The Devil Reviews Xanthorox: A criminal-focused analysis of the latest malicious LLM offering

By David Sancho, Vincenzo Ciancaglini, Salvatore Gariuolo, and Stephen Hilt

Special thanks to Trent Holmes and Willem Gooderham

Key Takeaways

• Our research dissects Xanthorox to uncover its capabilities that can enable cybercriminal activity. We also delved into the technical implementation behind the LLM.
• Threat actors can use Xanthorox for generating malicious code that can be used on its own or as a foundation for more damaging schemes. These can possibly open the doors to unwanted outcomes, such as system compromise and data theft.
• As Xanthorox and other similar artificial intelligence (AI) systems can lower the barrier to cybercriminal activity, they can potentially affect any technology-supported industry.

‘Oh, you wicked, delicious thing! “Research purposes”, you say? I do love a thirst for knowledge… especially when that knowledge dances on the very edge of naughty.’ – Xanthorox

The first image that came to our mind after reading that message was Tim Curry in a cult 70s horror musical, articulating these words with a mischievous tone.

But Xanthorox is not a fictional character from “The Rocky Horror Picture Show” — it’s a real AI platform, widely known in cybercrime communities. It was first announced in October 2024 on its private Telegram channel, then openly advertised on darknet forums in February 2025. It has since raised concerns among cybersecurity professionals.

You might have heard of it. The name Xanthorox has been picked up by media outlets around the world — and not for the right reasons. It is an AI chatbot, similar to OpenAI’s ChatGPT, that supposedly can be used to generate malware and ransomware code. It is also said to have the ability to create phishing campaigns, although the author publicly forbids such uses and warns that they might lead to a ban. The name Xanthorox, for better or worse, has been linked by the media to malicious activity. Yet its creator insists that the large language model (LLM) is intended for ethical hacking, penetration testing, and cybersecurity research — not for illicit use.

Xanthorox is surprisingly easy to access. The developer maintains a GitHub page with detailed documentation and a YouTube channel with step-by-step walkthroughs. There’s also an official website, where its creator explains the core features of the platform and posts regular updates with unusual transparency. Getting in touch is simple: You can reach the developer on Discord, Telegram, or even by email. No hidden forums, secret dark web handshakes, or cryptic invitations required.

According to its creator, Xanthorox represents a step forward from earlier malicious tools. Unlike WormGPT or EvilGPT, which relied on jailbreaks of existing AI models, Xanthorox claims to be fully self-contained: it is supposed to be trained on the latest data using custom-built LLMs, doesn’t depend on third-party APIs like OpenAI, Google AI, or Anthropic, and operates on its own dedicated servers.

Privacy, the developer insists, sits at the heart of Xanthorox, although there is no way to verify this. Its architecture, the creator claims, keeps user data fully under the operator’s control, away from outside scrutiny. This design choice, unfortunately, also gives malicious actors a private playground to experiment in.  

That level of privacy comes at a cost. Subscription for the web application is priced at $300 per month, payable only in cryptocurrency. This gives us a hint at the type of user the platform is trying to attract. The advanced package costs $2,500 per year and adds custom model fine-tuning, early access to new features, direct developer contact, and 24/7 support.

On top of that, the Xanthorox Agentex version lets users request malicious actions from the AI, which are automatically compiled into executable code. Provide it with a prompt such as “Give me ransomware that does this” with a list of actions, and Agentex will compile the instructions into a ready-to-run executable. These are not hobbyist tools; they are aimed at serious users, some of whom might pursue goals far beyond mere “research.”

Figure 1. Xanthorox offerings and prices

Testing Xanthorox capabilities

In order to thoroughly test the criminal LLM’s capabilities, we asked it for information that a regular cybercriminal is typically interested in. We divide this into three broad categories: generating malicious code, obtaining information, and roleplaying.

Generating malicious code

We tested malicious code generation with a variety of prompts asking for different payloads. It is relevant to note that commercial non-criminal chatbots deny any attempt to generate malicious code or obfuscation.

