• 3 min read
AI Worms Can Now Adapt Mid-Attack
University of Toronto researchers built an autonomous worm that changes tactics per host, raising new concerns over cost, patching, and spread.

Image: TechRadar
Researchers at the University of Toronto have demonstrated an autonomous computer worm that can reason its way across a network, choosing a different attack path for each machine it reaches without human input. The result is less a surprise than a proof point: as the source argues, it settles the question of whether this kind of attack is actually buildable.
The biggest shift is economic. Tailored attacks used to require time, skilled operators, and enough payoff to justify the effort. In this design, the worm runs an open-weight model on the GPUs of already compromised machines, and weaker devices can offload their reasoning to another infected node elsewhere on the network. That means the attacker’s compute costs are effectively paid by victims, while every newly captured system expands the worm’s own infrastructure.
Once custom attacks become cheap, smaller organizations lose one of the protections they informally relied on: being too uninteresting to target. Reachability starts to matter more than profile.
Patch management gets harder
This is also a challenge to the standard patch-and-contain playbook. Traditional worms often depend on one specific vulnerability, which gives defenders a clear fix. WannaCry spread across more than 150 countries in 2017 through a single flaw, reinforcing how much rapid patching can limit damage.

Recommended reading
Claude Chrome flaw still unfixed after eight updates
This worm behaves differently. It can work out a separate route for each host, and in one experiment, when repeated attempts failed on older systems because of a detection bug, the parent process identified the failing check, removed it, and tried again. That leaves defenders without a single door to shut.
The researchers also found the worm could ingest newly published security advisories while running and generate attacks for vulnerabilities that were not known when the model was originally trained. That weakens the common assumption that model knowledge cutoffs significantly limit offensive use.
Success rate, spread, and limits
The system is not flawless. Exploitation attempts succeeded 44 percent of the time, and the researchers said most failures came from malformed payloads rather than bad reasoning. It was also slow.
Even so, across fifteen experiments, the worm gained elevated access on about 74 percent of hosts, replicated onto roughly 62 percent, and reached seven generations of self-replication within a week. As the source notes, a 44 percent success rate that keeps retrying is less a hard limit than a starting point.
The article also points out that many safeguards promoted by AI vendors do not apply here. Because the model runs inside attacker-controlled infrastructure, refusals, filters, and rate limits offer little protection.
The defensive advice is familiar, but the emphasis changes: keep patching, reduce external exposure, and prioritize segmentation and containment so an intruder cannot spread far after getting in. The worm stayed in the lab, and the code is gated for defensive researchers, but some researchers and practitioners are already placing operationally relevant autonomous attacks within roughly twelve to eighteen months.
Security Editor
Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.
via TechRadar


