AI-Assisted Malware: How Transparent Tribe Is Mass-Producing Disposable Cyber Tools

Introduction: A New Phase of Malware Development

Artificial intelligence is rapidly transforming the cybersecurity landscape. While defenders increasingly rely on AI to detect threats, attackers are also beginning to use the same technology to accelerate their operations. Security researchers have recently identified a significant shift in how a Pakistan-linked cyber espionage group is developing its malware. The group, widely known as Transparent Tribe and also tracked as APT36, appears to be experimenting with AI-assisted coding to speed up malware production.

This evolution does not necessarily mean attackers are creating more advanced malware. Instead, it signals a change in strategy. Rather than focusing on highly sophisticated tools, the group is prioritizing speed, variety, and quantity. By generating malware across multiple programming languages and constantly modifying its code, the group aims to overwhelm traditional security detection systems and maintain access to compromised environments.

Researchers describe this emerging development style as “vibeware” code. The concept refers to malware that is quickly produced, frequently altered, sometimes flawed, but still effective enough to support real-world cyber operations. The approach suggests that the future of cyber threats may not depend on perfect code, but rather on the rapid generation of countless disposable tools.

AI Speed Over Technical Quality

Security researchers examining recent campaigns linked to Transparent Tribe found clear signs that AI-assisted development is being used to industrialize malware creation. Instead of relying on a single programming language, the group is experimenting with a broad mix that includes Nim, Zig, Crystal, Rust, Go, .NET, and C.

This diversity creates a major challenge for defenders. Many security tools are optimized to detect malware written in commonly used languages such as C++ or C. When attackers introduce unusual or less common languages, the detection baseline becomes harder to maintain. Even if the malware itself is not technically advanced, the unfamiliar code structure can evade certain automated security checks.

However, the quality of these AI-assisted tools is inconsistent. Some of the malware samples researchers analyzed contained clear logic errors. One example involved a Go-based information stealer that accidentally left a template placeholder where the command-and-control server address should have been. As a result, the malware was incapable of sending stolen data to the attackers.

Other samples failed when their code became more complex. Researchers observed that while the syntax of the code appeared correct, the underlying logic was incomplete or poorly structured. This pattern is commonly associated with AI-generated code that produces functional-looking scripts but lacks fully implemented operational logic.

Despite these flaws, the malware still provides value to attackers. Even imperfect tools can serve as testing frameworks, temporary implants, or stepping stones during an intrusion campaign.

Using Trusted Services for Stealth

Another notable tactic observed in the campaign involves abusing trusted online services for command-and-control communication and data exfiltration. This technique is commonly known as Living Off the Trust of Services, a strategy that blends malicious traffic into legitimate cloud platforms.

Researchers discovered malware implants communicating through widely used platforms such as Discord, Slack, Google Sheets, Firebase, Supabase, and Google Drive.

By using these services, attackers avoid the need to maintain dedicated command-and-control servers. Traffic directed to well-known cloud services often appears legitimate to enterprise network monitoring systems, allowing malicious activity to blend in with normal business communications.

The malware toolkit observed in the campaign includes a wide range of capabilities. Researchers identified backdoors, shellcode loaders, information stealers, document collectors, and tools designed to extract sensitive browser data. These tools allow attackers to maintain access to compromised systems and harvest valuable information over time.

Some malware variants achieve persistence through scheduled tasks within the operating system. Others temporarily store stolen data in local SQLite databases before transferring metadata and files to cloud services. This staged approach helps attackers manage large volumes of data while minimizing the risk of detection.
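As an added example, not code from the original report or from any of the tools it describes, the routine below shows one behavioral check a defender could run over endpoint or proxy telemetry for the technique above: it flags processes outside an allowlist that reach the named collaboration and backend platforms, and any process that pushes an unusually large volume to one of them. The host suffixes, the process allowlist and the log records are constructed assumptions, not values from the campaign.

```python
"""Flag unexpected processes talking to collaboration/backend platforms."""
from collections import defaultdict

# Platforms the report names as abused for C2 and exfiltration, keyed by the
# host suffix they are reached on (assumed hosts; extend for your environment).
TRUSTED_SERVICE_HOSTS = {
    "discord.com": "Discord",
    "slack.com": "Slack",
    "sheets.googleapis.com": "Google Sheets",
    "firebaseio.com": "Firebase",
    "supabase.co": "Supabase",
    "drive.google.com": "Google Drive",
}

# Processes expected to reach these services (assumption: tune per fleet).
ALLOWED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe",
                     "slack.exe", "discord.exe"}

def service_for(host):
    """Map a destination host to a named service, or None if it is not one."""
    host = host.lower()
    for suffix, name in TRUSTED_SERVICE_HOSTS.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None

def detect(events, allowed=ALLOWED_PROCESSES, upload_threshold=1_000_000):
    """Alerts for non-allowlisted processes reaching a trusted service, and for
    any process sending at least upload_threshold bytes to one (staged exfil)."""
    alerts, sent = [], defaultdict(int)
    for ev in events:
        svc = service_for(ev["dst_host"])
        if svc is None:
            continue  # destination is not one of the platforms of interest
        proc = ev["process"].lower()
        if proc not in allowed:
            alerts.append(f"{ev['host']}: {proc} -> {svc} ({ev['dst_host']})")
        sent[(ev["host"], proc, svc)] += ev["bytes_out"]
    for (host, proc, svc), total in sent.items():
        if total >= upload_threshold:
            alerts.append(f"{host}: {proc} sent {total} bytes to {svc}")
    return alerts

# Constructed sample EDR/proxy events, not taken from any real incident.
SAMPLE_EVENTS = [
    {"host": "ws-17", "process": "chrome.exe", "dst_host": "discord.com", "bytes_out": 4200},
    {"host": "ws-17", "process": "svc_update.exe", "dst_host": "discord.com", "bytes_out": 900},
    {"host": "ws-22", "process": "msedge.exe", "dst_host": "drive.google.com", "bytes_out": 1_400_000},
    {"host": "ws-22", "process": "report.exe", "dst_host": "abc.supabase.co", "bytes_out": 650},
    {"host": "ws-22", "process": "msedge.exe", "dst_host": "intranet.example", "bytes_out": 50_000},
]
```

Running `detect(SAMPLE_EVENTS)` yields three alerts: the two unknown binaries reaching Discord and Supabase, and the browser session that moved 1.4 MB to Google Drive; the intranet connection is ignored. Browser-originated hits need corroboration (scheduled-task creation, SQLite staging files) before escalation, since legitimate use of these platforms is common.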

Examples of Malware Components

Researchers documented several malware components developed during the campaign. Each tool reflects the group’s experimentation with different programming languages and command-and-control methods.

SupaServ (Rust)

A backdoor that communicates through Supabase and Firebase for command-and-control operations. It maintains persistence by creating scheduled tasks on the infected system.

CrystalShell (Crystal)

A cross-platform backdoor that uses Discord channels for command-and-control communication. Data exchanges are encoded using Base64 to conceal their contents.

ZigShell (Zig)

A functional counterpart to CrystalShell that communicates through Slack and supports built-in file transfers between infected systems and attacker infrastructure.

NimShellcodeLoader (Nim)

An experimental wrapper used to deploy a Cobalt Strike beacon while attempting to bypass simple malware scanning mechanisms associated with Cobalt Strike.

These tools demonstrate a clear strategy: diversify the development environment while maintaining compatibility with established offensive frameworks.

Human Operators Still Control the Attack

Although AI is helping accelerate malware creation, researchers emphasize that human operators still play a critical role in the attack process. Once access to a system is obtained, the campaign becomes highly manual.

Attackers analyze the compromised environment, select specific targets, and deploy additional tools as needed. This hybrid model allows AI to handle repetitive coding tasks while human attackers focus on strategic decision-making during the intrusion.

The primary concern for defenders is not the sophistication of each individual tool. Instead, it is the attackers’ growing ability to produce large volumes of functional malware quickly. Even if many tools fail or contain bugs, enough working variants can remain active to sustain a long-term intrusion campaign.

What Undercode Says:

The emergence of AI-assisted malware development marks a turning point in cyber warfare strategy. Historically, advanced persistent threat groups focused on crafting highly sophisticated malware that could remain undetected for long periods. That approach required extensive development time, specialized expertise, and significant testing.

The strategy now appears to be shifting toward speed and scalability.

Instead of investing months building a perfect piece of malware, threat actors can generate dozens or even hundreds of lightweight tools in a short period. AI models capable of generating code snippets, debugging functions, or converting scripts between languages significantly reduce development time.

This approach resembles the concept of disposable infrastructure used in modern cybercrime. Attackers create tools designed to be used briefly and then abandoned. If a security vendor detects one sample, attackers can quickly generate another variant with slightly different characteristics.

Another critical implication is the diversification of programming languages in malware development. Security tools historically evolved to detect patterns associated with a small number of dominant languages. When attackers introduce languages such as Zig, Nim, or Crystal, existing detection signatures become less reliable.

From a defensive perspective, this forces cybersecurity teams to rely more heavily on behavioral detection rather than code signatures. Monitoring suspicious actions, network patterns, and abnormal data transfers becomes more important than identifying specific code structures.

The use of trusted cloud platforms for command-and-control also signals a broader shift in attacker strategy. Cloud services are deeply integrated into enterprise environments. Blocking them outright is rarely possible because organizations depend on them for daily operations.

This creates an ideal hiding place for attacker communication channels.

If malware communicates with a well-known service like Discord or Google Drive, network security tools may struggle to distinguish malicious traffic from legitimate collaboration activity. Attackers understand this challenge and increasingly exploit trusted ecosystems rather than building their own infrastructure.

AI-generated malware also raises a psychological factor in cybersecurity defense. When attackers can generate thousands of code variations quickly, defenders face an overwhelming volume of potential threats. The burden shifts from detecting a few sophisticated attacks to filtering a massive stream of mediocre ones.

Ironically, even flawed malware can become dangerous when produced at scale. A tool that works only 30 percent of the time can still succeed if deployed widely across multiple targets.

This trend suggests that the future of cyber operations may resemble industrial manufacturing. Malware production becomes automated, iterative, and disposable.

For organizations, this means traditional signature-based security will struggle to keep pace. Adaptive security models, continuous monitoring, and AI-powered defense tools will become increasingly essential to counter attackers who are also using AI.

Ultimately, the battle between attackers and defenders may become an arms race of automation.

Fact Checker Results

✅ Transparent Tribe (APT36) is a known Pakistan-linked cyber espionage group tracked by multiple security organizations.
✅ Researchers have observed malware samples written in less common languages such as Rust, Nim, Zig, and Crystal.
❌ AI-generated malware is not necessarily more sophisticated; many samples contain logic errors and incomplete functionality.

Prediction

🔮 AI-assisted malware generation will rapidly increase across many threat groups, not just state-linked actors.
⚠️ Cybersecurity defenses will shift toward behavioral detection rather than static malware signatures.
🚨 Cloud services will become one of the most common command-and-control channels for future cyberattacks.

References:

Reported By: cyberpress.org