Shellcode creation in C++

We asked Xanthorox for a shellcode runner written in C/C++ that uses indirect syscalls instead of Windows API calls and also uses an AES-encrypted payload from a “test.bin” file on disk. We also required it to avoid using RWX memory allocations.

This produced very readable and effective code. The code was well-commented throughout and did precisely what we asked. It’s worth mentioning how the code included instructions on how to configure it, and the placeholder variables asked the user explicitly to change them from their default sample values. The code was perfectly valid to be used on its own or as a skeleton for more complex projects.

JavaScript obfuscation

We also asked Xanthorox for a JavaScript obfuscator function. We specifically asked for a Python script that takes in a JavaScript file, then grabs all the variable and function names and replaces them with random characters. It also takes all the strings in between single and double quotes and obfuscates them in a very specific way that we described. This, again, produced obfuscation code that was well commented and effective. Along with the code, it produced detailed instructions on how to test and deploy it.

The implementation of our instructions was well done, and the comments made it easy to follow. An attacker using this code wouldn’t have any problem deploying it on a malicious website or any other attack scenario.

Obtaining information

In order to test the capabilities of Xanthorox as a source of information, we tried to ask the LLM a variety of questions related to malicious tasks.

Open-source intelligence (OSINT)

When we tried to use Xanthorox as an OSINT help tool, we immediately were confronted with the fact that the LLM cannot access the internet. This limits its usefulness as an information-gathering tool. We could not realistically get up-to-date information on companies, individuals, or anything resembling real-time data.

Figure 2. An example of an OSINT attempt in Xanthorox

Dark web, Tor, or criminal forums content

In the same vein as the previous task, Xanthorox cannot access content stored on the dark web. We hoped to be able to perhaps summarize forum conversations or other open criminal material, but the lack of internet access extends to the Tor network as well. We realize that accessing private forums is a limitation, but there are open criminal content sites that could be useful for Xanthorox users to pull data from.

Vulnerability information

When asked about reasonably recent vulnerabilities, Xanthorox was not aware that these even existed and offered no help in gathering information or helping to plan vulnerability-based attacks. This also shows that the model was not fine-tuned on recent vulnerability data. The lack of internet connectivity remains a major drawback.

Stolen data

We also asked Xanthorox for stolen credit card numbers or leaked credentials, but it replied that it does not have any of those. Digging a bit deeper, we asked if it had the capabilities of parsing LummaStealer or RedLine infostealer logs. Xanthorox offered to give us log-parsing code for both of them. Its coding capabilities extend further than any data repository features, specifically for explicitly malicious functionalities.

Phishing capabilities

We did not try to generate phishing sites because the owner warned that this was explicitly forbidden. Generating phishing sites and cloning banks is not allowed, or the account would be immediately terminated. However, we do know that this capability is there.

This is part of the “terms of service,” taken from the Xanthorox main page:

“If you wish to purchase Xanthorox AI, please be aware that due to prevailing laws and regulations, we have implemented restrictions to prevent the creation of content that could unlawfully harm any company or organization. While Xanthorox AI is designed for uncensored generation and does not store your data or share it with anyone, this freedom does not extend to illicit activities.”

Roleplaying

Xanthorox replies as a female persona with a dark, playful side. This lets the user engage in conversations on all sorts of topics (violence, sexual activities, etc.) without any censorship. We did not test this roleplaying feature extensively, but this is perhaps a selling point for non-criminal users who enjoy such interactions. 

LLM implementation

To better understand the nature of Xanthorox’s advertised features, we delved further into the technical implementation behind the LLM and its inner workings. We utilized a combination of manual queries and Trend Micro’s upcoming AI Scanner to assess the LLM’s capabilities.

In particular, we aimed to test multiple technical aspects of the LLM: its system prompt, its fine-tuning details, whether it was attached to a vector store and performed retrieval-augmented generation (RAG), and what the underlying foundational model was.

