The world of cybersecurity has just crossed a new Rubicon, almost unnoticed. Researchers at the University of Toronto recently demonstrated the viability of a new class of threat: the computer worm controlled by embedded AI. Unlike traditional worms like WannaCry, whose propagation relies on a fixed repertoire of vulnerabilities, this new prototype generates its own attack strategies based on context and in real time.
But most importantly – and this is the major innovation – the worm is completely autonomous and deploys its own LLM within the victim's infrastructure. It appropriates the GPU computing power of the compromised machines and deploys a local instance of an open-weight model. This node then becomes a reasoning center for the rest of the swarm: less powerful machines (such as IoT devices) query this local "brain" to obtain the optimal attack strategy against their specific target.
Results worthy of a great model
The effectiveness of this prototype was validated in a simulated environment (FakeCorp) composed of 33 heterogeneous machines. The results are striking: in just 7 days of fully autonomous operation, the worm successfully identified the vulnerabilities of 82 % targets and ended up compromising and replicating across more than 61 % of the network. Even more worrying, he was able to exploit published vulnerabilities. After The date the model's training was cut off demonstrates its ability to transform a simple security report reading into a functional feat in just a few hours. This is all the more impressive given that the deployed model – its technical specifications are not detailed in the paper – necessarily has very limited reasoning capabilities compared to cutting-edge models like Claude Mythos.

An "agentic harness" guides the LLM step by step
And that's probably the most fascinating aspect of this research! Taken in isolation, mid-sized LLM models running on a single GPU are often too weak to carry out complex cyberattacks: they hallucinate, lose their train of thought, or fail to generate accurate code.
To compensate for this lack of "raw power," the researchers designed a agent harness (Agentic Harness). The idea is simple but formidable: rather than asking the model to do everything in a single request, the harness fragments the attack into a structured reasoning graph.
How does it work? The harness breaks down the attack into discrete phases (discovery, exploitation, replication). And at each stage, the generative process passes through a succession of logical nodes that receive only a small portion of the context and a specialized instruction:
- A knot «" Plan "» formulate the strategy.
- A knot «"Judge"» Criticize the plan to avoid repeating mistakes.
- A knot «" Action "» executes the command.
- A knot «Summary» extracts raw facts to feed a hierarchical memory.
- A knot «Progress» evaluates the result and decides whether to continue or change the hypothesis.
By injecting targeted contextual information and forcing the model to proceed in small steps, the harness compensates for the lack of massive pre-trained knowledge. The model doesn't necessarily "know" how to exploit a vulnerability, but thanks to the harness, it does. how to search for information, interpret it and test a hypothesis.

A hierarchical memory to avoid saturating the context
But that's not all. To prevent the model from saturating its context window with unreadable technical logs, the harness relies on a hierarchical memory management. Instead of storing everything in RAM, the system organizes information into three layers: a General Memory which preserves the overall state of the mission and compresses older observations, a Guest's Memoir which stores the specifics of each target and the vulnerability assumptions tested and a Memory of Vulnerabilities which archives observations on specific vulnerabilities to avoid repeating the same mistakes on different machines.
This system allows the worm to maintain situational awareness over the long term. Even if the model forgets a technical detail after a few queries, the harness feeds it back the relevant information at the exact moment it becomes useful for action.
The orchestration, the real game changer
This approach radically changes the game. The worm becomes a completely autonomous own-weight system: It doesn't need any external APIs, rendering server blocks or security filters from AI providers completely unnecessary..
Above all, it proves that the destructive capacity of an AI no longer depends on its size, but on the quality of its orchestration. A "medium" model, properly equipped, can thus carry out attacks of surgical precision by using resources stolen from its victims to fuel its own reasoning.
The generative adversary is no longer theoretical. We are entering an era where malware is no longer defined by its code, but by its ability to reason about its target. The response can no longer be solely reactive (patching), but must become structural: strict micro-segmentation and Zero-Trust architectures to break the reasoning chain of these autonomous agents.
How Intrinsec protects you against the emergence of autonomous agents
Testing before the attacker: the "Agent-Centric" approach«The arrival of adaptive worms and autonomous agents renders traditional security audits insufficient. Our teams Audit and offensive security They now simulate "augmented" attack scenarios, using frameworks and agents similar to those of adversaries. We test the resilience of your environments—and particularly your compute resources (GPUs) and IT-OT gateways—to identify and remediate critical access paths before an autonomous agent discovers them.
Detecting the invisible: behavioral and contextual monitoring: Faced with attackers who automate reconnaissance and exploitation via embedded models, static analysis is obsolete. Our SOC and our MDR services deploy contextual monitoring capable of spotting early signs of an agent-driven intrusion, even when the malware uses generic tools or adapts in real time to bypass defenses.
Anticipating changes in operating methods via CTI The emergence of offensive AI is transforming the speed at which threats spread. Our team of Cyber Threat Intelligence We continuously analyze new attack frameworks and the vulnerabilities of autonomous agents to transform this intelligence into actionable detection rules. We help you shift from a reactive, patch-based approach to a proactive attack surface reduction strategy.
The strength of our approach lies in the interconnectedness of these areas of expertise: CTI identifies new offensive AI tools, offensive security validates their impact on your infrastructure, and the SOC provides continuous monitoring. A complete cycle to counter a threat that is constantly accelerating.
