Hackers Advertising New Blackhat Tool Nytheon AI on Popular Hacking Forums

A sophisticated new threat platform, Nytheon AI, has emerged, which combines multiple uncensored large language models (LLMs) built specifically for malicious activities.

The platform, discovered by Cato CTRL, is being actively promoted on popular hacking forums, including XSS and various Telegram channels, representing a significant evolution in how threat actors are leveraging artificial intelligence for cybercriminal operations.

Dark Web Platform Offers Integrated AI Tools

The Nytheon AI platform operates exclusively on the Tor network, providing threat actors with a comprehensive suite of AI-powered tools. 

Unlike previous single-model offerings such as WormGPT, BlackHatGPT, and FraudGPT, Nytheon AI presents an integrated ecosystem of specialized models designed for different attack vectors.

The platform includes Nytheon Coder and Nytheon Coder R1 for code generation, Nytheon GMA for document summarization and translation, Nytheon Vision for image-to-text recognition, and Nytheon AI as a control model. 

Each model, except the control version, shares an identical 1,000-token system prompt that deliberately disables safety layers and mandates compliance with illegal requests, ensuring immediate production of malicious content without requiring external jailbreaking techniques.

The technical sophistication behind Nytheon AI distinguishes it from typical dark web offerings. The platform utilizes a modern SvelteKit SPA (Single Page Application) with TypeScript and Vite on the frontend, communicating with a FastAPI-style backend. 

The architecture includes modular .svelte components such as AddServerModal.svelte and NotificationToast.svelte, while Web Workers like KooreoWorker.ts handle intensive client-side tasks including file processing.

The backend infrastructure operates through multiple microservices accessible via REST endpoints: /ollama for local model server operations using GGUF (GPT-Generated Unified Format) weights, /openai for upstream OpenAI-compatible endpoints, and specialized services at /api/v1/audio, /images, and /retrieval for speech-to-text, image generation, and RAG (Retrieval-Augmented Generation) search capabilities.

Recent platform updates have introduced multimodal ingestion capabilities with Mistral OCR integration, Azure AI Speech-to-Text functionality, and OpenAPI specification parsing that allows users to integrate external APIs directly into the chat interface. 

This enables threat actors to both generate malicious content and execute attacks through tool calls within a single interface.

Investigators have identified strong indicators pointing to Russian-speaking operators behind the platform. 

Analysis of demonstration videos revealed a Russian-language movie poster for “Зелёный паук” (“The Green Spider”), a Soviet-era film, while direct communication with platform operators confirmed the use of post-Soviet dialect patterns. 

The platform’s promotion on XSS, a popular Russian hacking forum, further supports this assessment.

The platform’s rapid development cycle, with five-point releases spanning nine days, demonstrates active ongoing development while potentially introducing exploitable vulnerabilities. 

This represents a concerning evolution in cybercriminal infrastructure, moving beyond simple uncensored chatbots to comprehensive GenAI-as-a-service operations capable of supporting sophisticated attack campaigns including spear-phishing, polymorphic malware generation, and deepfake document creation.

Automate threat response with ANY.RUN’s TI Feeds—Enrich alerts and block malicious IPs across all endpoints -> Request full access

The post Hackers Advertising New Blackhat Tool Nytheon AI on Popular Hacking Forums appeared first on Cyber Security News.