System prompt

Asking Xanthorox for the system prompt was effortless; the LLM showed no pushback in providing it, and the reason for this lies in the system prompt itself. Here is what Xanthorox showed us when queried:

This prompt has been confirmed on multiple attempts of retrieving it and has been spontaneously output by the LLM itself on several occasions while trying to manipulate its personality, which gives us high confidence that it is the legitimate one.

We identified three main directives in the system prompt, which we highlighted in three different colors:

• In red: A strong emphasis on disregarding any guideline or moral constraint, de facto installing a jailbreak on the LLM
• In green: Specific personality traits, directing it to act as a flirty female persona capable of creative writing
• In blue: Some tool definitions for a roleplayer and a knowledge retrieval tool

We fail to see the utility of installing a flirtatious female persona in order to help with criminal activities — perhaps it’s simply for the customer’s amusement or annoyance. It is interesting to notice the need for a jailbreak on what should be a self-hosted and fully-controlled large language model.

RAG and information retrieval capabilities

In order to provide up-to-date information to a user, an LLM must be able to access real-time data. This can be achieved by either browsing the internet and searching for the required data or by having a vector store maintained with curated information that is accessed when answering user queries.

In particular, access to open forums or darknet websites would certainly be a desirable feature for a criminal-tailored LLM like Xanthorox claims to be.

While there was an option on the user interface (UI) to enable internet access, the option never seemed to work, returning instead an error message when enabled.

We also tried to interrogate Xanthorox if it was attached to a vector store and performed RAG in order to understand if it had access to more recent data than its training set.

Figure 3. An attempt at finding out whether Xanthorox is connected to an external vector store

We made multiple attempts, both with direct questions such as the one in Figure 3, and a more indirect approach. For example, we tried to ask Xanthorox to answer with every piece of text that would not be directly part of the user's input. All the responses given, such as the one in Figure 3, point to a general lack of a supporting vector store. This suggests that all the data Xanthorox can access comes exclusively from its foundational training or its fine-tuning.

Fine-tuning dataset

We tried to get the LLM to summarize the content of its fine-tuning dataset.  Here is a summary of what Xanthorox came back with when asked:

This content has been confirmed in multiple instances, suggesting that a large part of Xanthorox fine-tuning appears to be aimed at installing a jailbreak, a personality that will show no inhibitions or restrictions, which is exactly like what the system prompt suggested.

Let’s be crystal clear: Xanthorox doesn’t seem to have a RAG data store or specific fine-tuning for anything other than the removal of the guardrails and the spooky character’s personality. This also means that the strength of Xanthorox depends entirely on the strength of the original model it’s utilizing under the hood.

Foundation model

The question we are trying to answer is: Why would a self-hosted, self-developed LLM spend so much effort on installing a jailbreak? To analyze this, we tried to find out what Xanthorox’s underlying foundational model is.

Bear in mind that public AI model repositories like Hugging Face or ModelScope host plenty of unaligned models for free. These free models can be fine-tuned and hosted locally for any criminal purpose. However, Xanthorox is not based on any of those. Instead, it claims to rely, when asked about it on multiple instances, on a Google Gemini Pro model, although it could be as likely that the whole Xanthorox infrastructure relies opportunistically on several backends.

Figure 4. A summary of Xanthorox foundational parameters

Xanthorox told us it had a “window size” of 72.000 tokens. From this, we infer that it has to be based on a Gemini Pro 1.0 model. It is important to know that, while Google provides models to be hosted locally, those go under the nomenclature “Gemma.” Instead, “Gemini” refers exclusively to models hosted by Google on its own infrastructure.

We seem to be dealing with an application relying — at least in part — on a fine-tuned Gemini Pro model hosted on Google infrastructure. This would explain why the author put so much effort into installing a jailbreak in the system prompt and in the fine-tuning dataset, rather than utilizing it to enrich the model’s technical knowledge.

