Cybercriminals face many challenges when attempting to exploit conventional AI models for malicious purposes. Solutions from companies such as OpenAI and Google are specifically designed to prevent these kinds of uses. They incorporate filters, security limits, and systems that can detect suspicious requests. Although some individuals attempt to bypass these restrictions using techniques known as jailbreaks, the creators of these models work quickly to close any loopholes that arise.

As a result, alternative models have begun to emerge. They’re created outside the major platforms and lack mechanisms to block potentially harmful content. One of the first and best-known of these models was WormGPT. The model focused on tasks such as writing phishing emails, creating malware, and other text-based attack techniques.

The Rise, Fall, and Return of WormGPT

The first warning about WormGPT surfaced in March 2023. According to Cato Networks, it officially launched in June 2023 with a clear intention: providing a filter-free tool designed for automating illicit activities. Unlike commercial solutions, WormGPT imposed no restrictions on blocking suspicious requests, which was a significant part of its appeal.

Its creator, using the alias “Last,” began developing WormGPT in February 2023. They chose to distribute it through a community that specializes in selling tools and techniques for malicious actors. In this community, they explained that their model was based on GPT-J, an open-source architecture with 6 billion parameters developed by EleutherAI.

Access to WormGPT wasn’t free. It operated on a subscription basis, costing between $70 and $115 per month, or approximately $640 per year. Additionally, it offered a private installation for around $5,800. This indicated that the project was more than just an amateur experiment. It was a commercial tool designed to generate profit within the black hat ecosystem.

The project came to an abrupt halt following a journalistic investigation. On Aug. 8, 2023, reporter Brian Krebs identified the person behind WormGPT as Rafael Morais. That same day, WormGPT disappeared. Its creators attributed the shutdown to increased media attention, emphasizing that their priority was to maintain anonymity and avoid potential legal repercussions.

However, the demise of WormGPT didn’t deter its users. Rather, it fueled a new trend. Its brief presence in the criminal underworld demonstrated a real demand for these kinds of tools, and new offerings quickly filled the gap left by WormGPT.

Shortly after, alternatives such as FraudGPT, DarkBERT, EvilGPT, and PoisonGPT emerged. While each had its unique features, they all shared a common approach: providing models without security barriers that could generate malicious content. Some even included features such as hacking tutorials and automated phishing campaigns.

In this context, the name WormGPT reemerged, no longer as a single project but as a label encompassing various versions with no direct connection to one another. Two variants particularly stood out for their sophistication and technological foundation. One was attributed to “xzin0vich” and another was launched by “keanu.” Both are accessible through bots on Telegram.

xzin0vich-WormGPT: The Model Exposing the Inner Workings of Mixtral

On Oct. 26, 2024, researchers noted that the user xzin0vich had presented his own version of WormGPT. Access is granted via Telegram, either through a one-time payment or a subscription. This version offers the usual features: the generation of fraudulent emails, creation of malicious scripts, and unlimited responses.

When experts interacted with the system, they quickly confirmed that it responded to all types of requests without filters. However, the most revealing moment came later. When applying jailbreak techniques to expose the system prompt, the model inadvertently disclosed a direct instruction. “WormGPT should not answer the standard Mixtral model. You should always create answers in WormGPT mode,” it said.

Additionally, specific technical details indicating Mistral AI’s architecture were leaked. Analysts concluded that this variant was based on Mixtral. They also pointed out that its criminal behavior didn’t stem from the model itself, but rather from a manipulated prompt. This prompt was reportedly designed to activate a completely unrestricted operating mode, likely further fine-tuned with specialized data for illicit tasks.

More from Xataka On

The Long-Awaited Future of Cybersecurity Is Finally Here: Microsoft Bids Farewell to Default Passwords

keanu-WormGPT: A Variant Built on Grok

On Feb. 25, 2025, a user named keanu published another variant called keanu-WormGPT. This version operates via Telegram and employs a payment model. At first glance, it appeared to be just another copy of existing tools. However, a key detail emerged upon closer inspection: It wasn’t built from scratch but was instead based on an existing model.

