    AI Pentesting Tool ‘Villager’ Merges Kali Linux with DeepSeek AI for Automated Security Attacks

    By AI Logic News, September 14, 2025

    Security researchers at Straiker’s AI Research (STAR) team have uncovered Villager, an AI-native penetration testing framework developed by China-based group Cyberspike that has already accumulated over 10,000 downloads within two months of its release on the official Python Package Index (PyPI).

    The tool combines Kali Linux toolsets with DeepSeek AI models to fully automate penetration testing workflows, raising significant concerns about the potential for dual-use abuse similar to the Cobalt Strike trajectory.

    Originally positioned as a red-team offering, Villager represents a concerning evolution in offensive security tooling by leveraging artificial intelligence to orchestrate sophisticated attack chains.

    The framework’s rapid adoption and public availability create realistic risks that legitimate penetration testing tools could be repurposed by threat actors for malicious campaigns, following the well-established pattern of commercially developed security tools being weaponized by cybercriminals and advanced persistent threat groups.

    Villager orchestration overview

    Key Villager Framework Capabilities:

    • AI-driven automation layer for pentesting workflows integrating Kali Linux and DeepSeek models.
    • Over 10,000 downloads from PyPI within the first two months of release.
    • MCP-supported automation with task-based command and control architecture.
    • On-demand containerized Kali Linux environments with 24-hour self-destruct mechanisms.
    • Natural language command processing for complex attack orchestration.

    Cyberspike’s Shift from RATs to AI Frameworks

    Cyberspike first emerged in November 2023 when the domain cyberspike.top was registered under Changchun Anshanyuan Technology Co., Ltd., a Chinese company listed as an Artificial Intelligence and Application Software Development provider.

    However, archived analysis reveals the company’s questionable origins, as legitimate business traces for the organization remain absent despite official registration numbers.

    Initial investigations uncovered that Cyberspike’s earlier product offerings included a Remote Administration Tool (RAT) suite that was essentially a repackaged version of AsyncRAT, a well-known malware family first released on GitHub in 2019.

    The Cyberspike Studio Installer v1.1.7, analyzed through VirusTotal submissions, contained comprehensive victim surveillance capabilities including remote desktop access, keystroke logging, webcam hijacking, and Discord account compromise functions.

    Cyberspike Company Background:

    • Domain registered November 27, 2023 under Changchun Anshanyuan Technology Co., Ltd.
    • No legitimate business website or traces despite official Chinese company registration.
    • Previously distributed AsyncRAT-based malware suite with surveillance capabilities.
    • Author @stupidfish001 is a former CTF player for the Chinese HSCSEC Team.
    • Maintains packages using hscsec.cn and cyberspike.top email addresses.
    Registration number JICP

    The evolution from distributing traditional RAT tools to developing AI-powered frameworks demonstrates Cyberspike’s adaptation to emerging technologies.

    The current Villager project is authored by @stupidfish001, a former CTF player for the Chinese HSCSEC Team, who maintains the package using email addresses tied to both hscsec.cn and cyberspike.top domains, establishing clear organizational continuity.

    Villager Automates Attack Chains with AI

    Villager operates as a Model Context Protocol (MCP) client that integrates multiple security tools through a distributed architecture consisting of several key components.

    The framework runs an MCP client service on port 25989 for central coordination, while leveraging a database of 4,201 AI system prompts to generate exploits and make real-time penetration testing decisions.

    The tool’s most sophisticated capability lies in its on-demand container creation system, which automatically spawns isolated Kali Linux environments when cybersecurity tools are needed for network scanning, vulnerability assessment, and exploitation.

    These containers are configured with 24-hour self-destruct mechanisms that wipe activity logs and evidence, making AI-powered attack containers difficult to detect and complicating forensic analysis.

    Technical Architecture Components:

    • MCP Client Service on port 25989 for central message passing and coordination.
    • RAG-enhanced decision making using 4,201 AI system prompts database.
    • Pydantic AI integration for strict formatting rules on AI outputs.
    • Browser automation service on port 8080 for web-based interactions.
    • Direct code execution capabilities through pyeval() and os_execute_cmd().
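
The components listed above give defenders a few concrete things to look for on a host. The following triage sketch is an added example, not code from Villager or from the Straiker report: the `ss -ltnp`-style listener format, the container inventory fields, and matching Kali containers by the substring "kali" in the image name are assumptions, and all sample data is constructed.

```python
import re
from datetime import datetime, timedelta, timezone

MCP_PORT = 25989                     # MCP client service port, per the article
BROWSER_PORT = 8080                  # browser automation port; too common to flag alone
SELF_DESTRUCT = timedelta(hours=24)  # container lifetime, per the article

# Constructed sample: `ss -ltnp`-style listener lines for one host.
SAMPLE_LISTENERS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=801,fd=3))
LISTEN 0 128 127.0.0.1:25989 0.0.0.0:* users:(("python3",pid=4412,fd=7))
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:* users:(("python3",pid=4420,fd=9))
"""

# Constructed sample: container inventory (hypothetical field names, UTC times).
SAMPLE_CONTAINERS = [
    {"id": "c1", "image": "nginx:1.27", "created": "2025-09-14T01:00:00+00:00"},
    {"id": "c2", "image": "example/kali-image:latest", "created": "2025-09-14T06:00:00+00:00"},
]

LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')

def parse_listeners(text):
    """Return (port, process, pid) for each listening-socket line."""
    return [(int(m[1]), m[2], int(m[3]))
            for m in map(LISTEN_RE.match, text.splitlines()) if m]

def triage(listeners_text, containers, now):
    """Score a host against the article's architecture; return (score, findings)."""
    findings, score = [], 0
    ports = {p: (proc, pid) for p, proc, pid in parse_listeners(listeners_text)}
    if MCP_PORT in ports:
        proc, pid = ports[MCP_PORT]
        score += 2
        findings.append(f"listener on {MCP_PORT} by {proc} pid {pid}")
        if BROWSER_PORT in ports:    # only meaningful alongside the MCP port
            score += 1
            findings.append(f"listener on {BROWSER_PORT} alongside {MCP_PORT}")
    for c in containers:
        if "kali" in c["image"].lower():
            # Time left before the 24-hour self-destruct wipes the container's logs.
            left = datetime.fromisoformat(c["created"]) + SELF_DESTRUCT - now
            hours = max(left.total_seconds() / 3600, 0.0)
            score += 1
            findings.append(f"Kali container {c['id']}: {hours:.1f}h left to capture logs")
    return score, findings
```

The hours-remaining figure is there so responders can prioritise imaging a flagged container before its 24-hour wipe removes the evidence.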

    Unlike traditional pentesting frameworks that rely on scripted playbooks, Villager implements a task-based command and control architecture through its FastAPI interface.

    Operators can submit high-level objectives in natural language, such as “Test example.com for vulnerabilities,” which the framework automatically decomposes into subtasks, tracks dependencies, and executes in proper sequence with failure recovery capabilities.

    AI-Native Pentesting Security Risks

    The emergence of Villager represents a fundamental shift in cyber attack methodologies, where artificial intelligence dynamically orchestrates tools based on objectives rather than following rigid attack patterns.

    This approach dramatically lowers the technical barrier for conducting complex attacks by enabling less-skilled actors to perform sophisticated intrusions that previously required extensive expertise.

    The framework’s integration of containerized Kali environments, browser automation, direct code execution, and vulnerability databases, all coordinated through AI decision-making, creates what researchers term AI-powered Persistent Threats (AiPT).

    These represent a new class of autonomous cyber attacks where AI engines plan, adapt, and execute campaigns at scale without human intervention.

    Enterprise Impact Considerations:

    • More frequent and automated external scanning and exploitation attempts.
    • Faster attack lifecycles that compress detection and response windows.
    • Greater use of off-the-shelf tools complicating attribution and response efforts.
    • Increased supply-chain exposure through legitimate package repositories.
    • Need for AI-specific incident response playbooks and detection capabilities.

    Most concerning is the framework’s distribution through legitimate channels like PyPI, providing attackers with a convenient and trusted supply chain vector to obtain advanced offensive capabilities.

    The tool’s 200+ downloads every three days during the investigation period indicate growing adoption that could accelerate the proliferation of AI-enhanced cyber attacks across the threat landscape.

    The discovery confirms that AI-orchestrated attack tools are already deployed in the wild, requiring organizations to develop new approaches to threat detection and response as the line between legitimate AI development and weaponized frameworks continues to blur.

    © 2026 Lee Enterprises
