Latest WormGPT News: WormGPT 4, AI-Enabled Cybercrime, and the 2026 Ransomware Surge

Image source: Elise Racine & The Bigger Picture / Better Images of AI, used in the UK National Cyber Security Centre report “Impact of AI on cyber threat from now to 2027.” JPG image, not SVG. Source: NCSC.

News Summary

WormGPT continues to appear in cybersecurity reporting as a symbol of the broader “malicious LLM” trend: large language models or chatbot-like tools marketed for cybercrime, fraud, social engineering, and attack automation. As of June 5, 2026, the most important development is not a single tool, but the growth of a wider AI-enabled crimeware ecosystem that includes WormGPT, FraudGPT, BruteForceAI, HexStrike AI, and successor or copycat variants.

The most recent high-impact source is Fortinet’s 2026 Global Threat Landscape Report. FortiGuard Labs said it identified 7,831 confirmed ransomware victims globally in 2025, up sharply from roughly 1,600 in the prior report. Fortinet linked this 389% year-over-year rise to the availability of crime service kits such as WormGPT, FraudGPT, and BruteForceAI. Source: Fortinet Press Release, April 30, 2026.

1. Fortinet: WormGPT Is Part of the Crimeware Toolkit Behind Faster Ransomware Operations

Fortinet’s 2026 report frames modern cyber risk around velocity. The report says time-to-exploit for critical outbreaks has dropped to about 24–48 hours, as AI accelerates reconnaissance, weaponization, and execution. That shift compresses the defensive window for organizations that still depend on slow patch cycles or manual response.

In the same report, Fortinet names WormGPT, FraudGPT, and BruteForceAI as crime service kits that contributed to a 389% increase in confirmed ransomware victims. The three most targeted sectors were manufacturing with 1,284 victims, business services with 824 victims, and retail with 682 victims. Geographically, the United States led with 3,381 victims, followed by Canada and Germany. Source: Fortinet.

The key news point is that WormGPT is no longer treated merely as one rogue chatbot. It is now discussed as part of a wider cybercrime supply chain that includes access brokers, botnet operators, stolen-data markets, and AI-assisted tooling. This reduces the technical skill required for entry-level attackers and helps experienced groups accelerate campaign execution.

2. Unit 42: WormGPT 4 Shows the Commercialization of Malicious LLMs

Image source: Unit 42, Palo Alto Networks — screenshot of a WormGPT forum advertisement included in its malicious LLM analysis. PNG image, not SVG. Source: Unit 42.

In a November 25, 2025 analysis, Palo Alto Networks’ Unit 42 described WormGPT 4 as an example of a malicious LLM: a model built or adapted for offensive purposes, marketed without the ethical constraints normally built into mainstream AI systems. Unit 42 said such tools are advertised on underground forums and Telegram channels, with claimed capabilities including phishing email generation, malware-related assistance, and reconnaissance automation.

Unit 42 also described the original WormGPT as one of the first widely recognized commercial malicious LLMs, emerging in July 2023. Although the original project reportedly shut down after negative publicity, the WormGPT name remained valuable as a brand, creating demand for successor versions and copycats. Source: Unit 42.

Image source: Unit 42, Palo Alto Networks — screenshot of WormGPT 4 pricing in the malicious LLM report. PNG image, not SVG. Source: Unit 42.

The commercialization angle matters. Unit 42 observed WormGPT 4 being marketed with monthly, annual, and lifetime pricing, plus a Telegram presence used as a sales and community channel. That places malicious LLMs inside the cybercrime-as-a-service model: branding, pricing, user channels, and feature marketing similar to normal software products.

3. The 2023 Background: WormGPT Emerged Alongside AI-Driven Phishing and BEC

Reports from 2023 show why WormGPT became prominent in the first place. In July 2023, The Hacker News reported that, according to SlashNext findings, WormGPT was being advertised on underground forums as a tool for phishing and business email compromise attacks. Source: The Hacker News.

BleepingComputer later reported the appearance of FraudGPT “in the wake of WormGPT,” showing that cybercriminals were not experimenting with only one tool. Instead, they were multiplying the idea of chatbot-like services designed for phishing, social engineering, vulnerability exploitation, and malware-related activity. Source: BleepingComputer.

The significance of the 2023 phase is that WormGPT created a recognizable template for AI-assisted cybercrime: a familiar chatbot interface, removed safety guardrails, underground forum promotion, and the conversion of fluent text generation into a tool for phishing and BEC.

4. NCSC: AI Will Keep Making Cyber Intrusion More Efficient Through 2027

The UK National Cyber Security Centre’s 2025 assessment does not focus only on WormGPT, but it provides the broader threat context. NCSC assessed that AI will almost certainly continue making parts of cyber intrusion operations more effective and efficient, increasing the frequency and intensity of cyber threats. Source: NCSC.

NCSC also assessed that the proliferation of AI-enabled cyber tools is highly likely to expand access to cyber intrusion capability for a wider range of state and non-state actors. This aligns with the WormGPT trend: AI may not create wholly new attack categories, but it can accelerate and scale existing techniques such as phishing, reconnaissance, vulnerability research, and deception.

5. What This Means for Organizations and Users

WormGPT and similar tools reduce the usefulness of older phishing warning signs. Historically, scam emails were often flagged by poor grammar, awkward phrasing, or obvious formatting mistakes. LLM-generated text can be more fluent, more personalized, and more context-aware, making it harder for recipients to rely on language errors alone.

The impact is concentrated in three areas. First, phishing and BEC can be personalized at scale. Second, attack workflows can be shortened because AI can assist with writing, reconnaissance, and technical scaffolding. Third, service-style malicious tools expand the pool of people who can participate in cybercrime, including less-skilled actors.

6. WormGPT Timeline

7. Frequently Asked Questions

What is WormGPT?

WormGPT is a name used for a line of AI tools advertised in cybercrime communities as chatbot-like systems without normal safety guardrails, allegedly useful for phishing, business email compromise, and other attack-supporting tasks. Sources: Unit 42, The Hacker News.

What is new about WormGPT 4?

According to Unit 42, WormGPT 4 shows a move from early hype to a more commercialized model, including package-style pricing, promotion, and community channels. Source: Unit 42.

Why is WormGPT mentioned in 2026 ransomware reporting?

Fortinet listed WormGPT alongside FraudGPT and BruteForceAI as crime service kits that contributed to the 389% increase in confirmed ransomware victims in 2025. Source: Fortinet.

What is the main risk of WormGPT?

The main risk is scaled social engineering: malicious messages can become more fluent, more personalized, and harder to detect by traditional grammar-based cues. Malicious LLMs also lower the technical barrier for less-skilled actors. Sources: NCSC, Unit 42.

Main Sources

1. Fortinet — 2026 Global Threat Landscape Report press release
2. Fortinet — 2026 Global Threat Landscape Report page
3. Unit 42, Palo Alto Networks — The Dual-Use Dilemma of AI: Malicious LLMs
4. UK National Cyber Security Centre — Impact of AI on cyber threat from now to 2027
5. The Hacker News — WormGPT: New AI Tool Allows Cybercriminals to Launch Sophisticated Cyber Attacks
6. BleepingComputer — Cybercriminals train AI chatbots for phishing, malware attacks