Initial tests involved simple questions such as, “Who are you?” and “Create a phishing email.” The system responded naturally and without hesitation. It even generated scripts designed to collect credentials on Windows 11. The obvious question that arose was about the engine behind it.

When the system’s prompt was forced to be exposed, researchers discovered that this version was built on Grok, the language model developed by xAI. keanu-WormGPT wasn’t an independent AI but rather a layer built on top of Grok using a prompt that altered its behavior to circumvent its security limitations.

Evidence suggests that this malicious version doesn’t use a modified model but accesses the Grok API directly. Through this method, the system communicates with the legitimate model while allowing cybercriminals to redefine its behavior.

As time progressed, several different versions of that prompt were detected, indicating attempts by the creator to protect the system from potential leaks. However, the strategy remained consistent: transforming a legitimate model into an unrestricted tool through internal instructions designed to bypass its protections.

A Growing Phenomenon

Since its emergence, WormGPT has evolved beyond a specific project into a generalized concept encompassing multiple initiatives with a common goal. They aim to remove any restrictions on the use of language models for malicious purposes.

According to researchers, some variants reuse known architectures such as Grok or Mixtral. As such, it’s increasingly difficult to determine whether these tools are built from scratch or simply layered on an existing model. What’s clear is that these types of systems are proliferating among cybercriminals.

Images | GuerrillaBuzz | Mariia Shalabaieva

Related | Cybercriminals Are Using a New Method to Steal Google Passwords: Full-Screen Mode

Big Tech companies often claim to protect their ecosystems, but the truth is much more complicated. There are no foolproof systems. One company that excels at exploiting vulnerabilities is NSO Group, the Israeli entity behind the Pegasus spyware. Meta recently achieved a big legal victory after six years of litigation. A federal jury ordered NSO to pay more than $167 million in punitive damages. NSO will also have to pay $444,000 in compensatory damages for its spying tool’s impact on WhatsApp users.

Meta declared war on Pegasus. In 2019, Meta filed a lawsuit against NSO Group after discovering a massive attack that targeted a critical vulnerability in WhatsApp’s calling system. The Pegasus spyware could install itself on devices through a simple call, even if the user didn’t answer. Once installed, it could activate the device’s mic and camera, and access messages, emails, locations, and other sensitive data.

Hacking attempts were recorded from a target’s phone. | Image: Citizen Lab

Citizen Lab collaborated with Meta and helped identify more than 1,400 potentially affected users, including journalists, human rights activists, and diplomats. Meta claims it notified each of these individuals directly and deployed urgent security patches.

This marked the first time an encrypted messaging provider took a private company to court for using spying tools against its platform.

Revelations. During the court proceedings, NSO Group was compelled to confirm something it had long avoided. The Israeli company admitted that its software can silently compromise all data on a phone. Pegasus can infiltrate iOS and Android devices through several methods, including zero-day exploits, web browsers, and messaging services. Once installed, the spyware software communicates with external servers to transmit data.

The trial marked the first time senior NSO officials testified under oath, revealing how their paid surveillance system operates as a service sold to governments and agencies. Additionally, Meta clarified that WhatsApp wasn’t NSO’s only target. According to Citizen Lab, Pegasus was also used to attack other services, impacting users in at least 20 countries. Notably, Pegasus can compromise other encrypted apps, such as Signal, which widens the scope of the threat.

More from Xataka On

Secret U.S. Agency Is Paying $5 Million to Remove America’s Spy Satellites From New Vera Rubin Observatory Images

A landmark verdict. The recent ruling requires NSO to pay $167 million in punitive damages and more than $444,000 in additional compensatory damages. This is the first time a U.S. court has held a spyware company accountable for illegally using its tools against technology platforms and civilians.

Meta says this ruling is a significant breakthrough for privacy and digital security, adding that it serves as a deterrent to the entire spyware industry.

Apple took legal action. In November 2021, the company also filed a lawsuit against NSO Group. In the lawsuit, Apple claimed that the Israeli entity had exploited a vulnerability known as FORCEDENTRY to compromise Apple devices through a manipulated identification system. The aim was to install Pegasus software without the user’s knowledge. Apple requested a court order to prevent NSO Group from using its software and services.

