CleverHans Lab — AI Worm Spreads Across 27 Nodes Using Free Local LLMs

AI relevance: A University of Toronto CleverHans Lab worm uses local free LLMs — not frontier API models — to autonomously fingerprint, exploit, and self-replicate across enterprise networks, proving that the Mythos-level threat doesn't require expensive models or cloud APIs to be operationally viable.

What happened

  • Free local LLMs, not frontier models. The researchers deliberately used small, free LLMs running on local hardware — the same class of models available to anyone with a consumer GPU. This sidesteps the API-level safety guardrails and abuse detection that cloud providers apply to hosted models.
  • Agentic harness architecture. To compensate for local LLM limitations (small context windows, weaker instruction following), the team built a multi-phase agentic harness with task-specific nodes, hierarchical memory, a skill system for context-aware pentesting guidance, and multi-agent coordination — the same architecture pattern used by developer tools like RAPTOR and SecOpsAgentKit.
  • 27 of 33 systems compromised over seven days and five self-replication generations in a simulated network spanning Ubuntu, Debian, Alpine, Rocky Linux, CentOS, and Windows Server — including IoT and ICS targets.
  • 82% vulnerability identification accuracy, 44% exploitation success rate per attempt — compensated by swarm-like parallel propagation where each compromised host became a new worm instance.
  • GPU hijacking for self-hosting. Systems with GPUs allowed the worm to replicate its LLM locally, cutting dependence on the original research infrastructure — a critical autonomy milestone for persistent AI-driven threats.
  • Targets drawn from real-world taxonomies: CISA KEV catalog, OWASP Top 10: 2025, and MITRE ATT&CK — ensuring the simulated vulnerabilities reflect actual threats.

Why it matters

While industry debate focuses on what frontier models like Mythos can do, this research shows the lower bound is already operationally dangerous. An attacker doesn't need API access to Claude Opus or GPT-5.5 — they need a free local model, an agentic harness, and a network with unpatched CVEs. The 44% per-attempt exploit rate is low individually but devastating in parallel swarm propagation. The GPU hijacking capability means the worm can sustain itself indefinitely once it reaches a single GPU-equipped host.

What to do

  • Patch known CVEs aggressively — the worm specifically targets CISA KEV entries and common misconfigurations
  • Monitor for unusual outbound connections from GPU-equipped hosts (potential LLM self-replication)
  • Segment networks so lateral movement requires crossing trust boundaries, not just finding unpatched services
  • Consider that AI-driven exploitation will reduce attacker skill requirements — threat models assuming expert pentesters may underestimate risk
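One way to operationalize the second recommendation, as an added example that is not code from the CleverHans Lab research: a small detector over constructed connection-log lines that flags GPU-equipped hosts opening outbound connections to destinations outside their established baseline, escalating when the flow is large enough to carry model weights. The host inventory, the per-host baseline and the gigabyte threshold are assumptions.

```python
# Constructed inventory of hosts known to carry GPUs (assumption).
GPU_HOSTS = {"10.0.5.21", "10.0.5.22"}

# Constructed baseline: destinations each GPU host normally talks to (assumption).
BASELINE = {
    "10.0.5.21": {"10.0.1.10", "10.0.1.11"},
    "10.0.5.22": {"10.0.1.10"},
}

# Flows at or above this size are treated as large enough to carry
# model weights (assumed threshold; tune it to the environment).
LARGE_BYTES = 1 * 1024**3

# Constructed connection log, one flow per line: src dst dport bytes_out
SAMPLE_LOG = """\
10.0.5.21 10.0.1.10 443 20480
10.0.5.21 10.0.7.40 22 5368709120
10.0.5.22 10.0.1.10 443 1024
10.0.5.22 10.0.8.15 8080 4096
10.0.3.9 10.0.7.40 22 5368709120
"""


def parse(line):
    """Split one log line into a flow record."""
    src, dst, dport, nbytes = line.split()
    return {"src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)}


def detect(log_text):
    """Return alerts for GPU hosts contacting destinations outside their baseline.
    Severity is 'high' when the flow also carries a model-sized transfer."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        if rec["src"] not in GPU_HOSTS:
            continue  # only GPU-equipped hosts are in scope for this rule
        if rec["dst"] in BASELINE.get(rec["src"], set()):
            continue  # known-good destination for this host
        severity = "high" if rec["bytes"] >= LARGE_BYTES else "medium"
        alerts.append({"src": rec["src"], "dst": rec["dst"],
                       "dport": rec["dport"], "bytes": rec["bytes"],
                       "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The non-GPU host in the sample makes the same large transfer but is not flagged, which is the point: the rule keys on where the LLM could be re-hosted, not on transfer size alone.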

Sources