The Next Evolution in Black-Hat AI
A new player has entered the cybercrime AI landscape – Xanthorox AI, a malicious tool that brands itself as the “Killer of WormGPT and all EvilGPT variants.”
First spotted in late Q1 2025, Xanthorox began circulating in cybercrime communities across darknet forums and encrypted channels. The system is promoted as a highly modular AI platform tailored specifically for offensive cyber operations and privacy-conscious exploitation.
Unlike its predecessors, Xanthorox AI doesn’t rely on jailbreaks or tweaks to existing foundation models.
Instead, the developers claim to have built a self-contained, multi-model architecture hosted entirely on their own servers, enabling a local, unmonitored, and highly customizable AI experience.
Infrastructure and Architecture
According to the seller, Xanthorox AI is powered by five distinct models, each optimized for different operational tasks. These models run entirely on local servers controlled by the seller, rather than being deployed over public cloud infrastructure or through exposed APIs. This local-first approach drastically reduces the chances of detection, shutdown, or traceability.
Some of the standout claims include:
- Fully custom-built language models (no GPT, LLaMA, Claude, etc.)
- Modular design allowing updates or replacement of capabilities
- Built-in voice and image handling modules
- Live internet search scraping using over 50 engines
- Offline functionality, enabling use without network dependencies
- Data containment, removing the risks of third-party AI telemetry
Considering the current state of AI technology, creating modular, self-contained systems that work offline and combine various models is entirely possible. We already have tools like customizable language models and methods to integrate voice and image processing. Even if Xanthorox doesn’t meet every expectation, the technology to build something similar is available, and we’ll likely see systems like it emerge soon.
What Xanthorox AI Can Currently Do
Xanthorox AI presents itself as a comprehensive, all-in-one hacking tool, powered by a modular architecture designed to support a wide range of cybercrime operations.
From an attacker’s perspective, Xanthorox AI hits most of the marks needed for a versatile hacking assistant. It handles code generation, vulnerability exploitation, data analysis, and integrates voice and image processing, making it capable of both automated and interactive attacks.
At the core of its toolkit is Xanthorox Coder, which automates everything from code generation and script writing to malware development and vulnerability exploitation.

Xanthorox Vision adds a visual intelligence layer by allowing users to upload images or screenshots for analysis. The model can describe, interpret, or extract relevant data from visual content.

Xanthorox Reasoner Advanced aims to copy the way humans make decisions with accurate reasoning. While reaching “100% accuracy” might be unrealistic, it is entirely possible to create a model that consistently produces well-organized and convincing results.
Given this, it’s likely that Reasoner Advanced could very well support tasks where logical consistency and persuasive communication are essential, even if it doesn’t always hit perfection.

The platform also supports voice-based interaction via real-time voice calls and asynchronous voice messaging, enabling hands-free command and control. This feature allows for fluid, natural engagement with the AI, especially in environments where typing may not be optimal.

Xanthorox can reportedly gather information from over 50 search engines using its internet search abilities. This allows it to provide up-to-date and highly relevant details.
Because data scraping is a common and practical method, this claim seems believable. By doing this, it avoids the usual limitations of APIs and ensures the system can access useful information for specific targeting or research purposes.

For static file input, file analysis enables the model to process a wide variety of file formats, including .c, .txt, .pdf, and others. It can extract, summarize, and even rewrite or edit content, offering support for threat actors handling leaked data or technical documentation.
How SlashNext Can Help
Xanthorox AI is a powerful tool that takes cyberattacks to a new level. It’s a self-hosted, customizable AI system built to handle large-scale, automated cyber operations.
It can focus on tasks like phishing, social engineering, creating malware, and analyzing files, all without depending on public platforms or commercial AI models. With tools like Xanthorox, attackers can unfortunately create precise and convincing phishing campaigns at scale.
SlashNext is here to stop this.
Our platform uses advanced technology to analyze behavior and understand language, helping us detect AI-generated email threats. This works whether the threats are in text, images, or part of multi-channel phishing attacks. We block harmful messages before they can reach users, even when there are no obvious warning signs.
As AI threats become more advanced, our defenses keep up. SlashNext offers real-time protection against these new types of email attacks, including those powered by systems like Xanthorox.