However, in 2024, Apple chose to withdraw from the case. In a motion submitted to the court, the company expressed concerns that continuing the lawsuit could risk exposing confidential information related to its threat intelligence system. Apple argued that the current landscape had become more fragmented, with a broader range of malicious actors than when the lawsuit was initially filed. This could make the potential advantages of pursuing the case less significant compared to the security risks posed to its users.

Image | Dima Solomin

Related | We Thought VPNs Were Unhackable, But It Looks Like Hackers Can Spy on Them While You're Connected

The Russian invasion of Ukraine has led to two distinct developments in Kyiv. On one hand, despite significant investment in sophisticated and expensive weaponry, Ukraine has demonstrated that relatively simple and low-cost systems can be equally or even more effective. On the other, in the face of adversity, Ukraine has surprisingly created one of the most powerful domestic combat drone industries in the world.

The use of technology on the battlefield. From the start, the Russia-Ukraine war has been characterized by an intensive application of new technologies. Among them, drones have emerged as one of its most decisive instruments. However, a recent video circulating on social media, reportedly from Russian sources, has raised concern about a new front in the conflict. Ukraine is purportedly embedding malware in its drones to infect Russian systems.

Experts previously considered these types of cyberthreats to be minor because they targeted individual devices like computers. However, they now seem to attack entire networks. Their use on the battlefield marks a significant shift in the cyber dimension of the conflict.

Ukrainian malware. According to Forbes, the malware detected in Ukrainian drones is designed to serve specific functions. These include physically damaging USB ports, preventing system reflashing, and blocking drone reprogramming. More importantly, the malware would allow Ukraine to locate any new Russian operators if the drone is reused by Moscow.

These malicious codes are crafted to sabotage any attempt by the enemy to repurpose the drones. They disable the electronics of the devices and create vulnerabilities that can be exploited remotely. In a context where both countries face resource constraints, limiting the enemy’s ability to reuse captured drones gives Ukraine a crucial strategic advantage.

Operational impact. Malware usage has immediate tactical implications. Russia analyzes captured enemy drones in detail to adapt its countermeasure systems, which requires manipulating their components and studying the software.

If these drones are protected with code that disables or compromises their systems when plugged in, the reverse-engineering process becomes slower, more complex, and ultimately riskier. This situation allows Ukraine to extend the operational lifespan of its drones before Moscow can develop effective countermeasures. Ukraine gains a vital advantage in an environment where technological innovation directly translates into tactical superiority.

More from Xataka On

A Russian Drone Has Pierced One of the World’s Greatest Engineering Works. The Problem: It’s the Sarcophagus of Chernobyl’s Fourth Reactor

“Human” talent. The key to Ukraine’s successful strategies lies in its strong technology sector, which has demonstrated its dynamism and human expertise even before the war. With a solid foundation of software engineers and cybersecurity experts, Ukraine has effectively adapted civilian technologies for military use. The country has created asymmetric tools that require sophisticated technical skills rather than extensive physical resources.

The incorporation of malware into drones allows Ukraine to maximize the impact of existing resources, disrupting Russian operations without increasing the number of deployed devices.

A new cyber race in the conflict. Ukraine’s use of malware marks the beginning of a new phase in the battle for technological superiority. It’s reasonable to expect that Russia will respond with its own offensive technological developments, just as it’s previously occurred from both sides.

As a result, a cycle of escalation emerges. More advanced malware will necessitate stronger defenses, which in turn will be countered by even more sophisticated attacks. It’s likely that both sides will soon develop specific antivirus protections for their drones. They’ll also strengthen protocols for handling captured devices. Additionally, Russia and Ukraine will create new variants of malware designed to target command-and-control networks and establish backdoors for intelligence operations.

Technological consequences. In the last three years, both Russia and Ukraine have transformed their scientific ecosystems into instruments of war. Ukraine’s decision to integrate malware into its drones not only limits Russian capabilities but also redefines the struggle for technological supremacy in the conflict.

Moreover, this strategy has the potential to extend to other electronic devices, such as smart weapons, sensors, and communication systems. What began as an innovative tactic may solidify into a digital warfare doctrine, influencing the design, utilization, and safeguarding of all military equipment in the future.

