A Pakistan-linked threat group known as APT36, or Transparent Tribe, has turned to what researchers describe as “vibeware,” an AI-assisted approach that rapidly generates large numbers of low-quality but functional cyber implants.
Instead of relying on established off-the-shelf malware, the group is now creating disposable binaries across multiple programming languages, including Nim, Zig, Crystal, and Go. The goal is to evade conventional security detection by diversifying codebases and lowering the likelihood of signature-based detection.
Researchers observed the group deploying implants that communicate with command-and-control (C&C) infrastructure via trusted cloud platforms such as Slack, Discord, Supabase, and Google Sheets. By abusing legitimate services, attackers can disguise malicious communications as normal traffic, using the Living Off Trusted Services (LOTS) technique.
According to researchers, many of the observed implants appear poorly implemented. In one case, a Go-based credential-stealing tool contained a template placeholder where the C&C address should have been, meaning the malware was incapable of exfiltrating stolen data. Bitdefender found similar issues in other malware samples, with code that was syntactically valid but logically incomplete.
Such mistakes, researchers say, suggest AI-generated or AI-assisted code, which can reproduce existing programming patterns but often struggles with complex logic. Observed metadata points to AI-integrated development tools, as well as unusual artifacts such as Unicode emoji strings embedded in compiled binaries.
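The three observations above (C&C traffic routed through trusted services, an unfilled template placeholder where a C&C address should be, and emoji strings left in compiled binaries) are all visible in a binary's embedded strings, which makes them cheap static triage signals for an analyst. The following Python is an added example written for this article, not code from Bitdefender or from the campaign; the sample bytes are constructed, the webhook/API path patterns for the platforms the article names are assumptions about how those services are commonly addressed, and the placeholder formats are illustrative guesses rather than the actual string found by the researchers.

```python
import re

# Constructed stand-in for a compiled implant: an ELF-like header, a dummy
# Discord webhook path, an unfilled template placeholder, a UTF-8 emoji
# string and a Go build marker. None of these values come from a real sample.
SAMPLE_BINARY = (
    b"\x7fELF\x00\x00garbage\x00"
    b"https://discord.com/api/webhooks/000000/EXAMPLE_TOKEN\x00"
    b"{{C2_ADDRESS}}\x00"
    b"\xf0\x9f\x9a\x80 Starting exfil\x00"   # U+1F680 rocket, UTF-8 encoded
    b"Go build ID: \"example\"\x00"
)

# Assumed endpoint patterns for the trusted services named in the article.
# They are heuristics: legitimate software talks to these hosts too, so a hit
# marks a binary for review, it is not a verdict.
TRUSTED_SERVICE_PATTERNS = {
    "discord_webhook": re.compile(r"discord(?:app)?\.com/api/webhooks/", re.I),
    "slack_webhook": re.compile(r"hooks\.slack\.com/services/", re.I),
    "supabase": re.compile(r"\.supabase\.co\b", re.I),
    "google_sheets": re.compile(
        r"docs\.google\.com/spreadsheets/|sheets\.googleapis\.com", re.I),
}

# Illustrative template-placeholder shapes a code generator might leave behind.
PLACEHOLDER_PATTERN = re.compile(
    r"\{\{\s*[A-Z0-9_]+\s*\}\}"                 # {{C2_ADDRESS}}
    r"|<[A-Z_]*(?:C2|ADDRESS|URL|HOST)[A-Z_]*>"  # <C2_URL>
    r"|(?:YOUR|INSERT)_[A-Z_]+"                  # YOUR_WEBHOOK_HERE
)

# Common emoji / pictograph code point ranges.
EMOJI_PATTERN = re.compile("[\U0001F300-\U0001FAFF\u2600-\u27BF]")


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return runs of printable ASCII or high bytes, decoded as UTF-8.

    Keeping bytes >= 0x80 in a run is what lets multi-byte emoji survive;
    a classic ASCII-only strings(1) pass would silently drop them.
    """
    runs: list[str] = []
    current = bytearray()
    for b in data:
        if 0x20 <= b < 0x7F or b >= 0x80:
            current.append(b)
            continue
        if len(current) >= min_len:
            runs.append(current.decode("utf-8", errors="ignore"))
        current = bytearray()
    if len(current) >= min_len:
        runs.append(current.decode("utf-8", errors="ignore"))
    return runs


def triage(data: bytes) -> dict[str, list]:
    """Group suspicious embedded strings by the signal they trigger."""
    findings: dict[str, list] = {
        "trusted_service": [],  # (pattern name, string) pairs
        "placeholder": [],
        "emoji": [],
    }
    for s in extract_strings(data):
        for name, pattern in TRUSTED_SERVICE_PATTERNS.items():
            if pattern.search(s):
                findings["trusted_service"].append((name, s))
        if PLACEHOLDER_PATTERN.search(s):
            findings["placeholder"].append(s)
        if EMOJI_PATTERN.search(s):
            findings["emoji"].append(s)
    return findings


def is_suspicious(findings: dict[str, list]) -> bool:
    """True when any signal fired; the analyst decides what it means."""
    return any(findings.values())


if __name__ == "__main__":
    result = triage(SAMPLE_BINARY)
    for category, hits in result.items():
        print(f"{category}: {hits}")
    print("flag for review:", is_suspicious(result))
```

Run against a real file, the same `triage(open(path, "rb").read())` call produces a short list an analyst can read in seconds. A placeholder hit alongside a trusted-service hit is the combination the article describes: a functional binary whose exfiltration path was never filled in. Because legitimate Slack or Discord integrations also embed these hosts, the trusted-service signal should be weighed together with the process context (a credential-handling binary with no business reason to reach a chat webhook) rather than used as a standalone block rule.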
Researchers also noted that victims were often infected with multiple implants at the same time. Each is written in a different language and uses a separate communication protocol, so that access persists even if one channel is detected and blocked.
Researchers assess with medium confidence that the activity is linked to APT36 based on the use of tools historically associated with the group, such as the Havoc framework, Cobalt Strike, and Gate Sentinel. One artifact (warcode.exe) has appeared in earlier APT36 campaigns as a loader for the Havoc framework.
The campaign’s targets remain consistent with APT36’s traditional focus on South Asian geopolitical intelligence. The operation focused on officials connected to the Government of India and personnel at Indian embassies abroad. Researchers have also identified secondary targets linked to the Government of Afghanistan and private sector organizations.
Recovered artifacts indicate that attackers are particularly interested in documents related to military personnel, foreign affairs, diplomacy, defense policy, and national security strategy. Evidence also suggests the group used professional networking platforms to profile potential victims, including collecting lists of government employees working in military-related agencies.