A New Tool Linked to a Suspected Chinese Company Has Been Downloaded Thousands of Times, Raising Red Flags Among Security Experts


A new AI-powered penetration-testing tool, dubbed Villager, has raised alarm among cybersecurity professionals because of its potential for misuse. Developed by a suspicious China-based company known as Cyberspike, the tool has been downloaded roughly 10,000 times since its release in July, according to a report by Straiker, an AI security firm. Villager operates as a Model Context Protocol (MCP) client and integrates multiple security toolsets, including those of Kali Linux, the distribution legitimate penetration testers commonly use. It also bundles hundreds of tools that can just as readily be turned to launching large-scale cyber attacks.

The tool incorporates DeepSeek AI models to automate testing workflows and ships with a database of 4,201 AI system prompts used to generate exploits. Because each run is composed by the model as it goes rather than following a fixed playbook, its activity is hard to signature, and the automation sharply lowers the barrier to entry for would-be attackers. Dan Regalado, a principal AI security researcher at Straiker, noted that Villager can serve both legitimate and malicious ends, and that its fully automated nature means it can be deployed without specialized expertise.

Cyberspike, the company behind Villager, has been linked to a Chinese organization, Changchun Anshanyuan Technology Co., registered as an AI and application software development provider. The company, however, has no website or other indicators of legitimacy. In addition, Cyberspike's earlier product line was uploaded to VirusTotal in December 2023, and analysis showed that it incorporated AsyncRAT, a remote-access trojan with capabilities such as remote desktop access, keystroke logging, webcam hijacking, and other surveillance functions.

Regalado emphasized that Cyberspike integrated AsyncRAT into its red-teaming product, along with plugins for well-known hacking tools such as Mimikatz. That integration suggests Cyberspike repackaged established offensive tooling into a turnkey framework suited to both penetration testing and malicious operations.

Villager was released on the Python Package Index (PyPI) on July 23 and includes components for both penetration testing and attacking systems. An MCP client service on port 25989 coordinates its components, and its features include automatically creating isolated Kali Linux containers for network scanning and vulnerability assessment. Villager also uses Pydantic AI to enforce structured output formats on the model's responses, and includes a 24-hour self-destruct feature that erases activity logs and other forensic evidence.

According to the report, if Villager detects WordPress it can automatically launch WPScan inside a Kali container, and if it identifies an API endpoint it can switch to browser automation to probe authentication flows. This ability to adjust its attack path in real time, based on what it finds, is what makes the tool particularly dangerous.
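The concrete indicators the article attributes to Villager (the PyPI package name, the MCP client service on port 25989, and throwaway Kali Linux containers) are the kind of thing a defender can sweep host telemetry for. The following is an added example, not code from the article, from Straiker, or from the tool itself. It assumes the MCP service is a TCP listener (the article gives only the port), assumes simple tuple layouts for package, socket and container-event records, and uses a 24-hour container-lifetime heuristic of our own, modelled on the self-destruct window the article describes. All sample records are constructed.

```python
"""Indicator sweep for the Villager tool described above.

Added example, not code from the article, from Straiker or from the tool
itself. It checks host telemetry for three indicators the article gives:
the PyPI package name `villager`, a TCP service on port 25989 (the tool's
MCP client service), and Kali Linux containers created on the host. The
record layouts and the 24-hour-lifetime heuristic are assumptions made
for this example; all sample records below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

PACKAGE_NAME = "villager"                   # PyPI package name from the article
MCP_PORT = 25989                            # MCP client service port from the article
KALI_IMAGE_HINT = "kali"                    # assumption: image name contains "kali"
SELF_DESTRUCT_WINDOW = timedelta(hours=24)  # the tool wipes its logs after 24h


@dataclass(frozen=True)
class Finding:
    host: str
    indicator: str
    detail: str


def sweep_packages(host, packages):
    """packages: (name, version) pairs, e.g. parsed from `pip list --format=json`."""
    return [
        Finding(host, "pypi-package", f"{name}=={version}")
        for name, version in packages
        if name.lower() == PACKAGE_NAME
    ]


def sweep_listeners(host, listeners):
    """listeners: (pid, process_name, local_port) triples, e.g. parsed from `ss -ltnp`."""
    return [
        Finding(host, "mcp-port", f"{proc} (pid {pid}) on tcp/{port}")
        for pid, proc, port in listeners
        if port == MCP_PORT
    ]


def sweep_containers(host, events):
    """events: (container_id, image, action, timestamp) in docker-events style.

    Every Kali-based container is reported. If it was also destroyed inside
    the 24-hour window, the detail records its lifetime: a Kali box that
    appears and vanishes within a day on a host that is not a pentest
    workstation matches the pattern the article describes (assumption:
    the lifetime heuristic is ours, not the report's).
    """
    created, images, destroyed = {}, {}, {}
    for cid, image, action, ts in sorted(events, key=lambda e: e[3]):
        if KALI_IMAGE_HINT not in image.lower():
            continue
        images[cid] = image
        if action == "create":
            created[cid] = ts
        elif action == "destroy" and cid in created:
            destroyed[cid] = ts - created[cid]
    findings = []
    for cid, ts in created.items():
        if cid in destroyed and destroyed[cid] <= SELF_DESTRUCT_WINDOW:
            detail = f"{cid} ({images[cid]}) created {ts:%Y-%m-%d %H:%M}, destroyed after {destroyed[cid]}"
        else:
            detail = f"{cid} ({images[cid]}) created {ts:%Y-%m-%d %H:%M}, still present or long-lived"
        findings.append(Finding(host, "kali-container", detail))
    return findings


def sweep_host(host, packages, listeners, events):
    """Run all three checks and return the combined list of findings."""
    return (sweep_packages(host, packages)
            + sweep_listeners(host, listeners)
            + sweep_containers(host, events))


# Constructed sample telemetry for one host (not real data).
T0 = datetime(2025, 8, 1, 9, 0)
SAMPLE_PACKAGES = [("requests", "2.32.3"), ("villager", "0.1.0")]
SAMPLE_LISTENERS = [(1012, "sshd", 22), (4433, "python3", 25989)]
SAMPLE_EVENTS = [
    ("c1", "kalilinux/kali-rolling", "create", T0),
    ("c1", "kalilinux/kali-rolling", "destroy", T0 + timedelta(hours=3)),
    ("c2", "nginx:1.27", "create", T0),
]

if __name__ == "__main__":
    for f in sweep_host("host-a", SAMPLE_PACKAGES, SAMPLE_LISTENERS, SAMPLE_EVENTS):
        print(f"{f.host}\t{f.indicator}\t{f.detail}")
```

None of these indicators is conclusive on its own: a port number can be changed, a package can be renamed, and a Kali container on a red-team workstation is expected. Their value is in correlation, and in the fact that the 24-hour self-destruct means the evidence on the host itself may be gone by the time anyone looks, so the sweep should run against centrally collected telemetry rather than the endpoint's own logs.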

The tool’s creator, @stupidfish001, is a former capture-the-flag (CTF) player for the Chinese HSCSEC team. That matters because CTF competitions in China serve as a recruiting and training pipeline for skilled hackers, and for Beijing’s cybersecurity and intelligence agencies looking to hire them, which further raises concerns about the tool’s origins and potential use.

Regalado urged companies to be aware of this previously undocumented threat and to adopt AI-based defensive products as quickly as attackers are adopting AI for nefarious purposes. Attackers, he stressed, are moving at a rapid pace and automating attacks with AI, and defenders must match that speed to stay ahead of emerging threats.

The report also noted that although Cyberspike’s website was shut down early in 2024, the company’s domain is still in use, suggesting the team continues to rely on that infrastructure; Villager’s code also contains Chinese-language elements. The lack of employee information, a legitimate website, or any public presence adds to the suspicion surrounding the company.

As the cybersecurity landscape continues to evolve, the emergence of tools like Villager highlights the growing need for proactive defense strategies and increased awareness of AI-driven threats.
