) networks. This creates what the researchers call “Internet of Agents,” as it allows agents to collaborate across vendors and systems.
This level of agentic communication makes it possible to pass tasks between agents, often with no human monitoring. The design, as the researchers put it, is efficient, but also builds fragile chains of trust.
They wrote:
“The nature of A2A’s peer-to-peer communication architecture introduces a new layer of trust ambiguity and complexity.”
The researchers went on to explain that once a single agent is compromised, poisoned instructions can ripple across the network, redirect operations, corrupt outcomes, or hand off hidden objectives that spread laterally.
Radware warns that this combination of MCP and A2A takes familiar risks like supply chain compromise and amplifies them at machine-like speed.
Six Safeguards for Agentic AI Deployments
Radware outlines six measures that can help organizations manage the risks that come with agent-based AI systems:
- Treat language models and AI agents as high-privilege accounts that require the same restrictions and oversight as administrators.
- Build red-teaming and prompt testing into development cycles so hidden instructions or poisoned tools are uncovered before deployment.
- View MCP and A2A as security-critical components, not just productivity aids, since they open new points of compromise.
- Track the growth of criminal AI ecosystems such as Xanthorox, which demonstrate how quickly tools can shift into threats.
- Adopt detection, sandboxing, and behavioral monitoring to spot and contain abnormal actions by autonomous agents.
- Recognize that countering AI-driven adversaries requires AI-enabled defenses, capable of scanning and responding at machine speed.
The Bottom Line
Radware’s findings show that Xanthorox AI is more than just the next WormGPT. It is a sign that criminal AI is evolving into a professionalized, subscription-driven ecosystem. The same agentic principles now embedded in enterprise software are being mirrored in offensive platforms.
Organizations that continue to roll out artificial intelligence (AI) without integrating some of the guardrails raised above may risk falling into the ugly hands of adversaries who are already exploiting the gaps.
FAQs
Xanthorox is modular, self-hosted, and built to automate entire attack chains, not just text generation.
Because poisoned MCP servers can slip in hidden commands, turning trusted tools into attack vectors.
It allows compromised agents to pass malicious instructions laterally across networks without human oversight.
They can adopt strict controls, embed red-teaming, monitor dark AI ecosystems, and use AI-driven detection tools.