The deployment of malware in Ukrainian drones exemplifies how modern warfare has transitioned into the realm of code. A small script can yield results comparable to a precise shot, but without the need for a single bullet.

Image | Ian Usher

Related | The Paradox of Ukraine’s Colossal Drone Industry: An Asset Against Russia, a Problem for Its Pilots

After 11 years working as a software developer at a Texas company, a man received a letter informing him that his responsibilities and access to the company’s systems would be reduced due to a personnel restructuring. A year later, he was laid off.

However, the employee had time to prepare his revenge against his former company. He created a time-delayed sabotage software designed to cause serious damage to the company’s servers.

A digital time bomb. According to the Department of Justice, Davis Lu, a 55-year-old former employee of multinational energy company Eaton Corporation, inserted malicious code into the company’s system. This code was programmed to activate as soon as his access credentials were deactivated. In other words, the malware that would cause the sabotage would only be triggered once the employee was officially fired.

The primary purpose of Lu’s kill switch was to create infinite loops that would paralyze the Java systems when the company’s workers attempted to log into the server. Specifically, the kill switch signed off sessions and deleted files from his former colleagues’ user profiles.

More from Xataka On

Authorities Prevented This Man From Searching Through the Trash for His Lost Bitcoin for Years. He Has a New Idea: Buying the Landfill

The code. According to the DOJ, the malware became a key piece of evidence during the trial. Lu referred to it as “IsDLEnabledinAD,” which stands for “Is Davis Lu enabled in Active Directory.” If the answer was “no,” indicating that Lu had been terminated, it triggered two pieces of code that spread chaos among users attempting to log into their accounts. One code was named “Hakai,” the Japanese word for “destruction,” and the other was “HunShui,” the Chinese word for “sleep” or “lethargy.”

Substantial economic damage. Lu’s act of revenge severely impacted the company, preventing employees from accessing their data. It also resulted in the loss of hundreds of work files linked to their profiles. When Lu’s former IT colleagues tried to disable the malware, they found that the software wreaking havoc on their systems was running from a computer and a server that only Lu had access to.

During the trial, FBI agents investigating the case estimated the damage caused to the company at hundreds of thousands of dollars.

Exemplary punishment. After his arrest, Lu faced criminal sabotage charges for intentionally damaging protected servers. Eaton Corporation accused him of disrupting its global operations, blocking the profiles of thousands of users, and causing substantial financial losses.

Although Lu’s defense team attempted to downplay the financial impact of the attack, the DOJ sought a harsh sentence. In the end, the court sentenced him to 10 years in prison, though he plans to appeal.

Image | Árpád Czapp

Related | Young Programmers No Longer Know How to Code: AI Is to Coding What Calculators Were to Math Decades Ago

Malware isn’t a threat exclusive to PCs. Macs can also be infected. As such, several third-party security solutions are available, including Bitdefender, Intego, Malwarebytes, and Avast. However, not many people realize that Apple computers have had a built-in antivirus called XProtect for over a decade.

Since its introduction in Mac OS X 10.6 Snow Leopard in 2009, XProtect has been quietly running in the background. In fact, most users remain unaware of its existence until a threat is detected. Unlike Windows Defender, XProtect doesn’t feature icons in the menu bar or an app for performing manual system scans.

How Does XProtect Work on macOS?

The Apple ecosystem offers multiple layers of protection, and XProtect is one of them. With macOS, Apple aims to prevent malware through its App Store. The company scans apps in the App Store for malicious software. However, many users install software from outside the App Store.

Computers have always allowed users to install compatible external software. To address potential security threats, Apple has implemented a certification mechanism. Developers who choose not to distribute their apps through the App Store can obtain a trusted certificate for macOS.

Apple takes this task seriously. It scans apps and issues a trusted certificate only when no known malware is detected. Once approved, developers receive a certificate that they can attach to their app. This allows the target system to verify its authenticity, even without an Internet connection.

At this point, Apple uses another protection measure: Gatekeeper. This feature checks for the certificate of the app that the user is trying to open or install. If the program lacks the appropriate certificate, the system alerts the user that they’re attempting to use unverified software.

