Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

75% CISOs Fear Executives Don’t Understand Cybersecurity Risks

July 9, 2026

PamStealer Uses Fake Maccy Sites and PAM Checks to Steal Mac Login Passwords

July 9, 2026

GhostApproval Flaw Hits Six Major AI Coding Assistants

July 9, 2026
Facebook X (Twitter) Instagram
Thursday, July 9
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»Vibe-Coded Malware Caught in Active Directory Attack
News

Vibe-Coded Malware Caught in Active Directory Attack

Team-CWDBy Team-CWDJuly 9, 2026No Comments3 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


A threat actor has been caught using AI-generated malware in a real network intrusion, deploying a PowerShell script that an assistant had “vibe-coded” to map out an Active Directory environment.

In a report published on July 8, Huntress said it recovered and rebuilt the script from an incident on June 3, calling it a “case study in how criminals are weaponizing AI.”

Vibe coding, generating software by prompting an AI in plain language rather than writing it manually, has handed even mediocre attackers the ability to spin up bespoke, one-off tools.

A Script With AI Fingerprints

The tool observed by Huntress was titled “100% Working AD Information Gathering Script – FULLY FIXED,” a phrase the firm said betrayed a back-and-forth with a large language model (LLM), errors pasted in until it worked.

The attacker had even left in a placeholder server name that the AI supplied as an example, copied across without editing.

Other giveaways, Huntress said, were the script’s over-engineering, five separate fallback methods to find the domain controller where a human coder would pick one, and its fondness for colorful console output.

Once it located the controller, the script harvested Active Directory users, computers, groups and trusts into spreadsheets. It then generated a tidy HTML report summarizing the theft, a flourish the researchers believed the LLM had added on its own.

Read more on AI-generated malware in the wild: AI-Enabled Malware Now Actively Deployed, Says Google

The Same Playbook, Faster

Despite the novelty of such attacks, Huntress stressed that “AI isn’t changing the game.” The intrusion followed a familiar smash-and-grab: the attacker logged in over RDP with stolen credentials, staged tools in a common Windows folder and ran the vibe-coded script to scout the network.

Legitimate cloud tools, such as s5cmd and the utility SharpShares, then handled data exfiltration.

The catch for defenders is detection, Huntress warned. Because the script was one of a kind, never seen before and unlikely to appear again in the same form, the file hashes and signatures that antivirus tools rely on were useless against it.

“Vibe coding lowers the barrier to entry for cybercrime, allowing unsophisticated actors to generate highly capable, evasive tooling on the fly,” the company said.

“While the code itself may be messy, over-engineered, and filled with AI hallmarks like left-behind comments, the threat it poses is very real. To combat this, defenders must abandon rigid, signature-based thinking and embrace behavioral analytics to catch the underlying actions that no LLM can hide.”



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleRansomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials
Next Article GhostApproval Flaw Hits Six Major AI Coding Assistants
Team-CWD
  • Website

Related Posts

News

75% CISOs Fear Executives Don’t Understand Cybersecurity Risks

July 9, 2026
News

PamStealer Uses Fake Maccy Sites and PAM Checks to Steal Mac Login Passwords

July 9, 2026
News

Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials

July 9, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

‘What happens online stays online’ and other cyberbullying myths, debunked

September 11, 2025

What’s at stake if your employees post too much online

December 1, 2025

Is it OK to let your children post selfies online?

February 17, 2026

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.