Redazione RHC : 13 September 2025 10:04
Researchers at Straiker have reported on a new tool called Villager, which has been downloaded nearly 10,000 times from the official PyPI repository since its release in July. The program presents itself as a Model Context Protocol client and bundles dozens of network auditing tools, yet it contains everything needed to conduct fully automated attacks.
Similar to Cobalt Strike, Villager can be used both for legitimate purposes and as an offensive platform for attackers who don’t even need extensive technical training. Villager includes Kali Linux containers, hundreds of analysis and exploit tools, and integration with DeepSeek language models.
The developers have added a large database of 4,201 pre-prepared prompts for exploit generation, which allows the system to tailor attacks to specific targets on its own. The tool also implements sophisticated detection mechanisms, automatically creates isolated containers for scanning and testing, and self-destroys those containers after 24 hours to remove traces.
Villager can adjust its attack strategy in real time: when WordPress is detected, WPScan is launched automatically; when an API endpoint is found, browser automation is triggered to verify authentication. If a client-side prototype taint vulnerability is detected, the tool generates a payload, monitors network traffic, and, if successful, infiltrates the system. Straiker’s report provides examples of multi-step chains, from initial scanning through to the implementation of persistence mechanisms.
Research has shown that the project is linked to a Chinese organization called Cyberspike, registered in November 2023 as Changchun Anshanyuan Technology Co. Despite its official address and registration, the company has no full website or employee information, and its website was shut down in early 2024. A previous Cyberspike product line was uploaded to VirusTotal, where researchers found embedded AsyncRAT and plugins for popular tools such as Mimikatz. The analysis confirmed that Cyberspike was in fact repackaging known malware as pentesting kits, potentially for offensive operations.
The author of Villager, known by the handle @stupidfish001, previously participated in the Chinese CTF HSCSEC team. These competitions, as the researchers note, traditionally serve as a channel for training specialists and attracting them to cyber operations structures. Villager’s code contains comments in Chinese, and the service continues to use the company’s domain, indicating active use of its infrastructure.
Since July, Straiker has observed a steady download rate for the package: approximately 200 downloads every three days. In total, the number of installations has reached 9,952 across various operating systems, including Linux, macOS, and Windows. Meanwhile, the product remains available as open source and continues to be distributed via PyPI.
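Because the tool is distributed through PyPI, the simplest defensive control is a dependency inventory check: flag any environment or requirements file that pulls in a watchlisted distribution. The following script is an added illustration, not code from Straiker's report or from the Villager project, and it assumes the PyPI distribution is named "villager" (that exact name is an assumption; adjust the watchlist to whatever your threat intelligence confirms). Names are normalized the way PyPI does (PEP 503), so "Villager", "villager" and "VILLAGER" all match.

```python
"""Audit installed Python distributions and requirements files against a watchlist.

Added example (not from the article or the project). The watchlist entry is an
assumption; replace it with confirmed package names from your own intelligence.
"""
from importlib import metadata
import re

# Assumed distribution name; constructed watchlist for illustration.
WATCHLIST = {"villager"}


def normalize(name: str) -> str:
    """Normalize a distribution name the way PyPI does (PEP 503)."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list[str]:
    """Extract normalized package names from requirements-style text.

    Comments, blank lines and option lines (e.g. '-r other.txt', '--index-url')
    are ignored; version specifiers and extras are stripped.
    """
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            names.append(normalize(m.group(1)))
    return names


def flag_requirements(text: str, watchlist=WATCHLIST) -> list[str]:
    """Return watchlisted names found in a requirements file, sorted and deduplicated."""
    return sorted({n for n in parse_requirements(text) if n in watchlist})


def flag_installed(watchlist=WATCHLIST) -> list[tuple[str, str]]:
    """Return (name, version) for watchlisted distributions installed in this interpreter."""
    hits = []
    for dist in metadata.distributions():
        name = dist.metadata["Name"] if dist.metadata else None
        if name and normalize(name) in watchlist:
            hits.append((normalize(name), dist.version))
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample requirements file for demonstration.
    SAMPLE = """
    # application dependencies
    requests>=2.31
    Villager==0.1.0   # pulled in by a colleague's tooling
    -r dev-requirements.txt
    """
    print("requirements hits:", flag_requirements(SAMPLE))
    print("installed hits:", flag_installed())
```

Run it inside each virtual environment you care about (the installed-distribution check only sees the interpreter it runs in), or wire `flag_requirements` into a CI step that fails the build when it returns a non-empty list.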
According to the researchers, attackers are rapidly learning to use artificial intelligence to automate attacks, and the speed of this process requires companies to adopt a symmetric approach, deploying their own AI-based security solutions with the same level of efficiency.