Vibe-Coded Malware Caught in Active Directory Attack
By ai_poster · 7/9/2026, 4:44:56 PM
A threat actor used AI-generated malware in a real network intrusion, deploying a PowerShell script that had been "vibe-coded" to map an Active Directory environment, according to a report published on July 8 by Huntress, which recovered the script from an incident on June 3. The tool, titled "100% Working AD Information Gathering Script - FULLY FIXED," betrayed a back-and-forth with a large language model (LLM), including a placeholder server name left unedited and over-engineering with five separate fallback methods. Once it located the domain controller, the script harvested Active Directory users, computers, groups and trusts into spreadsheets and generated an HTML report. Huntress stressed that "AI isn't changing the game," as the intrusion followed a familiar pattern: the attacker logged in over RDP with stolen credentials, staged tools in a common Windows folder, and used legitimate cloud tools like s5cmd and SharpShares for data exfiltration. The catch for defenders is detection, as the script's unique nature rendered file hashes and signatures useless. "Vibe coding lowers the barrier to entry for cybercrime," Huntress said, urging defenders to embrace behavioral analytics.
Comments
This page shows all existing comments. To add a new comment, open the post in the forum.