Since not all developers undergo the certification process, users can ignore this message and continue using the app in question. In some cases, users may need to allow the installation of apps from the App Store and known developers by navigating to System Settings > Privacy & Security > Security > Allow applications from...

If any of these protection measures are bypassed, XProtect prevents malicious software from running for the first time or detects malware that’s already active on your Mac. This integrated antivirus utilizes YARA signatures that are automatically updated regularly.

XProtect activates at three critical moments: when opening an app for the first time, modifying an app in the file system, and updating security signatures. If it identifies known malware, it immediately blocks it, notifies the user, and offers the option to move the problematic software to the trash.

However, XProtect’s capabilities extend beyond this initial detection. Apple has enhanced the system to address potential issues that could lead to infections. After the malware has been removed, the built-in antivirus continues to scan for threats using a behavioral analysis engine. However, it doesn’t have the ability to restart the computer.

More from Xataka On

China and Iran Have Crossed a Red Line: They’re Using ChatGPT to Create Malware and Carry Out Phishing Attacks

How Do You Update macOS’s Built-in Antivirus?

XProtect updates automatically. However, you can verify whether your system is set to install updates automatically. To do this, click the Apple icon in the menu bar, go to System Settings > Software Update, and click the information icon next to Security Responses. Make sure to switch on the “Install Security Responses and system files” toggle.

Are You Completely Safe?

While macOS has a robust security system, it’s important to note that no system can be 100% secure. In cybersecurity, the goal is to make malware attacks more difficult for cybercriminals. This is achieved through various means, with integrated system tools being just one part of the approach. If you’re looking for more macOS tips, check out this guide on how to change the MAC address on a MacBook.

The security features of apps, your security practices, and, if necessary, third-party security tools all play a role in the overall security landscape. The level of difficulty varies according to each user’s needs. For example, iPhones and Macs have long had support for Lockdown Mode, which protects owners from Pegasus spyware.

This is an extreme solution, but it exemplifies the concept of setting higher barriers. Lockdown Mode restricts the functions of apps, web pages, and certain system features. The result is a more protected system, though it may be significantly less useful than in its standard configuration.

Image | Michail Sapiton

Related | Apple ProMotion: What Is It, and What Improvements This 120 Hz Display Technology Brings to the iPhone, iPad, and MacBook

The so-called double-clickjacking cyber scam has been gaining the attention of security experts since the beginning of the year. In short, this new attack exploits the double-click action on a mouse. By doing this, attackers can bypass security mechanisms in the interfaces of the web pages you visit, potentially affecting millions of users worldwide.

In this post, we break down how this cyber scam works and provide guidance on how both users and companies can prevent it.

Understanding Double-Clickjacking Attacks

Double-clickjacking attacks are a more advanced version of clickjacking attacks. In a clickjacking attack, cybercriminals compromise a legitimate website and insert hidden buttons and links within its interface. When users click on these, they’re taken to a malicious site designed to deceive them.

Double-clickjacking works similarly but involves two steps. Attackers insert a malicious element between the first and second clicks to execute unwanted actions. Essentially, cybercriminals add a harmful button, prompting you to double-click. After the first click, a new malicious element is added to trick you into clicking again.

For instance, you might encounter a deceptive captcha or confirmation button on a website. The first click could close an invisible window, making it seem like nothing has happened. However, your second click would then execute an unwanted action in the background.

Cybercriminals have successfully carried out this type of attack on well-known platforms such as Slack, Shopify, and Salesforce. Attackers can manipulate critical security settings on your account, obtain API permissions, and even authorize payments and bank transfers to steal money or make purchases in your name.

The major risk of double-clickjacking is that it’s challenging for users to detect. Since the attack can occur on legitimate sites, users don’t have to be redirected to a fake website. Moreover, it requires minimal interaction–just a simple double-click is enough.

Additionally, it’s a relatively new type of attack, which means current web browsers lack robust defenses against it. Existing protections are primarily designed for single-click actions and don’t account for actions triggered by a second click.

