Predator AI | ChatGPT-Powered Infostealer Takes Aim at Cloud Platforms

Predator AI is a Python-based infostealer/hacktool targeting cloud platforms, integrating a GPTj-powered ChatGPT interface to simplify use. While not production-ready, it demonstrates how AI could streamline threat-actor workflows by enriching data and adding context to scanner results. #PredatorAI #GPTj #ChatGPT #Twilio #AWSSES #WordPress #Drupal #Joomla #Laravel #Magento #OpenCart #osCommerce #vBulletin

Keypoints

  • Predator AI is a Python-based infostealer/hacktool with a Tkinter GUI and over 11,000 lines of code, organized into 13 global classes.
  • The GPTj class provides a ChatGPT-enabled interface, preferring local handling before querying OpenAI to reduce API use.
  • The tool targets web apps and cloud services (e.g., WordPress, Drupal, AWS SES, Twilio) and can scan for common weaknesses like XSS, SQLi, and misconfigurations.
  • Predator includes features to potentially abuse AWS accounts (e.g., creating accounts, admin privileges) and to check or exfiltrate data via cloud services.
  • The StealerBuilder can produce a Windows PE or Python-based stealer and support C2 via Discord/Telegram webhooks, though some configs appear incomplete.
  • Hardcoded credentials and identifiers (passwords, user names, ARNs) are present in the code, providing clear IOC evidence.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – Predator is a Python application, implying its use of a Python interpreter: ‘Predator is a Python application with over 11,000 lines. The application runs entirely through a Tkinter-based graphical user interface (GUI).’
  • [T1082] System Information Discovery – NetXplorer uses Psutil and Subprocess to query network status and system information: ‘NetXplorer uses Psutil and Subprocess to query network status and system information.’
  • [T1046] Network Service Scanning – NetGun handles web application security scans with options for proxies and custom wordlists: ‘NetGun handles web application security scans with options for proxies and custom wordlists.’
  • [T1190] Exploit Public-Facing Application – Predator’s web application attacks look for weaknesses, including XSS and SQLi: ‘Predator’s web application attacks look for common weaknesses, misconfigurations or vulnerabilities in Cross Origin Resource Sharing (CORS), exposed Git configuration, PHPUnit Remote Code Execution (RCE), Structured Query Language (SQL), and Cross-Site Scripting (XSS).’
  • [T1136] Create Account – Potential AWS cloud account provisioning with admin privileges: ‘Create a new account, assign administrative privileges, and delete the old account.’
  • [T1552.002] Credentials In Code – Hardcoded credentials embedded in the tool, such as an API key and passwords: ‘hardcoded OpenAI API key’ and ‘Predator123’.
  • [T1041] Exfiltration Over C2 Channel – The stealer can be configured to use Discord or Telegram webhooks for C2: ‘The stealer can be configured to use Discord or Telegram webhooks for C2.’

Indicators of Compromise

  • [SHA-1 Hash] main.py – 88d40f86eefee5112515b73cce2d2badb7f49ffd
  • [Hardcoded Strings] jSDSgnditikunggobloktolol, titid, Adminn, Predator123, admainkontolpaslodsajijsd21334#1ejeg2shehhe
  • [ARN] arn:aws:iam::320406895696:user/Kontolz – IAM user ARN hardcoded in the tool (Kontolz user)
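The indicators above are only useful once they are matched against something. The following script is an added example (not from the SentinelOne report or the Predator AI code) that checks a file tree against the listed SHA-1 hash, hardcoded strings and ARN. The weighting is an assumption of this example: short strings such as `titid`, `Adminn` or `Predator123` turn up in unrelated files, so they are treated as low-confidence and only raise a finding when two or more co-occur; the long random-looking strings, the ARN and the hash match are treated as sufficient on their own. The sample inputs at the bottom are constructed for the demonstration.

```python
import hashlib
import os
import re

# Indicators listed in the summary above (SHA-1 of main.py, hardcoded strings, IAM ARN).
KNOWN_SHA1 = {"88d40f86eefee5112515b73cce2d2badb7f49ffd": "Predator AI main.py"}

# Assumed weighting: long, unusual strings are high-confidence on their own;
# short ones will also appear in benign code, so they only count when several co-occur.
HIGH_CONFIDENCE = [
    b"jSDSgnditikunggobloktolol",
    b"admainkontolpaslodsajijsd21334#1ejeg2shehhe",
]
LOW_CONFIDENCE = [b"titid", b"Adminn", b"Predator123"]
ARN_RE = re.compile(rb"arn:aws:iam::320406895696:user/Kontolz")


def scan_bytes(data: bytes) -> dict:
    """Match one file's contents against the IOCs and return the evidence found."""
    sha1 = hashlib.sha1(data).hexdigest()
    high = [s.decode() for s in HIGH_CONFIDENCE if s in data]
    low = [s.decode() for s in LOW_CONFIDENCE if s in data]
    arn = ARN_RE.search(data) is not None
    suspicious = sha1 in KNOWN_SHA1 or bool(high) or arn or len(low) >= 2
    return {
        "sha1": sha1,
        "hash_match": KNOWN_SHA1.get(sha1),
        "high": high,
        "low": low,
        "arn": arn,
        "suspicious": suspicious,
    }


def scan_tree(root: str, max_size: int = 50_000_000) -> list:
    """Walk a directory and return the findings for every file flagged as suspicious."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_size:  # skip very large files
                    continue
                with open(path, "rb") as fh:
                    result = scan_bytes(fh.read())
            except OSError:
                continue  # unreadable or vanished file; move on
            if result["suspicious"]:
                result["path"] = path
                findings.append(result)
    return findings


# Constructed sample inputs (not real malware) to exercise the matcher.
SAMPLE_SUSPECT = b"# constructed sample\nPASSWORD = 'Predator123'\nUSER = 'Adminn'\n"
SAMPLE_BENIGN = b"print('hello world')\n"

if __name__ == "__main__":
    import sys

    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for finding in scan_tree(root):
        evidence = finding["hash_match"] or finding["high"] or finding["low"] or "ARN"
        print(finding["path"], evidence)
```

Run it with a directory as the first argument (for example a quarantined upload folder or a collected disk image mount) and triage the printed paths by hand; a hash match or a high-confidence string is strong evidence, while a pair of short strings is a prompt to look closer rather than a verdict.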

Read more: https://www.sentinelone.com/labs/predator-ai-chatgpt-powered-infostealer-takes-aim-at-cloud-platforms/