Bitdefender researchers have discovered an artificial intelligence (AI)-assisted malware propagation campaign attributed to a Pakistani threat group that is industrializing cyberattacks in South Asia.
This campaign, leveraging an emerging malware category known as “vibeware,” has been linked with medium confidence to APT36, a state-sponsored threat group (also known as Transparent Tribe). APT36 has historically been associated with targeting the Indian government, diplomatic missions, and defense organizations.
Rather than aiming for technical sophistication, the vibeware model relies on large language models (LLMs) and AI-powered development tools to rewrite malicious logic across multiple programming languages and generate large numbers of malware variants on an almost daily basis.
Researchers observed malware samples written in niche languages such as Nim, Zig, and Crystal, in addition to more widely used languages such as Rust and Go.
By using languages that are less closely monitored, the group effectively resets the detection baseline for many traditional security tools. Bitdefender described this tactic as a form of “decentralized denial of detection.”
“Rather than a technological advance, we are seeing a shift toward an AI-assisted malware industrialization that allows attackers to flood target environments with single-use, multilingual binaries,” Bitdefender researchers said in a blog post.
Although the volume of malware is high, the quality of vibeware code is often low. Bitdefender’s analysis revealed that many of the samples contained coding flaws and incomplete logic consistent with AI-assisted code generation.
In one example, a basic Go binary was deployed to steal browser credentials, but the developer left a template placeholder where the command-and-control URL should be, meaning the tool could never actually exfiltrate the data it collected.
“We observed a similar pattern with the rest of the fleet: as soon as the logic reached a medium complexity level, other malware components began to collapse under their own weight,” the researchers explained. “This kind of mistake is common in code that is syntactically correct but logically incomplete.”
Despite these basic errors, the overall strategy is still effective. The sheer volume and diversity of malware variants increase the likelihood that at least one implant will evade signature-based or behavior-tuned malware detection engines.
In some cases, victims were infected with multiple parallel implants written in different languages and using separate communication protocols. Even if a defender blocks one access path, other access paths remain active, significantly complicating incident response and increasing operational resiliency for attackers.
Living off trusted services
To further evade detection, APT36 relies on trusted services. Rather than depending solely on attacker-controlled infrastructure, this vibeware leverages legitimate services such as Google Sheets to store malware instructions and Slack to send real-time instructions and retrieve collected data.
This allows malicious traffic to blend seamlessly into normal business activities, making it much harder to detect and disrupt. Bitdefender’s examination of APT36’s internal infrastructure also revealed the presence of a resident developer persona known as Nightmare, who appears to be central to the development and operation of the malware fleet.
“Although this malware lacks real innovation, it would be a mistake to underestimate the risk it poses,” the researchers warned. “The threat lies in the industrialization of these attacks. We are seeing the convergence of two trends that have been developing for some time: the adoption of exotic, niche programming languages and the exploitation of trusted services to hide behind legitimate network traffic.”
While the targeting remains focused on regional politics and national security in South Asia, the impact of the AI-assisted malware assembly line extends across the globe. AI is significantly lowering the barrier to entry for experimenting with new languages and delivery mechanisms, proving that even imperfect code can be successful when deployed at scale.
For organizations in the broader Asia-Pacific region, the findings highlight the need for a multi-layered detection strategy that prioritizes behavioral analysis of trusted cloud service usage, anomaly detection and monitoring, rather than relying solely on static signatures, Bitdefender said.
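The behavioral approach the article recommends for the Google Sheets and Slack channels described above can be illustrated with a small detection pass over proxy logs. This is an added example, not Bitdefender's tooling or anything from the campaign: the log format, host names, process names, the allow-list of expected client processes and the periodicity threshold are all assumptions, and the log lines are constructed. It flags a watched SaaS domain when it is reached by an unexpected process or on a clockwork schedule, which interactive use of these services rarely shows.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Trusted SaaS domains the article names as C2 carriers, and the processes that
# legitimately talk to them (an assumed allow-list; tune it per environment).
WATCHED_DOMAINS = {"sheets.googleapis.com", "slack.com"}
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "slack.exe"}
# Constructed proxy log lines (time, host, process, destination); not real data.
SAMPLE_LOG = """\
2024-05-01T09:00:05Z ws-17 slack.exe slack.com
2024-05-01T09:01:00Z ws-17 updater.exe sheets.googleapis.com
2024-05-01T09:06:00Z ws-17 updater.exe sheets.googleapis.com
2024-05-01T09:11:01Z ws-17 updater.exe sheets.googleapis.com
2024-05-01T09:16:00Z ws-17 updater.exe sheets.googleapis.com
2024-05-01T09:03:12Z ws-22 chrome.exe slack.com
2024-05-01T09:47:40Z ws-22 chrome.exe slack.com
2024-05-01T10:20:03Z ws-22 chrome.exe slack.com
2024-05-01T10:21:00Z ws-22 chrome.exe slack.com
"""

def parse(log_text):
    """Group request timestamps by (host, process, destination)."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        ts, host, proc, dest = line.split()
        sessions[(host, proc, dest)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return sessions

def beacon_score(times):
    """Coefficient of variation of inter-request gaps; near 0 means clockwork periodicity."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 3 or not any(gaps):
        return None  # too few requests to judge, or all at the same instant
    return statistics.pstdev(gaps) / statistics.mean(gaps)

def find_suspicious(log_text, max_cv=0.1):
    """Alert on watched domains reached by an unexpected process or on a beacon-like schedule."""
    alerts = []
    for (host, proc, dest), times in parse(log_text).items():
        if dest not in WATCHED_DOMAINS:
            continue  # ordinary browsing is out of scope for this check
        reasons = []
        if proc not in EXPECTED_CLIENTS:
            reasons.append("unexpected client process")
        cv = beacon_score(times)
        if cv is not None and cv < max_cv:
            reasons.append("periodic beacon")
        if reasons:
            alerts.append((host, proc, dest, reasons))
    return alerts
```

On the constructed sample only the updater.exe sessions to sheets.googleapis.com are flagged (unexpected process plus five-minute beaconing), while the human-paced Slack traffic from the browser passes.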