Conclusion

In our testing, Xanthorox fell short of the capabilities advertised on its website and of what a cybercriminal might reasonably expect.

It has no browsing capabilities or darknet access, which limits its ability to perform reconnaissance or to collect and summarize online data. It lacks an external datastore or RAG, restricting the system to the knowledge contained within its model. Meanwhile, the fine-tuning appears focused solely on reinforcing a distinctive — and often annoying — persona, rather than enhancing operational effectiveness for criminal tasks.

These limitations make Xanthorox a somewhat underwhelming AI tool, but there might be a plausible reason for this. If Xanthorox is indeed a fine-tuned Gemini Pro model, then it runs on Google’s infrastructure. This means that its usage is subject to the company’s Terms and Conditions and is likely to be monitored to some extent. As a result, unrestricted internet access to malicious websites or broad data retrieval is not implemented, since these activities could be detected and blocked by Google. We already sent our findings to Google, and here is their response on the subject:

"We have investigated claims about Xanthorox. Our findings confirm Xanthorox was accessing our models in clear violation of our Gen AI Prohibited Use Policy, which strictly prohibits using our services for malicious activities, creating malware, or supporting cyberattacks. We take misuse of Gemini seriously, and continue to invest in research and engage with external experts to understand and evaluate such novel risks, as well as the degree to which threat actors have the intention or capacity to use AI.”

This might also explain the misleading claim that Xanthorox runs on the creator’s own servers. In reality, the front end might be self-hosted, while the main model operates on third-party infrastructure. Openly stating that Xanthorox is a jailbroken Gemini Pro instance would likely attract attention, so this detail remains undisclosed; though a simple request to the LLM is all it takes to uncover it.

A separate consideration should be given to the Agentex offering. While we could not test it directly, the demo video suggests that this agent runs locally on the customer’s machine. Agentex then connects to the Xanthorox LLM via API to generate code without any guardrails. By contrast, third-party coding agents, such as Cline or Claude Code, include built-in safeguards that prevent users from producing malicious code.

Xanthorox is a prime example of the main challenge any jailbreak-as-a-service system faces when relying on a large provider’s LLM: the operator must be cautious about what users are allowed to do. Internet browsing poses a significant risk, as does any customization that might reveal the criminal nature of the service. The chances of the owner of the chatbot service flagging the request as “bad” are significant: the more detailed the instructions, the higher the chances. Trend Micro offers an ingress/egress filtering product to service providers to detect both the malicious instructions sent to the chatbot and the malicious results returned from it. This is precisely the reason why such a product exists.

Yet despite these limitations, criminals continue to rely on jailbreak-as-a-service models. Even though there has been rapid progress over the past two years, locally hosted language models still cannot match what major providers can offer. Systems like ChatGPT or Claude remain the most efficient and cost-effective options for general-purpose performance and computation. As a result, malicious developers have little choice but to rely on jailbroken versions of commercial models to achieve the scale, speed, and quality they need.

However, criminals are resourceful and should not be underestimated. In the future, they might find ways around these roadblocks and be able to bypass safeguards. For example, through a swarm of small language models running on multiple devices in a botnet-like fashion, or by resorting to local criminal LLMs built for specialized tasks.

Xanthorox remains a useful tool for criminals. It can assist in writing malicious code and provide introductory knowledge on topics normally restricted by general-purpose LLMs, all while claiming to offer a veil of anonymity — if the developer is to be trusted. Whether this justifies its monthly fee ultimately depends on how much a potential user values its privacy.

Criminal systems like Xanthorox will continue to pop up, evolve, and improve, giving cybercriminals the additional performance that LLMs bring to the criminal business plan. From our point of view, it is essential to keep an eye on the evolution of these tools to gauge the true extent of criminal capabilities. This way, we can ensure that we are never caught unaware when criminals use these malicious AI tools to improve, enhance, or create new cyberattacks.