International Cyber Expo International Cyber Expo
  • About Us
Wednesday, 8 July, 2026
IT Security Guru
International Cyber Expo
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

Huntress Uncovers ‘Vibe-Coded’ Malware Used to Map Active Directory Environments

by Guru Writer
July 8, 2026
in Featured
malware
Share on FacebookShare on Twitter

Threat researchers at Huntress have identified what they describe as a clear example of AI-generated, or “vibe-coded”, malware deployed during a live intrusion, a development that the security vendor says signals a meaningful shift in how attackers build tooling, and how defenders will need to detect it.

The discovery centres on a bespoke PowerShell script recovered by Huntress analysts Jevon Ang and Dray Agha following an incident on 3 June. The script, designed to enumerate a victim’s Active Directory (AD) environment, was reconstructed from Windows Event ID 4104 telemetry (PowerShell/Operational logs) and later published in full by the vendor for the benefit of other defenders.

A familiar attack chain, with an AI-built payload

According to Huntress, the intrusion itself followed a well-worn playbook. The threat actor obtained RDP access to a domain-joined Windows server, apparently via a VPN, using pre-compromised credentials. From there, tools were staged in C:\ProgramData, a directory long favoured by attackers for its ubiquity and lax scrutiny.

Within minutes of establishing the session, the actor executed a custom script, saved as Untitled1.ps1, to map users, computers, groups, organisational units and domain trusts. Roughly 30 minutes later, the same actor deployed s5cmd.exe, a legitimate Amazon S3 command-line utility that Huntress has previously flagged as a recurring tool of choice for data exfiltration, followed by SharpShares, an open-source share enumeration tool, to hunt for additional accessible file repositories beyond standard administrative shares.

Huntress is careful to note that AI did not alter the fundamentals of the attack. The tactics- credential-based remote access, staging in common directories, AD enumeration followed by bulk exfiltration- mirror years of established “smash and grab” tradecraft. What has changed is the origin of the reconnaissance tooling itself.

The hallmarks of an LLM-authored script

The analysis identifies several indicators that the enumeration script was generated iteratively using an AI coding assistant rather than written by hand. Among them:

  • A title embedded in the script itself – “100% Working AD Information Gathering Script – FULLY FIXED” – consistent with an attacker copy-pasting the final output of a prompt-and-error-correct cycle with a chatbot.
  • An unedited placeholder server name left over from the model’s own example output, suggesting the operator never reviewed or customised the generated code.
  • A five-step cascading fallback routine for locating the domain controller (DNS, nltest, the AD PowerShell module, environment variables, and a hardcoded default), described by Huntress as the kind of exhaustive, redundant logic a language model produces when instructed to “make sure it doesn’t fail”, rather than the leaner approach a human operator would typically write.
  • Extensive, colour-coded Write-Host console output and a fully formatted HTML summary report generated at the end of the run – cosmetic touches Huntress suggests were an unsolicited addition from the model rather than a deliberate attacker requirement.

Once run, the script created a timestamped directory (C:\AD_Reports_<datetime>) containing CSV exports of users, computers, groups, OUs, subnets, and trusts, along with DNS subnet data and the aforementioned HTML report, and then compressed the results into a single ZIP archive.

Why this matters for detection

The core implication for defenders, per Huntress, is that hash- and static-signature-based detection is losing ground against this category of threat. Off-the-shelf tools such as SharpHound or Cobalt Strike carry known fingerprints; a one-off script produced through natural-language prompting does not, and is unlikely to reappear in identical form elsewhere.

Huntress argues that the underlying behaviours of AD enumeration – querying domain controllers, dumping user and group objects, touching trust relationships – remain constant regardless of how the code performing them was written. The vendor says its SIEM platform identified the activity on behavioural grounds despite the script’s novelty, and it is urging security teams to prioritise behavioural and telemetry-based detection over static indicators as AI-assisted tooling becomes more common among lower-skilled threat actors.

“Vibe coding lowers the barrier to entry for cybercrime,” the researchers conclude, warning that while the resulting code may be messy and over-engineered, the operational risk it poses to organisations is very real.

The bigger picture

The case adds to a growing body of evidence that generative AI is being adopted, unevenly but increasingly, on the offensive side of cybersecurity, not to invent novel attack techniques, but to lower the technical skill required to execute existing ones. For security teams, the takeaway from Huntress’s research is less about any single script and more about a structural shift: as malware authorship becomes commoditised, detection strategy needs to lean further into behaviour and context, and further away from matching known bad files.

Full technical detail, including the recovered script and accompanying screenshots, is available here: https://www.huntress.com/blog/ai-coded-malware-vibe-coding-active-directory

ShareTweet
Previous Post

Check Point’s ThreatCloud AI Blocked 4.6 Billion Attacks in 2025, Latest ESG Report Reveals

Recent News

malware

Huntress Uncovers ‘Vibe-Coded’ Malware Used to Map Active Directory Environments

July 8, 2026
Check Point’s ThreatCloud AI Blocked 4.6 Billion Attacks in 2025, Latest ESG Report Reveals

Check Point’s ThreatCloud AI Blocked 4.6 Billion Attacks in 2025, Latest ESG Report Reveals

July 8, 2026
Kirsty Fowler, WorkNest Secure

Next Gen Spotlights: Building a More Resilient Future – Q&A with WorkNest Secure

July 8, 2026
Mike Winston on Why Jet.AI Shifted From Aviation to AI Infrastructure

Mike Winston on Why Jet.AI Shifted From Aviation to AI Infrastructure

July 7, 2026

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2026 IT Security Guru - Website Managed by Dessol

  • About Us
Manage Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
  • Manage options
  • Manage services
  • Manage {vendor_count} vendors
  • Read more about these purposes
View preferences
  • {title}
  • {title}
  • {title}
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2026 IT Security Guru - Website Managed by Dessol