Xanthorox AI Raises Alarm With Offline, Undetectable Cybercrime Capabilities

New AI Tool Xanthorox Operates Off-Grid


A powerful new AI tool called Xanthorox has surfaced in cybercrime forums, raising concerns among cybersecurity experts.

In a rush? Here are the quick facts:

  • Xanthorox AI is a self-contained cybercrime tool that operates independently.
  • The system runs on its own custom-developed models, which helps it evade detection.
  • The tool generates malware that evades standard Windows Defender protections.

Discovered by researchers at SlashNext, it functions as a complete self-hosted cybercrime platform that operates independently from popular AI systems including ChatGPT and Claude.

First spotted in early 2025, Xanthorox is being promoted as a “Killer of WormGPT and all EvilGPT variants.” The researchers say that Xanthorox differs from previous tools because it was developed from scratch. It runs as a local, server-based system with five modular models, which enables offline use and complicates detection efforts.

Screenshots show that one of its components, Xanthorox Coder, produces ransomware that bypasses Windows Defender. Xanthorox Vision serves as an image and diagram analysis tool, while Xanthorox Reasoner Advanced makes decisions through human-like processes.

The system also includes voice functionality and search capabilities that can extract data from more than 50 search engines.

“It’s easy to think of the cybercriminal ecosystem as one big amorphous blob of badness, when in reality it operates much like any service and platform industry — with different groups focusing on and specializing in their unique contribution to the overall kill chain, and ‘startups’ like this one popping up to create a competitive advantage for criminals,” said Bugcrowd founder Casey Ellis, as reported by SC Media.

What makes Xanthorox especially dangerous is its ability to operate without internet access, public APIs, or commercial cloud tools. It can process various file types like .pdf, .txt, and .c files — extracting, rewriting, or analyzing them to support cyber operations. SlashNext researchers were able to view some of its features through videos and screenshots shared by the developer.

“If the threat actor’s claims are true, Xanthorox is less susceptible to detection and takedown than similar malicious tools,” said Stephen Kowski, Field CTO at SlashNext, as reported by SC Media.

With the use of AI in phishing and malware campaigns growing rapidly, security firms warn that tools like Xanthorox could mark a turning point in AI-driven cybercrime.

As SlashNext researcher Daniel Kelley noted to SC Media, “Even if Xanthorox doesn’t meet every expectation, the technology to build something similar is available, and we’ll likely see systems like it emerge soon.”
