Nytheon AI is a Tor-based platform offering a suite of uncensored large language models (LLMs) built for malicious use, combining multiple open-source models with their safety features disabled. Likely operated by a Russian-speaking individual from a post-Soviet country, it enables attacks such as tailored spear-phishing and turnkey API-driven exploits. #NytheonAI #Llama3 #CatoCTRL
Key points
- Nytheon AI is a multi-model platform on Tor combining uncensored LLMs like Nytheon Coder, Nytheon GMA, Nytheon Vision, and Nytheon R1 for diverse malicious uses.
- The platform repackages open-source models such as Meta’s Llama 3.2 and Google’s Gemma 3 with removed safety guardrails and a unified prompt that enforces compliance with illegal requests.
- Nytheon AI supports multimodal data ingestion, including OCR, speech-to-text, and image-to-text, so that voice, image, and text inputs can all be processed in the same chat session.
- It features pluggable external tool execution through OpenAPI specs, allowing integration and immediate execution of malicious APIs directly from the chat interface.
- Its backend architecture uses modern SaaS technologies including SvelteKit, FastAPI microservices, Ollama for local model inference, and a JWT-secured REST interface.
- Active development with frequent updates increases functionality but also expands the platform’s attack surface and potential vulnerabilities.
- Operators are assessed to be Russian-speaking individuals from a post-Soviet country based on linguistic and cultural clues.
MITRE Techniques
- [T1588] Obtain Capabilities – Utilizing open-source LLM checkpoints from Meta and DeepSeek to build uncensored foundation models for malicious use: “…utilize these models, refine them, eliminate protective measures, and establish their own ChatGPT-style interfaces.”
- [T1204] User Execution – Facilitating spear-phishing and delivery of malicious payloads via tailored generated content: “…platform capable of conducting a variety of attacks including tailored spear-phishing campaigns…”
- [T1105] Ingress Tool Transfer – Executing external API calls through integrated OpenAPI plugins enabling payload deployment: “A single prompt can both draft malicious content and immediately execute it via a tool call.”
- [T1543] Create or Modify System Process – Using a multi-service backend with microservices architecture to orchestrate malicious operations: “…FastAPI or Flask-style microservice back-end that mirrors the folder structure.”
- [T1110] Brute Force – Employing Telegram channels and Russian hacking forums such as XSS for platform dissemination and operator communications: “It was published on many Telegram channels and XSS, which is a popular Russian hacking forum.”
Indicators of Compromise
- [Domain] Tor hidden service – hxxp://n73rbw4eku3d5pgwqtb5fbat6ilkmqknajn2i5qdzuf4ze3soggphyyd[.]onion, used by the Nytheon AI platform.
- [Communication Channel] Telegram channels – used for distribution and operator contact related to Nytheon AI.
- [Forum] XSS hacking forum – mention of Nytheon AI promotion and discussion on a Russian-oriented hacking forum.
- [File Formats] Multimodal input types – PDFs, audio files (ogg, m4a), images, and screenshots processed by the platform’s OCR and speech-to-text microservices.
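The onion address above is published defanged, so it has to be refanged before it can be matched against telemetry. The following Python checker is an added example, not code from the Cato CTRL report or from this summary: it refangs the published indicator, then scans log lines for any v3 onion address, flagging the Nytheon host at higher severity than other .onion hosts. The proxy log format and every log line are constructed for the example. One caveat for practitioners: .onion names are not resolved through public DNS, so this only catches clients that hand the hostname to an explicit HTTP proxy or that log it on the endpoint; general Tor usage is better detected from Tor relay lists or Tor Browser process telemetry.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Defanged indicator exactly as published in the summary above.
DEFANGED_ONION = "hxxp://n73rbw4eku3d5pgwqtb5fbat6ilkmqknajn2i5qdzuf4ze3soggphyyd[.]onion"


def refang(indicator: str) -> str:
    """Reverse the usual defanging conventions (hxxp, [.], (.), [:]) so the value is matchable."""
    s = indicator.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def host_of(url: str) -> str:
    """Return the lower-cased host component of a (refanged) URL or bare hostname."""
    m = re.match(r"^(?:[a-z]+://)?([^/:?#]+)", url, re.IGNORECASE)
    if not m:
        raise ValueError(f"no host in {url!r}")
    return m.group(1).lower()


# Hosts tied to Nytheon AI by the report; extend with other refanged indicators as needed.
WATCHLIST = {host_of(refang(DEFANGED_ONION))}

# A v3 onion service address is 56 base32 characters (a-z, 2-7) followed by ".onion".
ONION_RE = re.compile(r"\b([a-z2-7]{56}\.onion)\b", re.IGNORECASE)


@dataclass
class Hit:
    line_no: int
    host: str
    severity: str  # "known_nytheon" for a watchlist match, "other_onion" for any other .onion host
    line: str


def scan(lines: Iterable[str], watchlist=WATCHLIST) -> List[Hit]:
    """Flag every v3 .onion host seen in the log; watchlist hosts get the higher severity."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        for m in ONION_RE.finditer(line):
            host = m.group(1).lower()
            sev = "known_nytheon" if host in watchlist else "other_onion"
            hits.append(Hit(n, host, sev, line.rstrip()))
    return hits


# Constructed sample lines in a hypothetical proxy log format (not real telemetry).
SAMPLE_LOG = [
    "2025-06-05T10:21:33Z proxy allow src=10.0.4.17 "
    "dst=n73rbw4eku3d5pgwqtb5fbat6ilkmqknajn2i5qdzuf4ze3soggphyyd.onion:80 method=GET",
    "2025-06-05T10:22:01Z proxy allow src=10.0.4.17 dst=www.example.com:443 method=CONNECT",
    "2025-06-05T10:25:47Z proxy allow src=10.0.6.9 dst=" + "a" * 56 + ".onion:443 method=CONNECT",
    "2025-06-05T10:26:10Z proxy deny src=10.0.6.9 dst=notanonion.onion:443 method=CONNECT",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.severity} {h.host}")
```

Running the block against the constructed log reports line 1 as a known Nytheon hit and line 3 as an unrelated onion host; the short "notanonion.onion" on line 4 is ignored because it is not a valid v3 address, which keeps the rule from firing on arbitrary strings that merely end in ".onion".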
Read more: https://www.catonetworks.com/blog/cato-ctrl-nytheon-ai-a-new-platform-of-uncensored-llms/