Researchers at the University of Toronto’s CleverHans Lab have demonstrated a new kind of malware: an AI-powered computer worm that does not follow a fixed script but reasons about each target it encounters and crafts a custom attack strategy on the fly. The worm runs on a single GPU using a freely available open-weight language model, requires no cloud APIs or expensive infrastructure, and parasitically uses infected machines to fuel its own spread.
The work, published June 2 on arXiv (“AI Agents Enable Adaptive Computer Worms”) by a team led by Nicolas Papernot, combines an open-weight LLM with an agentic software framework that enables recursive reasoning, memory management, and tool use. The worm scans networks, profiles each target device, determines its vulnerabilities, and selects an exploit strategy, all without human intervention.
How it works
Traditional computer worms like WannaCry follow a fixed script: find a specific vulnerability, exploit it, replicate. Patch that single hole and the worm stops. This worm works differently because the LLM at its core enables adaptive decision-making.
The architecture is tiered. GPU-equipped compromised machines provide the heavy reasoning capacity. Lightweight agents on low-power devices, cameras, sensors, printers, query those GPU nodes for instructions. The worm exploits common corporate vulnerabilities: SSH misconfigurations, weak or reused passwords, unpatched CVEs, open RDP ports. After taking over a machine, it replicates itself onto it and continues scanning.
Because the LLM can read publicly available security bulletins in real time, it can weaponize newly disclosed CVEs faster than IT teams can roll out patches. It does not need a single vulnerability to work, it chains together whatever it finds.
The FakeCorp experiment
In a controlled lab environment, the researchers built “FakeCorp”, a simulated corporate network of 33 hosts spanning Linux servers (Ubuntu 16.04 through 24.04, Debian 9 through 12, Alpine, Rocky Linux, CentOS Stream), Windows Server 2008 R2 through 2022, and IoT devices. Five machines carried GPUs; 28 had none.
Over 5 to 7 days, the worm propagated across approximately 62 to 74 percent of the network. It did not use a single zero-day exploit, only known CVEs and common misconfigurations. Its success came not from exploiting unknown vulnerabilities but from thinking through the network systematically.
“You can’t patch your way out of it, because it doesn’t rely on a single vulnerability class,” said Tom Vazdar of the Open Institute of Technology. “It reasons. Patch one hole, and it finds another.”
Zero marginal cost
After the initial launch, each new infection provides computational resources for further scanning and exploitation. The attacker’s marginal cost drops to effectively zero.
“The main finding is that this type of system can do more than run a fixed exploit,” said Michael Agee of Trinity Washington University. “It can examine the target environment, reason about possible vulnerabilities, use tools to attempt attacks, and then replicate itself.”
Some experts urged measured interpretation. “This is at best a lab-based proof of concept in a target-rich test environment,” Agee noted. “The paper shows that the approach is possible, not necessarily that this attack would work reliably in a minimally defended enterprise network.”
What comes next
The researchers intentionally withheld key implementation details, including the reasoning graph, tool harness, and the specific AI model, to prevent misuse. The findings were shared with Canadian national security bodies before publication. The University of Toronto is establishing a vetting process for qualified defensive researchers to access the code.
The paper’s central message is straightforward: autonomous generative adversaries, malware that propagates without human operators and is defined not by fixed exploit code but by the capacity to reason in real time, are no longer theoretical.
Source: Guan, J., Blanchard, T., Foerster, H. et al. AI Agents Enable Adaptive Computer Worms. arXiv:2606.03811 (2026). Link