Security researchers with cybersecurity firm Straiker are warning about a new platform available on the Python Package Index (PyPI) repository that is pitched by its Chinese developers as an AI-powered penetration-testing tool but appears to be on a path to becoming the next Cobalt Strike.

Called Villager, the new red team tool has been downloaded almost 11,000 times in the two months after being put into the PyPI repository as a free download. It was developed by the Chinese company Cyberspike and integrates the Kali Linux toolsets with DeepSeek AI models.

The downloads span multiple operating systems, including Linux, macOS and Windows.


Villager is an AI-enabled tool that automates pentesting operations and supports the Model Context Protocol (MCP), which is used to enable AI models to more easily access external data and services.

The concern is that such a tool can easily be turned around and used by bad actors, Dan Regalado, principal AI security researcher with Straiker, and Amanda Rousseau, a member of the technical staff at the company, wrote in a report this week. The two reported that the Villager framework is already being used in the wild to orchestrate and automate attacks.

“The rapid, public availability and automation capabilities create a realistic risk that Villager will follow the Cobalt Strike trajectory: commercially or legitimately developed tooling becoming widely adopted by threat actors for malicious campaigns,” Regalado and Rousseau wrote. “Villager operates as an MCP client, integrating multiple security tools. Most notably, the ‘Kali Driver’ integration automates penetration testing using Kali Linux toolsets, and in adversarial hands, can unleash containerized Kali Linux attacks at scale.”

A Favorite Attack Tool

Cobalt Strike was developed more than a decade ago as pentesting software and a hacker simulator that red team members could use to test the security of an organization’s systems and networks and uncover potential weaknesses and vulnerabilities.

Cybersecurity vendor SentinelOne noted that while the tool is used by security professionals, “for several reasons, Cobalt Strike has also become a favorite tool of malicious hackers. Some of the key reasons include its power and versatility and its ability to remotely control and monitor attacks and generate detailed reports on their activities.”

Older, Unlicensed Versions

Bad actors have been using older and unlicensed versions of Cobalt Strike for malicious campaigns since at least 2016 to enable them to penetrate the networks of targets. They’ve also embraced the Beacon payload in Cobalt Strike, according to security firm Cynet.

“Once deployed, it allows attackers to maintain a discreet presence within a network, carrying out operations while remaining largely invisible to security systems,” Cynet wrote. “This facilitates long-term data theft, manipulation, and disruption of network operations.”

Two years ago, a U.S. District Court judge allowed Microsoft, Health-ISAC, and Fortra, which has owned Cobalt Strike since 2020, to push back on the use of unauthorized versions of the software by malicious actors to run ransomware and other attacks. In the two years since, the three organizations have used legal and technical means in the effort, reducing the number of unauthorized copies of Cobalt Strike seen in the wild by 80%, Fortra reported.

More Dangerous Than Cobalt Strike

While Villager is on a story arc similar to Cobalt Strike’s, it’s more dangerous. Where Cobalt Strike, like other traditional pen-testing frameworks, relies on scripted playbooks, Villager uses natural language processing prompts.

“The framework’s most dangerous innovation lies not in any single capability, but in how it seamlessly integrates multiple attack vectors through intelligent task orchestration,” Regalado and Rousseau wrote. “By combining containerized Kali environments, browser automation, direct code execution, and a 4,201-prompts vulnerability database, all coordinated by AI decision-making, the framework dramatically lowers the technical barrier for conducting complex attacks.”

Villager’s developer, Cyberspike, first showed up in November 2023 when its domain was registered under Changchun Anshanyuan Technology Co., which the Straiker researchers said is a Chinese company listed as an AI and software development provider. Cyberspike released Villager in July.

The components that make up Villager include an MCP client service; Retrieval-Augmented Generation (RAG)-powered decision making that uses 4,201 AI system prompts to create exploits and make real-time pen-testing decisions; on-demand creation of Kali Linux containers; and evasion techniques, including a 24-hour self-destruct mechanism that wipes activity logs and evidence, they wrote.

Regalado and Rousseau wrote that Villager “represents a concerning evolution in AI-driven attack tooling, demonstrating how legitimate development technologies can be weaponized for sophisticated automated penetration testing. Its task-based architecture, where AI dynamically orchestrates tools based on objectives rather than following rigid attack patterns, marks a fundamental shift in how cyberattacks are conducted.”