A new player has entered the cybercrime AI landscape — Xanthorox AI, a malicious tool that brands itself as the “Killer of WormGPT and all EvilGPT variants.”
The next evolution in Black-Hat AI
First spotted in late Q1 2025, Xanthorox began circulating in cybercrime communities across darknet forums and encrypted channels. The system is promoted as a highly modular AI platform tailored to offensive cyber operations and privacy-conscious exploitation.
Unlike its predecessors, Xanthorox AI doesn't rely on jailbreaks or tweaks to existing foundation models.
Instead, the developers claim to have built a self-contained, multi-model architecture hosted entirely on their servers, enabling a local, unmonitored, and highly customizable AI experience.
Infrastructure and architecture
According to the seller, Xanthorox AI is powered by five distinct models, each optimized for different operational tasks. These models run entirely on local servers controlled by the seller, rather than being deployed over public cloud infrastructure or through exposed APIs. This local-first approach drastically reduces the chances of detection, shutdown, or traceability.
Some of the standout claims include:
- Fully custom-built language models (no GPT, LLaMA, Claude, etc.)
- Modular design allowing updates or replacement of capabilities
- Built-in voice and image handling modules
- Live internet search scraping using over 50 engines
- Offline functionality, enabling use without network dependencies
- Data containment, removing the risks of third-party AI telemetry
Considering the current state of AI technology, creating modular, self-contained systems that work offline and combine various models is entirely possible. We have tools like customizable language models and methods to integrate voice and image processing. Even if Xanthorox doesn’t meet every expectation, the technology to build something similar is available, and we’ll likely see systems like it emerge soon.
What Xanthorox AI can currently do
Xanthorox AI is a comprehensive, all-in-one hacking tool powered by a modular architecture that is designed to support a wide range of cybercrime operations.
From an attacker's perspective, Xanthorox AI hits most of the marks needed for a versatile hacking assistant. It handles code generation, vulnerability exploitation, and data analysis, and integrates voice and image processing, making it capable of automated and interactive attacks.
At the core of its toolkit is Xanthorox Coder, which automates everything from code generation and script writing to malware development and vulnerability exploitation.
Xanthorox Coder
Xanthorox Coder
Xanthorox Vision adds a visual intelligence layer by allowing users to upload images or screenshots for analysis. The model can describe, interpret, or extract relevant data from visual content.
Xanthorox Vision
Xanthorox Vision
Xanthorox Reasoner Advanced aims to copy how humans make decisions with accurate reasoning. While reaching "100% accuracy" might be unrealistic, creating a model consistently producing well-organized and convincing results is possible.
Reasoner Advanced could support tasks where logical consistency and persuasive communication are essential, even if they don’t consistently achieve perfection.
Xanthorox Reasoner
Xanthorox Reasoner
The platform also supports voice-based interaction via real-time voice calls and asynchronous voice messaging, enabling hands-free command and control. This feature allows for fluid, natural engagement with the AI, especially in environments where typing may not be optimal.
Voice-based interaction interface
Voice-based interaction interface
Using its internet search abilities, Xanthorox can gather information from over 50 search engines. This allows it to provide up-to-date and highly relevant details.
This claim seems believable because data scraping is a standard and practical method. It avoids the usual limitations of APIs and ensures the system can access helpful information for specific targeting or research purposes.
Xanthorox’s web search capabilities
Xanthorox’s web search capabilities
For static file input, file analysis enables the model to process various file formats, including .c, .txt, .pdf, and others. It can extract, summarize, and rewrite or edit content, supporting threat actors handling leaked data or technical documentation.
How Varonis can help
Xanthorox AI is a powerful tool that takes cyberattacks to a new level. It’s a self-hosted, customizable AI system built to handle large-scale, automated cyber operations.
It can focus on tasks like phishing, social engineering, creating malware, and analyzing files without depending on public platforms or commercial AI models. Unfortunately, with tools like Xanthorox, attackers can create precise and convincing phishing campaigns at scale.
Varonis is here to stop this type of threat.
Our platform uses advanced technology to analyze behavior and understand language, helping us detect AI-generated email threats. This works whether the threats are in text, images, or part of multi-channel phishing attacks. We block harmful messages before they can reach users, even with no apparent warning signs.
As AI threats become more advanced, our defenses keep up. Varonis offers real-time protection against these new types of email attacks, including those powered by systems like Xanthorox.
-1.png)