Researchers from the University of Toronto, Vector Institute, University of Cambridge, and ServiceNow have developed a prototype of an adaptive AI worm. This malware generates a unique attack strategy for each target.
The study titled AI Agents Enable Adaptive Computer Worms indicates that the experiment was conducted in an isolated virtual network. The software prototype spread across a heterogeneous network of Linux, Windows, and IoT devices by exploiting classic vulnerabilities in corporate networks.
Compromised machines were used by the worm as a computational base for further "reasoning" and propagation. The authors claim that this makes the hypothetical cost of infecting a new machine effectively zero for the attacker.
According to the developers at CleverHans Lab, the malware operated on an open language model locally, rather than through a commercial AI platform. The authors emphasize that they did not implement standard virus features that complicate detection or removal.
Attack diagram of the AI worm. Source: CleverHans Lab.The worm utilized a recursive "reasoning" cycle, memory, and tools to tailor its tactics to specific devices. Infected nodes with GPUs could provide computational power for further attacks on less powerful devices within the network.
The AI exploited publicly disclosed but still accessible vulnerabilities, configuration errors, and recurring classes of weaknesses.
The University of Toronto described the work as the first demonstration of how publicly available AI models can fuel a virus that adapts its strategy as it spreads between devices. The report also states that the research aims to help the cybersecurity community prepare for such threats.
Professor David Layai from the university called the publication a "wake-up call" for developers of defensive mechanisms.
It is worth noting that in September 2025, a threat analysis team from the startup Anthropic discovered and thwarted the first of its kind AI-driven cyber espionage campaign.