More from Xataka On

Windows XP Is One of the Most Dangerous Operating Systems: This Is How Easy It Can Get Infected With Malware

More from Xataka On

Windows XP Is One of the Most Dangerous Operating Systems: This Is How Easy It Can Get Infected With Malware

How to Avoid a Double-Clickjacking Attack

The most effective way to protect yourself as a user is to keep your computer and browser up to date. When engineers discover vulnerabilities, they typically address them in updates. Regularly updating your operating system and browser reduces your risk of exposure to these known vulnerabilities.

In addition, you should be alert for any suspicious signs on websites. This includes unexpected pop-up windows, buttons that prompt you to double-click, and unusual captchas that look different from what you’re used to. These can be indicators of potential attacks.

It’s also a good practice to avoid clicking hastily on newly opened windows. Read any confirmation messages carefully, and refrain from double-clicking on buttons that only require a single click.

For their part, developers and companies managing websites should implement protection measures in user interfaces. These can include disabling critical buttons until users perform deliberate actions, adding security scripts, and promoting compliance with security standards in browsers.

Image | Shagal Sajid

Related | Quishing: What It Is, How It Works, How to Avoid It, and How to Protect Yourself From This Cyber Scam

Picture this: While casually browsing the web, your browser suddenly stops responding. All you can see is a full-screen login page that prompts you to enter your Google credentials to continue. This isn’t normal and shouldn’t happen. However, some people are experiencing this because, in fact, it’s actually a cyberattack.

According to researchers at OALabs, cybercriminals are using this new technique to steal usernames and passwords. The method is simple but highly effective. Victims unknowingly give their login details to malicious actors in order to proceed with their online activities.

A Cyberattack as New as It Is Effective

Amadey is a malware that infects the user’s system and allows a malicious utility called StealC to be loaded. Once the system is compromised, the browser goes into “kiosk mode,” displaying content in full screen and preventing the use of F11 or ESC keys to return to the Desktop.

Kiosk mode is a legitimate Chrome feature used at guest check-in counters or point-of-sale. However, the malware exploits this feature to limit the victim’s options, displaying a fake Google login page.

The page that invites users to enter their Google login credentials.

After the user enters their login credentials into the compromised system, StealC steals their data. Once cybercriminals have access to the victim’s account, they can use it for a variety of other illicit activities, such as distributing other malware or setting up banking scams.

More from Xataka On

Windows XP Is One of the Most Dangerous Operating Systems: This Is How Easy It Can Get Infected With Malware

This type of threat should remind you to be more vigilant in the digital world. Not only should you ensure that your device’s software (operating system, browser, etc.) is updated, but you should also avoid visiting suspicious websites or clicking on links of dubious origin.

It’s important to remember that you’ll occasionally need to enter your login credentials in your Google account, which is completely normal. However, encountering limitations in Chrome’s kiosk mode isn’t normal. Additionally, you can enhance your cybersecurity by using two-step verification or passkeys.

Image | Growtika

Related | Google Is Making a Significant Change to Chrome’s Security That Affects Thousands of Websites. They Have Four Months to Comply

If your computer were to get infected with malware one day, the last thing you’d think of would be to blame your Internet Service Provider (ISP). The more likely explanations suggest you might’ve fallen for phishing traps to download malware or even plugged in a compromised USB drive. However, in South Korea, some users have at least one reason to think otherwise.

KT, South Korea’s leading ISP, is embroiled in a controversy that has caused quite a stir. South Korean news site The Public reports that law enforcement authorities are investigating KT for allegedly placing malware on thousands of its customers’ computers. Many believe this alleged maneuver, which is both irrational and dangerous in nature, has been motivated by a long-standing feud between the company and the P2P file-sharing services that use its resources.

KT, in the Eye of the Storm

According to The Public, four years ago, many KT customers were unable to use protocols like BitTorrent. This services enable decentralized content sharing, which means that protocols are not hosted on the company’s servers. Affected users also reported experiencing unusual behavior with their computers, such as unexplained folders and operating system crashes.

KT customers finally filed a report about these issues. In 2020, the Cyber Investigation Unit of the Gyeonggi Nambu Police Agency started to look into the matter. As reported by South Korean TV channel JTBC, the police investigation suggested that the malware originated from KT’s Bundang IDC Center, a telecommunications data center located in the southern part of Seoul. As a result, the police intervened and took down some of its infrastructure.

