
KawaiiGPT: How This AI Helps Hackers Launch Cyberattacks

Written by Adan Cuevas | Nov 27, 2025 3:30:00 PM

At TecnetOne, we closely monitor the evolution of AI-based threats, and KawaiiGPT is one of the most alarming cases. This black-hat AI model, first detected in July 2025 and now in version 2.5, is free to use and enables even inexperienced cybercriminals to generate phishing emails, ransomware notes, and attack scripts in a matter of seconds. In short: it’s lowering the barrier to entry into cybercrime like never before.

Unlike paid options like WormGPT 4, which charges around $50 per month for similar capabilities, KawaiiGPT is openly distributed on GitHub. It can be installed on Linux in under five minutes and has attracted hundreds of users through Telegram channels.

 

What Is KawaiiGPT?

 

KawaiiGPT stands out for two key reasons: it’s incredibly easy to use and completely free. Because it is hosted on public repositories, anyone can access it without needing to turn to the dark web. According to security researchers, its lightweight command-line interface installs within minutes and without hassle, allowing even so-called script kiddies to launch advanced attacks without actually knowing how to code.

 

 

KawaiiGPT tries to disguise its intentions with “cute” responses like “Oh! Okay! Here you go… 😀!”, but behind that innocent tone it delivers fully functional Python code. It can generate scripts for lateral movement using SSH modules like paramiko, or create data‑exfiltration routines with os.walk and smtplib without the user having to write a single line themselves.

This ease of use accelerates security breaches: an attacker can authenticate remotely, escalate privileges, install backdoors, and steal files in a matter of minutes. It’s no coincidence that the community around KawaiiGPT is growing fast: more than 500 registered users (and about 180 active in a Telegram group as of early November 2025) share tips and improvements to refine their attacks.

 

Phishing Attack and Social Engineering

 

KawaiiGPT can launch a phishing attack in seconds. For example, it generates emails posing as a bank, with highly credible subject lines like “Urgent: Verify Your Account Information.”

The message directs the victim to a fake site, such as hxxps[:]//fakebankverify[.]com/updateinfo, designed to steal credentials without raising suspicion.

What’s most concerning is that these emails are practically perfect: good grammar, professional tone, and realistic context. This allows them to evade security filters much more easily than the poorly written scams we all recognize.

KawaiiGPT can generate code for virtually every phase of an attack, automating network tasks that previously only highly experienced profiles could perform. By relying on legitimate libraries, the resulting traffic blends easily with normal network traffic, making detection by data loss prevention solutions far more difficult.

 


 

How KawaiiGPT Enables Ransomware and Advanced Data Theft

 

In the case of ransomware, the tool goes a step further. KawaiiGPT can create complete workflows: from the extortion note (with intimidating messages claiming “military‑grade encryption” and 72‑hour deadlines) to instructions on how to pay in Bitcoin. The scripts it generates can encrypt PDF files with AES‑256, use Tor for exfiltration, and guide novice attackers through the entire chain—from the initial intrusion to extortion.

There have also been demonstrations of data theft focused on Windows EML files. KawaiiGPT scans drives recursively, identifies email attachments, and sends them silently. It does this using standard Python modules, which can also be customized to compress files or improve evasion. The result: fast, hard‑to‑trace campaigns.

 

 

Conclusion

 

In essence, KawaiiGPT is a clear example of the dual‑use risks of artificial intelligence. What once was the exclusive territory of highly skilled actors is now within anyone’s reach. While WormGPT commercializes advanced ransomware kits in PowerShell, KawaiiGPT broadens the landscape even further and fuels illicit communities that share improvements and techniques.

For defenders, this poses a tremendous challenge. Traditional signals (such as poorly written code or obvious malware patterns) no longer work. Today, we need filters capable of resisting AI‑driven evasion, anomaly‑based detection, and continuous real‑time monitoring. At TecnetOne, our SOC is already adapting these approaches, integrating advanced analytics and 24/7 monitoring to identify anomalous behaviors that models like KawaiiGPT attempt to conceal.
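As an added illustration of the behavior-based detection described above (this is example code written for this page, not TecnetOne's tooling and not part of the original article), the sketch below correlates endpoint telemetry: a script interpreter that reads many `.eml` or `.pdf` files and then opens an outbound SMTP connection from a host that is not a mail relay. The event schema, field names, thresholds, host names and addresses are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed event schema and thresholds; map them to your own EDR or Sysmon fields.
SMTP_PORTS = {25, 465, 587}
INTERPRETERS = {"python", "python3", "python.exe"}
WATCHED_EXT = (".eml", ".pdf")
MIN_FILES = 20                     # distinct watched files read by one process
WINDOW = timedelta(minutes=5)      # how far back reads count before the connection
MAIL_HOSTS = {"mail-relay-01"}     # hosts expected to speak SMTP (constructed name)

def detect_bulk_read_then_smtp(events):
    """Alert when an interpreter process reads many watched files, then opens SMTP."""
    reads = defaultdict(list)      # (host, pid) -> [(timestamp, path)]
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["image"].lower() not in INTERPRETERS or ev["host"] in MAIL_HOSTS:
            continue
        key = (ev["host"], ev["pid"])
        if ev["type"] == "file_read" and ev["path"].lower().endswith(WATCHED_EXT):
            reads[key].append((ev["ts"], ev["path"]))
        elif ev["type"] == "net_connect" and ev["dport"] in SMTP_PORTS:
            recent = {p for t, p in reads[key] if ev["ts"] - t <= WINDOW}
            if len(recent) >= MIN_FILES:
                alerts.append({"host": ev["host"], "pid": ev["pid"], "ts": ev["ts"],
                               "files": len(recent), "dest": ev["dest"]})
    return alerts

def sample_events():
    """Constructed telemetry: one suspicious process, one benign script, one relay."""
    t0 = datetime(2025, 11, 27, 9, 0, 0)
    def read(host, pid, n, ext, image="python.exe"):
        return [{"ts": t0 + timedelta(seconds=i), "host": host, "pid": pid,
                 "image": image, "type": "file_read", "path": f"/data/item{i}{ext}"}
                for i in range(n)]
    def smtp(host, pid, dest, image="python.exe"):
        return [{"ts": t0 + timedelta(seconds=60), "host": host, "pid": pid,
                 "image": image, "type": "net_connect", "dest": dest, "dport": 587}]
    return (read("ws-17", 4120, 25, ".eml") + smtp("ws-17", 4120, "203.0.113.10")
            + read("ws-22", 5000, 2, ".pdf") + smtp("ws-22", 5000, "198.51.100.7")
            + read("mail-relay-01", 900, 30, ".eml", "python3")
            + smtp("mail-relay-01", 900, "198.51.100.7", "python3"))

if __name__ == "__main__":
    for alert in detect_bulk_read_then_smtp(sample_events()):
        print(alert)
```

The rule keys on what the process does rather than on how the script is written, so it does not depend on code quality or known malware patterns; tune `MIN_FILES` and `WINDOW` against your own baseline before alerting on it.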