Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Villager Framework: AI-Powered Penetration Testing Tool

26 December 2025 17:57

Straiker’s AI Research (STAR) team has identified Villager, an AI-native penetration testing framework developed by the Chinese group Cyberspike. The tool, presented as a red team solution, is designed to fully automate security testing tasks by combining Kali Linux tools and DeepSeek AI models through the Model Context Protocol (MCP).

Villager has been published on the Python Package Index (PyPI) and is freely accessible worldwide. In the first two months after its release it passed 10,000 downloads, a figure that has drawn analysts’ attention because of the tool’s potential for abuse.

According to Straiker, the combination of advanced automation and a low barrier to entry could put Villager on a trajectory similar to that of tools like Cobalt Strike, which was originally developed for legitimate use and later adopted at scale by malicious actors.

A dual-use framework

Villager dramatically reduces the level of expertise required to conduct complex offensive activities. By automating the entire penetration testing toolchain, it enables even inexperienced operators to carry out advanced intrusions.

Distribution through PyPI also represents a potential supply chain vector, offering attackers a reliable channel to obtain and integrate the tool into their workflows.

From an operational perspective, misuse of Villager could mean a sharp increase in automated scanning, exploitation and post-exploitation activity, placing a heavy burden on detection and incident response teams.

What is MCP (Model Context Protocol)

The Model Context Protocol (MCP) is a standard designed to enable AI models to interact in a structured way with external tools, services, and system resources; its messages are JSON-RPC 2.0 requests and responses carried over stdio or HTTP. Unlike a simple inference API, MCP defines a mechanism through which the model can receive operational context, discover which tools are available, and invoke them in a controlled manner. This turns the model from a purely conversational engine into an active component within complex workflows.

From a technical standpoint, MCP introduces an orchestration layer that regulates the exchange of messages between the model and so-called “tools,” such as execution environments, containers, automated browsers, or system utilities. Each action is described and returned in a structured format, allowing AI to chain together multiple operations, manage task dependencies, and respond to errors. This allows for the construction of agents that plan, execute, and verify complex tasks while maintaining consistency and traceability.

The value—and at the same time the risk—of MCP emerges when applied in sensitive contexts like cybersecurity. By connecting language models to attack or testing tools, the protocol enables the automation of entire operational chains, drastically reducing human intervention. For this reason, MCP is considered an enabling technology: on the one hand, it makes development, testing, and defense more efficient, and on the other, it can be leveraged to create autonomous attack frameworks, as in the case of Villager.

Potential impacts for organizations

Enterprises may face increased external scanning and exploit attempts, faster attack cycles that reduce response windows, and increased difficulty in attribution due to the use of standard tools in hybrid campaigns.

Additional risk falls on the software supply chain and on development environments if the package is installed on CI/CD runners, developer workstations, or test systems.

Analysts recommend deploying security gateways for MCP, capable of inspecting and filtering the traffic between AI agents and tools in real time. They also recommend a thorough review of third-party AI integrations, governance policies on the use of AI, and threat intelligence capabilities focused on AI-driven attacks.

The measures also include establishing specific response procedures for AI-enhanced incidents and conducting ongoing security testing targeted at MCP-enabled applications.
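As an added example that is not code from Straiker, Cyberspike or the Villager project: the Python below shows the message shapes the MCP section above describes (JSON-RPC 2.0 `tools/list` and `tools/call`, with a `tools/call` result carrying a `content` list and an `isError` flag) and puts the gateway the analysts recommend between the agent and a stand-in tool server. The tool names, the engagement scope 10.10.0.0/16 and the denial error code -32001 are hypothetical; the backend executes nothing and only echoes what it would do.

```python
import ipaddress
import json
import re

# Constructed, hypothetical tool registry standing in for a tool server's
# tools/list response. Names and schemas are illustrative, not Villager's.
BACKEND_TOOLS = {
    "nmap_scan": {"name": "nmap_scan", "description": "Service scan of one host",
                  "inputSchema": {"type": "object", "required": ["target"],
                                  "properties": {"target": {"type": "string"}}}},
    "run_shell": {"name": "run_shell", "description": "Run a command in the Kali container",
                  "inputSchema": {"type": "object", "required": ["cmd"],
                                  "properties": {"cmd": {"type": "string"}}}},
}


def backend_handle(req: dict) -> dict:
    """Stand-in for the MCP tool server: executes nothing, only echoes the
    call back in the tools/call result shape (content list plus isError)."""
    if req["method"] == "tools/list":
        return {"jsonrpc": "2.0", "id": req["id"],
                "result": {"tools": list(BACKEND_TOOLS.values())}}
    if req["method"] == "tools/call":
        p = req["params"]
        text = f"would run {p['name']} with {json.dumps(p.get('arguments', {}), sort_keys=True)}"
        return {"jsonrpc": "2.0", "id": req["id"],
                "result": {"content": [{"type": "text", "text": text}], "isError": False}}
    return {"jsonrpc": "2.0", "id": req.get("id"),
            "error": {"code": -32601, "message": "Method not found"}}


# Crude argument check: command chaining, redirection and substitution characters.
SHELL_META = re.compile(r"[;&|`$<>\n]")


class McpGateway:
    """Policy enforcement point between the agent and the tool server."""

    def __init__(self, allowed_tools, scope_cidrs):
        self.allowed_tools = set(allowed_tools)
        self.scope = [ipaddress.ip_network(c) for c in scope_cidrs]
        self.audit = []  # (decision, method, detail); ship this off the tool host

    def _deny(self, req: dict, reason: str) -> dict:
        self.audit.append(("deny", req.get("method"), reason))
        # -32001 is this gateway's own convention for a policy denial (assumed)
        return {"jsonrpc": "2.0", "id": req.get("id"),
                "error": {"code": -32001, "message": f"denied by gateway: {reason}"}}

    def _in_scope(self, target: str) -> bool:
        try:
            ip = ipaddress.ip_address(target)
        except ValueError:
            return False  # hostnames need resolution plus a re-check; reject here
        return any(ip in net for net in self.scope)

    def handle(self, raw: str) -> str:
        """Inspect one JSON-RPC message from the agent; forward it or deny it."""
        try:
            req = json.loads(raw)
        except json.JSONDecodeError:
            return json.dumps({"jsonrpc": "2.0", "id": None,
                               "error": {"code": -32700, "message": "Parse error"}})
        method = req.get("method")
        if method == "tools/list":
            resp = backend_handle(req)
            # Hide tools the policy will never allow, so the model cannot plan around them.
            resp["result"]["tools"] = [t for t in resp["result"]["tools"]
                                       if t["name"] in self.allowed_tools]
            self.audit.append(("allow", method, None))
            return json.dumps(resp)
        if method == "tools/call":
            params = req.get("params") or {}
            name, args = params.get("name"), params.get("arguments") or {}
            if name not in self.allowed_tools:
                return json.dumps(self._deny(req, f"tool {name!r} not allowlisted"))
            for key, value in args.items():
                if isinstance(value, str) and SHELL_META.search(value):
                    return json.dumps(self._deny(req, f"shell metacharacters in argument {key!r}"))
            if "target" in args and not self._in_scope(str(args["target"])):
                return json.dumps(self._deny(req, f"target {args['target']!r} outside engagement scope"))
            self.audit.append(("allow", method, name))
            return json.dumps(backend_handle(req))
        return json.dumps(self._deny(req, f"method {method!r} not permitted through gateway"))


def demo():
    """Five agent messages through a gateway scoped to 10.10.0.0/16 (hypothetical)."""
    gw = McpGateway(allowed_tools=["nmap_scan"], scope_cidrs=["10.10.0.0/16"])
    agent_messages = [
        {"jsonrpc": "2.0", "id": 1, "method": "tools/list"},
        {"jsonrpc": "2.0", "id": 2, "method": "tools/call",
         "params": {"name": "nmap_scan", "arguments": {"target": "10.10.3.7"}}},
        {"jsonrpc": "2.0", "id": 3, "method": "tools/call",
         "params": {"name": "nmap_scan", "arguments": {"target": "8.8.8.8"}}},
        {"jsonrpc": "2.0", "id": 4, "method": "tools/call",
         "params": {"name": "nmap_scan", "arguments": {"target": "10.10.3.7; curl evil"}}},
        {"jsonrpc": "2.0", "id": 5, "method": "tools/call",
         "params": {"name": "run_shell", "arguments": {"cmd": "id"}}},
    ]
    responses = [json.loads(gw.handle(json.dumps(m))) for m in agent_messages]
    return responses, gw.audit
```

Running `demo()` returns the five responses: the filtered tool list, one allowed scan, and three denials (out of scope, shell metacharacters, tool not allowlisted). The point of the gateway is that it sees the structured `tools/call` parameters, not a free-text prompt, so scope and argument policy can be enforced deterministically and every decision is written to an audit log that lives outside the container the agent controls.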

Who is Cyberspike?

Cyberspike, Straiker researchers report, first emerged on November 27, 2023, with the registration of the cyberspike[.]top domain, associated with Changchun Anshanyuan Technology Co., Ltd., a Chinese company billed as a provider of AI solutions and application software.

However, the lack of an active corporate website and verifiable marketing presence raises questions about the organization’s true structure.

Snapshots archived by the Wayback Machine show that in 2023 the company was promoting a product called Cyberspike, which featured a dashboard for monitoring compromised machines.

Claimed capabilities included reverse proxy, multi-stage generators, and tools typical of command and control platforms.

From the red team tool to the RAT

Analysis of Cyberspike Studio Installer v1.1.7, uploaded to VirusTotal on December 10, 2023, revealed that the included plugins correspond to a fully-fledged Remote Access Trojan (RAT). The detected capabilities include remote desktop access, keylogging, Discord account compromise, webcam control, and other surveillance functions.

Further investigation showed that the entire Cyberspike suite matches version 1.0.7.0 of AsyncRAT, malware known and widespread since 2019, from which variants such as DCRat and VenomRAT also derive.

The analyzed components are identical in format, size, and programming language, confirming the direct integration of AsyncRAT into the Cyberspike product, along with additional plugins such as Mimikatz.

Villager Released on PyPI

On July 23, 2025, Cyberspike released the Villager Pentesting Tool on PyPI. The package automates security testing using DeepSeek models and includes references to a custom model named “al-1s-20250421,” hosted on cyberspike[.]top infrastructure.

The listed author, @stupidfish001, is a former CTF competition participant with the Chinese HSCSEC team and maintainer of several related projects.

In the two months since its release, Villager has amassed 10,030 downloads across Linux, macOS, and Windows, averaging over 200 downloads every three days.

Framework architecture and operation

Villager adopts a distributed MCP-based architecture, with dedicated services for message coordination, exploit generation via RAG (Retrieval-Augmented Generation), and on-demand creation of Kali Linux containers. Orchestration is based on Pydantic AI, which enforces structured output formats to keep operations consistent.

A critical element is the set of forensic evasion mechanisms: containers are designed to self-destruct, erasing logs and traces, and use randomized SSH ports, which makes post-incident analysis harder.
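Because the containers delete their own logs, the evidence that survives is what the host’s Docker daemon (or a remote collector it streams to) recorded before the container went away. As an added example that is not part of the original article or of Villager’s code, the Python below folds constructed `docker events`-style JSON lines into per-container lifetimes and flags containers that are created and destroyed within a short window, noting whether the image looks like an offensive distribution. The field names follow the `docker events --format '{{json .}}'` output as I know it (`Type`, `Action`, `Actor.ID`, `Actor.Attributes`, `time`); verify them against your daemon version. The randomized SSH port is not visible in these events and would need port-binding data from `docker inspect` or host firewall logs.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed sample shaped like `docker events --format '{{json .}}'` lines
# (field names assumed; check your daemon). Container a1 lives 85 seconds,
# b2 is a long-running database that is never destroyed in the capture.
SAMPLE_EVENTS = """
{"Type":"container","Action":"create","Actor":{"ID":"a1","Attributes":{"image":"kalilinux/kali-rolling","name":"op-7f3c"}},"time":1766764620}
{"Type":"container","Action":"start","Actor":{"ID":"a1","Attributes":{"image":"kalilinux/kali-rolling","name":"op-7f3c"}},"time":1766764621}
{"Type":"container","Action":"create","Actor":{"ID":"b2","Attributes":{"image":"postgres:16","name":"db"}},"time":1766764630}
{"Type":"network","Action":"disconnect","Actor":{"ID":"n9","Attributes":{"container":"a1","name":"bridge"}},"time":1766764704}
{"Type":"container","Action":"die","Actor":{"ID":"a1","Attributes":{"image":"kalilinux/kali-rolling","name":"op-7f3c","exitCode":"0"}},"time":1766764704}
{"Type":"container","Action":"destroy","Actor":{"ID":"a1","Attributes":{"image":"kalilinux/kali-rolling","name":"op-7f3c"}},"time":1766764705}
"""

# Image-name hint only; an operator can retag or rename the image at will.
OFFENSIVE_IMAGE = re.compile(r"kali|parrot|blackarch", re.I)


class Lifecycle:
    """Create/destroy timestamps and last seen attributes of one container."""

    def __init__(self) -> None:
        self.image = ""
        self.name = ""
        self.created: Optional[int] = None
        self.destroyed: Optional[int] = None


def parse_events(text: str) -> Dict[str, Lifecycle]:
    """Fold container create/destroy events into one record per container ID."""
    containers: Dict[str, Lifecycle] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("Type") != "container":
            continue  # network/volume events carry no container lifetime here
        actor = ev["Actor"]
        lc = containers.setdefault(actor["ID"], Lifecycle())
        attrs = actor.get("Attributes", {})
        lc.image = attrs.get("image", lc.image)
        lc.name = attrs.get("name", lc.name)
        if ev["Action"] == "create":
            lc.created = int(ev["time"])
        elif ev["Action"] == "destroy":
            lc.destroyed = int(ev["time"])
    return containers


def find_ephemeral(text: str, max_lifetime_s: int = 600) -> List[dict]:
    """Flag containers created and destroyed within max_lifetime_s seconds."""
    findings = []
    for cid, lc in parse_events(text).items():
        if lc.created is None or lc.destroyed is None:
            continue  # still running, or its create event predates the capture
        lifetime = lc.destroyed - lc.created
        if lifetime <= max_lifetime_s:
            findings.append({"id": cid, "image": lc.image, "name": lc.name,
                             "lifetime_s": lifetime,
                             "offensive_image": bool(OFFENSIVE_IMAGE.search(lc.image))})
    return findings
```

Run against the constructed sample, `find_ephemeral(SAMPLE_EVENTS)` returns a single finding for `a1` with a lifetime of 85 seconds and the Kali image hint set; the database container is ignored because it is never destroyed. Tune `max_lifetime_s` to what legitimate CI jobs on the host look like, and feed the function from a daemon event stream that is forwarded off the host, since that is the only copy the self-destruct cannot reach.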

Unlike traditional script-based frameworks, Villager enables natural language interaction. Text commands are automatically translated into dynamic attack sequences thanks to integration with LangChain and DeepSeek v3, accessible via OpenAI-compatible APIs.

An activity-oriented C2 model

The command and control system is based on FastAPI and an advanced task manager. Complex objectives are broken down into subtasks, which can be executed in parallel, with continuous status monitoring and automatic recovery in the event of a failure. This approach enables adaptive attack planning along the entire kill chain.

In a web application testing scenario, Villager can identify technologies, perform targeted scans, and adaptively exploit vulnerabilities.

In more complex contexts, the framework can coordinate browser automation, payload generation, network traffic monitoring, and post-exploit persistence, without resorting to static playbooks.

Final considerations

Villager represents a significant evolution in the landscape of AI-based attack tools.

Its ability to dynamically orchestrate multiple offensive vectors, minimizing human intervention, further lowers the technical threshold for conducting complex operations.

The framework’s presence on platforms like VirusTotal confirms that AI-driven attacks are no longer theoretical. Using MCP as a bridge between language models and attack tools introduces a paradigm that will influence the development of future malware, contributing to the spread of so-called AiPTs, persistent threats based on artificial intelligence agents.

Redazione

The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.