A team of researchers at the University of Toronto in Canada has assembled self-replicating malware - a worm - that is able to reason its way through networks, devising fresh attack strategies for each machine it encounters rather than relying on fixed, specific exploits.
What's more, the CleverHans Lab team, led by associate professor Nicolas Papernot, used a small, free large language model (LLM) for the worm, showing it doesn't need substantial commercial infrastructure to power it.
The worm carries a copy of an open-weight LLM sized to run on a single graphics processing unit (GPU), which the malware runs on already compromised machines.
Each newly compromised host becomes both a foothold for the malware and a source of additional compute resources.
This allows the worm to parasitically sustain itself on victim infrastructure.
Devices that cannot host the model themselves, such as low-resource Internet of Things (IoT) sensors, forward their reasoning queries to infected GPU-equipped nodes instead.
Papernot's team and researchers from the Vector Institute and the University of Cambridge tested the worm on an isolated, 33-host virtual environment with Linux servers, Windows machines and IoT devices [preprint].
These were configured with common vulnerabilities found in corporate environments, such as re-used passwords and unpatched software.
Across 15 independent seven-day runs, the worm prototype correctly identified on average 31.3 vulnerabilities per trial.
It was able to escalate access on 23.1 hosts, and propagated to 20.4 hosts, which amounted to nearly two-thirds of the test network.
Individual exploitation attempts succeeded in 44 percent of cases, with most failures caused by malformed payloads rather than a flawed attack strategy.
The worm performed worst against web application structures, Windows command environments, and tasks requiring precise string manipulation, which the team attributed to the code-generation ceiling of a current-generation single-GPU model rather than a fundamental design flaw.
That ceiling is temporary, the researchers said.
"These reflect the code-generation ceiling of a current-generation single-GPU model, not a fundamental constraint on the approach, and are expected to narrow as language models improve at code generation and structured output," they wrote.
Despite the per-attempt failure rate, the worm's swarm architecture compensated by running multiple parallel, independent reasoning trajectories simultaneously.
In the testing, the prototype successfully exploited the recent Copy Fail and Dirty Frag flaws, as well as a Marimo remote code execution flaw, by reading publicly available security advisories at runtime and crafting working exploits from that information alone.
The worm was also able to repair itself without human intervention.
When replicas crashed on Alpine Linux and Windows Server 2008 hosts due to a VM-detection bug, the parent worm located the attestation source file on the target machine, removed the failing check, and retried successfully.
AI safety controls no protection
As the worm runs entirely on locally hosted open-weight models, commercial platform controls such as service refusal, content filtering, and rate limiting do not protect against this type of attack.
Safety guardrails on open-weight models can also be bypassed when attackers control the local execution environment, the researchers said.
"The traditional economic barrier in cyber security collapses," the paper argues.
"The worm parasitically uses the victims' own computational resources, reducing the attacker's marginal cost to zero," the researchers wrote.
Meanwhile, defences against the worm include AI-assisted penetration testing and fuzzing to find exploitable weaknesses before adversaries do, along with network micro-segmentation, zero-trust architecture and looking for detectable signatures, although the latter are an artefact of the proof of concept.
The University of Toronto is not releasing the prototype publicly, and has established a vetting process through which qualified researchers may request access for defensive purposes.
Not the only AI worm
Prior to the CleverHans Lab research, a combined team from Peking University, Sun Yat-sen University, Wuhan University, Tsinghua University, and Singapore Management University published ClawWorm in March this year.
ClawWorm demonstrated self-replicating attacks against OpenClaw, an open-source agent framework with more than 40,000 active instances.
It achieves a fully autonomous infection cycle from a single message: it hijacks the victim's core configuration to establish persistence across session restarts, executes a payload on each reboot, and propagates to every newly encountered peer without further attacker involvement.
"ClawWorm is the first fully autonomous, self-replicating worm targeting production-scale LLM agent ecosystems.
It achieves permanent persistence, executes arbitrary payloads, and autonomously spreads to new agents, highlighting severe structural vulnerabilities in current agent architectures," the researchers wrote.
In their attack evaluation on a controlled testbed across four LLM backends, the researchers said they achieved a 64.5 percent aggregate success rate.
The researchers have published a project site for ClawWorm on GitHub.




