Mallory

GhostGPT

GhostGPT is a malicious or uncensored large language model (LLM) marketed to cybercriminals as an offensive AI assistant with no ethical guardrails or content filtering. Reporting describes it as one of several underground alternatives to WormGPT and FraudGPT, distributed primarily through Telegram channels and discussed alongside other criminal LLM brands such as DarkGPT, DarkestGPT, MalwareGPT, KawaiiGPT, Xanthorox, and BlackHatGPT.

Available reporting places GhostGPT's emergence in the first half of 2024 as a tool specialized in malware development; later reporting instead describes it as introduced in late 2024 and capable of generating realistic phishing templates within seconds. In January 2025, Abnormal Security documented GhostGPT as a Telegram-distributed malicious chatbot marketed for rapid exploit development, malware creation, and exploit code generation, with pricing cited at $50 per week. Reporting also states that GhostGPT is marketed for offensive cyber operations, including malware development and the generation of DDoS-related attack code.

Its described capabilities include generating phishing content, exploit code, and malware-related output; it is positioned as a force multiplier for established cybercrime workflows rather than as a fundamentally new attack class. The available reporting provides no technical indicators of compromise (hashes, domains, or file artifacts) specific to GhostGPT itself, and no threat actor attribution beyond its sale and promotion in cybercriminal ecosystems and Telegram-based underground channels.


MITRE ATT&CK

Techniques & procedures

6 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

2 techniques
T1587 Develop Capabilities (evidence: 1)

The underground market for AI-driven tools began with WormGPT in June 2023... Other tools followed. FraudGPT promised phishing and malware capabilities... GhostGPT, introduced in late 2024, proved more functional.

T1587.001 Malware (evidence: 1)

The dark web site for FraudGPT advertises some interesting features: Write malicious code Create undetectable malware... Programming features of many criminal LLMs include the ability to assist cybercriminals in writing ransomware, remote access trojans, wipers...

Initial Access

2 techniques
T1566 Phishing (evidence: 4)

For example, asking ChatGPT to produce a phishing email will result in a denial... Another uncensored LLM popular among cybercriminals is a tool called WhiteRabbitNeo... This LLM will happily write offensive security tools, phishing emails and more.

T1566.001 Spearphishing Attachment (evidence: 1)

Testing showed it could generate realistic phishing templates within seconds... Attackers can now produce thousands of tailored messages at low cost.

Execution

1 technique
T1059 Command and Scripting Interpreter (evidence: 1)

Programming features of many criminal LLMs include the ability to assist cybercriminals in writing ransomware, remote access trojans, wipers, code obfuscation, shellcode generation and script/tool creation.

Other

1 technique
T1656 Impersonation (evidence: 1)

"generating code snippets, and coaching social engineering calls"; "rehearse social engineering scripts tailored to a target organization"
