What is GhostGPT and why should your business care
A new tool has entered the cybercrime underground, and it is changing the rules of the game. GhostGPT is an uncensored AI chatbot specifically designed to help threat actors craft phishing emails, develop malware, and execute social engineering attacks with unprecedented speed and precision. Unlike mainstream AI models such as ChatGPT or Claude, which have built-in safety guardrails, GhostGPT strips away all ethical restrictions, giving criminals a powerful assistant that never says no.
First identified by researchers at Abnormal Security in early 2025, GhostGPT is sold through Telegram channels as a convenient, no-questions-asked service. Users do not need to jailbreak a legitimate model or possess advanced technical skills. They simply pay a subscription fee and gain instant access to an AI engine willing to generate convincing phishing templates, exploit code, and fraudulent business communications on demand.
For European SMBs, particularly those in Italy and across the EU, this development represents a significant escalation in the threat landscape. The barrier to entry for sophisticated cyberattacks has effectively collapsed.
How GhostGPT is reshaping the cyber threat landscape
Phishing at scale with perfect grammar
One of the most immediate dangers of GhostGPT is its ability to generate flawless phishing emails in multiple languages, including Italian, German, French, and Spanish. Traditional phishing attempts often contained awkward phrasing or grammatical errors that trained employees could spot. That safety net is now gone.
According to the 2024 Verizon Data Breach Investigations Report, phishing and pretexting accounted for over 73% of social engineering breaches. With AI-powered tools like GhostGPT producing linguistically perfect messages tailored to specific industries and regions, that percentage is expected to climb sharply. An Italian SMB could receive a convincing email that perfectly mimics communications from the Agenzia delle Entrate or a trusted supplier, complete with correct terminology and formatting.
Malware development without expertise
GhostGPT can generate functional malicious code, including scripts for data exfiltration, ransomware components, and credential-stealing tools. What previously required months of programming knowledge can now be produced in minutes. Europol’s 2024 Internet Organised Crime Threat Assessment warned that AI-assisted malware creation would become a defining feature of cybercrime by 2025, and that prediction has materialised faster than anticipated.
This democratisation of attack capabilities means that even low-skilled threat actors can now target businesses with customised malware that evades basic antivirus solutions. SMBs, which often lack dedicated security operations centres, are particularly vulnerable.
Business email compromise on steroids
Business email compromise (BEC) attacks have cost organisations worldwide over $50 billion since 2013, according to the FBI’s Internet Crime Complaint Center. GhostGPT supercharges these attacks by generating realistic correspondence that impersonates executives, accountants, or legal counsel. The AI can mimic writing styles, reference real business processes, and create urgency that pressures employees into transferring funds or sharing sensitive data.
For Italian businesses operating within complex supply chains, where invoice fraud and payment redirection scams are already common, the risk is acute.
What the EU regulatory framework means for your defences
European businesses operate under some of the world’s strongest data protection and cybersecurity regulations, and these frameworks are more relevant than ever in the age of AI-driven threats.
The NIS2 Directive, which expanded its scope in October 2024, now covers a broader range of sectors and imposes stricter incident reporting requirements. Many Italian SMBs that previously fell outside the original NIS Directive now find themselves subject to mandatory cybersecurity risk management measures. Non-compliance can result in fines of up to €10 million or 2% of global annual turnover.
The EU AI Act, the world’s first comprehensive AI regulation, classifies AI systems by risk level and explicitly addresses the misuse of AI technologies. While it primarily targets AI providers and deployers within legitimate markets, it also strengthens the legal basis for law enforcement action against tools like GhostGPT.
Under GDPR, organisations remain fully responsible for protecting personal data regardless of how an attack is conducted. An AI-generated phishing email that leads to a data breach does not reduce your liability. Italian businesses must demonstrate that they implemented appropriate technical and organisational measures, as the Garante per la Protezione dei Dati Personali has made clear in several enforcement actions.
Practical steps to protect your business
Defending against AI-enhanced threats does not require an enterprise-level budget, but it does require a strategic approach. Here are concrete measures that European SMBs should prioritise.
Upgrade your email security
Traditional spam filters are insufficient against AI-crafted messages. Invest in email security solutions that use behavioural analysis and anomaly detection rather than relying solely on signature-based filtering. Solutions that flag unusual sender behaviour, unexpected attachment types, or atypical request patterns add a critical layer of defence.
Implement continuous employee training
Your staff remains the first and last line of defence. Regular, scenario-based training that includes examples of AI-generated phishing is essential. Simulated phishing exercises should be conducted quarterly at minimum, with particular attention to finance, HR, and executive assistant roles. According to ENISA, organisations that conduct regular security awareness training reduce successful phishing attacks by up to 60%.
Enforce multi-factor authentication and zero trust
Multi-factor authentication (MFA) should be mandatory across all business applications, particularly email, banking platforms, and remote access tools. Adopting a zero trust approach, where no user or device is automatically trusted, significantly limits the damage that a successful phishing attack can cause.
Establish an incident response plan
Every SMB should have a documented and tested incident response plan. This plan should include clear escalation procedures, contact details for your IT provider or managed security service, notification procedures under NIS2 and GDPR timelines, and regular tabletop exercises that simulate AI-driven attack scenarios.
Monitor the dark web and threat intelligence feeds
Consider subscribing to threat intelligence services that monitor underground marketplaces and Telegram channels where tools like GhostGPT are traded. Early awareness of new attack techniques gives your organisation time to adapt its defences before those techniques are deployed at scale.
The road ahead for SMBs facing AI-powered threats
GhostGPT is not an isolated phenomenon. It is part of a broader trend where artificial intelligence amplifies both defensive and offensive capabilities in cybersecurity. Tools like WormGPT and FraudGPT preceded it, and more sophisticated successors will inevitably follow.
The key takeaway for European business owners is straightforward: the attacks targeting your organisation are becoming more convincing, more personalised, and more difficult to detect through traditional means. The companies that invest now in layered security, employee awareness, and regulatory compliance will be far better positioned to withstand this new generation of threats.
Waiting is not a strategy. The criminals certainly are not waiting.
Need support on this topic? Contact us for a free consultation — let’s assess your company’s situation together.
Stay updated every week on cybersecurity, AI and technology for SMBs: subscribe to our newsletter.