A new threat intelligence report describes a shift in how APT36, also tracked as Transparent Tribe, builds its malware, toward an approach the researchers call vibeware. According to the report, the group has moved away from relying mainly on ready-made malware frameworks and now uses AI-assisted development to produce a large number of malware samples in several programming languages. The goal is volume rather than quality: many experimental tools are deployed at once, and the churn of new samples is meant to outpace signature-based detection.
The report defines vibeware not by technical sophistication but by the high-volume production of mediocre malware written with the help of large language models. The actor produced many implants in languages such as Nim, Zig, Crystal, Rust, and Go. These languages are less common in malware, so their binaries are covered less well by signatures and heuristics built around the usual C/C++ and .NET toolchains. AI tools let developers translate existing malicious logic into unfamiliar languages, so an actor can experiment with several codebases without deep expertise in any of them. Many of the samples contain logic errors or incomplete code, but the strategy still pays off operationally because the actor can run several implants side by side in the same victim environment.
The campaign focused mainly on government institutions, diplomatic missions, and organizations connected to national security and foreign affairs, in South Asia and beyond. Victims were often infected with several implants in parallel: if one command-and-control channel was blocked or one implant removed, the attackers kept access through another component. The researchers linked the activity to earlier APT36 operations through overlapping tools and infrastructure; a loader named warcode.exe was identified as a key artifact connecting the earlier campaigns with the new vibeware approach. The group has historically relied on established frameworks such as Cobalt Strike, Havoc, and Gate Sentinel, and it still uses them as backup channels to maintain persistence in compromised networks. For defenders this means that removing the first implant found is rarely enough; the scope of an incident should be widened to look for sibling implants and the legacy frameworks before a host is declared clean.
Many of the implants use trusted cloud services for command and control, a tactic known as Living Off Trusted Services (LOTS). Samples were observed using Discord, Slack, Google Sheets, Firebase, and Supabase to receive instructions and to exfiltrate stolen data. Because these services are widely used by legitimate organizations, the traffic blends in with normal activity and is rarely blocked by simple filters. Some families read commands from spreadsheet cells; others pushed stolen data through cloud databases or messaging channels. AI-assisted code generation made these integrations easier to build and more stable, because the services have public documentation and SDKs. Blocking the domains outright is usually impractical, so detection has to rest on behaviour: hosts polling an API at a fixed, machine-like cadence, endpoints that have no business use of a given service, and upload volumes larger than interactive use would produce.
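The two behavioural checks above, a fixed polling cadence and bulk uploads to a watched service, can be run over ordinary proxy logs. The script below is an added example written for this article, not code from the report or from any of the implants; the hostnames, client names and timestamps in the sample log are constructed, and the watchlist only contains the services the report names.

```python
"""Flag endpoints that poll trusted SaaS APIs at a machine-like cadence or
push unusually large volumes to them. Added example; the log lines, the
thresholds and the watchlist are constructed for illustration."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Services the report names as C2 carriers. A real watchlist would be tuned
# to what is sanctioned in the environment, and may carry an allowlist of
# clients that legitimately use each service.
WATCHLIST = {
    "discord.com": "Discord",
    "slack.com": "Slack",
    "sheets.googleapis.com": "Google Sheets",
    "firebaseio.com": "Firebase",
    "supabase.co": "Supabase",
}

# Constructed proxy log: timestamp, client, destination host, method, bytes sent.
# ws-017 polls Sheets every 30 s and pushes 5 MiB to Supabase; ws-042 is a
# person using Slack at irregular intervals.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z ws-017 sheets.googleapis.com GET 412
2024-05-01T09:00:30Z ws-017 sheets.googleapis.com GET 412
2024-05-01T09:01:00Z ws-017 sheets.googleapis.com GET 412
2024-05-01T09:01:30Z ws-017 sheets.googleapis.com GET 412
2024-05-01T09:02:00Z ws-017 sheets.googleapis.com GET 412
2024-05-01T09:02:30Z ws-017 sheets.googleapis.com GET 412
2024-05-01T09:03:00Z ws-017 cdn.example.com GET 120
2024-05-01T09:04:00Z ws-017 supabase.co POST 5242880
2024-05-01T09:00:05Z ws-042 slack.com POST 1820
2024-05-01T09:07:41Z ws-042 slack.com POST 960
2024-05-01T09:21:09Z ws-042 slack.com GET 300
2024-05-01T09:58:33Z ws-042 slack.com POST 2210
2024-05-01T10:40:02Z ws-042 slack.com GET 300
"""


def watched_service(host):
    """Return the watchlist label if host is a watched domain or a subdomain of one."""
    for domain, label in WATCHLIST.items():
        if host == domain or host.endswith("." + domain):
            return label
    return None


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, host, method, bytes)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, method, nbytes = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((stamp, client, host, method, int(nbytes)))
    return events


def find_beacons(events, min_hits=5, max_jitter=0.15):
    """Group watched-service requests per (client, service) and flag series whose
    inter-request intervals vary little (stdev/mean below max_jitter)."""
    series = defaultdict(list)
    for stamp, client, host, _method, _nbytes in events:
        label = watched_service(host)
        if label:
            series[(client, label)].append(stamp)
    findings = []
    for (client, label), stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period <= 0:
            continue  # duplicate timestamps; not a usable series
        jitter = pstdev(gaps) / period
        if jitter <= max_jitter:
            findings.append({"client": client, "service": label, "hits": len(stamps),
                             "period_s": round(period, 1), "jitter": round(jitter, 3)})
    return findings


def find_bulk_uploads(events, min_bytes=1_000_000):
    """Total POST bytes per (client, service) and report those above min_bytes."""
    totals = defaultdict(int)
    for _stamp, client, host, method, nbytes in events:
        label = watched_service(host)
        if label and method == "POST":
            totals[(client, label)] += nbytes
    return sorted((c, s, n) for (c, s), n in totals.items() if n >= min_bytes)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in find_beacons(evs):
        print("beacon:", f)
    for c, s, n in find_bulk_uploads(evs):
        print(f"bulk upload: {c} -> {s} ({n} bytes)")
```

On the sample data the Sheets poller is reported with a 30 s period and zero jitter, the Supabase upload trips the volume check, and the Slack user is left alone because the interval spread is large. The thresholds are deliberately loose starting points; a real deployment would tune them per service and add the allowlist of clients expected to use each one.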
The investigation identified several malware families in the campaign, including CrystalShell, ZigShell, SupaServ, LuminousStealer, and BackupSpy. Between them they cover file harvesting, command execution, browser credential theft, and remote access. Some scanned local drives for documents, images, archives, and spreadsheets and uploaded them to attacker-controlled cloud storage accounts. Another tool, LuminousCookies, targeted browser session data and attempted to bypass the cookie encryption protections of current Chromium-based browsers. The researchers also found tells of AI-assisted development in the code, including emoji-based logging messages and metadata tied to AI-integrated coding environments. Despite the many design flaws, the analysts warn that this production model lets the actor keep introducing new variants, which strains detection that depends mainly on known signatures. What stays constant across the variants is behaviour rather than bytes: the same trusted services as C2, the same sweep of document and archive types, the same uploads to cloud storage, and these are the better things to detect on.
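The emoji-decorated log strings are cheap to check for during static triage of a new sample, since the emoji survive as UTF-8 in the binary. The script below is an added example written for this article, not code from the report; the sample blob is constructed, the emoji code-point ranges are a practical subset rather than the full Unicode emoji property, and the toolchain markers are heuristics that a stripped binary may not carry.

```python
"""Static triage: pull printable strings out of a binary and flag the tells
the report mentions, emoji-decorated log messages in particular. Added
example; the sample blob and thresholds are constructed for illustration."""
import re

# Code-point blocks where the emoji used in log decoration usually fall.
EMOJI_RANGES = (
    (0x2600, 0x27BF),    # Misc Symbols and Dingbats (check mark, cross, warning)
    (0x1F300, 0x1F5FF),  # Misc Symbols and Pictographs
    (0x1F600, 0x1F64F),  # Emoticons
    (0x1F680, 0x1F6FF),  # Transport and Map (rocket and friends)
    (0x1F900, 0x1F9FF),  # Supplemental Symbols and Pictographs
)

# Substrings commonly left in binaries by these toolchains. Heuristic only.
TOOLCHAIN_HINTS = {
    "Go": b"Go build ID:",
    "Rust": b"/rustc/",
}

# Runs of at least 4 bytes that could be text; high bytes are kept so that
# multi-byte UTF-8 emoji survive the cut.
_STRING_RE = re.compile(rb"[\x20-\x7e\x80-\xff]{4,}")

# Constructed stand-in for a sample: an ELF-like header, a Go build marker,
# three emoji-prefixed log strings and one plain string.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b'Go build ID: "constructed-example"\x00'
    + b"\xf0\x9f\x9a\x80 polling sheet for commands\x00"   # U+1F680 rocket
    + b"\xe2\x9c\x85 upload complete\x00"                  # U+2705 check mark
    + b"\xe2\x9d\x8c auth failed, retrying\x00"            # U+274C cross mark
    + b"plain status line\x00"
    + b"\x01\x02\x03\x04"
)


def is_emoji(ch):
    """True when the character's code point falls in one of EMOJI_RANGES."""
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in EMOJI_RANGES)


def extract_strings(blob):
    """Return decoded printable runs; invalid UTF-8 inside a run is dropped."""
    out = []
    for m in _STRING_RE.finditer(blob):
        s = m.group().decode("utf-8", errors="ignore").strip()
        if len(s) >= 4:
            out.append(s)
    return out


def emoji_strings(strings):
    """Keep only the strings that contain at least one emoji character."""
    return [s for s in strings if any(is_emoji(c) for c in s)]


def toolchain_hints(blob):
    """Name the toolchains whose marker substring appears in the blob."""
    return [name for name, marker in TOOLCHAIN_HINTS.items() if marker in blob]


def triage(blob, min_emoji_strings=2):
    """Summarise the tells; 'suspicious' means enough emoji log strings were seen."""
    strings = extract_strings(blob)
    hits = emoji_strings(strings)
    return {
        "strings": len(strings),
        "emoji_strings": hits,
        "toolchains": toolchain_hints(blob),
        "suspicious": len(hits) >= min_emoji_strings,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_BLOB)
    print(f"{report['strings']} strings, toolchains: {report['toolchains']}")
    for s in report["emoji_strings"]:
        print("emoji log string:", s)
    print("suspicious:", report["suspicious"])
```

This is a triage hint, not a verdict: plenty of legitimate CLI tools also decorate output with emoji, so the result should be combined with the runtime behaviour (the cloud-service C2 and file sweeps described above) before anything is labelled malicious.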
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.