Nation-State Actor Embraces AI Malware Assembly Line

Pakistan-linked state-sponsored threat group APT36 has begun using AI coding tools to bombard targets with mass-produced malware that appears designed to overwhelm defenses not through technical quality but by sheer volume.

Bitdefender dubbed the tactic “Distributed Denial of Detection” after spotting the threat actor using vibe-coded malware in recent attacks targeting entities associated with the Indian government, its embassies across multiple countries, and other targets in South Asia.

How Distributed Denial of Detection Works

The security vendor found the “vibeware” to be of decidedly low quality and riddled with errors. For example, in one instance, a tool designed to steal browser credentials had a placeholder instead of a command-and-control (C2) server address, meaning it could never have actually exfiltrated any data. In another case, a backdoor’s status-reporting function reset the very timestamp it was meant to track each time it ran, causing the host to always appear online, regardless of its true state.


“We saw similar patterns across the rest of the fleet, where other malware components began to collapse under their own weight as soon as the logic reached a moderate level of complexity,” Bitdefender researcher Radu Tudorica said in a blog post this week. These are the kinds of mistakes that occur when code is “syntactically correct but logically unfinished,” he said.

Even so, it’s a mistake for enterprise organizations to underestimate the risks that such malware can present, especially when the malware is written in niche programming languages and uses legitimate services to hide C2 communications, Tudorica warned.

For example, APT36, aka Transparent Tribe, is using vibe-coding — the practice of using conversational, natural-language prompts to develop code with AI tools — to generate malware in obscure programming languages like Nim, Zig, and Crystal. Previously, developing malware in multiple languages required considerable time and skill. But, Tudorica said, AI has made it possible even for bad actors with only foundational technical skills to churn out malware in different languages with minimal effort.

A Mistake to Underestimate Vibeware

That’s a problem, because most endpoint detection engines are tuned to detect malware written in common languages like C++ or C#. When a malicious binary arrives in a language those engines have little exposure to, it “essentially reset[s] the detection baseline,” Tudorica wrote.

APT36 is also leveraging AI smarts to exploit legitimate cloud platforms for C2 purposes. Bitdefender found the threat actor’s vibeware collection using Slack, Discord, Google Sheets, and Supabase as channels for issuing commands to compromised machines and receiving stolen data. The combination, Tudorica observed, allows even a threat actor with mediocre tools to overwhelm standard defenses and achieve considerable operational success.
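Because the C2 traffic described above rides on services that also carry legitimate business traffic, blocking the destinations is rarely an option; what stands out instead is the timing. The following detector is an added example (not Bitdefender’s or APT36’s code): it scans constructed proxy log lines for hosts contacting a hypothetical watchlist of the SaaS domains named in the report and flags source/destination pairs whose inter-arrival times are nearly constant, the signature of an automated check-in rather than a person using Slack.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Hypothetical watchlist of services the report says were abused for C2.
SAAS_C2_HOSTS = ("slack.com", "discord.com", "discordapp.com",
                 "sheets.googleapis.com", "supabase.co")

# Log format assumed here: "<epoch> <source host> <destination host> <bytes>".
LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<src>\S+) (?P<host>\S+) (?P<bytes>\d+)$")

# Constructed sample lines: ws-17 checks in every 300 s; ws-22 is irregular.
SAMPLE_LOG = """\
1700000000 ws-17 hooks.slack.com 412
1700000300 ws-17 hooks.slack.com 410
1700000600 ws-17 hooks.slack.com 415
1700000900 ws-17 hooks.slack.com 409
1700001200 ws-17 hooks.slack.com 413
1700000050 ws-22 app.slack.com 9100
1700000870 ws-22 app.slack.com 2200
1700003100 ws-22 app.slack.com 15000
1700004000 ws-22 app.slack.com 7300
1700000100 ws-17 api.supabase.co 300
"""

def matches_watchlist(host):
    """True if host is a watchlisted domain or any subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in SAAS_C2_HOSTS)

def find_beacons(log_text, min_hits=4, max_cv=0.1):
    """Return {(src, host): stats} for pairs whose connection gaps are near-constant.

    cv = stdev / mean of inter-arrival seconds. Scheduled check-ins sit close
    to 0; interactive use of the same service produces a much larger spread.
    """
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not matches_watchlist(m["host"]):
            continue
        seen[(m["src"], m["host"])].append(int(m["ts"]))
    hits = {}
    for key, stamps in seen.items():
        if len(stamps) < min_hits:          # too few samples to judge regularity
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) else 0.0
        if cv <= max_cv:
            hits[key] = {"hits": len(stamps), "mean_gap_s": mean(gaps), "cv": round(cv, 3)}
    return hits
```

Real malware adds jitter, so in production the `max_cv` threshold is tuned against a baseline of known-good traffic rather than fixed at 0.1.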


Multiple, Parallel Implants

In attacks that Bitdefender analyzed, APT36 infected victims with multiple, simultaneous malware implants, each developed in a different language and using a different communication protocol. The objective is to ensure that the threat actor maintains access to a network even if one attack channel gets neutralized, the researcher noted. Bitdefender estimated the threat group is producing new malware variants daily using vibe coding.

“The real danger for organizations is the industrialization of mediocrity,” says Martin Zugec, technical solutions director at Bitdefender. AI is allowing attackers to generate attacks at a volume that can be challenging for organizations to handle if they have not paid attention to basic security hygiene, he says.

“While the industry has advocated for defense-in-depth and multilayered security for years, many environments still suffer from basic issues like flat networks, over-privileged users, and a lack of active MDR or SOC monitoring,” Zugec tells Dark Reading. “Vibeware does not rely on technical brilliance. It relies on exploiting the false sense of security in organizations that have simply managed to fly under the radar until now.”


Bitdefender assessed APT36’s pivot to a vibe-coding model as something of a “technical regression for the threat group itself.” But the broader trend could become concerning as the model evolves and the underlying AI tools continue to improve.

“It is a common misconception that every APT group is a collection of elite cyber warriors,” Zugec says. Many are bureaucratic government departments staffed by junior operators who have historically relied on adjusting open source projects or existing attack frameworks rather than developing malware from scratch. “For these actors, vibe coding is a way to scale their existing, low-level tactics.”

APT36 has for some time been associated with attacks on entities in India’s aerospace, defense, and government sectors. Its attack portfolio includes a constantly evolving list of malware for targeting Windows, Linux, and Android environments. The group is known for its extensive use of living-off-the-land binaries and legitimate cloud services to conceal attack activity.


Source: www.darkreading.com…