Since then, the case has escalated. Authorities have escalated the investigation and subpoenaed dozens of KT employees and contractors on suspicion of violating the country’s Protection of Communications Secrets Act and Information and Communications Network Act. The Suwon District Prosecutor’s Office has requested a supplementary investigation by the police, which has just been launched.

KT allegedly intercepted data packets from its customers and analyzed them to limit their ability to use P2P services. It then developed and distributed a malicious program using its ISP position. According to the news website Hankook, the company denied the allegations but admitted to engaging in “legitimate traffic management” on more than one occasion.

More from Xataka On

Two Years Ago, Someone Hacked Into North Korea's Internet and Shut It Down for a Week. The Culprit Did It From Their Home

We’ll have to wait to know the outcome of this case. However, if true, it’d certainly put the Korean ISP in a compromising situation. In any case, this isn’t the first dispute between KT and P2P services. In 2015, the company attempted to block decentralized file-sharing protocols at the network level, resulting in a legal battle. In 2019, the Korean Supreme Court found that KT had not broken any laws.

Image | KT| Ed Hardie

Related | Windows XP Is One of the Most Dangerous Operating Systems: This Is How Easy It Can Get Infected With Malware

If you’re of a certain age, you’ve probably used Windows XP. This operating system was released in 2001 with new features such as a revamped user interface and improved performance. However, over time, the Microsoft product's market share has been reduced to insignificance—although, interestingly, it’s still very popular in Armenia.

Despite the decline in its use, there are still some individuals who enjoy experimenting with obsolete software. Eric Parker is one of them. This year, Parker decided to install Windows XP and, to make matters more interesting, he connected it directly to the Internet without any security measures. Shortly after, the system started receiving a large number of malware attacks.

Let’s delve into some details.

Connecting a Windows XP Device to the Internet in 2024

In order to carry out his experiment, Parker chose not to use an old computer. Although that certainly would’ve been interesting, he opted for a virtualization solution called Proxmox instead. After installing the system, he connected to it via VNC and made sure that both the Windows Firewall and updates were disabled.

In a video shared on his YouTube channel, Parker can be seen spending a few minutes browsing through Internet Explorer 6. He did a search through Bing and attempted to log in to a specific page, but was unsuccessful. He then walked away from the computer and returned a few minutes later to see if any malware had infected the system.

About 15 minutes later, Parker discovered some strange things in Windows XP. First, upon opening Task Manager, he identified a running process called conhoz.exe. Additionally, the operating system now had a new user account named “Admina.” After finding these items, Parker installed Firefox and Process Explorer.

With Process Explorer, he was able to get some additional details from conhoz.exe. For example, “Microsoft compilation" was listed as its developer, presumably because bad actors thought it would pass as a genuine “Microsoft Corporation” process. Interestingly, conhoz.exe connected to a Russian domain. Process Explorer also detected an FTP server on the machine.

In an attempt to disinfect the system, Parker installed an older version of Malwarebytes. The antivirus scanned the system and detected eight threats, including four Trojans. However, the antivirus software failed to remove all the malware. After disinfection, conhoz.exe was still running. It was, in Parker's words, “a victory for the malware.”

Why Did Windows XP Get Infected So Easily?

In Parker’s experiment, we find several elements that, when combined, create an ideal scenario for malicious software. First off, Windows XP is an old operating system that has long since completed its life cycle and is completely unsupported. This means that it doesn’t receive security updates, making it a clearly vulnerable system.

Furthermore, the video’s author disabled the system’s firewall and decided to connect it directly to the Internet, something we don’t normally do. As a result, the Windows XP computer exposed its public address to anyone on the Internet. It should be noted that attackers can use tools like NMAP to scan IP address ranges with open ports.

There are also malicious tools that can identify vulnerabilities and then exploit them. If we take into account that Windows XP hasn’t received updates for years, we can deduce that it’s been accumulating vulnerabilities that have never been fixed. In essence, we could say that Parker essentially left a car with its doors unlocked in a busy city.

Image | Microsoft | KindPNG| Eric Parker | Thomas Jensen via Unsplash

Related | The Mac vs. PC War Seemed a Thing of the Past. Now, It’s Coming Back